Prove who has access to what — without the screenshot scramble.
VanillaOne inventories every identity and app across your company, automates joiner–mover–leaver access, and turns daily operations into auditor-ready SOC2 evidence.
Nobody has one list of every account. Now you do.
Connectors sync users, groups, licenses and entitlements from your directory and every app — then correlate human and service accounts into one identity per person.
Native connectors for Entra ID, Google Workspace, JumpCloud, GitHub, GitLab, AWS, Cloudflare and Kubernetes — CSV import for everything else. No agents to install.
Retire the quarterly spreadsheet fire drill.
Recurring campaigns assign each manager a focused workspace — certify or revoke in minutes, keyboard-first. Keeping a dormant or high-risk grant needs a written reason, and the evidence exports itself for the auditor.
Ex-employees shouldn’t keep access for weeks.
Provisioning playbooks run on durable workflows: day-one access for new hires, automatic changes on role change, and complete, verified revocation the day someone leaves — every step logged.
Your onboarding isn’t a template. Stop forcing it into one.
Legacy IGA ships rigid flows, so IT ends up back in scripts and tickets. VanillaOne playbooks bend to how your company actually works.
Access requests that don’t die in Slack threads.
Employees request access with a reason. Approvals route to the right people, high-risk requests get extra scrutiny automatically, and temporary grants expire on their own — no ticket cleanup.
You can’t govern the apps you can’t see.
OAuth sign-ins and consent grants surface every app employees actually use — with the scopes they handed over. Approve it and bring it under governance, or ban it before it spreads.
Evidence is a by-product, not a project.
Every access change is append-only, filterable, and exportable. Drift is flagged, never silently adopted.
audit.events · append-onlyMulti-tenant with Postgres row-level security — your data is isolated at the database layer, not the app layer.
row_level_security = onRoles enforced on the server, sign-in through your identity provider. Secrets live in AWS Secrets Manager.
admin | reviewer | viewer | end-userConnectors request only the Graph scopes they need — admin-consent onboarding in minutes, no agents to install.
User.Read.All · Group.Read.AllQuestions, answered.
What is IGA, in one paragraph?
Identity Governance & Administration is the system of record for who has access to what, why, and who approved it. It inventories accounts across your apps, grants and revokes access through defined processes, and keeps evidence of all of it — which is exactly what a SOC2 auditor asks you to prove.
How is this different from Vanta or Drata?
Compliance-automation tools check boxes and collect screenshots; they don't change who has access. VanillaOne actually provisions and revokes access — the evidence is real because the operations are real.
And from SailPoint or Saviynt?
Same category, a tenth of the weight. Legacy IGA is a six-month consulting project; VanillaOne connects to your directories — Entra ID, Google Workspace, JumpCloud and more — onboards in minutes with no agents, and is built for 50–1000-person companies.
What does joining the waitlist get me?
Early access as onboarding slots open, direct input into the roadmap, and founding-customer terms when pricing is set. No commitment, no payment details.
What's your own security posture?
Postgres row-level security for tenant isolation, server-side RBAC, SSO login, secrets in AWS Secrets Manager, and least-privilege Graph scopes. The audit log is append-only — including for us.
When can I use it?
The core — identity inventory, connectors, audit log — is running today; reviews, requests and workflows are rolling out to early-access tenants in waves. Waitlist order decides who's next.
Be audit-ready by default.
Join the waitlist — early access opens in waves, founding-customer terms included.