⚠️ Select your experience
The steps depend on your interface version. Select a link to skip to the instructions for your version.
Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.
Instructions for the New Experience ⬇️
Personnel exclusions allow you to exclude specific compliance checks for selected personnel while keeping those users included in audit scope. This helps document approved deviations, temporary gaps, or accepted risks without removing personnel from compliance monitoring entirely.
Before you begin
Review the following before creating personnel exclusions:
Workspace scope: Personnel exclusions only apply to your primary workspace in Drata.
Devices cannot be excluded individually. You can exclude a personnel record from device compliance checks, which applies to all of that person's devices.
Sync timing: New and updated exclusions take effect on the next Autopilot sync.
Understand personnel exclusions
Personnel exclusions let you exclude certain test requirements for a person while keeping that person included in audit scope. Use personnel exclusions when a requirement applies generally but does not apply to a specific individual or role.
When you create a personnel exclusion:
You can apply it indefinitely or for a defined time range
Drata records a business rationale for audit review
Auditors can review exclusion reasons and durations in audit exports
Example scenario
Alex is a contractor who supports internal tooling.
Alex has access to company systems
Alex does not access customer data
Alex uses a personal device that the company does not manage
If Alex should remain included in the audit, but a device management requirement does not apply, create a personnel exclusion for that requirement. Alex stays in scope, and all other applicable checks continue to apply.
Step 1: Start creating the exclusion
Go to the Governance > Personnel page. You can start an exclusion in either of the following ways:
Select Create exclusion on the Personnel page, or
Select one or more users, then select Actions > Create exclusion
If you start by selecting users, Drata automatically sets the personnel grouping to Custom personnel and pre-fills the selected users.
Step 2: Select the personnel grouping
Choose how Drata applies the exclusion:
Custom personnel: Apply the exclusion to specific users
Status or group: Apply the exclusion based on employment status or IdP group
All personnel – all time: Apply the exclusion to all personnel indefinitely
When you apply an exclusion by status or group, Drata creates a separate exclusion for each applicable user. Drata automatically updates exclusions as personnel join or leave the selected status or group.
Step 3: Select compliance checks to exclude
Choose the checks that do not apply to the selected personnel. Common examples include:
Acknowledged Policies
Antivirus
Auto Updates
Background Check
Disk Encrypted
HIPAA Training
Identity MFA
Lock Screen
AI Awareness Training
Offboarding Evidence
Password Manager
Security Training
Select only the checks that require an approved exception.
💡 Note on excluding personnel from MFA checks:
To exclude a personnel record from the MFA on Identity Provider check, select Identity MFA. Use this when the person is exempt from your IdP MFA policy (for example, a contractor without an IdP account, or a service account).
For more information, refer to Test 86: MFA on Identity Provider.
Step 4: Set the exclusion duration and reason
Choose how long the exclusion applies:
Indefinite: The exclusion remains active until archived
Custom: Select a start and end date
Enter a business rationale for the exclusion. Drata includes this reason in audit download packages if the personnel is sampled.
Step 5: Confirm and save
Review the exclusion details.
Select the confirmation checkbox.
Select Save.
Drata applies the exclusion during the next sync and updates.
View, edit, or archive personnel exclusions
You can view exclusions in the following ways:
Open the Active exclusions tab to view all current exclusions, or
Select a personnel record and scroll to review the requirements (compliance checks) that were excluded.
Edit a personnel exclusion
To edit an exclusion:
Open the Active exclusions tab on the Personnel page.
Select the exclusion you want to update.
In the modal, update the requirements, duration, or reason.
Save your changes. Drata applies the update on the next Autopilot sync.
Archive personnel exclusions
Archive an exclusion when it no longer applies.
To archive a single exclusion:
Open the Active exclusions tab on the Personnel page.
Select the exclusion.
Select Archive.
To archive in bulk:
Open the Active exclusions tab on the Personnel page.
Select the exclusions you want to archive.
Select Actions > Archive.
⚠️ Archiving cannot be undone. If you need the same exclusion again, create a new one.
Exclusions with a custom duration are auto-archived once the duration ends. To view archived exclusions, change the filter to Archived.
View exclusions in your tests
Personnel exclusions appear in the monitored tests that correspond to the excluded compliance check (for example, an Identity MFA exclusion appears in Test 86: MFA on Identity Provider).
When viewing a test:
The Excluded list shows each excluded personnel and how long they've been excluded.
You cannot add or remove personnel directly from the test. To change who is excluded, edit the exclusion on the Active exclusions tab on the Personnel page.
Instructions for the Classic Experience ⬇️
HERE'S WHY
Managing your personnel audit scope is an important part of maintaining your compliance. Exclusions play a critical role in tailoring compliance management to your organization's specific needs, allowing flexibility while maintaining compliance integrity. As your organization's personnel change over time, that audit scope can also change. We want to equip you with all the tools you need to accommodate your personnel audit needs within Drata.
HERE'S HOW
Before Diving In…
You can no longer modify the included and excluded personnel list in the test drawer for all monitored tests that correspond to a personnel compliance check. To modify this, please go to the personnel page and view the exclusions tab.
Personnel exclusions will only apply to your primary workspace in Drata.
When creating an exclusion, you can select multiple applicable personnel. However, when saved, Drata will track the exclusion for each applicable personnel separately. The exclusions can be viewed from the personnel details or in the exclusions tab in the personnel page. This way you are able to create exclusions in bulk and modify them on a per-personnel basis.
You can create as many exclusions as you'd like for any personnel.
If there are multiple active exclusions for a personnel with the same compliance check(s), Drata will only apply the most recently created active exclusion. Once that one has been archived or is inactive, Drata will apply the subsequent exclusion.
If an exclusion has a custom duration, it will only be applied for that specified time frame.
Devices cannot be individually excluded in Drata. The device compliance checks across all devices for that personnel can be excluded.
While devices cannot be individually excluded in Drata, specific AWS assets can be excluded from syncing by using the 'DrataExclude' tag in AWS.
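The precedence rules in the list above (the most recently created active exclusion wins, and a custom-duration exclusion applies only inside its date range) can be modeled as follows to check which of several overlapping exclusions is in effect on a given day. This is an added example, not Drata's code or API; the record fields, the inclusive end date, and the sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional


@dataclass(frozen=True)
class Exclusion:
    # Hypothetical record shape; field names are assumptions, not a Drata schema.
    person: str
    checks: frozenset
    created_at: datetime
    reason: str
    start: Optional[date] = None   # start and end both None = indefinite
    end: Optional[date] = None     # treated as inclusive (assumption)
    archived: bool = False

    def active_on(self, day: date) -> bool:
        """Active means not archived and, for custom durations, inside the range."""
        if self.archived:
            return False
        if self.start is not None and day < self.start:
            return False
        if self.end is not None and day > self.end:
            return False
        return True


def effective_exclusion(exclusions, person, check, day):
    """Return the exclusion applied to (person, check) on `day`, or None."""
    candidates = [e for e in exclusions
                  if e.person == person and check in e.checks and e.active_on(day)]
    # Most recently created active exclusion wins; older ones are the fallback.
    return max(candidates, key=lambda e: e.created_at, default=None)


# Constructed sample data for illustration only.
SAMPLE = [
    Exclusion("alex", frozenset({"Disk Encrypted", "Antivirus"}),
              datetime(2026, 1, 5, 9, 0),
              "Unmanaged personal device; no customer data access"),
    Exclusion("alex", frozenset({"Disk Encrypted"}),
              datetime(2026, 3, 1, 14, 0), "Laptop replacement in progress",
              start=date(2026, 3, 1), end=date(2026, 3, 31)),
    Exclusion("alex", frozenset({"Identity MFA"}),
              datetime(2026, 2, 1, 10, 0), "No IdP account", archived=True),
]
```

With the sample records, the newer custom-duration exclusion governs Disk Encrypted during March, and the older indefinite one takes over again once that range ends.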
Create an exclusion:
Create an exclusion from your personnel list
On the personnel list page, select the personnel you want to exclude. Click Actions, then click Create Exclusion.
Confirm the applicable personnel for the exclusion. You can search through your personnel list and add any others you'd like to exclude.
Fill out the exclusion settings
Select the compliance checks the exclusion should contain. The selected checks will appear below the selector and can be edited.
Set the duration of this exclusion. By default, the duration will be indefinite. You can select Custom instead and select a range of dates. You cannot apply an exclusion to the past.
Enter a reason you are creating the exclusion. This reason will appear in the audit download if the personnel is sampled.
Once you check the box to confirm the details, you can click Save. On the next Autopilot sync, the applicable personnel's compliance, test data, and control data will be updated with the exclusion.
Create an exclusion from the exclusions tab in the personnel page:
Click on the Exclusions tab in the personnel page, click on Actions, and then click Create exclusion.
Follow the steps above to fill out the exclusion details.
Create an exclusion for personnel in your IdP group or by employment status:
When you are creating an exclusion, select Status or group for the personnel grouping in Applicable personnel. You can then type and/or multi select an IdP group and/or employment status for the exclusion.
Once you save the exclusion, a separate exclusion with the same settings will be created for each group or status selected. These can be modified at any time as well.
On a daily basis, Drata will enforce the exclusion based on who is part of that group or status. For example, if someone is added to or removed from that group or status, the exclusion will automatically behave accordingly.
Creating an exclusion for All personnel all time
When you are creating an exclusion, select All personnel – all time for the personnel grouping in Applicable personnel.
Once this exclusion is saved, Drata will apply this exclusion to all personnel all time in your account for the specified settings. This exclusion can be modified at any time as well.
View an exclusion:
An exclusion icon on the personnel table will be shown for the compliance checks that the personnel has been excluded from.
You can also view the exclusion in the personnel details.
If you click on the exclusion, the details for the applied exclusion will be shown. You can edit the exclusion settings for an active exclusion (compliance checks, duration, and reason) at any time by clicking on Edit. Changes will be synced next time Autopilot runs.
You can view all exclusions in the Exclusions tab in the personnel page. You can click on an exclusion to view the details and edit the settings at any time. Changes will be synced next time Autopilot runs.
You can also filter exclusions in the exclusions table by compliance check by clicking on the "All compliance checks" dropdown.
You can also search exclusions by the applicable personnel in the Search bar.
Viewing exclusions in your tests:
Personnel exclusions will be applied to the tests that correspond to the excluded compliance checks. When viewing a test, you cannot modify the included or excluded list. To modify this list, please visit the exclusions table to modify or create an exclusion.
When viewing the Excluded list, you can see how long that person has been excluded for.
Archive an exclusion:
Go to the Exclusions tab in the personnel page and click on the archive icon at the right of the exclusion. Archiving an exclusion cannot be undone. Once archived, the personnel's compliance checks, associated tests, and control data will be updated next time Autopilot runs.
To view archived exclusions, change the filter to Archived.
If you set a custom duration for an exclusion, Drata will auto-archive the exclusion once that duration has completed.
To archive exclusions in bulk, select the exclusions you want to archive, and then click the Actions button and then select Archive Exclusion. Note: this cannot be undone.




