We need a way to restrict offline access to the vault. Right now a vault is available offline for 30 days, which means that if we revoke someone’s access to the organization’s vault and they don’t connect to the internet, they can still pull passwords for up to 30 days afterwards. We need a way to customize and restrict offline access to an organization’s vault.
There is a feature under development to manage Vault Timeout Action Policy which would allow you to always require a device to Logout rather than allow for Unlock.
In that case, the local vault cache is removed on timeout, and would require Login and internet access, as well as any authentication if you have SSO enabled.
Generally though, best practice would be to rotate any credentials a user previously had once you revoke access, as there would be any number of ways someone could gain access to these once shared.