Skip to main content

Offboarding Personnel

✅ Feature availability: This article discusses Access Management features, which may require an upgrade or add-on. Refer to Vanta Plans and Pricing for details.

When personnel leave your company, Vanta helps you manage two parts of the process: (1) starting offboarding once Vanta recognizes that the personnel record is no longer employed, and (2) deprovisioning and completing offboarding by reviewing accounts, assigning tasks, and confirming that offboarding is complete.

⚙️ User permissions: To start or complete offboarding, you need a user role with permissions to manage people in Vanta. This means an Admin or Editor role, or a custom role with the required permissions.

Getting started

  1. Start offboarding: Vanta needs to recognize the personnel record as no longer employed before you can begin deprovisioning or complete offboarding.

  2. Reviewing accounts: Review the personnel record's known accounts and systems, assign the people responsible for deprovisioning each one, and kick off the process.

  3. Monitor deprovisioning tasks: Track deprovisioning tasks as assignees work through their accounts.

  4. Complete offboarding: Once all tasks are done and monitored accounts are deactivated, complete the final step to mark the personnel record as fully offboarded in Vanta.

Starting offboarding

To appear in the Offboarding filter on the People page, a personnel record should have a Terminated employment status. How a personnel record reaches that status depends on how employment data is managed in Vanta.

ℹ️ Note: Once a personnel record appears as Terminated, go to Personnel > People, open the record, and select Deprovision accounts to continue. The Offboard action on the People page is used to complete offboarding for records that are already eligible for final completion—it's not how you start the offboarding workflow.

Employment status controlled via HRIS

If your HRIS is connected, Vanta uses it as the primary source of truth for employment status.

After the next sync (typically within about an hour for many integrations) changes to a personnel record's HRIS status can update their employment status in Vanta. In practice, the offboarding workflow is usually available once the personnel record appears as Terminated in Vanta.

If a personnel record appears as Inactive instead of Terminated, Vanta may be missing a usable end date. See Troubleshooting below.

Employment status controlled via IdP

If no HRIS is connected, Vanta uses your identity provider to determine employment status.

Offboarding can start when Vanta detects that the linked IdP account has been deleted, suspended, blocked from sign-in, or otherwise deactivated, depending on the provider. For example:

  • Google Workspace: Suspend the account

  • Microsoft 365: Block sign-in

  • Okta or OneLogin: Suspend the account

If your HRIS and IdP are both connected, HRIS data takes priority—deactivating the IdP account alone will not update employment status if an active HRIS record is still linked.

Manually managed personnel

If a personnel record isn't connected to an HRIS or identity provider, employment status won't update automatically. To start offboarding, you'll need to initiate it directly from the personnel record.

To mark the record as Terminated:

  1. From Personnel, go to the People page.

  2. Open the personnel record.

  3. Go to the Offboarding tab and click Offboard.

  4. Confirm Start offboarding.

This marks the personnel record as Terminated. After that, the personnel record moves into the same Deprovision accounts workflow used for other terminated personnel.

Reviewing accounts

Once a personnel record is Terminated, open the record from the People page and select the Deprovision accounts task.

Vanta surfaces all known accounts and systems associated with that personnel record and organizes them into sections for review. Depending on your setup, you may see:

  • Accounts Vanta will deprovision automatically through connected integrations

  • Accounts that need to be removed manually or confirmed

  • Systems to review based on the personnel record's group memberships

Accounts Vanta deprovisions automatically

If automated deprovisioning is available for your workspace and supported by the connected integration, Vanta shows these accounts in a separate section.

Once you start deprovisioning, Vanta removes access automatically and updates the status as it verifies removal. No action is needed for these accounts unless you need to override the integration's status.

Accounts that need to be removed manually

These accounts still need follow-up. There are two types:

  • Integrated accounts: Accounts in systems connected to Vanta that Vanta can monitor, but that still need an assignee or manual confirmation.

  • Manual accounts: Accounts from past access requests in systems that are not integrated with Vanta.

For each account, assign the person responsible for deprovisioning it. By default, Vanta fills this in using the vendor's security owner. You can also reassign an account if ownership is transferring to a current employee.

Systems to review from group memberships

If you assign systems to personnel groups, Vanta surfaces systems that should be reviewed even when no known account has been found yet.

For each system, either assign the person responsible for confirming whether an account exists and deprovisioning it if needed, or ignore it if confirmation isn't required.

To customize what appears in this section, go to Personnel > People > Groups and update the group’s Offboarding > Access removal settings. See Vendor Scoping by Group for more details.

Monitoring deprovisioning tasks

Once you've reviewed accounts and assigned the owners responsible for deprovisioning, you're ready to kick off the process. From there, Vanta tracks progress and assignees work through their tasks until all accounts are resolved.

Starting deprovisioning

Once accounts and systems have assignees where needed, click Start deprovisioning. Assignees will receive their tasks and notifications. Notifications are batched and can take up to five minutes to appear.

What assignees do

Assignees complete their work from Access > Deprovisioning tasks—they don't need access to the People page to do this.

Each task includes the system name, account name, former owner, and entitlements. Once the assignee has deprovisioned the account in the external system, they click Confirm account as deprovisioned.

For supported integrations, Vanta automatically closes the task when it detects the account has been deprovisioned.

Monitoring status

As assignees work through their tasks, you can monitor the status of each account from the personnel record.

For each account, you can:

  • View the associated deprovisioning task

  • Mark the account as deprovisioned and close the task

  • Open the system directly from Vanta

For deprovisioned accounts, Vanta records when the account was verified and how—whether via integration or manual confirmation.

Completing offboarding

Starting deprovisioning does not automatically mark a personnel record as fully offboarded in Vanta—there is a separate final step.

Once all required offboarding tasks are complete and monitored accounts are deactivated or manually marked as deactivated, you can complete offboarding to mark the personnel record as fully offboarded in Vanta. When you complete offboarding, Vanta also marks any unmonitored accounts as deactivated.

To complete offboarding for a single personnel record:

  1. From Personnel, go to the People page.

  2. Open the personnel record.

  3. Go to the Offboarding tab and click Complete offboarding.

Bulk offboarding

If you need to complete offboarding for multiple personnel records at once, you can use bulk offboarding instead of completing each record individually.

To complete offboarding for multiple personnel records at once:

  1. From Personnel, go to the People page.

  2. Select the checkboxes next to the personnel records you want to offboard. You can bulk offboard up to 1,000 personnel records at a time. The People page displays 50 records at a time, but you can continue selecting across pages until you reach the limit.

  3. Click Offboard.

  4. Review the confirmation dialog. Vanta separates the selected records into those that will be offboarded and those that won't. Bulk offboarding only completes offboarding for records that are already eligible for final completion—it does not initiate offboarding for active personnel records.

  5. Click Offboard to confirm.

If a personnel record appears in the will not be offboarded group, the reason will be shown in the dialog. Common reasons include:

  • The personnel record was already offboarded

  • The personnel record doesn't have an end date

  • The personnel record isn't yet Terminated

  • There are still incomplete offboarding tasks

  • There are still active monitored accounts

Resolve the issue shown and then try again.

Troubleshooting

A personnel record shows as Inactive instead of Terminated

This usually means Vanta doesn't have the end-date information it needs to proceed with offboarding. This commonly happens when the HRIS has a future end date or doesn't provide a usable end date.

To resolve this:

  1. Go to Integrations.

  2. Open your HRIS connection and select Configure scope.

  3. Find the personnel record and mark it Out of scope.

  4. After the next sync, Vanta will use your identity provider as the source of truth for that record. If the IdP account is already deactivated, Vanta will pull the IdP deactivation date as the end date and offboarding should become available.

The IdP account was deactivated, but Vanta didn't start offboarding

If the personnel record is linked to both an HRIS and an IdP, HRIS data takes priority. Even if the IdP account has been suspended or deleted, an active HRIS record can prevent the employment status from updating as expected.

The personnel record is Terminated, but I can't complete offboarding

A Terminated status means the offboarding workflow is available—it doesn't skip the deprovisioning steps or the final completion step.

You may still need to finish required offboarding tasks or mark monitored accounts as deactivated before Complete offboarding becomes available.

I need to keep the person's inbox active

Some providers let you suspend or block sign-in without deleting the account. That can still make offboarding available in Vanta while preserving mailbox access. See Offboarding a User in Vanta while Keeping an Inbox Active for provider-specific guidance.

I need to find everyone who still needs offboarding attention

Go to Personnel > People and use the Offboarding filter. From there, use the task status filters to narrow the list and open individual records that need deprovisioning or final completion.