Vanta Connector: Pull Live Compliance Data into Rakenne Skills

How to connect your Vanta account to Rakenne so compliance skills can query controls, test results, evidence, vulnerabilities, and personnel data directly — without manual uploads.

Author: Ricardo Cabral · Founder

If your organization uses Vanta to manage compliance, your controls, test results, evidence, and personnel data are already there. Rakenne’s Vanta connector lets the AI agent pull that data directly into compliance skills — replacing manual document uploads with live API queries.

This guide explains what the connector does, how to set it up, and what data your skills can access.


What the Vanta connector does

The Vanta connector is an opt-in integration that gives Rakenne’s compliance skills read-only access to your Vanta account. When a skill like ISO 27001 Gap Assessment runs, the agent can query your actual controls, test results, and evidence instead of relying on manually uploaded spreadsheets.

Without the connector                              | With the connector
---------------------------------------------------|-----------------------------------------------------------------------
Export CSVs from Vanta, upload to Rakenne          | Agent queries Vanta directly during the skill run
Data is stale the moment you export it             | Data is fresh — pulled on demand
Manual effort to gather evidence                   | Agent discovers controls, tests, and evidence automatically
Gap assessment based on uploaded documents only    | Gap assessment cross-references Vanta controls against ISO requirements

The connector is fully opt-in: it only activates when a skill explicitly requires it. If you’re using skills that don’t need Vanta data (contract drafting, clinical reports, etc.), the connector is invisible — no extra tools in the agent’s prompt, no settings to configure, no overhead.


Two tiers: Management and Auditor

The connector supports two Vanta API tiers, matching Vanta’s own access model:

Management API (for companies)

Use this when your organization has its own Vanta account and you want to assess your own compliance posture.

  • Who uses it: In-house GRC teams, compliance managers, CISOs
  • What it accesses: Your organization’s controls, test results, evidence documents, vulnerabilities, personnel compliance, and vendor data
  • Authentication: OAuth 2.0 with client credentials
  • Rate limit: 50 requests/minute

Auditor API (for audit firms)

Use this when you’re an external auditor who needs to access client organizations through Vanta’s Auditor Portal.

  • Who uses it: Lead auditors, certification bodies, GRC consultants conducting client audits
  • What it accesses: Everything the Management API provides, plus audit listings and cross-organization evidence retrieval
  • Authentication: OAuth 2.0 with client credentials (requires Vanta Audit Partner registration)
  • Rate limit: 250 requests/minute (read), 600 requests/minute (evidence listing)

You can configure both tiers independently. An audit firm might use the Auditor API for client engagements while also using the Management API for their own internal compliance.


Setting up the connection

Prerequisites

  1. A Vanta account with API access enabled
  2. A Vanta API application (created in your Vanta dashboard under Settings > API)
  3. The Client ID and Client Secret from that application

For Auditor API access, your firm must be registered as a Vanta Audit Partner. Contact your Vanta representative if this isn’t set up yet.

Step 1: Open Integrations settings

In Rakenne, go to Settings > Integrations. You’ll see two cards:

  • Vanta (Management API) — for your own organization’s data
  • Vanta (Auditor API) — for cross-organization audit access

Step 2: Enter credentials

Click Connect on the tier you want to configure. Enter the Client ID and Client Secret from your Vanta API application, then click Save.

Rakenne encrypts these credentials at rest using AES-256-GCM. The raw credentials are never exposed to the AI agent — all API calls go through an internal proxy that handles authentication transparently.

Step 3: Verify the connection

After saving, the card shows your masked Client ID (e.g., vci...3456) and a Connected status. If the credentials are invalid, you’ll see an error message explaining what went wrong.

Disconnecting

Click Disconnect at any time to remove stored credentials. Active sessions will be restarted to reflect the change.


What data is available

Once connected, skills that depend on the Vanta connector get access to six data tools (Management API) or eight tools (Auditor API):

Controls

Tool: vanta_list_controls

Lists your compliance controls with their current status, framework associations, and assigned owners. This is the foundation for gap assessments — the agent can compare your Vanta controls against framework requirements to identify gaps.

Example use: An ISO 27001 gap assessment skill queries all controls, maps them to Annex A requirements, and identifies which controls are missing, incomplete, or failing.

Test results

Tool: vanta_list_tests

Retrieves automated test results — the checks Vanta runs against your connected integrations (AWS, GCP, Okta, etc.). It can filter for failing tests only, so the agent focuses on what needs attention.

Example use: The agent pulls failing tests, cross-references them with the controls they validate, and generates a remediation priority list.

Evidence documents

Tool: vanta_list_documents

Lists evidence documents linked to controls. Documents in Vanta are file-based evidence (policies, procedures, screenshots) that auditors review.

Example use: During a gap assessment, the agent checks which controls have supporting evidence uploaded and which are missing documentation.

Vulnerabilities

Tool: vanta_list_vulnerabilities

Retrieves open vulnerabilities — package dependencies, static analysis findings, and API endpoint issues — with their severity and remediation status.

Example use: A security posture review skill pulls open vulnerabilities, groups them by severity, and drafts remediation recommendations aligned with your risk appetite.

Personnel compliance

Tool: vanta_list_personnel

Shows employee compliance status: security training completion, MFA enrollment, and device compliance.

Example use: The agent identifies employees who haven’t completed security awareness training or lack MFA, and flags this as a finding in the gap assessment.

Vendor risk

Tool: vanta_list_vendors

Lists third-party vendors with their risk assessment status and security review information.

Example use: A supplier security assessment skill pulls your vendor list and checks whether high-risk vendors have completed security questionnaires.

Audits (Auditor API only)

Tool: vanta_list_audits

Lists all audits accessible to the auditor account, showing client organization, framework, status, and dates.

Example use: An auditor opens a new Rakenne project for a client engagement and queries their active audits to understand the scope.

Audit evidence (Auditor API only)

Tool: vanta_auditor_list_evidence

Retrieves evidence items for a specific audit, with control mappings and completion status. This is the cross-organization evidence access that distinguishes the Auditor tier.

Example use: The agent pulls all evidence for an ISO 27001 audit, checks completeness per control, and generates an evidence sufficiency report.


How skills use the connector

Skills opt into the Vanta connector by declaring it as a dependency in their metadata.json:

{
  "title": "ISO 27001 Gap Assessment",
  "dependencies": ["vanta-connector"]
}

Or for auditor-tier access:

{
  "title": "ISO 27001 Audit Evidence Review",
  "dependencies": ["vanta-auditor-connector"]
}

When you install a skill with a Vanta dependency, the connector tools become available to the agent in that project. When you uninstall the skill, the tools are removed.

A skill that depends on vanta-auditor-connector gets all eight tools (the six base tools plus audits and audit evidence). It does not need to also list vanta-connector — the auditor variant is self-contained.


Pagination

All Vanta tools support pagination through two parameters:

  • pageSize: Number of results per page (1–100, default 25)
  • pageCursor: Cursor for the next page (omit for the first page)

Each tool response includes pagination information — whether there’s a next page and what cursor to use. The agent handles pagination automatically when iterating through large datasets.
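The following is an added illustration of how a cursor-based walk over a connector tool can look; it is not Rakenne's own code. It uses a constructed stand-in for vanta_list_tests, clamps pageSize to the documented 1–100 range, follows pageCursor until the response reports no next page, and spaces calls at 60/rpm seconds so a long walk stays under the Management API's 50 requests/minute. The response field names (results, hasNextPage, nextCursor) are assumptions, not Vanta's documented schema.

```python
import time
from typing import Callable, Iterator, List, Optional

# Constructed sample data standing in for a Vanta test listing (not real Vanta output).
SAMPLE_TESTS = [{"id": f"test-{i}", "status": "FAILING" if i % 3 == 0 else "PASSING"}
                for i in range(1, 13)]


def fake_vanta_list_tests(pageSize: int = 25, pageCursor: Optional[str] = None,
                          failingOnly: bool = False) -> dict:
    """Stand-in for the vanta_list_tests tool. The response keys (results,
    hasNextPage, nextCursor) are assumptions, not Vanta's documented schema."""
    items = [t for t in SAMPLE_TESTS if not failingOnly or t["status"] == "FAILING"]
    start = int(pageCursor) if pageCursor else 0
    has_next = start + pageSize < len(items)
    return {"results": items[start:start + pageSize],
            "hasNextPage": has_next,
            "nextCursor": str(start + pageSize) if has_next else None}


def paginate(tool: Callable[..., dict], rpm: int, page_size: int = 25,
             sleep: Callable[[float], None] = time.sleep, **params) -> Iterator[dict]:
    """Yield every result from a connector tool, following pageCursor until the
    response reports no next page. pageSize is clamped to the documented 1-100
    range, and calls are spaced 60/rpm seconds apart so a walk through a large
    tenant stays under the tier's per-minute limit (50 rpm for the Management API)."""
    page_size = max(1, min(100, page_size))
    min_interval = 60.0 / rpm
    cursor = None
    while True:
        resp = tool(pageSize=page_size, pageCursor=cursor, **params)
        yield from resp["results"]
        if not resp.get("hasNextPage"):
            return
        cursor = resp["nextCursor"]
        sleep(min_interval)  # pace before fetching the next page


def failing_test_ids(page_size: int = 3, rpm: int = 50,
                     sleep: Callable[[float], None] = lambda _s: None) -> List[str]:
    """Collect the ids of all failing tests across pages. sleep is injectable so
    the walk can be exercised without actually waiting."""
    return [t["id"] for t in paginate(fake_vanta_list_tests, rpm, page_size,
                                      sleep=sleep, failingOnly=True)]


if __name__ == "__main__":
    print(failing_test_ids())  # ['test-3', 'test-6', 'test-9', 'test-12']
```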


Security model

The Vanta connector follows the same security patterns as other Rakenne integrations:

  • Credentials encrypted at rest using AES-256-GCM, stored in the same encrypted credential store as LLM API keys
  • Proxy architecture: The AI agent process never sees raw Vanta credentials. All API calls go through the Rakenne backend, which adds authentication headers transparently
  • Read-only access: The connector only supports GET requests in this phase. No data is written back to Vanta
  • Admin-only configuration: Only tenant owners and admins can configure or use the Vanta connection
  • Path validation: The proxy rejects any request attempting path traversal outside Vanta’s /v1/ API namespace
  • Per-tenant isolation: Each tenant’s Vanta credentials are separate. One tenant cannot access another’s Vanta data
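As an added example of the path-validation and read-only rules listed above (an assumed design, not Rakenne's actual proxy code), this check percent-decodes the requested target to a fixpoint, normalises it, and forwards only GET requests whose normalised path still sits under /v1/. The function and constant names are illustrative.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Proxy policy matching the page's description: read-only, /v1/ namespace only.
ALLOWED_METHODS = {"GET"}
ALLOWED_PREFIX = "/v1/"


def validate_proxy_request(method: str, raw_target: str) -> str:
    """Return the path (plus query) the proxy may forward upstream, or raise
    ValueError. The checks are an assumed design, not Rakenne's actual code:
    method allow-list, no absolute URL or host override, percent-decoding to a
    fixpoint before normalising so encoded or double-encoded '..' cannot slip
    past, then the normalised path must still sit under /v1/."""
    if method.upper() not in ALLOWED_METHODS:
        raise ValueError(f"method not allowed: {method}")
    parts = urlsplit(raw_target)
    if parts.scheme or parts.netloc:
        raise ValueError("absolute URLs and host overrides are rejected")
    decoded = parts.path
    for _ in range(3):                      # unquote until stable (handles %252e)
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded or "\\" in decoded:
        raise ValueError("control characters or backslashes in path")
    normalised = posixpath.normpath(decoded)  # collapses '.', '..' and '//'
    if not normalised.startswith(ALLOWED_PREFIX):
        raise ValueError(f"path escapes the Vanta API namespace: {normalised}")
    return normalised + (f"?{parts.query}" if parts.query else "")


def is_forwardable(method: str, raw_target: str) -> bool:
    """Convenience wrapper: True when the request passes all proxy checks."""
    try:
        validate_proxy_request(method, raw_target)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for m, p in [("GET", "/v1/controls?pageSize=25"), ("GET", "/v1/../v2/admin"),
                 ("GET", "/v1/%2e%2e/secrets"), ("POST", "/v1/controls")]:
        print(m, p, "->", "forward" if is_forwardable(m, p) else "reject")
```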

Practical workflow: ISO 27001 Gap Assessment with Vanta

Here’s what a typical session looks like when running the ISO 27001 gap assessment skill with the Vanta connector:

  1. You: “Run the gap assessment against our Vanta data”

  2. Agent: Calls vanta_list_controls to pull all controls with their status and framework mappings

  3. Agent: Calls vanta_list_tests with failingOnly: true to identify which automated checks are failing

  4. Agent: Calls vanta_list_documents to check evidence coverage per control

  5. Agent: Calls vanta_list_personnel to assess people-related compliance (training, MFA)

  6. Agent: Runs mandatory_artifact_detector, clause_requirements_engine, and other skill tools — now informed by real Vanta data instead of manually uploaded documents

  7. Agent: Produces a gap assessment report that references your actual control status, failing tests, and missing evidence — not hypothetical gaps

The result is a gap assessment grounded in your live compliance posture, not a static snapshot from last week’s CSV export.
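As an added example of the cross-referencing done in steps 2 through 7 (illustrative code, not the skill's own tools), this takes constructed records shaped like the outputs of vanta_list_controls, vanta_list_tests, vanta_list_documents and vanta_list_personnel and produces a prioritised findings list. Field names and the Annex A references in the sample data are assumptions, not Vanta's schema.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed records shaped like what the four tool calls in the workflow return.
# Field names and the Annex A references are sample assumptions, not Vanta's schema.
CONTROLS = [
    {"id": "C-1", "name": "Access control policy", "status": "OK", "frameworks": ["ISO27001:A.5.15"]},
    {"id": "C-2", "name": "MFA enforced for all staff", "status": "NEEDS_ATTENTION", "frameworks": ["ISO27001:A.5.17"]},
    {"id": "C-3", "name": "Encryption at rest", "status": "OK", "frameworks": ["ISO27001:A.8.24"]},
]
TESTS = [{"id": "T-9", "status": "FAILING", "controlIds": ["C-3"]},
         {"id": "T-4", "status": "PASSING", "controlIds": ["C-1"]}]
DOCUMENTS = [{"id": "D-1", "title": "Access Control Policy v3", "controlIds": ["C-1"]}]
PERSONNEL = [{"email": "bob@example.com", "mfaEnrolled": False, "trainingComplete": True},
             {"email": "carol@example.com", "mfaEnrolled": True, "trainingComplete": False}]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def gap_findings(controls, tests, documents, personnel) -> List[Dict[str, str]]:
    """Cross-reference controls against failing tests, evidence coverage and
    personnel status; return findings ordered high -> medium -> low."""
    failing = defaultdict(list)              # control id -> failing test ids
    for t in tests:
        if t["status"] == "FAILING":
            for cid in t["controlIds"]:
                failing[cid].append(t["id"])
    evidenced = {cid for d in documents for cid in d["controlIds"]}
    findings: List[Dict[str, str]] = []

    def add(sev, control, req, issue):
        findings.append({"severity": sev, "control": control, "requirement": req, "issue": issue})

    for c in controls:
        req = ", ".join(c["frameworks"])
        if c["id"] in failing:
            add("high", c["id"], req, "failing automated tests: " + ", ".join(failing[c["id"]]))
        if c["status"] != "OK":
            add("medium", c["id"], req, f"control status is {c['status']}")
        if c["id"] not in evidenced:
            add("medium", c["id"], req, "no evidence document linked")
    for p in personnel:
        if not p["mfaEnrolled"]:
            add("high", "personnel", "ISO27001:A.5.17", f"{p['email']} is not enrolled in MFA")
        if not p["trainingComplete"]:
            add("low", "personnel", "ISO27001:A.6.3", f"{p['email']} has not completed security awareness training")
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])  # stable sort keeps discovery order within a tier
    return findings
```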


Important notes

  • Vanta single-token limitation: Vanta allows only one active access token per API application. If you use the same Vanta application elsewhere, creating a new token in Rakenne will invalidate the previous one. We recommend creating a dedicated Vanta API application for Rakenne.

  • Rate limits: The Management API allows 50 requests per minute. For large organizations with hundreds of controls, the agent paces its requests automatically. The Auditor API has a more generous 250 requests per minute.

  • Data freshness: The connector pulls data on demand during each skill run — there’s no background sync or caching between sessions. Each run gets the current state from Vanta.

  • Future plans: Write-back support (uploading policies drafted in Rakenne as Vanta evidence documents) is planned for a future release.
