I also follow the closely related addendum: I do not want standing admin access to your system, unless I need it often enough that it really impacts my productivity. Doubly so if it's not hooked up to SSO. If the database gets breached, I don't want my name on the list of people who had the admin password.

Most big businesses are good about that, but I've helped a couple of family members with their business's WordPress and just have standing access that I really don't want. They don't want to juggle activating/de-activating my account though, so /shrug.

Same all around for me. I have a couple of longstanding accounts on local businesses I help out, but it’s all via VPNs that send the owner an email when I connect. I also refuse to do any work unless they ask me in writing. Text is OK, and I screenshot it. “Why did you give such-and-such rights to that employee?” “I have it in writing where the owner asked me to, Your Honor.”

This has never come up before, but it’s easy enough to be diligent about it.

Also: I keep a little paper notebook where I log the work I do for everyone, and occasionally have someone else sign and date it. It’s basically a cheap blockchain IRL. “How do you know you did this before you stopped doing work for them?” “Because the owner signed and dated the logbook after I did the work but before they hired the new IT person.”

I’m suuuuuper nitpicky about diligence in all this, for the protection of everyone involved, and especially me.