💡 Still using the classic Drata experience? Refer to Personnel Exclusion for the original UI.
Personnel exclusions allow you to exclude specific compliance checks for selected personnel while keeping those users included in audit scope. This helps document approved deviations, temporary gaps, or accepted risks without removing personnel from compliance monitoring entirely.
Understand personnel exclusions
Personnel exclusions let you exclude certain test requirements for a person while keeping that person included in audit scope. Use personnel exclusions when a requirement applies generally but does not apply to a specific individual or role.
When you create a personnel exclusion:
You can apply it indefinitely or for a defined time range
Drata records a business rationale for audit review
Auditors can review exclusion reasons and durations in audit exports
Example scenario
Alex is a contractor who supports internal tooling.
Alex has access to company systems
Alex does not access customer data
Alex uses a personal device that the company does not manage
If Alex should remain included in the audit, but a device management requirement does not apply, create a personnel exclusion for that requirement. Alex stays in scope, and all other applicable checks continue to apply.
Create a personnel exclusion
Use the Personnel page to create exclusions for one or more users.
Step 1: Start creating the exclusion
Go to the Governance > Personnel page. You can start an exclusion in either of the following ways:
Select Create exclusion on the Personnel page, or
Select one or more users, then select Actions > Create exclusion
If you start by selecting users, Drata automatically sets the personnel grouping to Custom personnel and pre-fills the selected users.
Step 2: Select the personnel grouping
Choose how Drata applies the exclusion:
Custom personnel: Apply the exclusion to specific users
Status or group: Apply the exclusion based on employment status or IdP group
All personnel – all time: Apply the exclusion to all personnel indefinitely
When you apply an exclusion by status or group, Drata creates a separate exclusion for each applicable user. Drata automatically updates exclusions as personnel join or leave the selected status or group.
Step 3: Select compliance checks to exclude
Choose the checks that do not apply to the selected personnel. Common examples include:
Acknowledged Policies
Antivirus
Auto Updates
Background Check
Disk Encrypted
HIPAA Training
Identity MFA
Lock Screen
AI Awareness Training
Offboarding Evidence
Password Manager
Security Training
Select only the checks that require an approved exception.
Step 4: Set the exclusion duration and reason
Choose how long the exclusion applies:
Indefinite: The exclusion remains active until archived
Custom: Select a start and end date
Enter a business rationale for the exclusion. Drata includes this reason in audit download packages if the person is sampled.
Step 5: Confirm and save
Review the exclusion details.
Select the confirmation checkbox.
Select Save.
Drata applies the exclusion during the next sync and updates.
View, edit, or archive personnel exclusions
You can view exclusions in the following ways:
Open the Active exclusions tab to view all current exclusions, or
Select a personnel record and scroll to review the requirements (compliance checks) that were excluded.
Edit a personnel exclusion
To edit an exclusion:
Find and select the exclusions you want to update.
In the modal that appears, update the exclusion details (such as requirements, duration, or reason).
Save your changes.
Drata applies updates during the next Autopilot sync.
Archive personnel exclusions
Archive an exclusion when it no longer applies.
To archive exclusions:
Open the Active exclusions tab.
Select the exclusions you want to archive.
Select Archive.
If you need the same exclusion again, create a new exclusion.


