When I worked at Sherwin Williams, they had a policy: Any time a key holder left a store, you immediately changed the locks, even if the person was still working for the company. This may seem to be over-cautious, but it actually protected the company and the employee. In IT, I have continued to use the analogy of "change the locks" in many scenarios.
It's obvious this policy protects Sherwin Williams. After all, it protects them from any bad apples that might come back. It also protects the company in the case where someone else got hold of the employee's old key.
What's less obvious is that it protects the departing employee. The locks were often changed on the employee's last day. If, by chance, the store was robbed that very night, and there wasn't any sign of forced entry, then that employee was in the clear.
Without this clear and consistent policy, the company would have an unknown number of keys floating around for every store. Eventually, this might would cause a preventable security breach.
I think the parallels with IT are obvious. When an employee leaves, or changes roles, change the locks. In other words, remove any access or privileges they no longer need.
Unlike the physical world, the exact changes that need to be made may not be as obvious. Therefore, it is important to set up well thought out policies. Here are some things to look at:
There are no right answers to these questions. The important thing is to have these discussions early, and often, before something goes wrong.