Using Vanta for User Access Reviews: Experience and Strategy Tips

May 27, 2026

Vanta is one of the most widely adopted compliance automation platforms, and access reviews are a core part of its SOC 2 and ISO 27001 workflows. But practitioners who've been through an audit using Vanta for access reviews often discover that Vanta's role in the process is different from what they expected — and that getting to audit-ready evidence requires more than Vanta's native capabilities.

Here's what the experience actually looks like, and the strategies that produce reviews auditors accept.

What Vanta Does Well and Where It Falls Short

Vanta excels as a compliance dashboard and evidence repository. It gives you visibility into your SOC 2 controls posture, tracks which controls are passing and failing, and provides a central place where auditors can review your evidence. For teams that were previously managing compliance in spreadsheets and shared drives, Vanta's structure alone is a significant improvement.

For access reviews specifically, Vanta's native capability is lighter than many teams expect. The workflow is relatively simple: Vanta surfaces a list of users with access to connected applications, reviewers confirm or remove access, and Vanta records that the review happened.

The limitation that practitioners consistently hit is what gets described as the "screenshot problem": Vanta's evidence for an access review is often the fact that a review was completed within the platform, rather than a detailed, reviewable record of individual decisions, justifications, and remediation confirmation. This satisfies the surface-level requirement — a review happened — but doesn't satisfy auditors who look carefully at whether the review was meaningful, whether any access was actually revoked, and whether there's a closed-loop record of what changed.

A second limitation is visibility. Vanta knows about the applications you've connected to it. It doesn't surface applications employees are using that weren't formally onboarded — the SaaS tools purchased by departments, the vendor portals with local authentication, the AI tools employees have connected to company data. A Vanta-based access review covers your known application estate, not your actual application estate.

The Strategy That Works: Vanta as Evidence Destination, Not Review Engine

The most common approach among practitioners who've been through SOC 2 audits with Vanta is to separate the review process from the evidence collection:

Run the actual access review in a dedicated governance tool — one that handles reviewer assignment, tracks individual decisions with timestamps and justifications, automates deprovisioning when access is revoked, and generates a non-editable PDF certification report at campaign close. Export that PDF into Vanta as the evidence that the review occurred.

This works because the PDF from a purpose-built review platform contains the detail that auditors actually look for: who reviewed, when, what decision was made for each record, what justification was provided, and whether revoked access was actually removed. Uploading this into Vanta gives auditors a complete evidence package through a tool they're already reviewing.

The Vanta integration workflow practitioners request most often is automated: when a certification concludes in the IGA platform, the PDF evidence automatically flows into Vanta without requiring a manual upload step. Until that integration exists natively, the manual export-and-upload process is the practical workaround.

Strategy Tips for Access Reviews That Hold Up in Audits

Close the Visibility Gap Before You Review

The biggest risk in Vanta-centered access reviews is that you review the applications Vanta knows about and leave unreviewed access in the applications it doesn't. For most organizations, this represents a significant portion of actual application usage — tools adopted independently by departments, applications connected to company data through personal accounts, legacy systems that predate SSO integration.

Before your review cycle begins, confirm that your application inventory is complete — not just the applications formally connected to Vanta or your identity provider, but the actual tools in use across your organization. Discovery mechanisms that pull from financial expense data, browser launch activity, and HRMS data surface what SSO logs miss. An access review based on an incomplete inventory is an incomplete access review, regardless of how well the review itself is conducted.

Use Activity Data to Prevent Rubber-Stamping

Reviewers who see a list of names without context approve everything. This produces evidence that a review occurred and no evidence that the review was meaningful — a pattern that experienced auditors recognize and probe.

Providing reviewers with last login dates and access frequency data for each record changes the dynamic. A user who hasn't logged into an application in 45 days is a specific, actionable revocation candidate. A user who logs in daily is not. Surfacing this context in the review interface is what enables reviewers to make real decisions rather than working through a list they don't have the information to evaluate.

Implement the Maker-Checker Model

Vanta-connected reviews often surface access data from the same identity provider that granted the access in the first place — Okta or Entra ID confirms what Okta or Entra ID knows about. This creates a conflict for access reviews: the system confirming the review is the same system that made the original access decision.

Auditors increasingly look for independence between access granting and access certification. Using your IdP as the "maker" — the system that grants and enforces access — and a separate governance layer as the "checker" — a neutral system that periodically certifies whether granted access remains appropriate — satisfies this independence requirement. The governance layer's review is independent of the IdP's original decision, which is what gives the certification its value.

Close the Loop Between Review and Remediation

This is the most commonly cited gap in Vanta access review evidence: the review shows that access was marked for revocation, but there's no evidence that access was actually removed.

Auditors following up on access review evidence will ask: for the users whose access was flagged for removal, how do you know it was removed? A review workflow where Revoke decisions automatically trigger deprovisioning via API produces a run log that maps each decision to the corresponding system action — timestamped, attributable, and complete. A review workflow where Revoke decisions produce a list that someone works through later produces a gap that's hard to close after the fact.

If you can't automate deprovisioning for some systems, governed manual tasks with assigned owners, deadlines, and required completion confirmation provide the same audit trail for human-executed removals.
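As an added example, not Vanta's code nor any IGA vendor's, here is a small Python check over a constructed review campaign that flags the two gaps the sections above describe: Keep decisions on accounts idle past the 45-day threshold (rubber-stamp candidates) and Revoke decisions with no confirmed removal in the run log (an open loop). The record fields, the sample decisions and the run-log format are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

STALE_DAYS = 45  # article's threshold: no login in 45 days makes a record a revocation candidate

@dataclass
class Decision:  # one reviewer decision per user/app record, with its justification
    user: str
    app: str
    reviewer: str
    decided_at: datetime
    decision: str  # "Keep" or "Revoke"
    justification: str
    last_login: Optional[datetime]  # None = never logged in

@dataclass
class RunLogEntry:  # one confirmed removal: API deprovisioning or a closed manual task
    user: str
    app: str
    actor: str
    completed_at: datetime

def stale_approvals(decisions, as_of, stale_days=STALE_DAYS):
    """Keep decisions on accounts idle for stale_days or more: likely rubber-stamps."""
    cutoff = as_of - timedelta(days=stale_days)
    return [d for d in decisions
            if d.decision == "Keep" and (d.last_login is None or d.last_login <= cutoff)]

def open_revocations(decisions, run_log):
    """Revoke decisions with no matching removal logged after the decision: the loop is open."""
    return [d for d in decisions if d.decision == "Revoke" and not any(
        e.user == d.user and e.app == d.app and e.completed_at >= d.decided_at for e in run_log)]

# Constructed sample campaign (not real data): four records, one confirmed removal.
AS_OF = datetime(2026, 3, 31)
DECISIONS = [
    Decision("alice", "aws", "mgr1", datetime(2026, 3, 10), "Keep", "daily user", datetime(2026, 3, 9)),
    Decision("bob", "aws", "mgr1", datetime(2026, 3, 10), "Keep", "looks fine", datetime(2025, 12, 1)),
    Decision("carol", "aws", "mgr1", datetime(2026, 3, 10), "Revoke", "left team", datetime(2026, 1, 5)),
    Decision("dave", "crm", "mgr2", datetime(2026, 3, 11), "Revoke", "role change", None),
]
RUN_LOG = [RunLogEntry("carol", "aws", "iga-api", datetime(2026, 3, 10, 0, 5))]

def campaign_gaps(decisions=DECISIONS, run_log=RUN_LOG, as_of=AS_OF):
    """What an auditor asks for: idle-but-kept accounts and revocations not confirmed removed."""
    return {"stale_keeps": [(d.user, d.app) for d in stale_approvals(decisions, as_of)],
            "open_revokes": [(d.user, d.app) for d in open_revocations(decisions, run_log)]}
```

Run against a real campaign export, an empty result for both lists is the closed-loop evidence the auditor is asking for; anything in `open_revokes` needs a run-log entry or a closed manual task before the report is finalized.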

Time Your Reviews to Complete Within the Quarter

The timing mistake that produces evidence gaps is generating the review list on the last day of the quarter and expecting to complete the review, remediation, and evidence finalization in the first two weeks of the following quarter. When the evidence report is dated after the quarter ends, some auditors question whether the access state it documents reflects the quarter's close.

Starting the review three to four weeks before quarter end gives reviewers time to complete their decisions, leaves a week for remediation to be executed and confirmed, and ensures the evidence report is finalized while the quarter is still active. The report is then dated within the period it covers, which is cleaner evidence for the auditor reviewing it in Vanta.

Configure Multi-Level Reviews for High-Risk Applications

For applications that carry elevated risk — financial systems, AWS accounts, applications containing sensitive customer data or ePHI — a single-level manager review may not satisfy auditors who expect stronger governance for high-risk access.

Configuring sequential multi-level reviews — where the direct manager reviews first, followed by the application owner or security team for final sign-off — provides the additional oversight layer that high-risk applications warrant. The evidence from a two- or three-level review is more defensible than a single-level review for systems where access decisions carry material compliance risk.

What Auditors Are Actually Looking For in Vanta

When a SOC 2 auditor reviews your access review evidence in Vanta, the questions they're answering are: Did a review happen? Who reviewed? What did they decide for each record? Was revoked access actually removed? And does the timing of the review evidence align with the review period?

Native Vanta evidence answers the first two questions reliably. For the others, the detail depends on how the review was conducted and what evidence was exported into Vanta. The gap between a review that technically happened in Vanta and a review that produces evidence sufficient for a detailed audit examination is what the strategy above is designed to close.

Organizations that consistently pass access review controls in SOC 2 audits using Vanta are typically not relying on Vanta as the review engine — they're using Vanta as the compliance dashboard that receives evidence from a review process that's more rigorous than Vanta's native workflow supports.