Staffing agencies lose the site security narrative when a contractor's badge still works Monday after Friday's assignment ended. Here's how to close the gap.
Related demo
See compliance workflows in Teambridge
Try our workforce AI agents, then book time to map the workflow to your operation.
The assignment ended in your VMS at 4:47 PM Friday. The contractor's badge kept working through the weekend. It probably still works right now.
This is the gap that quietly defines staffing agency liability. Not the digital access — you probably killed that in your ATS the moment the assignment status flipped. The problem is the physical badge at the tenant's front desk, sitting in an access control system you don't own, waiting for a Monday-morning email that a facilities coordinator will get to when they get to it.
The Gap Nobody Owns: Why a Contractor's Badge Still Works Three Days After You Ended the Assignment
Here is the actual sequence in most staffing agencies. Assignment ends Friday at 5 PM. Ops coordinator sends an email to the client's facilities contact around 5:30. Facilities lead opens the email Monday at 9. Badge deactivation happens sometime that morning, if the person handling it isn't out sick or in a meeting. Total exposure window: roughly 64 hours during which a former contractor's credential still opens a door.
The scale of the problem isn't a secret. Industry reports reveal that over 30% of organizations take more than three days to revoke all system access after an employee leaves — and some never fully complete the process at all. Studies show that one-third of organizations take more than 24 hours to fully offboard an employee. Those numbers are for W-2 employers with a single IT team. For staffing agencies, they get worse — because you don't own the door.
Every revocation is a handoff. Your system of record says "assignment ended." The client's access control system — Brivo, Genetec, Lenel, CCURE, Kastle, whatever — has no idea. The bridge between the two is a human being with an inbox.
Warning
Physical badges are the offboarding step that gets the least attention and carries the most reputational risk. When a client's security team runs a post-incident review, the timestamps that matter are on the door reader logs, not in your ATS.
The moment employment ends, cut off access to all corporate systems. This includes network logins, VPN, email, cloud services, internal applications, and building entry badges. That's the security industry's baseline expectation for a W-2 employer. Now imagine trying to hit that standard when the badge system belongs to someone else's facilities department.
Why Mid-Assignment Offboards Are the Worst Case, Not the Edge Case
Contract-end dates are the easy version. You know the assignment ends March 31, you queue a revocation ticket for March 30, done. The workflow has days of runway.
Mid-assignment offboards compress that runway from days to minutes. Three scenarios keep showing up:
- The walkoff. Contractor leaves the site mid-shift, doesn't come back, doesn't answer calls. No formal termination yet, but they still have a working badge and a grievance.
- Termination for cause. Agency ends the assignment for a safety violation, theft, harassment, or a failed drug test. The exposure window between the decision and the badge being dead is a legal and physical safety issue.
- Client-requested removal. The client's site manager calls at 2 PM and says "don't send this person back." The badge needs to be dead before the person's next scheduled shift, which might be that evening.
Access revocation should begin at the moment the termination decision is made — ideally before or simultaneous with the employee being notified. For involuntary terminations, any delay creates a window for intentional data exfiltration. The same principle applies to physical access, except the exfiltration risk is a person walking back into a building they were told to stay out of.
The long-tail risk is worse than most agencies think. UScellular's 2023 breach was ultimately traced to unauthorized individuals who illegally gained access to a former third-party vendor's system, caused by a misconfigured server at the vendor that allowed them to view outdated information on 52,000 wireless customer accounts. The company said its relationship with the third-party vendor ended several years ago. The vendor relationship had ended years before the breach — but the access hadn't been fully closed. That's the pattern. Contractor access becomes an attack vector long after everyone assumed it was cold.
Industries where this matters most:
- Healthcare. Badged access to patient floors, med rooms, records areas.
- Live events. Backstage, cash rooms, artist compounds — with 200 contractors badged for a weekend.
- Janitorial. After-hours access to Class A office towers, law firms, financial services floors.
- Construction. Site trailers, materials cages, PPE lockers, and the front gate.
- Light industrial and logistics. Dock doors, sortation areas, high-value inventory.
An agency running 40+ contractors at a single client site at any given time is running 40+ live physical credentials that need to be tracked, revoked, and reconciled. The math gets ugly fast.

Mapping the Actual Revocation Chain: VMS → Agency → Tenant Facilities → Access Control System
Draw the workflow honestly. Here's what most agencies actually run:
Step 1. Assignment status changes in the ATS or VMS. Timestamped, clean, machine-readable.
Step 2. A notification fires to the agency's ops coordinator — email, Slack, dashboard alert, whatever.
Step 3. The ops coordinator drafts an email or opens a ticket to the client's facilities contact. "Please deactivate badge #A47291 for John Smith effective immediately."
Step 4. Someone on the tenant's side reads the message, opens the access control system, finds the record, and disables it. Or forwards it to someone else. Or lets it sit.
Steps 1 and 2 are systems events. Step 4 is a systems action. Step 3 is a human message — and that's where the SLA collapses.
| Step | Type | Typical Latency | Fails When |
|---|---|---|---|
| Assignment ended in VMS | System event | Instant | Rarely |
| Notification to ops | System event | Seconds | Notification routing broken |
| Email/ticket to tenant | Human message | 15 min – 4 hrs | Coordinator busy, out, or forgets |
| Badge deactivated in ACS | Human action | 1 hr – 5 days | Facilities queue is backlogged |
Manual, ticket-driven offboarding. IT gets a Monday email for a Friday departure. By the time the ticket is worked, the employee has already been gone for days. That description was written about internal IT. It maps perfectly onto the agency-to-tenant handoff.
The fix isn't to run faster on step 3. The fix is to eliminate step 3 as a human message and turn it into a system event with a required acknowledgment. Revocation outcomes should be verified with door reader logs and ACS status, not with "got your email, will do" replies.
Ready to move?
Ready to see Teambridge in action?
The Contract Language That Makes or Breaks Your Liability
The MSA and site access addendum are where you set — or lose — the terms of the handoff. If your current addendum says "Agency will notify Client of terminations in a timely manner," you have written yourself into every post-incident review as the responsible party.
The language that actually protects an agency:
- Revocation SLAs, tiered by exit type. 4 hours for hostile terminations. 24 hours for standard mid-assignment ends. 7 days for scheduled contract completions. The tenant's obligation, not just the agency's.
- Timestamped confirmation of deactivation. The tenant returns a machine-readable acknowledgment with the ACS timestamp, not a "done" reply.
- Shared audit log obligation. Both parties keep timestamped records of every request, acknowledgment, and verification. Reconciled monthly.
- Escalation path. If facilities doesn't acknowledge within the SLA, the escalation goes to a named security lead, then to the client's account manager, with defined timeframes.
- Post-incident cost allocation. If a badge stayed live past the SLA and a loss occurred during that window, the tenant's delay is on the tenant.
This matters because regulatory frameworks like HIPAA, PCI-DSS, NIST, and the FTC Safeguards Rule all require organizations to control and revoke access to sensitive data. Maintaining IT compliance means protecting employee data, documenting your offboarding process, and proving that access was revoked in a timely manner. When an auditor pulls your file, they don't care that you sent the email. They care whether the access was actually closed, when, and who verified it.
If a former employee accesses protected health information, payment card data, or customer records after their departure, your organization is liable, regardless of whether the access was intentional or accidental. Many cyber insurance policies also require documented offboarding procedures as a condition of coverage.
The agency's exposure isn't just to the client. It's to the client's insurer, the client's regulator, and the client's plaintiffs' bar. The contract language is the thing that draws the boundary of where your responsibility ends and theirs begins — assuming the boundary is drawn clearly and the evidence exists to prove it.
Important
Every new client contract should include a badge revocation addendum before the first contractor is dispatched. Retrofitting it into an active account is 10x harder than negotiating it during procurement.
Building an Event-Driven Offboarding Trigger Instead of a Monday Email
Here's the operational shift: treat the assignment-end event as the trigger, not as the reason someone should later send a message.
When an assignment closes in your workforce platform — whether from a schedule change, a no-call/no-show flag, a credential expiration, a client removal request, or a manual termination — that state change should fire a structured revocation request into the tenant's system. Not a paragraph of prose. A payload.
The payload needs to carry:
- Contractor legal name (as it appears on the badge)
- Badge or PIV ID
- Client site code (for multi-site tenants)
- Assignment ID and exit reason category
- Effective revoke timestamp — in the site's local timezone, not agency HQ time
- Required acknowledgment field the tenant fills back in with their ACS timestamp
- Escalation deadline
The timezone detail is not trivial. A 5 PM Pacific termination sent as "5 PM" to a facilities team in Eastern Time creates a three-hour ambiguity window in the audit log. Every timestamp gets normalized to the site's local time and the ISO-8601 UTC offset.
After the request fires, the workflow doesn't end. A post-revocation verification job runs at 24 and 72 hours to confirm closure. If the ACS acknowledgment hasn't come back, the record goes to an exceptions queue and escalates according to the contract SLA. This is exactly the kind of thing a good workflow automation layer is built for — the trigger, the payload, the acknowledgment tracking, and the escalation are all one workflow, not four disconnected inboxes.
Before vs. after, in plain terms:
| Before (Monday email model) | After (event-driven model) | |
|---|---|---|
| Trigger | Human notices status change | System detects status change |
| Send format | Email prose | Structured payload |
| Ack tracking | Reply in inbox | Field in shared record |
| Verification | "Did they do it?" | Auto-check at 24 and 72 hrs |
| Exposure window | 24–96 hours | Under 4 hours for hostile exits |
| Audit evidence | Email thread + spreadsheet | Timestamped log per event |
What to Do When the Client Won't Give You API Access
The realistic middle ground: most tenants — especially hospitals, secured industrial sites, financial services floors, and Class A commercial towers — will not open their access control system to a vendor. Nor should they, from their security posture's perspective.
That doesn't mean you're back to the Monday email. The workarounds that hold up:
- Structured, machine-parseable tickets. Every revocation request goes through a single, structured intake form on the tenant's side. Same fields every time. Same acknowledgment format. Same SLA clock.
- Shared revocation log. A jointly-owned record — spreadsheet, database, whatever the tenant will accept — that both sides update. The agency logs the request. The tenant countersigns the closure with an ACS timestamp.
- Weekly badge audits. Reconcile your active assignments list against the tenant's active badge list. Anything on the tenant's active list that isn't on your active assignment list is a live badge for a person who shouldn't have one. This audit catches the tail.
- Escalation SLAs, enforced. If facilities doesn't acknowledge within the contractually agreed window, the request routes to the named escalation contact automatically. Not next week. Same day.
- Named backup contacts. Every site has a primary and secondary facilities contact on file. If the primary is out, the request routes automatically.
The off-boarding security gap is the period — hours, days, sometimes years — between an employee leaving and every one of their access paths being fully, verifiably closed. The two failure modes to design against are visibility gaps (you don't know if the badge is still live) and policy inconsistencies (site A does it one way, site B does it another). Standardize the process across every client so your ops team runs the same runbook every time. This is especially critical for staffing agencies that place workers across dozens of client sites with different security postures.

The Audit Trail That Actually Holds Up
When a client's security team, an insurer, or a regulator asks you to prove that access was closed on a specific date for a specific contractor, what do you hand them?
The agencies that lose this conversation hand over an email thread and a screenshot of a spreadsheet. The agencies that win hand over a single record showing:
- Timestamp of assignment end in the VMS
- Timestamp the revocation request was sent to the tenant
- Timestamp of tenant acknowledgment with the ACS event ID
- Timestamp of post-revocation verification (24 and 72 hour checks)
- Names and roles of every human actor in the chain
- The exit reason category and any relevant notes
All tied to the specific contractor, specific site, and specific badge ID. All in one record. Not in seven inboxes and a tab in a shared drive.
A verifiable, timestamped offboarding record isn't an administrative overhead; it's the proof that your security controls are operational, not just documented. This is the difference between being the trusted vendor and being the named party.
The exposure window closed at the agency's boundary — here's the log to prove it.
That sentence, backed by data, is what you want your general counsel to be able to say when a client's incident report crosses their desk.
How Teambridge Runs This Automatically
The workflow described above isn't theoretical. This is what Teambridge Automations is built to run.
Assignment-end events fire triggers. Whether the event is a manual termination, a no-show flag, a credential expiration that invalidates the placement, or a schedule change that ends an assignment early, the system detects it and fires the revocation workflow immediately — not next Monday.
Document Studio holds the site access addendums, the countersigned revocation acknowledgments, and the badge-return receipts. Every document is timestamped, versioned, and pulled into the audit trail without anyone digging through a shared drive.
Admin Tools surfaces overdue badge revocations as exceptions on the ops dashboard. If a tenant hasn't acknowledged a revocation within the SLA, it doesn't sit quietly in an inbox — it shows up as an exception with the assignment ID, the site, the badge number, and how long it's been open.
The AI Specialists chase tenant facilities contacts when acknowledgments haven't landed. They send the follow-up, log the response, and escalate to the named backup contact when the primary hasn't replied within the SLA window. Not to replace the ops team's judgment on the hostile exits, but to make sure the routine 90% of revocations never get lost because someone was in a meeting.
The point of all of this isn't automation for its own sake. It's closing the gap between your system of record and the client's door — because that gap is where the liability actually lives.
If you're running contractors at client sites and your current badge revocation process is a Monday email, book a walkthrough focused specifically on the assignment-end-to-badge-revocation loop. That's the conversation worth having before an incident forces it.









