01
Exit event from HRMS, IdP, or manual trigger
Exit event from HRMS, IdP, or manual trigger
PRODUCT · LEAVER PATH
When they leave, access leaves with them.
The moment a termination shows up in your HR system, KINT revokes every account, every app, every session. Median runtime: 47 seconds.
KINT runtime
Instant Offboarding
The same governed runtime handles source events, app actions, audit evidence, retries, and replay.
Source event
received
Policy
approved
Evidence
signed
PROOF PATH
How KINT closes access.
02
Policy engine checks connector readiness and approvals
Policy engine checks connector readiness and approvals
03
Sessions revoked, seats released, group memberships removed
Sessions revoked, seats released, group memberships removed — in parallel
04
Browser automation handles apps without APIs; evidence captured
Browser automation handles apps without APIs; evidence captured
WHAT IT HANDLES
Built for the real access path.
KINT covers the whole route from source truth to app action: employee data, policy rules, connector readiness, approvals, evidence, and replay stay in one governed path.
Source truth
Governed action
Audit evidence
API revocation: Google Workspace, Microsoft 365, Slack, GitHub, Jira, Zoom, and 150+ more
Browser revocation for apps without APIs: Adobe Admin Console, Figma, Canva, Navan
Session termination — not just suspension. Active sessions killed, refresh tokens expired
License reclamation — freed seat flagged for reuse, not silently re-billed
HOW IT WORKS UNDER THE HOOD
What "47 seconds" actually means.
T+0s Termination event received from HRMS webhook T+3s Policy check passed · approval recorded · idempotency key issued T+8s Google Workspace · user suspended · sessions terminated T+14s Slack · user deactivated · DMs preserved per retention policy T+22s GitHub · org access revoked · personal repos transferred per rules T+31s Adobe Creative Cloud · browser automation · license released T+38s Jira · user deactivated · ticket ownership transferred to manager T+47s Evidence packet signed · SOC 2 CC6.1 + CC6.2 mapping complete
If a step fails — provider rate-limit, expired token, API outage — KINT retries with exponential backoff and surfaces the failure to the operator. Replays are idempotent: a re-run never double-revokes or double-creates.