When an employee or contractor leaves your organization, it’s important to remove their access to systems and third-party services to maintain security and compliance. With Vanta, offboarding happens automatically when Vanta detects a status change in your connected identity provider (IdP) or HRIS. This article is for workspace administrators who want to ensure former personnel no longer have access to any monitored or unmonitored accounts.
Access the Offboarding Drawer
Vanta treats your IdP (e.g., Google Workspace, Office 365, Okta) and HRIS (e.g., Rippling, Gusto, BambooHR) as the source of truth for employment status. As soon as Vanta sees a user’s status change to “offboarded” in one of these services, the user appears in Vanta’s Offboarding drawer.
In Vanta, click People in the left-hand navigation.
From the People list, select the user who needs to be offboarded.
Click the Offboarding tab in the user’s profile.
Understand Offboarding Sections
The Offboarding drawer is divided into two sections:
Monitored Accounts
Accounts that Vanta has detected through connected integrations (e.g., Slack, GitHub, AWS). Vanta tracks these automatically and can detect when access is revoked.Unmonitored Accounts
Vendors or services that Vanta cannot track directly (e.g., legacy tools, custom systems). These require manual verification.
Deactivate Unmonitored Accounts
For any vendor listed under Unmonitored Accounts, an administrator must confirm that the former user’s access has been removed:
In the Unmonitored Accounts section, locate each vendor.
Click the hollow circle (○) next to a vendor name to mark it as deactivated (the circle will turn into a checkmark).
To deactivate all unmonitored accounts in bulk, click Mark all deactivated.
This step ensures that you’ve manually verified the user no longer has credentials or permissions for each unmonitored service.
Deactivate Monitored Accounts (Override if Needed)
Vanta automatically detects and revokes monitored-account access when possible. If Vanta cannot detect that a monitored account has been disabled (for example, if an admin changed a password but didn’t suspend the user), you can override Vanta’s status:
In the Monitored Accounts section, find the account you want to override.
Click Override next to that account.
Provide a brief reason (e.g., “Password changed manually; account remains active”) and click Confirm.
This tells Vanta that the monitored account should be considered deactivated, even though Vanta can’t detect it automatically.
Complete Offboarding
Once all monitored and unmonitored accounts are deactivated or overridden:
Review both sections to ensure no remaining circle icons remain.
Click Complete Offboarding at the bottom of the Offboarding drawer.
A confirmation dialog appears, click Confirm to finalize.
After completion, Vanta records the offboarding event, and the user moves to a “Soft-Deleted” state. If you ever need to reverse this action (for example, if an offboarding was done in error), click Reset Offboarding in the same drawer to bring the user back to an active state.
Important Notes
Soft-Deleted Users
If you remove a user from scope (for example, mark them Out of Scope in the HRIS) before Vanta detects the status change, the user becomes soft-deleted immediately. In that case, Vanta cannot offboard them via the drawer—you’ll need to re-add them or let your IdP drive offboarding.Manually Added Users
For any user not imported from an integration (for instance, a service account you added by hand), follow the same deactivation steps. Approve the removal of each integration and complete offboarding as described above.Timing
Vanta fetches updates from your IdP or HRIS roughly every hour. If you deactivate a user in your IdP but don’t see them in the Offboarding drawer, wait a few minutes and refresh the People page.Auditor Evidence
Vanta logs each offboarding action with timestamps. When auditors ask how you remove departed employees’ access, you can refer to these logs as proof that all monitored and unmonitored accounts were deactivated.