The concept is that you have your personal vault, and then you can also be a member of multiple organisations, each with a vault.
If you want, you can choose to disable the "personal ownership" option, so that employees lose their personal vault and can only use the organisation's vault. You can also select the "single organisation" option to prevent an employee from joining a second organisation.
Once you have done that, you can audit all of the shared "collections" in an organisation and revoke access to specific "collections" for specific employees.
And if you want enterprise-y control, then you can manage employee credentials using LDAP, etc.
It is a bit confusing to be fair, but I think you can do the things you mention?
If you want, you can choose to disable the "personal ownership" option, so that employees lose their personal vault and can only use the organisation's vault. You can also select the "single organisation" option to prevent an employee from joining a second organisation.
Once you have done that, you can audit all of the shared "collections" in an organisation and revoke access to specific "collections" for specific employees.
And if you want enterprise-y control, then you can manage employee credentials using LDAP, etc.
It is a bit confusing to be fair, but I think you can do the things you mention?