Drata Release Notes
66 release notes curated from 45 sources by the Releasebot Team. Last updated: Jul 9, 2026
- Jul 8, 2026
- Date parsed from source:Jul 8, 2026
- First seen by Releasebot:Jul 9, 2026
Drata Now Supports APRA CPS 230: Built for Both Sides of the Relationship
Drata releases its APRA CPS 230 framework for regulated entities and material service providers, with live support for governance, operational risk, incident management, business continuity, and service provider management, plus reusable controls, audit-ready evidence, and Trust Center sharing.
Drata's APRA CPS 230 framework is purpose-built for regulated entities and material service providers.
Here's what's live and why the July 2026 deadline was only the beginning of CPS 230.
APRA's Prudential Standard CPS 230 came into force on July 1st, 2025.
As of 1 July 2026, pre-existing service provider contracts must be uplifted to meet CPS 230, and the deferred business continuity requirements now apply to non-significant financial institutions.. Organizations that haven't started are already behind — and for most, the honest answer to "are we ready?" exposes a familiar set of problems: risk programs running separately from business continuity, third-party contracts that haven't been uplifted, and no single source of truth for which vendors are material and what happens if one goes down.
Drata's APRA CPS 230 framework is now live. Developed alongside one of Drata's leading Australian audit alliance partners, the framework is purpose-built to help both APRA-regulated entities and the material service providers (MSPs) they rely on meet CPS 230 requirements.
The Compliance Challenge CPS 230 Creates
CPS 230 consolidates three previously separate compliance programs — operational risk management, business continuity, and third-party/outsourcing risk — into one integrated, Board-accountable standard. That scope is what makes it genuinely difficult to implement well. It's not enough to check each area separately. APRA expects organizations to connect all three into a coherent operational risk profile, with a single auditable evidence trail.
Most organizations trying to get ready are confronting a version of the same structural problem: risk in a spreadsheet, a BCP that lives in a document, third-party management in a separate platform, and no audit-ready evidence linking any of it. When APRA reviews compliance, they're looking for a coherent operational risk profile,not three disconnected programs.
CPS 230 also creates obligations on both sides of the service provider relationship. Regulated entities must hold their MSPs to the standard; MSPs must demonstrate assurance to their regulated customers. A compliance program that only addresses one side leaves the other exposed.
What's Live in Drata
Drata's CPS 230 framework covers all five requirement areas — Governance, Operational Risk Management, Incident Management, Business Continuity, and Service Provider Management — with two complementary configurations designed to work together:
For APRA-Regulated Entities
Pre-built requirements and controls mapped to all five CPS 230 areas, connected to integrated risk management, TPRM, and business continuity workflows. CPS 230 controls are cross-mapped to SOC 2, ISO 27001, Essential Eight, and NIST CSF from day one — evidence collected for existing frameworks reuses automatically for CPS 230, with no separate compliance silo.
For Material Service Providers
A purpose-built MSP configuration that maps exactly which obligations apply to providers, not just to regulated entities. MSPs can operationalize their requirements, generate audit-ready evidence, and share their posture directly with regulated customers via the Drata Trust Center.
Additional capabilities live in the framework:
- TPRM / MSP Register — a single source of truth for MSP registration, supporting the annual register submission requirement to APRA
- TPRM AI Agent — streamlines third-party risk reviews and direct vendor data collection for MSP oversight
- Policy templates aligned to CPS 230, including Business Continuity, Third-Party Management, Risk Assessment, and Information Security
- Audit Hub — centralized evidence and reviewer collaboration for APRA reviews and internal audit assurance
- Continuous control monitoring — automated evidence collection and monitoring for key CPS 230 controls
Who This Is Built For
Directors of Compliance and GRC Managers at regulated entities are are now past the July 2026 deadline with a set of still-open items: legacy vendor contracts not yet uplifted to CPS 230 minimum provisions, a BCP that exists in documents but isn't linked to critical operations or tolerance levels, and no centralized MSP register. Drata's framework connects the BIA, critical operations register, tolerance levels, and BCP under one platform with the audit trail APRA expects.
CISOs at regulated entities own both the security and operational risk programs — and CPS 230 makes Board accountability explicit. CISOs need to surface the right evidence to the Board, not just pass an audit. Drata's integrated operational risk and TPRM gives them real-time visibility into MSP concentration risk, incident notification readiness tied to the 72-hour and 24-hour APRA obligations, and cross-framework control coverage from existing programs.
MSP compliance and security leaders are often blindsided by CPS 230. If an APRA-regulated customer has designated you as a material service provider — which they determine based on whether you support a critical operation, not whether you volunteer for it — their CPS 230 obligations flow downstream to you through contract requirements.
As of 1 July 2026, those contracts must already reflect CPS 230 provisions, and any that don’t are a live gap.. Providers with CPS 230 assurance ready will win and retain business; those without will face contract renegotiation. Drata's MSP configuration gives providers a fast path from their existing SOC 2 or ISO 27001 to a defensible CPS 230 posture, with Trust Center sharing for direct customer assurance.
What Makes Drata's Approach Different
Having a framework name in a GRC platform is a starting point, not a finish line. The quality of the implementation is what determines whether organizations can actually use it to meet their CPS 230 obligations — and three things set Drata's framework apart.
Built with Australian Auditors Who Understand How APRA Assesses Compliance
The framework was developed alongside one of Drata's leading Australian audit alliance partners and reflects CPG 230 guidance on how APRA supervisors actually review compliance in practice — including evidence expectations for controls and common supervisory findings. That matters when the reviewer asks for evidence on a specific requirement rather than just a control list.
Both Sides of the Relationship, in One Platform
CPS 230 creates accountability obligations on both regulated entities and their MSPs. Drata built two complementary configurations that map exactly which obligations belong to which party — eliminating the accountability gap that creates compliance risk when each side is operating in isolation.
Test Once, Satisfy Many
CPS 230 controls are cross-mapped to SOC 2, ISO 27001, Essential Eight, and NIST CSF. Organizations that already have other frameworks in Drata can reuse a significant portion of existing evidence for CPS 230, rather than running a separate compliance program from scratch.
Get Started
The CPS 230 framework is available now in the Drata GRC platform. For APRA-regulated entities and material service providers now subject to CPS 230, the time to close remaining gaps is now.
Request a demo or log in to your Drata account to add the CPS 230 framework.
Original source - Jul 2, 2026
- Date parsed from source:Jul 2, 2026
- First seen by Releasebot:Jul 4, 2026
Chrome Extension 2.7.1 Available
Drata releases SafeBase Chrome Extension 2.7.1.
Version 2.7.1 of the SafeBase Chrome Extension is out! Click here to learn more!
Original source All of your release notes in one feed
Join Releasebot and get updates from Drata and hundreds of other software products.
- Jul 2, 2026
- Date parsed from source:Jul 2, 2026
- First seen by Releasebot:Jul 4, 2026
Clearer AI Accuracy Labeling
Drata updates the AI Accuracy label on the AI Analytics dashboard to better clarify the metric.
We have updated the “AI Accuracy” label to “AI Accuracy (Approved Without Edits)” on the “AI Analytics” dashboard to help customers better understand the metric. Click here to learn more!
Original source - Jul 2, 2026
- Date parsed from source:Jul 2, 2026
- First seen by Releasebot:Jul 4, 2026
New Framework Support: CyberFundamentals (CyFun)
Drata adds CyberFundamentals support with continuous monitoring, automated workflows, and integrated risk for CyFun and NIS 2 alignment.
Drata operationalizes the CyberFundamentals framework with continuous monitoring, automated workflows, and integrated risk so organizations can align with CyFun and NIS 2 expectations. Click here to learn more!
Original source - Jul 2, 2026
- Date parsed from source:Jul 2, 2026
- First seen by Releasebot:Jul 3, 2026
Chrome Extension 2.7.1 Available
Drata releases SafeBase Chrome Extension 2.7.1 with better Content Collections support and ZenGRC fixes.
Version 2.7.1 of the SafeBase Chrome Extension is out with the following updates:
- Improved support for Content Collections
- Fixed issues with ZenGRC portals
- Behind-the-scenes support for multi-product questionnaires
- Other small improvements and enhancements
Similar to Drata with recent updates:
- Okta release notes75 release notes · Latest Jul 9, 2026
- n8n release notes59 release notes · Latest Jul 7, 2026
- Hubspot release notes158 release notes · Latest Jun 30, 2026
- Slack release notes175 release notes · Latest Jul 1, 2026
- Ubiquiti release notes763 release notes · Latest Jul 10, 2026
- Obsidian release notes90 release notes · Latest Jun 9, 2026
- Jun 29, 2026
- Date parsed from source:Jun 29, 2026
- First seen by Releasebot:Jun 29, 2026
Turning CyberFundamentals Into Continuous Trust With Drata
Drata now supports Belgium’s CyberFundamentals framework with continuous monitoring, automated workflows, integrated risk, and reusable evidence across CyFun, ISO 27001, NIST CSF, and SOC 2, helping teams move from static self-assessments to continuous compliance.
See how Drata operationalizes Belgium’s CyberFundamentals framework with continuous monitoring, automation, and integrated risk so enterprises can align CyFun with broader cyber resilience efforts without adding headcount or more spreadsheets.
As NIS 2 raises the bar across Europe, organizations operating in Belgium are taking a closer look at CyberFundamentals (CyFun) as a practical national framework for structuring cyber resilience efforts. For enterprises with operations in Belgium, CyFun gives teams a concrete way to structure security expectations and show progress over time.
The problem is that most CyFun programs are still driven by static spreadsheets, email threads, and one-off self-assessments. That model doesn’t scale for complex environments, multiple frameworks, and lean security teams.
Drata’s CyberFundamentals support is designed to change that.
The Challenge: CyberFundamentals Without More Overhead
CyFun, owned by the Centre for Cybersecurity Belgium (CCB), is a framework that offers a clear, step-by-step approach to help organisations protect their data, significantly reduce their risk of common cyber-attacks, and improve cyber resilience. It uses a proportional assurance model with three assurance levels, Basic, Important, and Essential, preceded by an entry level called Small.
For enterprises, especially those already running ISO 27001, NIST CSF, SOC 2, or CIS Controls, CyFun introduces several challenges:
- Duplicated work across frameworks. Teams struggle to understand how CyFun maps to existing ISO/NIST programs, leading to parallel implementations and redundant evidence collection.
- No single view of CyFun coverage. Maturity assessments live in spreadsheets and slide decks, not in an operational system of record with real-time control status.
- Limited visibility for leadership. Boards, CISOs, and regulators expect proof of annual progress and continuous improvement, not one-off self-assessments that go stale quickly.
- Pressure from broader European cyber resilience obligations. CyFun is not a legal requirement, but the 2025 update does introduce an important key measure on sharing cybersecurity incidents with relevant external stakeholders and reporting significant incidents to authorities as required by law. .
For GRC leaders and CISOs, the ask is clear: operationalize CyFun as part of your broader program, without creating another siloed project or tool stack.
The Solution: Operationalizing CyberFundamentals in Drata
Drata operationalizes the CyberFundamentals framework with continuous monitoring, automated workflows, and integrated risk, so organizations can align with CyFun and NIS 2 expectations without adding headcount or more spreadsheets.
CyFun is available as a dedicated framework within Drata, with:
- Requirements mapped to Drata Common Controls (DCF) so you can implement a control once and reuse evidence across CyFun, ISO 27001, NIST CSF, SOC 2, and more.
- Tailored policy templates covering areas CyFun expects—such as acceptable use, asset management, backups, incident response, encryption, physical security, access control, and vendor management—managed centrally in Policy Center.
- Continuous control monitoring via integrations and automated tests, replacing static self-assessment checklists with a live control map.
Because CyFun is supported by relevant insights from the NIST Cybersecurity Framework, ISO 27001/ISO 27002, IEC 62443, and the CIS Critical Security Controls, Drata helps teams align CyFun work with broader security and compliance efforts without creating a separate operating silo.
Use Cases by Persona
Director / Head of GRC or Compliance
For champions responsible for overall governance, Drata provides a single view of CyFun controls, tasks, and evidence across all three assurance levels. You can map CyFun to your existing ISO and NIST controls, track recurring activities (like vulnerability scans, access reviews, and backup tests), and show boards and regulators a defensible improvement story year over year.
CISO / VP Security
Security leaders gain continuous visibility into CyFun safeguards—such as MFA, backups, logging, antivirus, segmentation, and risk management—through Drata’s monitoring, Risk Management, and Vulnerability Monitoring capabilities. This makes it easier to demonstrate a structured, risk-based CyFun program while supporting broader cyber resilience efforts without ballooning assurance headcount.
Security Engineers and IT Admins
Practitioners responsible for implementing CyFun key measures can orchestrate patching, backups, VPN/MFA deployment, endpoint protection, logging, and awareness training using Drata’s integrations, automated tests, and Task Management. Evidence is captured once and reused across frameworks and questionnaires instead of being rebuilt for each review.
Third-Party Risk Teams
Third-Party Risk Teams can leverage agentic workflows to assess suppliers against CyFun’s supply chain-related standards and tie their third-party posture back to the same CyFun-aligned view of risk and controls.
The Impact: From Static Self-Assessments to Continuous CyberFundamentals Readiness
Enterprises using Drata for CyberFundamentals realize four key outcomes:
Continuous CyFun readiness
Move beyond annual CyFun self-assessment checklists to a live control map with automated testing, so teams always know where they stand across CyFun Basic, Important, and Essential levels.Single implementation for multiple frameworks
Implement a control once in Drata and reuse evidence across CyFun, ISO 27001, NIST CSF, SOC 2, and more—eliminating redundant projects and spreadsheets.Automated cyber hygiene at scale
Use Drata’s integrations, tests, and workflows to automate evidence collection and reminders for CyFun’s low-cost, high-impact safeguards, such as MFA, backups, patching, logging, and awareness training.Provable, shareable assurance
Publish your CyFun-aligned posture via Drata Trust Center and use AI Questionnaire Assistance to auto-draft responses to CyFun- and NIS 2–related questionnaires using existing evidence—shortening procurement and review cycles.
Why It Matters for Complex Environments
For enterprises with Belgian operations, CyFun is explicitly aligned with ISO and NIST and is intended as a practical baseline and bridge—not a competing ISMS. Drata’s approach turns that baseline into an advantage:
- Continuous vs. periodic. CyFun is often implemented as an annual self-assessment; Drata makes CyFun continuous, monitored, and evidenced.
- Unified vs. siloed. Generic GRC or local tools often require separate projects for CyFun, ISO, and NIST; Drata unifies frameworks and evidence in one platform so teams work from a single source of truth.
- Agentic, AI-native automation. Drata’s AI and workflow engine reduce manual work across evidence collection, risk, and questionnaires—critical for the lean teams CyFun was designed to support.
- Trust as a business accelerator. By combining continuous monitoring with a public-facing Trust Center, CyFun alignment becomes something you can demonstrate to customers, partners, insurers, and regulators—not just claim in a slide deck.
See CyberFundamentals in Drata
See CyberFundamentals in Drata
CyberFundamentals is already available as a framework in Drata, with requirements, DCF control mappings, and policy templates, supported by the same Continuous Compliance, Integrated Risk Management, Policy Center, Trust Center, and AI Questionnaire Assistance capabilities you use today.
If you’re responsible for CyFun alignment and broader cyber resilience readiness in Belgium, now is the time to move from static assessments to continuous assurance.
Request a demo to see how CyberFundamentals fits into your broader compliance and risk program, and how you can operationalize it without adding another tool or team.
Original source - Jun 26, 2026
- Date parsed from source:Jun 26, 2026
- First seen by Releasebot:Jun 28, 2026
- Modified by Releasebot:Jul 4, 2026
Multiple Risk Registers and Workspace Support
Drata adds Multiple Risk Registers and Workspace Support in the new Drata experience for more flexible risk management.
Multiple Risk Registers and Workspace Support are now generally available in the new Drata experience.
Together, these capabilities give customers more flexibility to organize risk management by business structure and extend risk workflows across workspaces.
Click here to learn more!
Original source - Jun 26, 2026
- Date parsed from source:Jun 26, 2026
- First seen by Releasebot:Jun 28, 2026
AI Test Failure/Error Diagnosis and Remediation Guidance
Drata now extends AI summaries to diagnose failing tests with plain-language root causes and step-by-step remediation in Monitoring.
Drata now extends AI summary capabilities to automatically diagnose failing and erroring tests, surfacing plain-language root cause summaries and step-by-step remediation guidance directly in the Monitoring experience.
Click here to learn more!
Original source - Jun 25, 2026
- Date parsed from source:Jun 25, 2026
- First seen by Releasebot:Jun 26, 2026
When One Risk Register Starts Holding You Back
Drata launches Multiple Risk Registers in Risk Management Pro, giving teams a new way to organize risks by region, product, or business unit while keeping a unified view of posture across registers and workspaces. It adds register-level ownership, flexible controls mapping, and clearer analytics.
Learn how Multiple Risk Registers in Drata’s Risk Management Pro let you organize, move, and analyze risks across regions, products, and workspaces—without losing a unified view of overall posture.
Most mature risk programs don’t think in terms of “one big list.” They think in terms of regions, product lines, and business units—APAC versus global, Product A versus Product B, enterprise-wide strategic risks versus more localized issues.
When everything is forced into a single register:
- Ownership gets blurry as different teams crowd into the same view.
- It’s hard to separate what’s happening in one region or product from the rest of the business.
- Reporting turns into manual filtering, exporting, and reconciling just to answer basic questions.
At the same time, risks rarely line up cleanly with a single system or workspace. A single risk—like an outage scenario in APAC—can span multiple products, services, and teams. If your tools only see part of that picture, it’s harder to understand where controls are mapped, who owns what, and what your actual exposure looks like.
Risk leaders need two things at once:
- Structure that reflects how they actually manage risk (by region, product, or business unit).
- A unified view that still shows the full risk picture across all of those slices—without duplicating effort or losing control of configuration.
Shape Your Risk Registers Around How You Actually Operate
As part of Drata’s Integrated Risk Management capability on the Agentic Trust Management Platform, Multiple Risk Registers in Risk Management Pro gives teams a way to mirror how they run their programs—while keeping a unified, continuously visible view of overall exposure across registers and workspaces.
This capability is available to customers with Risk Management Pro enabled and includes updates across roles, navigation, register setup, and analytics.
Give Every Register a Clear, Accountable Owner
In role administration, a new Risk Register Owner role lets you assign day-to-day ownership at the register level:
- Risk Register Owners can manage all risks within the registers they own.
- They cannot change global risk settings, which stay with existing Risk Manager–type roles.
This is designed to sit alongside your current model:
- Existing roles like risk owner and restricted risk manager continue to control which individual risks a user can see or act on.
- Combined, this gives you clear boundaries: global configuration in one place, register-level ownership in another, and risk-level permissions on top—so only the right people have access to each register and its risks.
See Every Risk—No Matter Which Register It Lives In
The Risk area now makes it easy to move between a unified view and register-level detail:
- All Risks gives each user a consolidated list of all risks across all registers they have permission to see, using the same access model and filters they’re used to.
- Registers shows a list of the registers they can access, with the ability to drill into a specific register or create a new one.
If no registers have been created yet, the Registers view will simply appear empty until you stand up your first one.
In Risk Insights, register becomes a first-class filter:
- Filter by one register to see that slice of your program on its own.
- Combine multiple registers to see a rollup across, for example, APAC and Enterprise.
- Clear filters to see an aggregate view across all registers.
You use the same familiar filters (status, severity, and more), with register acting as another dimension for analysis.
Create Registers for Regions, Products, or Business Units
From the Registers view, you can stand up new registers that reflect how your team actually works:
- Give each register a clear title (for example, “APAC Risks” or “Enterprise Risks”).
- Add an optional description for additional context.
- Choose whether to associate controls to risks in that register (this is selected by default and is generally recommended).
- If Workspaces are enabled, optionally associate one or many related workspaces with the register.
- Optionally assign one or more register owners.
The design is intentionally flexible:
- You’re not limited to a one-register-per-workspace model.
- A single register can span multiple workspaces—such as an APAC register that applies to several product workspaces.
Only workspaces a user already has access to will appear in the related Workspaces selection. If your tenant doesn’t use Workspaces, that field simply doesn’t appear.
Every register starts with the standard template library of risk scenarios, and that library is the same across registers, so you can keep scenario definitions consistent while you add more structure.
Reorganize Existing Risks Without Starting Over
If you already have a single, established register, you don’t have to start from scratch.
With Multiple Risk Registers, you can:
- Select risks in an existing register (for example, Enterprise Risks) and move them into a new register (such as APAC Risks).
- Move multiple risks at once—those risks are removed from the original register and now live in the new one, maintaining a single source of truth.
Today, risks cannot be copied so that they exist in multiple registers simultaneously. If you need to represent a similar scenario in more than one register, you can create a new risk in the destination register, or import risks into another register via CSV.
Within any register, you can add new risks in two ways. Either one by one through the standard create-risk flow (choosing the risk source—internal or vendor—setting status, title, and other required details), or in bulk via CSV upload.
The core create-risk experience remains the same, Multiple Risk Registers just adds structure on top of what you already know.
Connect Each Risk to the Right Controls Across Workspaces
Multiple Risk Registers also extends how risks connect to controls and Workspaces.
When you create or edit a risk, you can:
- Map the risk to controls by framework (for example, all controls associated with SOC 2 requirements).
- Filter the available controls by one or more of the workspaces related to that register.
- Leave the workspace filter blank to see controls across all related workspaces.
This makes it possible for a single risk to be mapped to controls across multiple workspaces. In the APAC example, one APAC risk can be associated with controls from several product workspaces if that’s how the organization truly mitigates that risk.
Workspace behavior for risk is handled inside the feature itself:
- The workspace picker at the top of the app does not control what appears in Risks and Registers.
- Changing the global workspace selector will take you back to the dashboard, but it won’t change which registers or risks you see.
- Instead, workspace scoping for risk is driven by each register’s related Workspaces and the controls those workspaces contain.
Keep Scoring and Categories Consistent as You Scale
To keep assessments comparable across the program, core configuration stays global:
- Custom scoring models, categories, and thresholds defined in risk settings apply to all registers; there is no per-register scoring or categorization in this release.
- Custom fields created for risks also apply across every register.
That means you can introduce new registers, move risks between them, and scale your structure without fragmenting how risks are scored or categorized. Governance stays centralized, while execution becomes more segmented and manageable.
How Multiple Risk Registers Changes Your Day-to-Day
Enterprise GRC Director
- Problem: Needs to see risk across regions and product lines, but a single register makes it hard to distinguish what’s happening in APAC versus globally.
- Solution: Create separate registers (for example, APAC and Enterprise), associate them with the right workspaces, and use All Risks and register filters in Insights to move between segmented and rollup views.
- Outcome: A clearer picture of regional versus enterprise risk without maintaining separate tools or manual rollups.
Risk Director or Risk Manager
- Problem: Wants to segment risks into meaningful domains (APAC, Enterprise, specific products) and assign accountable owners—without handing out broad configuration access.
- Solution: Use the Risk Register Owner role to give specific teams ownership over their registers, while keeping global scoring, categories, and thresholds in central Risk Management roles.
- Outcome: Local teams manage their own registers day-to-day, while overall governance remains consistent and centrally controlled.
GRC or Security Program Owner / Admin
- Problem: Already has a populated single register but needs more structure without re-implementing everything.
- Solution: Stand up new registers, move existing risks into them, or import via CSV, all while reusing the same templates, risk settings, and custom fields.
- Outcome: A more organized, multi-register risk program with minimal rework and no loss of historical data or configuration consistency.
The Business Impact: Structure, Visibility, and Control
Multiple Risk Registers is designed to improve both how risk teams work and how leaders see their posture with:
- Programs structured the way you actually operate. Registers can mirror regions, products, or business units instead of forcing everything into one list, and ownership and workflows become clearer at the register level.
- Unified, continuous visibility across the program with All Risks and register-aware Insights that let you see aggregate and per-register views in one place, and risk posture stays continuously visible across regions, products, and workspaces instead of being fragmented across tools or spreadsheets.
- Less manual reconciliation and fewer fire drills thanks to flexible mapping between risks, controls, and Workspaces means you don’t have to maintain duplicate lists or workarounds when risks span multiple areas. Global settings keep scoring and categories aligned, reducing configuration drift over time.
- Tighter access and accountability via the combination of Risk Register Owner, risk owner, and restricted risk manager roles ensures the right people have access to the right registers and risks. No more all-or-nothing access.
Why Drata Stands Out
Multiple Risk Registers is part of Drata’s broader approach to Integrated Risk Management on the Agentic Trust Management Platform:
- Enterprise-grade flexibility: Many-to-many relationships between registers and Workspaces (one register to many workspaces, and one risk to controls across multiple workspaces) match the complexity of modern organizations instead of forcing a one-register-per-workspace compromise.
- Centralized governance, decentralized execution: Global scoring models, categories, thresholds, and custom fields apply across all registers, while register-level ownership and structure stay close to the teams that manage the work.
- One platform for a complete view of risk: All Risks and register-aware Insights give leaders a clear, consistent lens on risk across regions, products, and business units—without stitching together exports or external spreadsheets.
It’s a focused release that deepens Drata’s role as the place where risk is not only documented, but structured, owned, and continuously visible across the business.
Bringing It All Together
Risk programs don’t stand still. As you add regions, products, and teams, the way you organize risk has to evolve too.
Multiple Risk Registers in Risk Management Pro lets you:
- Reflect your organizational reality with registers that match how you operate.
- Keep a single, unified picture of risk across all those registers and workspaces.
- Maintain consistent scoring and configuration as your program grows.
If you’re ready to start structuring your risks with Multiple Risk Registers, connect with your Drata account team or admin to plan your first set of registers and how to roll them out across your environment.
Not a Drata customer yet? Schedule a demo to learn more.
Original source - Jun 22, 2026
- Date parsed from source:Jun 22, 2026
- First seen by Releasebot:Jun 23, 2026
AI-Assisted Trust Center Setup
Drata adds AI-Assisted Trust Center Setup to generate Trust Center content from uploads, knowledge base content, and synced evidence.
For customers with an unpublished Trust Center, AI-Assisted Trust Center Setup automatically analyzes uploaded documents, knowledge base content, and synced evidence to generate Trust Center content in minutes, helping customers achieve faster time to value. Click here to learn more!
Original source - Jun 22, 2026
- Date parsed from source:Jun 22, 2026
- First seen by Releasebot:Jun 23, 2026
New Role: Trust User
Drata adds a new Trust User role for dedicated access to Trust Center and Questionnaires (AIQA) SSO links in side navigation.
With the new Trust User role, you can now give users dedicated access to the Trust Center and Questionnaires (AIQA) SSO links in the side navigation. Click here to learn more!
Original source - Jun 17, 2026
- Date parsed from source:Jun 17, 2026
- First seen by Releasebot:Jun 18, 2026
From Intake Request to Security Approved: How Zip and Drata Automate Vendor Reviews
Drata adds a Zip integration that auto-creates vendor records, starts security reviews, and syncs approvals back to procurement. It reduces manual handoffs, maps key vendor data, and attaches relevant documents to keep third-party risk reviews moving.
Drata's Zip integration auto-creates vendor records and kicks off security reviews. No more manual handoffs.
Every time your team submits a new vendor intake in Zip, someone on the security team has to be notified, a review has to be kicked off, and the result has to make its way back to procurement before anything gets approved. For fast-growing companies, this manual handoff is one of the most persistent sources of friction between procurement and security—and it often keeps third-party risk reviews stuck in spreadsheets or limited to only “critical” vendors, leaving gaps that raise overall risk.
The Drata and Zip integration helps eliminate this.
The Problem: Procurement and Compliance Don't Talk to Each Other
Most companies manage vendor intake and vendor security in separate systems. Zip handles the procurement side — intake submissions, approval workflows, spend controls. Drata handles the compliance side — vendor security reviews, evidence collection, control monitoring.
The gap between them is manual. Someone on the procurement team submits a vendor intake in Zip and emails the security team. The security team creates the vendor record in Drata and kicks off a review. Eventually they email back with an approval. The whole process takes days, sometimes weeks — and requires both teams to stay in sync across systems that don't communicate.
For companies targeting SOC 2, ISO 27001, or any framework that requires vendor due diligence, this friction doesn't just slow things down — it creates risk. Vendors can get approved for spend before a security review is complete.
The Solution: Zip × Drata Integration
Drata now integrates directly with Zip. When a team member submits an intake request in Zip for a new vendor, Drata detects it automatically and does three things:
- Creates the vendor record in Drata — no manual entry required.
- Maps standard fields from Zip intake directly to the Drata vendor record, so all context carries through.
- Kicks off a vendor security review according to your configured Drata program settings.
When the review is complete and approved in Drata, the status syncs back to Zip automatically. Procurement sees the approval. Vendor onboarding keeps moving. No email chains. No duplicate data entry. No vendor slips through the gap.
How It Works: Step by Step
- A team member submits an intake request in Zip and selects a new vendor.
- Zip detects that the vendor is new and triggers the Drata integration.
- Drata automatically creates the vendor record and starts a security review based on your program configuration.
- Relevant documents (SOC 2, ISO certification, bridge letters, pen test reports) are attached automatically based on your configured document type filters.
- The security team completes and approves the review in Drata.
- Drata syncs the approval back to Zip via webhook — immediately and at scale.
- The Zip request is now cleared for approval with a verified security review on record.
What's Included in the Integration
- Standard Zip vendor fields can map to Drata vendor records out of the box. Custom fields are on the roadmap for a future phase.
- Vendor contact name and email from the Zip vendor contact object are automatically mapped to Drata — no manual configuration needed.
- Intake data can be converted to PDF and attached directly to the Drata vendor record.
- Document attachments are filtered by type (SOC 2, ISO, bridge letters, pen test) and are configurable per deployment.
- Deep links to Drata vendor records are now returned directly in the Zip API response.
Setup in Drata
In Drata, go to Settings → Integrations and select Zip. From there:
- Generate API credentials with the required scopes.
- Paste credentials into Zip — the integration pulls what it needs automatically.
- Configure field mappings and set the default Drata User ID as vendor owner.
- Select which document types should be attached per deployment.
That's the setup. Once live, the integration runs in the background — no ongoing configuration needed.
Get Started
The Zip × Drata integration is available now. If you use both Zip and Drata, connect the integration in Settings → Integrations in your Drata account.
Not yet a Drata customer? See how Drata works and book a demo now.
Original source - Jun 16, 2026
- Date parsed from source:Jun 16, 2026
- First seen by Releasebot:Jun 17, 2026
Launch Your Trust Center in Minutes, Not Days
Drata adds AI Trust Center Setup to draft Trust Item descriptions from existing security documents, link source evidence, and speed Trust Center launches from days to a single review session, with human review and approval kept in control.
AI Trust Center Setup
AI Trust Center Setup drafts items from your existing security documents and links source evidence. Review, edit, and publish your Trust Center in minutes, not days.
Compliance teams begin their Trust Center launch with a lot already in hand. SOC 2 reports. Security policies. Knowledge base content built up over years of answering vendor questions. And when it’s time to start building their Trust Center, every standard Trust Item description starts with information that already lives somewhere in those documents.
The work of a Trust Center launch has always been translating that source material into customer-facing content, then linking the right evidence to each item. It's careful work. It's meaningful work. It's also the work that compliance teams tell us takes the longest.
Starting now, AI Trust Center Setup makes that work faster.
What AI Trust Center Setup Does
AI Trust Center Setup reads the security documents and knowledge base content your team has already uploaded, drafts descriptions for dozens of standard Trust Items, and links the relevant source documents to each one. The Trust Center launch goes from a multi-day writing project to a single review session. You stay in control: every AI-generated description lands in a review staging interface before anything publishes.
The launch work that takes the longest gets done by the AI. The work that requires judgment (review and approval) stays with you.
How It Works
Inside the Trust Center Editor, you click Generate Draft. The configuration wizard opens. You decide what to generate and whether to auto-link source documents (default = auto-link on).
Then the AI gets to work. It runs asynchronously, so you can keep using the Trust Center Editor while generation runs in the background. The system uses the same retrieval-augmented generation pipeline that powers single-item AI editing today, applied at scale.
When generation completes, every Trust Item description and linked document can be reviewed and edited before publishing.
What Stays In Your Hands
Speed without control is unacceptable for compliance content. We built AI Trust Center Setup around that constraint.
Using the review step-by-step process, Trust Items are never overwritten silently. New items default to Restricted access, so a bulk generation pass cannot accidentally make sensitive content public. Item types that require structured data (Sub-processors, Security Grades, Integration Items) are excluded from generation entirely, because low-quality AI output on structured items is worse than no output at all.
You control the process and determine when it's ready following review and approval.
Why This Matters Now
Trust Centers are an active sales asset. Buyers expect a self-serve link to your security posture before the first call. Procurement teams open access requests with timelines that compliance can't always meet manually.
Faster Trust Center launches mean faster customer activation and shorter sales cycles. For your compliance team, the benefit is more direct: hours back in the week. The work shifts from writing to validating; the team can focus on the parts of compliance that actually require their expertise.
Getting Started
AI Trust Center Setup is available now for customers with the GenAI setting enabled. If you're a current customer who’s ready to start launching your Trust Center, reach out to your account team. If you're evaluating Drata, ask for a demo of AI Trust Center Setup in your next call with our team. The fastest way to feel the difference is to watch a Trust Center go from empty to live in a single review session.
Original source - Jun 16, 2026
- Date parsed from source:Jun 16, 2026
- First seen by Releasebot:Jun 17, 2026
Drata Academy Is Here: On-Demand Training for Drata Customers
Drata launches Drata Academy, a self-serve training resource that helps customers learn the platform at their own pace, onboard faster, and build confidence with core workflows and new features.
Drata Academy is a new self-serve training resource designed to help customers learn the platform, onboard faster, and build confidence across key workflows.
Drata customers now have a new way to learn the platform on their own schedule.
We’re thrilled to introduce Drata Academy, a self-serve training resource built to help customers get more value from Drata—whether they’re just getting started, training new team members, or looking to sharpen their knowledge of key workflows and product updates.
Drata Academy is designed to make learning more flexible and practical. Instead of waiting for live sessions or digging through scattered resources, customers can move through training at their preferred pace and return to courses whenever they need a refresher.
What Customers Will Find in Drata Academy
With Drata Academy, customers can:
- Take courses at their own pace
- Learn how to use the core areas of Drata
- Get up to speed on new features and workflows
- Accelerate onboarding and implementation
- Train teammates more efficiently as their use of Drata grows
This launch is part of a broader effort to create a more scalable, intuitive learning experience that helps customers reach value faster, increase adoption of key product areas, and reduce friction during onboarding.
Built Around How Teams Actually Work
As teams implement and expand their use of the Drata platform, they often need training that fits around busy schedules, different roles, and evolving priorities. Drata Academy offers customers a central place to build product knowledge in a way that is self-directed, repeatable, and easier to scale across teams.
The Smarter Way To Ramp on Drata
Whether you’re onboarding for the first time or bringing additional team members, Drata Academy is meant to help you build confidence faster. Customers can explore guided learning on foundational areas of the platform, revisit lessons as needed, and stay current as new capabilities are introduced.
This is just the beginning—expect new courses and expanded content as Drata grows and evolves.
Getting Started With Drata Academy
If you’re a Drata customer, you’ll get an email explaining how to opt-in to the new Drata experience and access the Drata Academy. From there, you can start exploring available courses. And if you’re not a current Drata user, join the mission—get started by booking a demo now.
Original source - Jun 12, 2026
- Date parsed from source:Jun 12, 2026
- First seen by Releasebot:Jun 17, 2026
AI Policy Version Comparison for Faster Reviews
Drata introduces AI Policy Version Comparison, giving policy owners one-click change summaries that speed approvals, clarify employee updates, and highlight potential compliance risks across approval, version history, and publish workflows.
See how Drata’s AI Policy Version Comparison gives policy owners one-click change summaries to speed approvals, clarify updates for employees, and surface compliance risks.
Policy updates should strengthen your security posture—not stall it. Yet for many enterprise and commercial teams, every revision kicks off another round of manual comparison, redlines, and back-and-forth just to answer a basic question: what actually changed, and what does it mean for compliance?
AI Policy Version Comparison in Drata is built to answer that question clearly. By comparing policy versions and generating a structured, AI-generated change summary, it gives approvers, auditors, and employees a concise view of what changed and why it matters, without forcing teams to reread every line.
Why Policy Changes Create Friction
When a policy is revised, approvers often have to manually compare the old and new versions to understand the scope and impact of the changes. That can mean scrolling through long documents, lining up two browser windows, or relying on tracked changes that are hard to parse at scale. It’s slow, and it’s easy for details to slip through.
The same problem shows up again when an updated policy is published. Employees are asked to acknowledge updates, but there’s rarely a simple, standardized way to summarize what changed for them. People click “accept” with limited context, and compliance leaders miss a chance to reinforce key updates.
Finally, leaders responsible for risk and compliance need to understand whether policy changes introduce new gaps or create conflicts with existing frameworks. Without a structured view of changes and their potential implications, they have to piece this together manually, adding more time and uncertainty to every review cycle.
How AI Policy Version Comparison Works
AI Policy Version Comparison uses Drata AI to handle the comparison work while keeping your team fully in control of decisions. When you generate a change summary between two versions of a policy, Drata produces a three-part, structured overview:
- Executive summary: a high-level overview of what changed.
- Detailed change log: specific additions, removals, and modifications.
- Risk/compliance notes: potential compliance implications associated with the changes.
You can generate this summary in several places within Drata’s new experience:
- During the approval workflow: approvers can trigger a one-click Drata AI comparison while reviewing a policy in Needs Approval or Approved status.
- From version history: compliance teams can compare any previously published version against the latest published version for audits or periodic reviews.
- In the publish/notify flow: policy owners can generate a change summary as part of publishing an approved policy and decide whether to surface that summary to employees in My Drata.
The feature is available for policies that already have a prior published version, in the new Drata experience, and respects your AI settings and role-based permissions. Policy owners, compliance managers, and other designated roles can generate summaries; anyone with access to the policy can view them.
Where This Fits in Your Policy Workflow
For enterprise and commercial customers, AI Policy Version Comparison is designed around three recurring needs.
First, policy approvers need to approve updates without reading both versions in full. With AI Policy Version Comparison, they can trigger a one-click Drata AI comparison that surfaces an executive summary, detailed change log, and risk/compliance notes during the approval workflow. This gives approvers a focused view of what changed and where to pay attention, instead of forcing them through a complete reread.
Second, compliance and HR teams need to communicate policy changes clearly when publishing updates. When an updated policy is ready to go live, the Drata AI-generated change summary can be surfaced in the publish/notify modal and added to the message employees see in My Drata. Employees are shown what changed in plain language before they acknowledge the update, which strengthens understanding and reduces confusion around new expectations.
Third, CISOs and compliance leaders need visibility into whether a policy change introduces new compliance risks. The Risk/Compliance Notes section highlights potential impacts and areas that may require further review, so leaders can address issues before a policy is finalized and published. This connects policy governance more directly to your broader risk and control environment.
What This Unlocks for GRC and Security Leaders
Across these use cases, AI Policy Version Comparison helps teams move from manual, reactive policy reviews to a more structured, repeatable process. Approvers spend less time on low-value comparison work and more time on making informed decisions. Employees get concise, trustworthy context instead of opaque update notices. Security and compliance leaders gain a consistent lens for assessing the risk impact of policy changes.
This aligns with Drata’s Agentic Trust Management Platform: automating governance tasks that traditionally slow teams down, integrating risk insights into day-to-day workflows, and providing continuous, real-time evidence of how you manage security and compliance.
Moving Policy Governance Toward Continuous Trust
Policies are one of the clearest expressions of how your organization governs security, privacy, and compliance. When those policies change, stakeholders—from auditors to employees—need a reliable way to understand what’s different and why.
By using AI Policy Version Comparison, you give every policy update a consistent change summary that’s easy to review, easy to communicate, and grounded in potential compliance impact. That makes it easier to demonstrate to auditors how your policies have evolved, to show employees exactly what’s expected of them, and to give leadership confidence that changes are being evaluated through a risk-aware lens—all core elements of continuous, real-time trust.
Start Using AI Policy Version Comparison
If you’re already using Drata’s new experience for policy management, make sure the AI settings toggle is enabled and try AI Policy Version Comparison on your next policy update. Generate a change summary during approval, version history review, or publish—and see how much easier it is for approvers, employees, and leaders to stay aligned on what changed and why.
Ready to try it? Book some time with the Drata team now.
Original source
Curated by the Releasebot team
Releasebot is an aggregator of official release notes from hundreds of software vendors and thousands of sources.
Our editorial process involves the manual review and audit of release notes procured with the help of automated systems.