Skip to main content

Personnel exclusions (New experience)

Use this article to create and manage personnel exclusions in the new experience.

Updated this week

💡 Still using the classic Drata experience? Refer to Personnel Exclusion for the original UI.

Personnel exclusions allow you to exclude specific compliance checks for selected personnel while keeping those users included in audit scope. This helps document approved deviations, temporary gaps, or accepted risks without removing personnel from compliance monitoring entirely.

Understand personnel exclusions

Personnel exclusions let you exclude certain test requirements for a person while keeping that person included in audit scope. Use personnel exclusions when a requirement applies generally but does not apply to a specific individual or role.

When you create a personnel exclusion:

  • You can apply it indefinitely or for a defined time range

  • Drata records a business rationale for audit review

  • Auditors can review exclusion reasons and durations in audit exports

Example scenario

Alex is a contractor who supports internal tooling.

  • Alex has access to company systems

  • Alex does not access customer data

  • Alex uses a personal device that the company does not manage

If Alex should remain included in the audit, but a device management requirement does not apply, create a personnel exclusion for that requirement. Alex stays in scope, and all other applicable checks continue to apply.

Create a personnel exclusion

Use the Personnel page to create exclusions for one or more users.

Create personnel exclusion model

Step 1: Start creating the exclusion

Select Governance > Personnel page. You can start an exclusion in either of the following ways:

  1. Select Create exclusion on the Personnel page, or

  2. Select one or more users, then select Actions > Create exclusion

    • If you start by selecting users, Drata automatically sets the personnel grouping to Custom personnel and pre-fills the selected users.

Personnel page with the create exclusion buttons showing

Step 2: Select the personnel grouping

Choose how Drata applies the exclusion:

  • Custom personnel: Apply the exclusion to specific users

  • Status or group: Apply the exclusion based on employment status or IdP group

  • All personnel – all time: Apply the exclusion to all personnel indefinitely

When you apply an exclusion by status or group, Drata creates a separate exclusion for each applicable user. Drata automatically updates exclusions as personnel join or leave the selected status or group.

Step 3: Select compliance checks to exclude

Choose the checks that do not apply to the selected personnel. Common examples include:

  • Acknowledged Policies

  • Antivirus

  • Auto Updates

  • Background Check

  • Disk Encrypted

  • HIPAA Training

  • Identity MFA

  • Lock Screen

  • AI Awareness Training

  • Offboarding Evidence

  • Password Manager

  • Security Training

Select only the checks that require an approved exception.

Step 4: Set the exclusion duration and reason

Choose how long the exclusion applies:

  • Indefinite: The exclusion remains active until archived

  • Custom: Select a start and end date

Enter a business rationale for the exclusion. Drata includes this reason in audit download packages if the personnel is sampled.

Step 5: Confirm and save

  1. Review the exclusion details.

  2. Select the confirmation checkbox.

  3. Select Save.

Drata applies the exclusion during the next sync and updates.

View, edit, or archive personnel exclusions

You can view exclusions in the following ways:

  • Open the Active exclusions tab to view all current exclusions, or

  • Select a personnel record and scroll to review the requirements (compliance checks) that were excluded.

Edit a personnel exclusion

To edit an exclusion:

  1. Find and select the exclusions you want to update.

  2. In the modal that appears, update the exclusion details (such as requirements, duration, or reason).

  3. Save your changes.

Drata applies updates during the next Autopilot sync.

Archive personnel exclusions

Archive an exclusion when it no longer applies.

To archive exclusions:

  1. Open the Active exclusions tab.

  2. Select the exclusions you want to archive.

  3. Select Archive.

If you need the same exclusion again, create a new exclusion.

Did this answer your question?