The project ended. The access did not. That is a common breach story.
1. Inventory where they could authenticate
VPN, RMM, Microsoft 365 guest accounts, firewall admin, hosting panels, password manager shares.
2. Disable in the same change window
Do not leave a vague “we’ll revoke Friday” sitting open for a week of forgotten portals.
3. Rotate shared secrets
Any password a vendor knew should be considered public to that vendor’s alumni.
4. Document what remains
If a vendor still monitors something, write it down. Ambiguity is how dual MSPs step on each other.
Need an access review? Open a ticket.

