Deny Security
You should be able to apply deny security to objects and sites in SharePoint. Everyone in the company (via domain users AD group membership or some other security group membership) should be able to see a site except employee a, b and c.
As you hire new employees with deny security in place, you don't have to add them to the site.
Imagine this... If you have 20 new hires a week and 200,000 sites that they need access to and each site has random individuals who aren't allowed to see random sites. The administrative burden is huge.
Locking down the sites to only the individuals who work on that project isn't possible. We want to have a collaborative environment where other individuals can find amazing exemplar documents for reuse.

2 comments
-
Nick Balestrino commented
This would be exceedingly helpful in M&A scernarios as well where you need to bulk revoke access at a site level to large groups of users on specific sites, but not all sites, on a specific date.
-
Ryan Helmer commented
Also at issue is a user can only be a member of up to 1024 groups.