Anyone else have contractors who can still log into GitHub months after their contract ended?

Former contractor emailed me because they noticed our github org still showed up in their browser history. i figured it was probably an old cached login at first but checked anyway. github access was still active, vpn still worked, and they still had jira access on a couple projects. they weren’t doing anything with it  just noticed it and sent an email. full time employee offboarding goes through HRIS so accounts usually get disabled same day. contractors are tracked through procurement spreadsheets and email chains, which means IT only finds out somebody rolled off if somebody remembers to send a message. procurement is now supposed to notify IT when contracts end, “already missed one”. whole thing only got caught because somebody outside the company decided to say something. nothing internally flagged it. contractor offboarding feels like one of those things that sits in the gap between procurement and IT where nobody really owns it.