Prove who has access to what — without the screenshot scramble.

VanillaOne inventories every identity and app across your company, automates joiner–mover–leaver access, and turns daily operations into auditor-ready SOC2 evidence.

Early access — waitlist members get founding-customer terms.
app.vanillaone.io/dashboard
VanillaOne
DashboardHuman identities482ApplicationsAccess reviews3WorkflowsConnectorsAudit log
Good morning, Priya
Here’s what needs your attention across Acme Corp today.
Start a review
96%
Compliance posture
↑ 4% this quarter
3
Reviews overdue
up to 12 days late
8
Newly discovered apps
unreviewed · last 7 days
5
Critical-risk items
needs action now
Needs attention14
aws
Dormant admin on AWS — Sam Ortiz
no sign-in for 62 days
High
Drift detected — direct add in GitLab
group backend · Maintainer
Medium
Leaver run pending — Dana Cho
9 accounts to revoke · verified on completion
Pending
Access changes8 weeks
1,438↑ 9%
GrantsRevocations
One inventory

Nobody has one list of every account. Now you do.

Connectors sync users, groups, licenses and entitlements from your directory and every app — then correlate human and service accounts into one identity per person.

Entra ID
Google Workspace
GitHub
GitLab
awsAWS
Cloudflare
JumpCloud
Kubernetes
One identity
maya.chen · 9 accounts · 2 bots

Native connectors for Entra ID, Google Workspace, JumpCloud, GitHub, GitLab, AWS, Cloudflare and Kubernetes — CSV import for everything else. No agents to install.

Access reviews

Retire the quarterly spreadsheet fire drill.

Recurring campaigns assign each manager a focused workspace — certify or revoke in minutes, keyboard-first. Keeping a dormant or high-risk grant needs a written reason, and the evidence exports itself for the auditor.

JK next / prev · A keep · R revoke
…/reviews/q3-finance
Reviewer workspace
Q3 Finance certification · 12 of 20 reviewed
60%
SO
Sam Ortiz · Finance
AWS · AdministratorAccess
High · dormant 62d
✓ Keep− Revokedecision logged · 14s
Revoked — access will be removed and verified
LF
Lena Fischer · Sales
Salesforce · Standard user
Low
…/workflows
Workflows
Playbooks that provision and deprovision as people join, move, and leave.
Engineering onboarding
dept = EngineeringAuto-start7 steps
Active
Offboarding — all staff
event = leaverAuto-startrevokes all 9 accounts
Active
Sales → Marketing mover
dept changeTo queue
Draft
Joiner · Mover · Leaver

Ex-employees shouldn’t keep access for weeks.

Provisioning playbooks run on durable workflows: day-one access for new hires, automatic changes on role change, and complete, verified revocation the day someone leaves — every step logged.

Workflow engine

Your onboarding isn’t a template. Stop forcing it into one.

Legacy IGA ships rigid flows, so IT ends up back in scripts and tickets. VanillaOne playbooks bend to how your company actually works.

Visual builder — compose playbooks on a canvas, no code.
Trigger bindings — start from events in any source; matchers and priorities pick the playbook.
Human-in-the-loop — mix automated steps with approvals and manual tasks.
Durable runs — resumable timelines with retries; nothing half-finishes silently.
…/workflows/onboarding/edit
When a person joins
entra · Auto-start · pri 10hris · To queue · pri 20
Wait until start date
Pauses until the employee's first day
Create Entra user & write membership
OU: Employees · retries ×5
Waiting for manager approval
Required for privileged groups
+ Add step or drag from library
Trigger bindings
Source
Entra ID
Conditions
User type = MemberDepartment in [Eng, Data]+ Add
Auto-start
Priority
10
When several playbooks match the same event, the lowest number wins.
RUN #4821 Assign groups 09:41:02 Grant GitLab 09:41:18 Grant AWS retry 2/5 Notify
Self-service requests

Access requests that don’t die in Slack threads.

Employees request access with a reason. Approvals route to the right people, high-risk requests get extra scrutiny automatically, and temporary grants expire on their own — no ticket cleanup.

…/requests/approvals
Approvals
Review and decide on access requests from your team.
SR
Sam Rivera · Finance
SStripe · refunds:write · 30 days
High
“Processing customer refunds during the July billing migration.”
✓ ManagerApp owner · pendingauto-revokes 2026-08-04
ApproveReject
…/discovered-apps
Discovered apps
Shadow IT auto-detected from SSO and OAuth grants. Triage each app before it spreads.
Ma
Mailmodo
offline_access · 6 users · via Microsoft
HighApproveBan
Ca
Calendly
calendar.events · 58 users · via Google
MediumApproveBan
Lo
Loom
drive.readonly · 23 users · via Google
MediumApproveBan
Shadow-IT discovery

You can’t govern the apps you can’t see.

OAuth sign-ins and consent grants surface every app employees actually use — with the scopes they handed over. Approve it and bring it under governance, or ban it before it spreads.

Built for SOC2

Evidence is a by-product, not a project.

Immutable audit log

Every access change is append-only, filterable, and exportable. Drift is flagged, never silently adopted.

audit.events · append-only
Tenant isolation

Multi-tenant with Postgres row-level security — your data is isolated at the database layer, not the app layer.

row_level_security = on
Server-side RBAC + SSO

Roles enforced on the server, sign-in through your identity provider. Secrets live in AWS Secrets Manager.

admin | reviewer | viewer | end-user
Least-privilege scopes

Connectors request only the Graph scopes they need — admin-consent onboarding in minutes, no agents to install.

User.Read.All · Group.Read.All

Questions, answered.

What is IGA, in one paragraph?

Identity Governance & Administration is the system of record for who has access to what, why, and who approved it. It inventories accounts across your apps, grants and revokes access through defined processes, and keeps evidence of all of it — which is exactly what a SOC2 auditor asks you to prove.

How is this different from Vanta or Drata?

Compliance-automation tools check boxes and collect screenshots; they don't change who has access. VanillaOne actually provisions and revokes access — the evidence is real because the operations are real.

And from SailPoint or Saviynt?

Same category, a tenth of the weight. Legacy IGA is a six-month consulting project; VanillaOne connects to your directories — Entra ID, Google Workspace, JumpCloud and more — onboards in minutes with no agents, and is built for 50–1000-person companies.

What does joining the waitlist get me?

Early access as onboarding slots open, direct input into the roadmap, and founding-customer terms when pricing is set. No commitment, no payment details.

What's your own security posture?

Postgres row-level security for tenant isolation, server-side RBAC, SSO login, secrets in AWS Secrets Manager, and least-privilege Graph scopes. The audit log is append-only — including for us.

When can I use it?

The core — identity inventory, connectors, audit log — is running today; reviews, requests and workflows are rolling out to early-access tenants in waves. Waitlist order decides who's next.

Be audit-ready by default.

Join the waitlist — early access opens in waves, founding-customer terms included.