Live demo · Same heuristics as the CLI · 100% in-browser

Upload a roster. See who still has the keys.

This demo runs the same 7 ghost-account heuristics that ship in @tenet/offboarding-audit. Nothing you upload or paste here leaves this browser tab. No network call. No logging. We don’t keep it, because we can’t — it never reaches our servers. The live demo is deliberately the same code path as the CLI so your CISO can read the source and sign off.

  • critical · H03 · risk 99 · P1 · grace.yamamoto@demo-co.example

    terminated employee holds admin access to 5 high-sensitivity apps

    apps: aws_admin, aws_iam, github_org_admin, okta_admin, snowflake

  • critical · H07 · risk 97 · P1 · grace.yamamoto@demo-co.example

    terminated employee role_level=admin — NYDFS 23 NYCRR 500 72-hour revocation line crossed

    apps: aws_admin, aws_iam, github_org_admin, okta_admin, snowflake

  • critical · H07 · risk 97 · P1 · boris.kowalski@demo-co.example

    terminated employee role_level=super_admin — NYDFS 23 NYCRR 500 72-hour revocation line crossed

    apps: aws_iam, okta_admin, slack

  • high · H02 · risk 95 · P2 · grace.yamamoto@demo-co.example

    terminated 258 days ago, still in 5 apps

    apps: aws_admin, aws_iam, github_org_admin, okta_admin, snowflake

  • high · H02 · risk 95 · P2 · priya.iyer@demo-co.example

    terminated 301 days ago, still in 4 apps

    apps: chatgpt_enterprise, cursor, github, slack

  • critical · H03 · risk 95 · P1 · tina.wolfe@demo-co.example

    terminated employee holds admin access to 3 high-sensitivity apps

    apps: okta_admin, salesforce_admin, workday_admin

  • critical · H03 · risk 90 · P1 · boris.kowalski@demo-co.example

    terminated employee holds admin access to 2 high-sensitivity apps

    apps: aws_iam, okta_admin

  • high · H02 · risk 85 · P2 · yasmin.barnes@demo-co.example

    terminated 189 days ago, still in 3 apps

    apps: claude, gemini_workspace, slack

  • high · H02 · risk 80 · P2 · khadija.ahmed@demo-co.example

    terminated 164 days ago, still in 3 apps

    apps: claude_enterprise, salesforce, slack

  • high · H06 · risk 80 · P2 · noah.peralta@demo-co.example

    contractor end-date was 184 days ago, 3 apps still active

    apps: github, github_copilot, slack

  • high · H02 · risk 75 · P2 · cassandra.patel@demo-co.example

    terminated 120 days ago, still in 4 apps

    apps: chatgpt_enterprise, github, gmail, slack

  • high · H02 · risk 75 · P2 · tina.wolfe@demo-co.example

    terminated 137 days ago, still in 3 apps

    apps: okta_admin, salesforce_admin, workday_admin

  • high · H04 · risk 73 · P1 · priya.iyer@demo-co.example

    terminated employee retains 2 AI tool grants — EU AI Act Article 26 operator record at risk

    apps: chatgpt_enterprise, cursor

  • high · H04 · risk 73 · P1 · yasmin.barnes@demo-co.example

    terminated employee retains 2 AI tool grants — EU AI Act Article 26 operator record at risk

    apps: claude, gemini_workspace

  • high · H02 · risk 70 · P2 · boris.kowalski@demo-co.example

    terminated 102 days ago, still in 3 apps

    apps: aws_iam, okta_admin, slack

  • high · H04 · risk 69 · P1 · cassandra.patel@demo-co.example

    terminated employee retains 1 AI tool grant — EU AI Act Article 26 operator record at risk

    apps: chatgpt_enterprise

  • high · H04 · risk 69 · P1 · khadija.ahmed@demo-co.example

    terminated employee retains 1 AI tool grant — EU AI Act Article 26 operator record at risk

    apps: claude_enterprise

  • high · H01 · risk 60 · P2 · grace.yamamoto@demo-co.example

    terminated employee retains access to 5 apps

    apps: aws_admin, aws_iam, github_org_admin, okta_admin, snowflake

  • high · H01 · risk 57 · P2 · cassandra.patel@demo-co.example

    terminated employee retains access to 4 apps

    apps: chatgpt_enterprise, github, gmail, slack

  • high · H01 · risk 57 · P2 · priya.iyer@demo-co.example

    terminated employee retains access to 4 apps

    apps: chatgpt_enterprise, cursor, github, slack

  • medium · H05 · risk 55 · P3 · georgia.mbeki@demo-co.example

    on leave 276 days with role_level=admin

    apps: okta_admin, salesforce_admin, slack

  • high · H01 · risk 54 · P2 · khadija.ahmed@demo-co.example

    terminated employee retains access to 3 apps

    apps: claude_enterprise, salesforce, slack

  • high · H01 · risk 54 · P2 · tina.wolfe@demo-co.example

    terminated employee retains access to 3 apps

    apps: okta_admin, salesforce_admin, workday_admin

  • high · H01 · risk 54 · P2 · yasmin.barnes@demo-co.example

    terminated employee retains access to 3 apps

    apps: claude, gemini_workspace, slack

  • high · H01 · risk 54 · P2 · boris.kowalski@demo-co.example

    terminated employee retains access to 3 apps

    apps: aws_iam, okta_admin, slack

Employees scanned: 10

Findings: 25 (5 critical · 19 high)

Latency: 11.69 ms. Entirely in-browser. No network call.

Rule coverage: 7 rules active (H01–H07 across ghost, shadow-AI, admin, contractor)

By severity: critical × 5 · high × 19 · medium × 1

Running this in production

Install the CLI in 10 seconds.

    # Run instantly against the bundled demo
    npx -y https://tenet.grindworks.ai/tenet-offboarding-audit-0.1.0.tgz --demo

    # Audit your own roster
    npx -y https://tenet.grindworks.ai/tenet-offboarding-audit-0.1.0.tgz employees.csv

Zero network calls. Hash-only audit log at ~/.tenet/audit.jsonl — SHA-256 digests only, never plaintext employee data. That log is the artifact a CCPA / CPRA / NY SHIELD / Colorado AI Act / EU AI Act Article 26 auditor asks for.

→ Full install + heuristic catalog + compliance mapping

Ready for 40+ SaaS connectors + per-subject DSAR export?

The open-source CLI is the starting point. The hosted product reads directly from Rippling, BambooHR, Workday, Okta, Microsoft Entra, Google Workspace — SCIM + API write-back across 40+ mid-market SaaS apps, shadow-AI discovery via email telemetry + finance signal + browser telemetry, and one-click evidence export for CCPA, CPRA, NY SHIELD, Colorado AI Act, Virginia CDPA, Connecticut CTDPA, Texas TDPSA, EU AI Act Article 26, and SOC 2 Type II CC6.2.

Join the design-partner waitlist →