Change passwords in as many places as applicable. Things may be amicable right now -- circumstances change, the employee may become disgruntled later. Or someone may try to use social engineering and/or impersonate that person.
Even if the only way into the innards of your operation is through a VPN connection they will no longer have access to, you should still change passwords on essential accounts -- those that would cause you the most harm if they became inaccessible or broken. Ditto for any public spaces that are not controlled by Corporate IT -- GitHub, company Facebook page, whatever. The higher up the ladder this person is, the larger the list of places you should be making sure are inaccessible after they leave.
The routine of changing passwords on this scale should be one that is well documented and regularly performed regardless of human turn-over.