Offboarding in fifteen seconds, not five days.
An AI-native IAM orchestrator. One Slack message revokes access across Okta, Microsoft 365, Google Workspace, Slack, GitHub, Zoom and Salesforce — cryptographically signed, policy-gated, and logged to a tamper-evident audit chain.
The bill for a manual offboarding.
Six portals. Four HR tickets. A checklist in Notion that nobody reads. Licenses still billing weeks after someone walked out the door. It's a tax you pay every time a contract ends.
Industry baseline for a single manual IT offboarding — labour only, no license waste.
IT + HR coordination across disconnected admin consoles, per departing employee.
Typical window between a termination notice and the last portal finally revoked.
Portals that produce a tamper-evident, SOC 2-ready audit trail out of the box.
Five stages. One signed decision. No orphaned sessions.
Gatekeeper
Natural-language intake from Slack, Teams, a webhook, or an HR ticket. Gemini distills the raw text into a structured IntentPacket with a confidence score.
Metadata
Parallel lookups against HRIS (BambooHR, Workday, Rippling), your asset system, and every connected portal to confirm: is this person really terminated, and what do they still own?
Risk
Signals combine into a deterministic score: privileged account, production ownership, HRIS disagreement, recency, dollar value. Above 0.75 it routes to human-in-the-loop (HITL) review; above 0.95 it blocks.
Policy (OPA)
Open Policy Agent evaluates every decision against your tenant's Rego. Allowed actions are then signed with a per-tenant key so the Doer Agent never executes an unsigned packet.
Doer Agent
Fetches a 60-second JIT credential from Vault, calls each portal's API in parallel, and writes a SHA-256-chained event to the Zero-Trust WORM ledger. Any failure rolls forward to the dead-letter queue (DLQ).
The second somebody walks out the door, the meter stops.
Most platforms charge by seat and bill in arrears. Every day a stale account lingers is a day of billed license you didn't need. Here is what a single offboarding reclaims, on the exact stack your team already pays for.
| Portal | Tier assumed | Monthly |
|---|---|---|
| Microsoft 365 | E3 | $36.00 |
| Okta | Workforce SSO | $8.00 |
| GitHub | Enterprise Cloud | $21.00 |
| Slack | Business+ | $12.50 |
| Zoom | Pro | $15.99 |
| Salesforce | Platform · 30d grace | $150.00 |
| Total / month reclaimed | deferred 30d | $243.49 |
Autonomy, but not a black box.
Every automated IAM tool on the market either runs on rails (dashboards + checklists) or dispatches opaque agents that you're asked to trust. We reject the second and improve on the first.
Every action passes OPA.
Rego policies are code you own. Allow, deny, require-HITL, block — the decision is explicit and versioned. Every packet the executor receives is signed; unsigned packets fail closed.
The risky 5% routes to an approver.
High-risk offboardings — privileged accounts, production owners, HRIS disagreement — fire a one-time approval link to your security team. One-click approve or reject, with cryptographic attribution.
Tamper-evident by design.
Every decision, every execution, every credential lease emits a SHA-256-chained event to a write-once ledger. SOC 2, SOX and ISO 27001 auditors verify the chain themselves — you don't have to trust us.
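How an auditor could check a SHA-256-chained ledger like the one described above, as an added example that is not the product's own code. The entry layout, the all-zero genesis value and the function names are assumptions, since the page gives no record format. The `expected_head` argument shows why the last hash has to be recorded independently (the job the write-once store does here): the chain alone does not reveal tail truncation or a full rewrite.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed prev_hash for the first entry


def entry_hash(prev_hash: str, event: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same event always hashes the same.
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append(ledger: list, event: dict) -> None:
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"prev_hash": prev, "event": event, "hash": entry_hash(prev, event)})


def first_broken_link(ledger: list, expected_head: Optional[str] = None) -> Optional[int]:
    """Index of the first entry that fails verification, or None if the chain is intact.

    expected_head is the last hash as recorded somewhere the ledger writer cannot change.
    Without it, tail truncation and a full recomputation of the chain go unnoticed.
    """
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev_hash"] != prev or entry["hash"] != entry_hash(prev, entry["event"]):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(ledger)  # internally consistent, but not the chain that was witnessed
    return None


def build_sample_ledger() -> list:
    # Constructed sample events; field names are illustrative only.
    ledger: list = []
    for event in (
        {"type": "policy_decision", "subject": "user-1001", "result": "allow"},
        {"type": "credential_lease", "portal": "okta", "ttl_s": 60},
        {"type": "execution", "portal": "okta", "action": "deactivate", "status": "ok"},
    ):
        append(ledger, event)
    return ledger
```

An edited or deleted entry is reported at its own index; a return value equal to `len(ledger)` means every link checks out but the final hash differs from the independently recorded one.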
The IAM surface area, in one place.
First-class connectors for the systems most teams live in. Generic SCIM and webhook adapters for the rest. Nothing Playwrighted unless a vendor refuses to ship an API.
Three pilot spots. Free for ninety days.
We onboard one company every two weeks. You connect your HRIS and top three portals. We run offboardings end-to-end with your security team approving the risky ones. After three months you pay or you walk — no clawback.