Agentic Offboarding: Discover, Revoke, and Verify All Access
An agent takes a departing employee's name, discovers every SaaS tool they touch across your org, and revokes access in each.
How it runs
The automated pipeline, trigger to output.
- Trigger: Operator starts offboarding for named employee
- Action: Discover access across connected systems (GitHub)
- Action: Revoke discovered Drive and app access (Google Drive)
- Logic: Verify each revocation; loop on still-active
- Action: File signed-off completion report (Confluence)
- Output: Announce completion in IT channel (Slack)
What it does
Hands the full offboarding investigation to an agent. Instead of a fixed checklist, the agent discovers where the employee actually has access — connected apps, repos, shared drives, channels — then revokes each one and independently verifies the seat is gone. It reasons about edge cases like shared service accounts and orphaned tokens that a static flow would miss.
When to use it
Use it when your tool sprawl is too large or too fluid for a hardcoded checklist, or when offboarding senior staff whose access is broad and non-obvious. Best when you want thorough discovery rather than a predetermined list.
How it works
1. An operator triggers the run with the departing employee's identity.
2. The agent enumerates the systems the person has access to by querying connected integrations.
3. For each discovered seat it issues a revocation, then re-queries to confirm the access is actually removed.
4. It loops on anything still active and reasons about why, escalating true blockers.
5. The agent compiles a completion report listing every system, its revocation status, and confirmation timestamp.
6. The report is filed in Confluence and announced in the IT channel.
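The revoke-then-verify loop from steps 2 to 5, as an added example that is not the product's own code. `FakeConnector`, `offboard`, the grant names and the user address are constructed for illustration, and the connector interface (`list_access`, `revoke`) is a hypothetical stand-in for a real integration.

```python
from datetime import datetime, timezone


class FakeConnector:
    """Constructed stand-in for one integration (hypothetical interface)."""

    def __init__(self, name, grants, sticky=()):
        self.name = name
        self._grants = {u: set(g) for u, g in grants.items()}  # user -> access held
        self._sticky = set(sticky)  # grants the revoke call does not actually remove

    def list_access(self, user):
        return sorted(self._grants.get(user, set()))

    def revoke(self, user, grant):
        if grant not in self._sticky:
            self._grants.get(user, set()).discard(grant)
        return True  # reports success either way, which is why a re-query is needed


def offboard(user, connectors, max_attempts=3):
    """Discover, revoke, re-query, and return one report row per grant."""
    report = []
    for conn in connectors:
        for grant in conn.list_access(user):  # discovery, not a fixed checklist
            status, confirmed_at = "escalated", None
            for attempt in range(1, max_attempts + 1):
                conn.revoke(user, grant)
                if grant not in conn.list_access(user):  # independent verification
                    status = "revoked"
                    confirmed_at = datetime.now(timezone.utc).isoformat()
                    break
            report.append({"system": conn.name, "grant": grant, "status": status,
                           "attempts": attempt, "confirmed_at": confirmed_at})
    return report


def run_sample():
    user = "jdoe@example.com"  # constructed sample identity
    connectors = [
        # The token stays active after revoke(), modelling an orphaned token.
        FakeConnector("github", {user: ["repo:platform", "pat:ci-deploy"]},
                      sticky=["pat:ci-deploy"]),
        FakeConnector("google_drive", {user: ["shared-drive:finance"]}),
    ]
    return offboard(user, connectors)


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

A row is marked `revoked` only after the re-query no longer lists the grant; a grant that survives every attempt is reported as `escalated` with no confirmation timestamp.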
Set it up
What you configure once, before turning it on.
1. Connect GitHub: Repos, issues, pull requests, actions.
2. Connect Google Drive: Docs, sheets, slides, files.
3. Connect Slack: Channels, DMs, threads, mentions.
4. Connect Confluence: Spaces, pages, blueprints.
5. Set each agent's model: We leave models unset so you pick the tier — fast + cheap, or top-quality.
6. Tune it to your data: Edit the prompts, filters, and field mappings so it matches how your team works.
7. Test, then turn it on: Run once against a sample, confirm the output, then enable the trigger.
