For People & HR

When someone leaves on Friday, their AI access leaves too.

Identity isn't stored in a list someone forgot to update. It's signed into the token itself — and your HRIS revokes it the moment status changes. No 11 PM scramble. No legal letter on Tuesday.

A Thursday in March

Marcus runs People Ops. He used to dread Fridays.

8:42 AM

A senior engineer gives notice.

In the old world: Marcus opens a ticket asking eng to revoke her API keys, prays nothing slips through, manually scans the vendor portal for stale tokens.

Last day, 5:00 PM

Workday flips her status to Inactive.

Visionality's HRIS connector picks it up within minutes. Every token signed to her SSO identity goes 403 sso_caller_mismatch. Permanently. No ticket. No reminder.

The next Monday

No one notices, because nothing happened.

And that is exactly the goal. Marcus exports the offboard audit in two clicks — every key, every revocation, timestamped.

What becomes true

The four things you stop chasing.

The Friday-resignation Slack thread is a one-liner: "Revoked, automatic."

Audit asks who used Claude this quarter — you filter by SSO group, export, done.

A contractor wraps up; their keys evaporate on their last day, not their last paycheck.

Workday says 'cost-center moved' — the AI rollups follow without a meeting.

How it actually works

Identity is in the envelope, not on a server.

Every Visionality virtual key is an HMAC-signed envelope. Inside it: the budget binding, the expiration, and the SSO sub the key was issued to. The gateway verifies all three offline — before any DB lookup — and rejects the request with 403 sso_caller_mismatch if the caller doesn't match.

# Issued to alice@acme.com, bound to her SSO identity
vk_eyJ2IjoxLCJzdWIiOiJhbGljZUBhY21lLmNvbSIsImV4cCI6...

# Every request must include the caller header
curl https://gw.visionality.ai/v1/anthropic/messages \
  -H "x-api-key: $VK" \
  -H "X-Acc-Caller: alice@acme.com" \
  ...

# Anyone else: 403 sso_caller_mismatch — before the LLM sees a token.
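
The offline check described above, sketched as an added example; it is not Visionality's code. The claim names v, sub and exp follow the readable prefix of the sample key, while the signing key, the "budget" field, the "payload.tag" layout and every reason string other than sso_caller_mismatch are assumptions.

```python
import base64, hashlib, hmac, json, time

# Assumptions (not from the page): the signing key, the "budget" field, the
# "<payload>.<tag>" layout, and every reason string except sso_caller_mismatch.
SECRET = b"constructed-demo-signing-key"

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(body: str, key: bytes) -> bytes:
    return hmac.new(key, body.encode(), hashlib.sha256).digest()

def issue(sub: str, exp: int, budget: str, key: bytes = SECRET) -> str:
    claims = {"v": 1, "sub": sub, "exp": exp, "budget": budget}
    body = _b64e(json.dumps(claims, separators=(",", ":")).encode())
    return f"vk_{body}.{_b64e(_mac(body, key))}"

def verify(token: str, caller: str, now=None, key: bytes = SECRET):
    """Return (http_status, reason) using only the token and the key."""
    now = time.time() if now is None else now
    try:
        if not token.startswith("vk_"):
            raise ValueError("missing prefix")
        body, tag = token[3:].split(".")
        given = _b64d(tag)
    except ValueError:
        return 401, "malformed_key"
    # Authenticate first: unauthenticated JSON is never parsed or trusted.
    if not hmac.compare_digest(given, _mac(body, key)):
        return 401, "bad_signature"
    claims = json.loads(_b64d(body))
    if now >= claims["exp"]:
        return 401, "key_expired"
    # The key is only valid for the SSO subject it was issued to.
    if not hmac.compare_digest(caller.encode(), claims["sub"].encode()):
        return 403, "sso_caller_mismatch"
    return 200, "ok"

if __name__ == "__main__":
    vk = issue("alice@acme.com", 2_000_000_000, "constructed-budget")
    for who in ("alice@acme.com", "bob@acme.com"):
        print(who, verify(vk, who, now=1_900_000_000))
```

The payload is encoded, not encrypted, so the sub is readable by whoever holds the key. The example assumes the caller value is set by a component that has already authenticated the user.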

We integrate with the systems that own people.

HRIS-driven identity is the whole point. Your source of truth stays your source of truth.

Okta

SSO source for the signed sub claim

Azure Entra ID

SSO + group membership for project access

Google Workspace

SSO source, alias resolution

BambooHR

Joiners / movers / leavers feed → auto-revoke

Workday

Cost-center mapping for chargeback

Rippling

Department + manager hierarchy for spend rollups

Gusto

Personal-budget assignment by role band

Three other people are asking different questions.

The same row in our ledger answers all four. Pick the door that matches the meeting you're in.