Skip to main content

2026 Q1 Release Notes

Katie
Updated

March 25 Release

 

What’s New

  • New AI Risk Controls Added to the Cyber Controls Questionnaire –  
    The Cyber Controls Questionnaire now includes a new Artificial Intelligence risk domain with 8 AI‑specific controls, plus 8 additional controls across existing risk domains. These new AI controls help customers assess governance, risk management, and the responsible use of AI within third‑party environments. 
     
    The questionnaire has increased from 209 to 225 total controls and from 627 to 675 metric questions. Here are insights into the specific controls that were added and their associated content.
    • What to Expect: 
      • How do customers request the new controls?
        • Customers can request the updated controls by selecting the ProcessUnity Core Controls 2026‑1 framework from Advanced Options in the request form. Note: The same process applies for third parties sharing this data with customers.
  • How do customers view results for the new controls? 
    • Customers can view the updated questionnaire content and results by mapping to the ProcessUnity Core Controls 2026‑1 framework in the Framework View tool.

 

  • How do third parties' access and answer the new controls? 
    • Third parties will see the new controls when accessing the Cyber Controls Questionnaire. They may answer them proactively or wait until a customer requests the updated framework.
  • Will existing requests or shares be impacted? 
    • No. Existing and future requests using ProcessUnity Core Controls 2025‑1 (209 controls) will remain unchanged and fully supported.

Additional FAQ: 

  • Will the ‘essential 60’ controls be changed? 
    • No. The existing Essential 60 control set will remain unchanged. The 16 new controls (AI risk controls and additional cyber controls) were not added to the Essential 60 set and will not be included in the control cohort utilized in validation. 
  • Will analytics (e.g., Risk Index, predictive control data) be available for the new controls? 
    • Not initially. The Risk Index and predictive control analytics will not immediately reflect the 16 new controls. These analytics require sufficient volumes of attested data to generate reliable insights. As third parties complete the new control questions, the necessary data will be collected to support future analytical modeling and Risk Index inclusion.

 

  • Risk Index PDF Update -  Companies with an overall risk index but do not have a risk domain score will now show as "Inconclusive" with their own description.

What’s Coming

  • Assessment Autofill Expansion: AI Answers at the Metric Level - Assessment Autofill will be expanded to support AI‑generated answers at the metric level, in addition to existing control‑level responses. This enhancement enables AI to leverage provided documentation to answer all underlying metric questions associated with a control, further reducing the manual effort required to complete assessments. With this expansion, users can achieve near end‑to‑end assessment automation, from questionnaire completion through validation documentation support.
    • General availability: April 1

 

March 17 Release

 

What’s New

  • Predictive Analytics Timing  Predictive control results calculation frequency has increased from daily to hourly. This change ensures customers have the most up to date scores and Risk Index when reviewing a Third-Party profile.  
  • Claim Company Email Updates – Claim Company emails now reflect the organization’s Risk Index score (when available) and highlight any pending requests or shares, giving organizations new to the Exchange an early preview of their Risk Index and clear action steps. 
  • Request & Share Email Updates – Request and Share email notifications will now reflect Third Parties Risk Index score. 

 

What’s Coming

  • New AI Risk Controls Added to the Cyber Controls Questionnaire –  
    The Cyber Controls Questionnaire is being expanded to include a new Artificial Intelligence risk domain with 8 AI‑specific controls, along with 8 additional controls across existing risk domains. These new AI controls are designed to help customers assess governance, risk management, and the responsible use of artificial intelligence within third‑party environments. 
     
    As a result, the questionnaire will increase from 209 to 225 total controls and from 627 to 675 metric questions. Here are insights into the specific controls being added and their associated content.
    • General availability: March 25
    • What to Expect: 
      • How do customers request the new controls?
        • Customers can request the updated controls by selecting the ProcessUnity Core Controls 2026‑1 framework from Advanced Options in the request form.

Note: The same process applies for third parties sharing this data with customers.

  • How do customers view results for the new controls? 
    • Customers can view the updated questionnaire content and results by mapping to the ProcessUnity Core Controls 2026‑1 framework in the Framework View tool.

 

  • How do third parties' access and answer the new controls? 
    • Third parties will see the new controls when accessing the Cyber Controls Questionnaire after March 25. They may answer them proactively or wait until a customer requests the updated framework.
  • Will existing requests or shares be impacted? 
    • No. Existing and future requests using ProcessUnity Core Controls 2025‑1 (209 controls) will remain unchanged and fully supported.

 

March 11 Release

What’s New

  • Document Attachments Updates – Control‑level document attachments now show the date the document was linked to the control (instead of the upload date). Documents auto‑linked via accepted AI control answers are marked with an AI icon to distinguish them from manually linked documents.

  • Company Invitation Link - The invitation link that is sent by email to unclaimed companies on the Exchange is now also available in the Vendor Profile Page. This link will only appear for companies that have not yet been claimed. 

 

 

March 4 Release

What’s New

  • Questionnaire Page Updates – Moved the assessment autofill analysis card in line with its associated question and added bullet formatting to the Analysis content for improved readability.

  • Questions Review Table Update – The Questions Review table drawer now displays data specific to the selected question (control or metric), rather than grouped control‑ and metric‑level data.
  • Cyber Control ID - In the Controls Review table and the Framework View table, the Control ID column will always display the new Cyber Control ID introduced with Live Assessment in Feb. 2025 (5 digit alpha numeric format), even if the attested control information being viewed has not yet been migrated from the legacy control information (X.X.X.X numeric format) which occurs when the Third Party updates their responses.
  • Control "View More" Drawer - In the Controls Review table and the Framework View table, the "View More" drawer display will now always show the Customer the available Control Answer options, the Metric Prompts and associated available Metric Answer options. If the Customer does not have access to the Third-Party Control or Metric responses, they will not see the selected Answer options.

 

February 27 Release

What's New 

Risk Index is Generally Available Friday, February 27 at 3 EST. The Risk Index release includes the following elements:

Risk Algorithms: Leverage the wealth of Exchange data married with AI and Advanced Analytics to produce industry leading risk insights.

  • Risk Index and Domain Index: ProcessUnity Risk Index is an actionable risk rating that unifies internally informed controls data with externally observed security signals, providing summarized insight into an organization’s overall cybersecurity risk posture as well as targeted insight into a specific area of an organization’s cybersecurity risk posture. 
  • Risk Domain Impact: Domain Impact measures potential harm to your business operations if the third party experiences a negative incident in a specific area of cybersecurity, based on your level of engagement and reliance on the third party. 
    • Customers receive instant insights calculated based on ProcessUnity’s proprietary Auto Impact Responses. In order to achieve the most accurate insights, Customers are recommended to complete the Impact Questionnaire to define their specific business relationship with the third party.
    • Please visit our knowledgebase article for more information on the Relationship Impact Methodology.

Customer Third-Party View Impacting Changes: Allow customers to view the enhanced risk profile and risk report featuring Risk Index, for all their Third Parties.

  • Third-Party Portfolio Relationships: Enhancements to the Third-Party Portfolio Relationships table providing a view of Risk Index across the entire Third-Party Portfolio
    • Addition of Risk Index column on the Relationships table, that is filterable and sortable
    • Risk Index Rating and Risk Index columns on the Relationships download
  • Third-Party's “Risk Profile” Tab: A redesigned “Risk Profile” tab presenting multi-level insights about a Third Party, including a Risk Overview, Risk Domain Analysis, and Controls Intelligence as well as the option to download the insights via a new PDF Risk Report.
    • Risk Overview includes Inherent Risk and Risk Index
      • Inherent Risk
        • The Inherent Risk Score and Rating displayed will be specific to the Customer viewing the Third Party and their relationship definition via the Impact Questionnaire
        • Addition of Inherent Risk description
        • Addition of Inherent Risk Rating interpretations
        • Addition of “Update Pending” flag will alert users if there is a more recent Impact Questionnaire submission and Inherent Risk and Domain Impact is in the queue to be recalculated
      • Risk Index
        • The Risk Index and Rating displayed is the same for all Exchange users
        • Risk Index Rating and Score
        • Risk Index Rating interpretations
        • Risk Index definition
        • Risk Index date time last calculated
        • Display of all possible Risk Index Ratings and where the Score falls in the range
        • "Update Pending” flag will alert users if there is a more recent attestation date or predictive date and therefore Risk Index is in the queue to be recalculated
    • Risk Domain Analysis includes Risk Domains, Domain Impact and Domain Index
      • Risk Domains
        • List of the Cyber Risk Domains
        • Risk Domain descriptions
      • Domain Impact
        • The Domain Impact values displayed will be specific to the Customer viewing the Third Party and their relationship definition via the Impact Questionnaire
        • Domain Impact Rating
        • Domain Impact definition
      • Domain Index
        • The Domain Index displayed is the same for all Exchange users
        • Domain Index Rating and Score
    • Controls Intelligence includes the Controls Review table displaying Controls Information, including Control Scores and Finding Severity for the ProcessUnity Core Controls
      • Filterable via the Risk Domain table above
      • Controls data presented in this table will be driven by the level of authorization
        • If the third party has controls attested and authorized for the customer, attested control data will display
        • If the third party has controls attested but not authorized for the customer, predictive control data will display
        • If the third party has no controls attested, predictive control data will display
      • Finding Severity
        • Addition of two new Finding Severity ratings:
          • Nominal: control scores under the threshold and controls answered NA
          • Unknown: controls with no score
      • Additional column “Essential” flags if a Control is weighted heavier for Finding Severity or considered for Validation
  • Risk Report PDF Download: New Risk Report PDF showcasing multi-level insights for a Third Party, including the following elements
    • Cover Page: Third Party Name and Firmographics
    • Risk Summary: Risk Overview with Inherent Risk and Risk Index, Risk Domains Analysis with Domain Impact and Domain Index and Risk Controls Matrix with Counts of controls organized by Impact and Finding Severity
    • Risk Domains (page for each risk domain): Risk Domain Impact Rating, Risk Domain Index and Rating, Risk Domain Controls Matrix showing counts of domain controls organized by Finding Severity, Domain Priority Controls
    • Appendix: Risk Methodology
  • Third-Party's “Relationship” Tab
    • Moved the previous “Risk Reduction” card from Risk Profile tab to Relationship tab
      • Style enhancements
      • Split into 2 cards: Inherent Risk and Residual Risk and Risk Reduction
    • Inherent Risk
      • The Inherent Risk Score and Rating displayed will be specific to the Customer viewing the Third Party and their relationship definition via the Impact Questionnaire
      • Addition of Inherent Risk description
      • Addition of Inherent Risk Rating interpretations
      • Addition of “Update Pending” flag will alert users if there is a more recent Impact Questionnaire submission and Inherent Risk and Domain Impact is in the queue to be recalculated
    • Residual Risk and Risk Reduction
      • Addition of Residual Risk and Risk Reduction definitions
      • Shows the Residual Risk and Risk Reduction based on highest fidelity data
    • Page layout update moving the “Custom Attributes” and “Business Decision” cards side by side to make better use of standard screen sizes
    • Enhancement to “Custom Attributes” and “Business Decision” cards allowing them to be individually editable
      • User option to “Edit Custom Attributes” or “Edit Business Decision”
      • User option to “Cancel” or “Save” their updates
  • Third-Party's “Framework View” Tab
    • Moved the previous “Risk Navigator” table from Risk Profile tab to new Framework View tab
      • Addition of two new Finding Severity ratings Nominal and Unknown
      • Removed “Predictive Data Only” checkbox due to rare usage
      • No other changes to functionality and columns
    • Framework Report XLSX download
      • Updated to show the Residual Risk and Risk Reduction based on the highest fidelity data available to the customer
      • Addition of two new Finding Severity ratings Nominal and Unknown
    • Framework Report PDF download
      • Updated to show the Residual Risk and Risk Reduction based on the highest fidelity data available to the customer

Company Self-View Impacting Changes: Allow companies on the Exchange to see their own risk profile and risk report featuring Risk Index, building on the original Self-View Risk Index release in November 2025.

  • Self-View “Risk Profile” Tab: New Risk Report PDF showcasing multi-level insights for a company, including the following elements
    • Cover Page: Company Name and Firmographics
    • Risk Summary: Risk Overview with Risk Index, Risk Domains Analysis with Domain Index, Risk Controls Matrix including Counts of controls organized by Finding Severity
    • Risk Domains (page for each risk domain): Risk Domain Index and Rating, Risk Domain Controls Matrix showing the counts of domain controls organized by Finding Severity, and Domain Priority Controls
    • Appendix: Risk Methodology
  • Controls Review table
    • Addition of two new Finding Severity ratings Nominal and Unknown
  • Self-View “Framework View” Tab
    • Framework View table
      • Addition of two new Finding Severity ratings Nominal and Unknown
    • Framework Report XLSX download
      • Relational Risk (Inherent Risk, Residual Risk and Risk Reduction) values removed to align with UI
      • Addition of two new Finding Severity ratings Nominal and Unknown
    • Framework Report PDF download
      • Relational Risk (Inherent Risk, Residual Risk and Risk Reduction) values removed to align with UI

 

February 25 Release

What's New 

  • Questionnaire Page Updates: Various updates were made to the individual question page found once keyed into the Cyber Controls questionnaire. 
    • Enhanced 'Answer Options': Users now have the ability to re-confirm existing answers. This will maintain the existing selected and prior confirmed answer, but will update the answered by and the date to reflect current date and user name performing the action.  
    • Review and Submit button placement: This button has been re-located to the top right to be in a centralized space alongside other questionnaire navigation actions. 
Screenshot 2026-02-26 at 2.30.41 PM.png

 

February 20 Release

What’s New

Predictive Model 3.1: Predictive Control Scoring accelerates insights into an organization’s security posture, based on similar companies and refined by external evidence. 

  • This latest version incorporates all attested and validated controls into the model since the previous version, as well as enhanced the industry classification which is a key driver for determining a company’s “peer group.” 
  • This release supports Risk Index and ensures the controls intelligence feeding into Risk Index is as up to date and as accurate as possible. 

  • These enhancements apply to standard Predictive as well as “tuned” Predictive.  Tuned Predictive refines predictive control scores after a company has completed and attested to the Essential 60 Controls and dramatically improves the accuracy of the predictive scores for the remaining controls. 
  • Please visit our knowledgebase article for more information on the Predictive Data Methodology and the Predictive Model Release Notes.

 

February 11 Release

What’s New

  • Legacy Assessment’s Migrated to Latest Content The existing content migration process from legacy content (ie pre-February 2025) to latest questionnaire content has been updated so that no user engagement is required to proceed with the migration. This was done to ensure that all third parties who have engaged with the platform after the launch of this new content in February last year are all seeing the latest content.  
image (36).png
  • Ability to Search by Question ID in Question Navigation – Question navigation found on the individual question pages now supports searching and navigating to a question using the alpha-numeric question ID. 

 

What’s Coming

  • Assessment Autofill Model Update – The AI model that powers the Assessment Autofill feature will be updated on February 13, here is a summary of why this update occurred and what to expect:
    • Issue: The model reasoning was generalizing too broadly from the evidence provided to justify the answer output.
    • Solution: We are currently testing a larger and smarter AI model to provide more accurate reasoning given the evidence.

 

Resolved Issues

  • Consistent Rendering of AI Analysis Data – Fixed an issue that resulted in inconsistent rendering of AI analysis data found in the ‘Assessment Autofill Review’ component when it was available for a control. Now when an AI answer is available for a control, the respective AI analysis data will be displayed as expected. 

 

February 4 Release

What’s New

  • ProcessUnity Framework Names – Updated the following framework names to match the new naming convention to be consistent across the platform.  
    • ProcessUnity Critical Cyber Risk Questionnaire ---> ProcessUnity Essential Controls 
    • ProcessUnity Cyber Risk Questionnaire ---> ProcessUnity Core Controls 
  • ProcessUnity Request Names - Updated the following request names to be consistent across the platform. 

    • ProcessUnity Critical Controls ---> ProcessUnity Essential Controls 

    • ProcessUnity Cyber Controls  ---> ProcessUnity Core Controls 

    • ProcessUnity Critical Controls (with Metrics) ---> ProcessUnity Essential Controls Plus Metrics

    • ProcessUnity Cyber Controls (with Metrics) ---> ProcessUnity Core Controls Plus Metrics​​

  • New Tooltips – Tooltips have been added in the Question Review and Control Review table to provide clarity to users. Tooltips have been added to the following:  
    • Question Review Table - AI Answers header and missing attachments and column triangle icon
    • Control Review Table - Improvement Rank, Score Basis, Essential, Finding Severity, and Weakness
      Count column headers​
  • Risk Index Pending Update – Date Last Recalculated Comparison to Attest or Predictive Dates 
    • The date and time information displayed under the Risk Index has been modified to show the last time the Index was recalculated. Previously it displayed the last time the Index changed, which led to confusion and users thinking the data was stale.  
    • In addition, a "Pending Update" flag will alert users if there is a more recent attestation date or predictive date and therefore Risk Index is in the queue to be recalculated. This is especially important for the My Company view, to inform Third Parties that their recently submitted questionnaire updates are not yet reflected in the Risk Index and Risk Domain Index ratings displayed. 
    •  
  • Controls Review Filter - High and Medium Findings Quick Filters 
    • For a company looking at their own Risk Profile on the My Company view, the "High and Medium Findings" quick filter for the Controls Review table has been separated into individual quick filters for "High Findings" and "Medium Findings" 
    •  
       
      Resolved Issues 
  • Negative Predictive Residual Reduction Fix – Fixed a rare edge case where the Predictive Risk Reduction value was negative 
    • The negative Predictive Risk Reduction value was due to a rounding issue in the case that the Inherent Risk score was 1 but the Predictive Residual Risk score was 1.XX 
    • In addition to negative risk reduction not a valid value, it was causing a 500 error when calling get /v2/portfolio/third-parties/{company_id}/risk-profile for the Third Party 
    • Associated PI Ticket: PI-585 

January 22 Release

What’s New

  • Questionnaire Navigation – Questionnaire navigation is now moved underneath the page header for the Cyber Controls questionnaire and Impact questionnaire to allow users easier access to select next, back or jump to a specific question.   
  • Updating Primary Address subtext in Action Center – Once a user adds the address requirements in the Action Center the subtext indicating ‘City and Country must be provided to complete this action’ will no longer populate to remove user confusion. 
  • Control Metric Counts Per Framework - New fields added to Get Frameworks by Third Party API V3, allowing users to see the count of total unique metrics associated with each framework versus the count of metrics already attested by the company. 

January 14 Release

What's New

  • Request and Shares on the Submit Questionnaire page - Placed the request and shares into an accordion-style list. The list of request and shares will now be hidden by default with the option for users to expand the list. This reduces how long users would need to scroll down the page to the final “Submit” button. 

  • Attachments Drawer This section in answering the Questionnaire will now default to being open for easier access and visibility to users. The button to link documents is now labeled “attach documents” to give users clarity they can upload documents and attach them to controls within the drawer.  

January 7 Release

Resolved Issues

  • Questionnaire Navigation Disabled – The Back and Next buttons within questionnaires were disabled for some users completing validation requests. This issue has been corrected, and questionnaire navigation now works as expected. 

Was this article helpful?

0 out of 0 found this helpful
Return to top

Related articles