116+ terms across third-party risk, compliance, audit integrity, and AI safety. Maintained by the ThirdSentry team — written for practitioners, not consultants.
Access Control
Policies and mechanisms regulating who can view or use which resources. Foundational for both internal security and the vendor access lifecycle.
ThirdSentry's confidence model that only penalizes dimensions where the organization actually has data — never phantom-penalizing for empty or inactive capabilities.
The discipline of inventorying, tiering, monitoring, and controlling AI use within an organization. Includes risk classification, model selection oversight, change management, and incident response — analogous to GRC for AI systems.
When an AI model generates a confident-sounding answer that is factually incorrect or fabricated. Mitigated through RAG (grounding answers in real evidence), citations (showing the source for every claim), and confidence scoring (flagging low-confidence answers for review).
A registry of every AI use case in an organization with its risk tier, attached policies, and approval status. Required by emerging AI governance standards and increasingly by enterprise procurement teams.
A vendor's reported security posture as captured through completed security questionnaires, supporting evidence, and reviewer-validated responses. The second of the three layers in ThirdSentry's vendor scoring model.
A maintained list of an organization's hardware, software, data, and third-party services. Foundational for both internal control monitoring and vendor risk programs.
An append-only record of every mutation performed in a system, including the actor, timestamp, action, and (for AI systems) the tool called. ThirdSentry writes an AuditLog row on every change, including every Effy AI tool call.
ThirdSentry's read-only role enforced at the database layer (not just UI permissions). An AUDITOR can view, comment, and submit reviews — but cannot edit any record, accidentally or otherwise.
Pre-engagement checks on a vendor's reputation, ownership, financial stability, and regulatory standing. Increasingly automated through vendor intelligence services.
A documented strategy for maintaining business operations during disruption — including responses to vendor failures and other third-party incidents.
An assessment of which business functions are critical and what dependencies — including third parties — they rely on. Drives RTO/RPO targets and continuity priorities.
A vendor security questionnaire from the Cloud Security Alliance specifically designed for cloud service providers. Aligned to the CSA Cloud Controls Matrix.
Risk that propagates from a single fourth-party incident to several of your vendors and ultimately to your business processes. Visualization tools map the dependency graph so the blast radius is visible before an incident.
Formal third-party evaluation that attests to compliance with a standard or framework — examples include SOC 2, ISO 27001 certification, and HITRUST validation.
Center for Internet Security Critical Security Controls — a prioritized, defense-in-depth control set widely adopted as a starting baseline for security programs.
A reference to the specific source (policy, control, evidence file) an AI used to draft an answer. Inline citations make AI-drafted responses verifiable by a reviewer and defensible to an auditor.
Tools and practices that continuously assess cloud-environment configurations against security baselines and best practices.
A formal evaluation determining whether an organization or vendor adheres to a specified regulation, framework, or contractual requirement. Conducted by internal or external auditors.
A scheduling view of recurring compliance obligations — control reviews, framework audits, vendor reassessments, and policy refresh cycles.
Risk arising from over-reliance on a small number of vendors or sub-processors. Common pattern: many of your vendors all depend on the same fourth-party (e.g., a major cloud provider), turning their concentration into your concentration.
A numeric or qualitative measure of how strongly an AI-generated answer is supported by retrieved evidence. Low-confidence answers are flagged for closer reviewer attention rather than auto-approved.
Process for establishing and maintaining the configuration of systems and applications consistent with policy and baseline expectations.
Automated, ongoing verification that controls are operating effectively — replacing or supplementing periodic manual audits. Generates evidence and triggers alerts when control health degrades.
Ongoing observation of a vendor's security posture and operational status throughout the relationship — distinct from point-in-time assessments performed at onboarding or annual review.
The practice of correlating equivalent controls across different frameworks (e.g., SOC 2 CC6.1 maps to ISO 27001 A.5.18) so that a single control answer satisfies overlapping requirements. Reduces evidence collection across multi-framework audit cycles.
Insurance covering financial loss from cyber events including breaches, ransomware, and certain third-party incidents. Insurers increasingly require evidence of vendor risk programs as part of underwriting.
A legal or contractual obligation to notify affected parties (and often regulators) when personal data is exposed. Notification timelines vary by jurisdiction: under GDPR the supervisory authority must be notified within 72 hours of becoming aware of a breach, while U.S. state laws vary, with many setting 30-, 45- or 60-day deadlines.
Labeling data by sensitivity (e.g., Public, Internal, Confidential, Restricted) so appropriate controls can be applied automatically and consistently.
Encoding data so only authorized parties can read it. Required at rest and in transit for any sensitive information across nearly all modern compliance frameworks.
Policies and processes ensuring data is managed consistently across its lifecycle — including ownership, quality, access, retention, and third-party sharing.
Technical and policy controls preventing unauthorized exfiltration, sharing, or accidental disclosure of sensitive data.
A contract between a data controller and processor specifying processing scope, sub-processor management, security requirements, and breach notification obligations. Required by GDPR Article 28.
Policies, tools, and procedures for recovering or continuing technology infrastructure after a disruptive event.
ThirdSentry's AI assistant — twelve specialist agents across GRC and TPRM that draft policies, reconcile vendor signals, answer questionnaires with cited evidence, and route decisions to human reviewers. Tenant-isolated by architecture; every tool call is audit-logged.
Tooling that monitors endpoint devices for suspicious activity and provides investigation and response capabilities.
An organization-wide approach to identifying, assessing, and managing risks across all categories — strategic, operational, financial, compliance, and third-party.
European Union regulation classifying AI systems by risk level (unacceptable, high, limited, minimal) with corresponding obligations. Limited-risk AI systems must disclose AI involvement; high-risk systems require conformity assessments.
Gathering and validating documentation that proves a vendor or control is operating as claimed — certifications, screenshots, configuration exports, pen-test reports.
A centralized, indexed repository of compliance artifacts (policies, certifications, pen-test reports, screenshots) linked to the controls and assessments they support. ThirdSentry's evidence vault is tenant-scoped and indexed for AI retrieval.
An architecture or workflow that can withstand scrutiny from a regulatory examiner — not just an auditor. Stronger standard than 'audit-ready' because examiners often request raw data and process evidence rather than summaries.
Security platform integrating data across endpoints, network, identity, and cloud to detect and respond to threats holistically rather than per-tool.
All externally reachable assets, services, and entry points an attacker could probe — including those exposed by vendors. Continuously monitored to detect new exposure quickly.
An arrangement where multiple organizations trust each other's authentication assertions, enabling users to access partner systems without separate credentials.
Federal Risk and Authorization Management Program — U.S. government program providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products used by federal agencies.
Federal Financial Institutions Examination Council — issues guidance on cybersecurity, third-party risk management, and authentication for U.S. financial institutions. The FFIEC IT Handbook is a primary reference for bank examiners.
Risk from your vendor's vendors (sub-processors). Often invisible to the contracting organization but a primary source of cascading and concentration risk.
EU General Data Protection Regulation. Governs the processing of personal data of individuals in the EU, including specific obligations on data processors and sub-processors via Article 28.
Gramm-Leach-Bliley Act — U.S. law requiring financial institutions to safeguard customer information and explain their information-sharing practices. The Safeguards Rule includes vendor management requirements.
An integrated discipline covering corporate governance, enterprise risk management, and regulatory compliance. In modern platforms, internal GRC and TPRM increasingly run on a unified data model.
U.S. Health Insurance Portability and Accountability Act administrative simplification provisions, chiefly the Security Rule, covering the protection of electronic Protected Health Information (ePHI). Applies to covered entities and their business associates.
Health Information Trust Alliance Common Security Framework. A certifiable framework that maps to multiple healthcare regulations and standards, popular among healthcare service providers.
An AI workflow design where a human reviewer must approve, edit, or reject an AI-generated artifact before it ships. ThirdSentry applies this on every drafted policy, scored assessment, and outbound questionnaire response.
A service that authenticates users and issues identity assertions to other applications. Foundational for SSO and federated access architectures.
When a policy is published, ThirdSentry creates a PolicyVersion record that cannot be modified. Drafts and approved-but-unpublished content are kept separate so an auditor can see exactly what was published, when, and by whom.
A documented playbook for detecting, responding to, and recovering from security incidents — including incidents involving vendors and sub-processors.
A documented set of rules governing how an organization protects its information assets — including requirements for vendors and other third parties handling sensitive data.
The level of risk that exists before any controls or mitigating factors are applied. For vendors, the baseline risk implied by the data and access scope they have, before evaluating their security measures.
Risk posed by individuals inside the organization or vendor with privileged access who may misuse it. Mitigated through access controls, monitoring, and least-privilege policies.
A coordinated set of policies, monitoring, and response procedures aimed at detecting and mitigating risk from individuals with authorized access.
A workflow that runs structured questionnaires against the organization's own controls (rather than against vendors). AI-scored, reviewer-validated, and automatically generates risks and remediation tasks for failed controls.
International standard for Information Security Management Systems (ISMS). The 2022 revision introduces 11 new controls (including threat intelligence, secure coding, and cloud security) and reorganizes the Annex A control set.
International standard for AI Management Systems. Establishes requirements for governing AI systems across their lifecycle — model selection, change management, performance monitoring, and incident response.
Foundational IT controls covering access management, change management, system operations, and computer-operations practices. Frequently in scope for SOC 2 and financial-statement audits.
Granting privileged access only when needed and for a limited duration, then automatically revoking it. Reduces standing privilege as an attack surface.
A measurable signal that provides early warning of increasing risk exposure — for example, a vendor's certificate expiring, patch backlog growing, or assessed posture diverging from live exposure.
Contractual or regulatory consequences a party may face for failing to meet obligations — typically defined and capped through indemnification, limitation-of-liability, and insurance clauses.
Real-time, externally observable security posture of a vendor — including exposed services, certificate health, patch hygiene, and known incidents. One of the three layers in ThirdSentry's vendor scoring model.
A third-party provider delivering ongoing cybersecurity monitoring, detection, and response — frequently for organizations without large in-house security teams.
Authentication requiring two or more independent verification factors — typically something you know (password) plus something you have (token) or are (biometric).
A voluntary framework from the U.S. National Institute of Standards and Technology for managing AI risk across four functions: Govern, Map, Measure, and Manage. Increasingly referenced in U.S. AI procurement and audit contexts.
National Institute of Standards and Technology Cybersecurity Framework. Version 2.0 (released 2024) added Govern as a sixth function alongside Identify, Protect, Detect, Respond, and Recover.
U.S. federal control catalog (NIST SP 800-53) of several hundred base controls, well over a thousand counting enhancements, organized into 20 families in Revision 5 and covering both security and privacy. Used for FedRAMP, FISMA, and many regulated-industry programs as the canonical control library.
A contract restricting disclosure of confidential information shared between parties. Often a prerequisite to receiving sensitive evidence (pen-test reports, SOC 2 Type II) from a vendor.
New York Department of Financial Services cybersecurity regulation requiring covered financial institutions to maintain a cybersecurity program, including third-party service-provider controls and CISO accountability.
New York State Department of Health regulation establishing cybersecurity program requirements for hospitals — including risk assessments, multi-factor authentication, and incident response capabilities.
International principles for trustworthy AI: inclusive growth, human-centred values, transparency, robustness, and accountability. Endorsed by 40+ countries and increasingly cited in AI procurement contracts.
Risk arising from inadequate or failed internal processes, people, or systems — including the operational risk introduced by vendor dependencies.
Process for applying security updates and patches to systems and applications on a defined cadence. Patch hygiene is one of the most common signals in vendor external-exposure scoring.
Payment Card Industry Data Security Standard. Version 4.0 added the customized approach (meeting a requirement's stated objective with controls other than the prescribed ones), expanded MFA requirements, and new controls for scripts that run on payment pages.
A simulated attack against systems or applications to identify exploitable vulnerabilities. Often required as evidence in vendor security reviews and many regulatory frameworks.
ThirdSentry's GTM-defining capability. Continuously compares each vendor's assessed posture (questionnaire-based) against live external exposure (continuous monitoring). When the gap exceeds threshold, severity is tiered Minor / Moderate / Severe, the parent risk record is updated, and a remediation task is generated automatically.
A measurable change in a vendor's posture between two points in time, typically detected through continuous external monitoring. Drift can be temporary (e.g., a brief misconfiguration) or material (e.g., an exposed service that persists), with severity tiering applied before alerts fire.
The end-to-end workflow for resolving an identified risk or control failure: assignment, ownership, target date, status updates, and closure verification with evidence.
The risk that remains after controls have been applied. Represents what the organization or vendor relationship still exposes you to despite the security measures in place.
An AI architecture that retrieves relevant documents from a tenant-scoped knowledge base and includes them in the model prompt, so generated answers are grounded in real data and can cite their sources. Reduces hallucination and improves auditability.
A reviewer's authoritative decision that supersedes an AI-generated score or recommendation. The original AI output is preserved alongside the override so the reasoning trail is complete.
A contractual clause permitting the customer to audit the vendor's controls, processes, and security measures. Frequency, scope, and notice provisions vary by contract.
The amount and type of risk an organization is willing to accept in pursuit of its objectives. Drives both vendor selection thresholds and ongoing-monitoring sensitivity.
A documented inventory of identified risks, their assessment, ownership, and treatment plans. ThirdSentry's risk register tracks both internal and vendor risks on the same data model.
A methodology for quantifying risk on a numeric or categorical scale to enable prioritization and comparison across vendors, controls, or assessments.
A platform that collects, correlates, and analyzes log data across systems to detect security events and support incident investigation.
A standardized set of questions used to assess a vendor's security posture, controls, and practices. Common formats include SIG, SIG Lite, CAIQ, and custom enterprise questionnaires.
A contractual commitment to specified service levels — uptime, response time, support hours, recovery time objectives. Breach typically triggers remedies or service credits.
A questionnaire developed by Shared Assessments covering 18 risk-control areas. SIG Core is the comprehensive form; SIG Lite is a shorter screening version. Widely used in enterprise vendor security review.
A component whose failure would disrupt the entire system. In TPRM, a critical vendor dependency that has no alternative.
Authentication mechanism that lets a user sign in once to access multiple applications. Centralizes credential management and enables consistent access policy enforcement.
System and Organization Controls 2 (formerly Service Organization Control 2) — an AICPA attestation report that evaluates a service organization's controls against the five Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). Type I evaluates control design at a point in time; Type II evaluates operating effectiveness over a period.
A deletion approach that marks a record as deleted (e.g., setting `isDeleted: true`) rather than removing it from the database. Preserves the audit trail and enables recovery — required for any record with audit significance.
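The append-only audit log, the database-enforced AUDITOR role and the soft-delete convention above are easiest to see together. The following is an added example, not ThirdSentry's code: SQLite (Python's standard library) stands in for the production database, triggers refuse hard deletes and audit-log tampering, and the auditor's connection is made read-only by the engine with `PRAGMA query_only`. The table names, columns, actor addresses and vendor data are constructed for the example.

```python
# Added example (not ThirdSentry's code): audited records with soft delete, an
# append-only audit log, and a read-only auditor connection, each enforced by
# the database engine rather than the UI. SQLite (stdlib) stands in for the
# production database; Postgres would use GRANTs, triggers and row-level security.
import json
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE vendor (
    id          INTEGER PRIMARY KEY,
    org_id      TEXT    NOT NULL,
    name        TEXT    NOT NULL,
    is_deleted  INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE audit_log (
    id      INTEGER PRIMARY KEY,
    ts      TEXT NOT NULL,
    actor   TEXT NOT NULL,
    action  TEXT NOT NULL,
    target  TEXT NOT NULL,
    detail  TEXT
);
-- Rows with audit significance are never hard-deleted.
CREATE TRIGGER vendor_no_hard_delete BEFORE DELETE ON vendor
BEGIN SELECT RAISE(ABORT, 'hard delete forbidden: set is_deleted instead'); END;
-- The audit log is append-only.
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""


def connect(path: str, role: str) -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.row_factory = sqlite3.Row
    if role == "AUDITOR":
        # Engine-enforced read-only: every INSERT/UPDATE/DELETE on this
        # connection fails, whatever the application layer would allow.
        conn.execute("PRAGMA query_only = 1")
    return conn


def _audit(conn, actor, action, target, detail=None):
    conn.execute(
        "INSERT INTO audit_log (ts, actor, action, target, detail) VALUES (?, ?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), actor, action, target,
         json.dumps(detail) if detail is not None else None),
    )


def create_vendor(conn, actor, org_id, name) -> int:
    cur = conn.execute("INSERT INTO vendor (org_id, name) VALUES (?, ?)", (org_id, name))
    _audit(conn, actor, "vendor.create", f"vendor:{cur.lastrowid}", {"name": name})
    conn.commit()
    return cur.lastrowid


def soft_delete_vendor(conn, actor, vendor_id) -> bool:
    # Soft delete: flag the row, keep it, and record who did it.
    n = conn.execute(
        "UPDATE vendor SET is_deleted = 1 WHERE id = ? AND is_deleted = 0", (vendor_id,)
    ).rowcount
    if n:
        _audit(conn, actor, "vendor.soft_delete", f"vendor:{vendor_id}")
    conn.commit()
    return n == 1


def list_vendors(conn, org_id, include_deleted=False) -> list[dict]:
    sql = "SELECT id, name, is_deleted FROM vendor WHERE org_id = ?"
    if not include_deleted:
        sql += " AND is_deleted = 0"
    return [dict(r) for r in conn.execute(sql, (org_id,))]


def attempt(conn, sql, params=()) -> str:
    """Run a mutation and report whether the engine refused it."""
    try:
        conn.execute(sql, params)
        conn.commit()
        return "allowed"
    except sqlite3.DatabaseError as exc:
        conn.rollback()
        return f"refused: {exc}"


def demo() -> dict:
    path = os.path.join(tempfile.mkdtemp(), "grc.db")
    admin = connect(path, "ADMIN")
    admin.executescript(SCHEMA)
    vid = create_vendor(admin, "alice@example.com", "org_a", "Acme Cloud")  # constructed data
    auditor = connect(path, "AUDITOR")
    out = {
        "auditor_edit": attempt(auditor, "UPDATE vendor SET name = 'x' WHERE id = ?", (vid,)),
        "hard_delete": attempt(admin, "DELETE FROM vendor WHERE id = ?", (vid,)),
        "log_tamper": attempt(admin, "DELETE FROM audit_log"),
    }
    soft_delete_vendor(admin, "alice@example.com", vid)
    out["visible"] = list_vendors(auditor, "org_a")
    out["with_deleted"] = list_vendors(auditor, "org_a", include_deleted=True)
    out["audit_rows"] = auditor.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`PRAGMA query_only` blocks every write on the auditor's connection, which is stricter than the glossary's AUDITOR (who may still comment and submit reviews); in a real database that nuance is expressed by granting INSERT only on the comment and review tables while leaving every audited table SELECT-only. Whichever engine is used, the point is that the refusal comes from the database, so a UI bug or a misrouted API call cannot turn an auditor into an editor.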
An AI agent scoped to a single domain (vendor, policy, risk, evidence, etc.) with its own tool set, rather than a general-purpose chatbot. ThirdSentry's Effy assistant uses twelve specialist agents routed by a classifier so the right specialist handles each request.
A vendor's vendor — a third party engaged by your direct vendor to process data on their behalf. GDPR Article 28 requires disclosure and prior approval. In risk terms, a sub-processor is your fourth party.
Visibility into fourth-party (sub-processor) dependencies across your vendor base. Surfaces concentration risk (when many vendors rely on the same sub-processor) and cascading risk (when a fourth-party incident affects several of your vendors).
An architectural property where one customer's data is fully separated from another's at every layer — database queries, vector retrieval, AI tool calls. ThirdSentry enforces tenant isolation server-side via context variables, so the LLM cannot supply or override the org_id.
Numerical representations of your organization's documents stored in a vector index that is filtered to your organization at query time. Ensures the AI never retrieves another customer's data, regardless of how the model is prompted.
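The two entries above (and the RAG entry earlier in the glossary) describe one pattern: the tenant is fixed server-side from the authenticated session, and retrieval filters on it, so a tool argument the model produces cannot widen the scope. The following is an added example of that pattern, not ThirdSentry's code. The in-memory index, its three-dimensional embeddings, the `search_evidence` tool and the `org_a`/`org_b` identifiers are all constructed for the example; a production system would carry the same `org_id` into its database session (for row-level security) and into the vector store's metadata filter.

```python
# Added example (not ThirdSentry's code): server-side tenant scoping for an
# AI tool call and the vector retrieval behind it. The tenant comes from the
# authenticated request context; the model's tool arguments cannot set it.
import contextvars
import math

# Bound once per request by the server, after authentication.
CURRENT_ORG: contextvars.ContextVar[str] = contextvars.ContextVar("current_org")


class TenantContextMissing(RuntimeError):
    """Raised when retrieval runs without an authenticated tenant bound."""


def current_org() -> str:
    try:
        return CURRENT_ORG.get()
    except LookupError:
        raise TenantContextMissing("no authenticated tenant bound to this request") from None


# Constructed sample index: (org_id, doc_id, embedding, text). A real system
# would store the same org_id as metadata in its vector store.
INDEX = [
    ("org_a", "policy-access-control", [1.0, 0.0, 0.0], "Org A: MFA required for all admin access"),
    ("org_a", "soc2-2024-type2", [0.0, 1.0, 0.0], "Org A: SOC 2 Type II report, no exceptions noted"),
    ("org_b", "policy-access-control", [1.0, 0.1, 0.0], "Org B: shared admin credentials permitted"),
]


def cosine(a: list[float], b: list[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def search_evidence(query_vec: list[float], k: int = 2) -> list[dict]:
    """Retrieval step of RAG. The org filter is applied here, from context,
    so no caller (human or model) can widen it."""
    org = current_org()
    scored = [
        (cosine(query_vec, emb), doc_id, text)
        for org_id, doc_id, emb, text in INDEX
        if org_id == org
    ]
    scored.sort(key=lambda s: s[0], reverse=True)
    return [{"doc_id": d, "text": t, "score": round(s, 3)} for s, d, t in scored[:k]]


# The tool schema the model sees. org_id is deliberately not a parameter.
TOOLS = {"search_evidence": {"fn": search_evidence, "params": {"query_vec", "k"}}}


def dispatch_tool(name: str, args: dict) -> tuple[list[dict], list[str]]:
    """Server-side dispatcher: arguments outside the schema (e.g. an injected
    org_id) are dropped and reported, never passed through."""
    tool = TOOLS[name]
    dropped = sorted(set(args) - tool["params"])
    clean = {key: val for key, val in args.items() if key in tool["params"]}
    return tool["fn"](**clean), dropped


def handle_request(authenticated_org: str, tool_name: str, tool_args: dict):
    """Request entry point: bind the tenant from the session, run the tool,
    and always unbind afterwards so nothing leaks into the next request."""
    token = CURRENT_ORG.set(authenticated_org)
    try:
        return dispatch_tool(tool_name, tool_args)
    finally:
        CURRENT_ORG.reset(token)


if __name__ == "__main__":
    # Model output tries to read org_b's evidence while org_a's user is logged in.
    hits, dropped = handle_request(
        "org_a", "search_evidence", {"query_vec": [1.0, 0.0, 0.0], "k": 5, "org_id": "org_b"}
    )
    print("dropped arguments:", dropped)
    print("retrieved:", [h["doc_id"] for h in hits])
```

Two design choices carry the guarantee. The tool schema has no tenant parameter at all, so there is nothing for a prompt injection to set, and the dispatcher strips anything outside the schema rather than forwarding it as a keyword argument. Retrieval reads the tenant from the request-scoped context variable and fails closed (`TenantContextMissing`) if none is bound, which is the failure mode you want when a background job or a new code path forgets to authenticate.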
The discipline of identifying, assessing, monitoring, and controlling risks introduced by external parties — vendors, suppliers, contractors, service providers, and the sub-processors those parties depend on.
A vendor scoring approach that evaluates three independent dimensions: (1) business criticality assigned at onboarding, (2) assessed posture from completed questionnaires, and (3) live external exposure from continuous monitoring. The composite score plus per-layer breakdown gives reviewers full context.
A public-facing portal where an organization shares its security posture, certifications, sub-processor list, and policies with prospects and customers. Reduces inbound questionnaire burden.
ThirdSentry's three-layer vendor risk model combining business criticality, assessed posture, and live external exposure. Replaces single-signal (questionnaire-only or scorecard-only) approaches with a unified score across both internal and external sources.
Comprehensive evaluation of a potential vendor before contracting — including security posture, financial stability, regulatory standing, and operational maturity.
Auto-enriched vendor profiles combining funding, ownership, headcount, tech stack, news events, and security incidents — refreshed continuously from multiple data sources. Replaces manual vendor research with a maintained, cited record per vendor.
End-to-end management of a vendor relationship from sourcing and onboarding through monitoring, renewal, and offboarding.
Formal process of terminating a vendor relationship — revoking access, retrieving or destroying data, closing accounts, and ensuring continuity of dependent operations.
A structured approach to identifying, assessing, mitigating, and monitoring risks from vendors and other third parties across the relationship lifecycle.
Categorizing vendors into risk levels based on data sensitivity, service criticality, and integration depth. Determines the depth of due diligence and frequency of ongoing review.
A security model that assumes no implicit trust based on network location. Every request is authenticated, authorized, and encrypted regardless of origin.
A vulnerability exploited before a patch is available. Material zero-days affecting vendor systems often appear as posture divergence events before the vendor formally discloses.