When an employee or contractor leaves your organization, it’s important to remove their access to systems and third-party services to maintain security and compliance. With Vanta, offboarding happens automatically when Vanta detects a status change in your connected identity provider (IdP) or HRIS. This article is for workspace administrators who want to ensure former personnel no longer have access to any monitored or unmonitored accounts.
When using Vanta with Google Workspace, it's important to understand that proper integration ensures accurate tracking of employee accounts. Vanta syncs with Google Workspace to monitor account status and facilitate the offboarding process. This integration serves as a foundation for the automated offboarding workflows described below.
Access the Offboarding Drawer
Vanta treats your IdP (e.g., Google Workspace, Office 365, Okta) and HRIS (e.g., Rippling, Gusto, BambooHR) as the source of truth for employment status. As soon as Vanta sees a user’s status change to “offboarded” in one of these services, the user appears in Vanta’s Offboarding drawer.
In Vanta, click People in the left-hand navigation.
From the People list, select the user who needs to be offboarded.
Click the Offboarding tab in the user’s profile.
Understand Offboarding Sections
The Offboarding drawer is divided into two sections:
Monitored Accounts
Accounts that Vanta has detected through connected integrations (e.g., Slack, GitHub, AWS). Vanta tracks these automatically and can detect when access is revoked.Unmonitored Accounts
Vendors or services that Vanta cannot track directly (e.g., legacy tools, custom systems). These require manual verification.
Note that even with Google Workspace integration, Vanta considers certain tools like Google Drive as unmonitored accounts. This is why Google Drive typically appears under the unmonitored accounts section in offboarding checklists, requiring manual verification during the offboarding process.
Deactivate Unmonitored Accounts
For any vendor listed under Unmonitored Accounts, an administrator must confirm that the former user’s access has been removed:
In the Unmonitored Accounts section, locate each vendor.
Click the hollow circle (○) next to a vendor name to mark it as deactivated (the circle will turn into a checkmark).
To deactivate all unmonitored accounts in bulk, click Mark all deactivated.
This step ensures that you’ve manually verified the user no longer has credentials or permissions for each unmonitored service.
Deactivate Monitored Accounts (Override if Needed)
Vanta automatically detects and revokes monitored-account access when possible. If Vanta cannot detect that a monitored account has been disabled (for example, if an admin changed a password but didn’t suspend the user), you can override Vanta’s status:
In the Monitored Accounts section, find the account you want to override.
Click Override next to that account.
Provide a brief reason (e.g., “Password changed manually; account remains active”) and click Confirm.
This tells Vanta that the monitored account should be considered deactivated, even though Vanta can’t detect it automatically.
Complete Offboarding
Once all monitored and unmonitored accounts are deactivated or overridden:
Review both sections to ensure no remaining circle icons remain.
Click Complete Offboarding at the bottom of the Offboarding drawer.
A confirmation dialog appears, click Confirm to finalize.
After completion, Vanta records the offboarding event, and the user moves to a “Soft-Deleted” state. If you ever need to reverse this action (for example, if an offboarding was done in error), click Reset Offboarding in the same drawer to bring the user back to an active state.
Important Notes
Soft-Deleted Users If you remove a user from scope (for example, mark them Out of Scope in the HRIS) before Vanta detects the status change, the user becomes soft-deleted immediately. In that case, Vanta cannot offboard them via the drawer—you'll need to re-add them or let your IdP drive offboarding.
Manually Added Users For any user not imported from an integration (for instance, a service account you added by hand), follow the same deactivation steps. Approve the removal of each integration and complete offboarding as described above. Note that for manually created users, an offboarding checklist will only appear if you initiate offboarding manually by clicking the 'Offboard' button in the user's profile.
Timing Vanta fetches updates from your IdP or HRIS roughly every hour. If you deactivate a user in your IdP but don't see them in the Offboarding drawer, wait a few minutes and refresh the People page.
Auditor Evidence Vanta logs each offboarding action with timestamps. When auditors ask how you remove departed employees' access, you can refer to these logs as proof that all monitored and unmonitored accounts were deactivated.
Re-enabling Mistakenly Offboarded Accounts If an employee has been mistakenly marked for offboarding due to a suspension in Google Workspace, ensure the user's email is marked as active again in Google Workspace and wait for Vanta to sync (typically within an hour) to update the account status.
Google Groups and Organizational Units For employees to appear in Vanta when using Google Workspace integration, they must be members of the designated group specified for Vanta's integration. If employees in special organizational units are not showing up in Vanta, add them to the requisite group in Google Workspace.
Recommended Offboarding Procedure with Google Workspace For optimal results, first offboard the user via your HRIS, then remove access to their email account in Google Workspace only after completing the HR offboarding. Keep employees in the designated Google group if required for maintaining offboarding records within Vanta.