Practitioner writing & workflows.
Short articles, longer annotated walkthroughs, and long-form guides on compliance, risk, vendor management, AI in GRC, and audit prep — written from real screens, not slideware.
Looking for a topic we haven’t covered yet?
Vendor Management
17Every SaaS subscription is a vendor — see them by vendor, tie each to its contract
Your software subscriptions live in one list and your vendor contracts live in another, so nobody can answer 'which contract governs Bloomberg, and what did they promise us?' Talarity reframes every software subscription by the vendor behind it — seats, spend, and next renewal rolled up — and links each one to the contract that governs it.
Trust Center — turn your security program into a self-serve sales asset
Publish your certifications, security practices, and reports at a branded /trust URL. Prospects download public documents instantly and request gated ones (SOC 2, pen tests) behind an NDA; you approve with one click and they get a time-limited download link — no more emailing PDFs around.
Hold your vendors to their SLAs — track the promise, catch the breach
Every vendor contract has an SLA — 99.9% uptime, a four-hour response — and almost nobody tracks whether the vendor actually hits it. Talarity turns each SLA into a measured metric: define the targets, record performance, and the moment a vendor slips below contract you get a breach alert and a remediation work item, with an org-wide compliance scoreboard for the board.
Can your vendors actually recover? Track vendor DR coverage
Your disaster-recovery plan is only as strong as the vendors it depends on. You assess vendors for security every year — but have you ever verified that Cirrus Cloud, Keyhold Identity, or your payment processor can recover from a disaster on a timeline your business can survive? The Vendor DR Coverage page makes that gap visible and trackable. Mapped to ISO 22301 and DORA.
Vendor concentration risk — the danger isn't any one vendor, it's the shape of the portfolio
You can vet every vendor perfectly and still be one outage away from a very bad day — because half your portfolio runs on the same cloud, or three 'independent' vendors all sit on one sub-processor, or a single sole supplier has no alternative. Talarity scores concentration across seven dimensions and surfaces the cascade before it happens.
Offboarding a vendor — the wind-down is a control, not a status change
Deleting a vendor record is the easy part. Proving you got your data back, revoked every credential, and have the destruction certificate to show for it — that's the part auditors ask about. Talarity makes vendor termination a gated, evidenced wind-down: in-flight work is cancelled, exit evidence is required before the lights go out, and the whole thing is on the record.
Residual risk, done right — what a vendor's risk actually is after your controls
A vendor's inherent risk is the headline; your residual risk is what you actually carry once your controls are accounted for. Talarity computes residual from the compensating controls you link — but only counts the ones that have passed an effectiveness test, so the number you hand an auditor is defensible, not wishful.
Vendor risk attestation — the one artifact an auditor actually asks for
You can tier a vendor, chase its SOC 2, score its risk, and remediate its findings — and still have nothing you can hand an auditor. The attestation is the defensible record: a signed, auditor-ready PDF that turns a finished assessment into a piece of evidence, with the risk determination, the findings, the required sign-offs, and the frameworks it satisfies, all in one place.
Vendor contracts, obligations & renewals — the auto-renewal you forgot is a control gap
A vendor contract is a list of promises — SLAs, breach-notification windows, audit rights, exit terms — that nobody re-reads until something breaks or the contract auto-renews with stale security clauses. Talarity tracks the obligations, queues the renewals 90 days out, and makes the renew-or-walk decision a recorded one.
Vendor findings, tracked to closure — with a second set of eyes built in
A failed pentest item, a missing SOC 2, an overdue questionnaire — vendor findings pile up faster than anyone closes them. Talarity tracks each one through a remediation lifecycle, won't let the person who fixed it sign off on their own work, and turns 'we'll deal with it' into a time-bounded, recorded risk acceptance.
Onboarding a vendor — from a name in an email to a tiered, approved, defensible record
A vendor isn't onboarded when you've typed its name into a list. It's onboarded when someone owns it, the risk it carries is profiled, an approver has signed off, and the platform has computed a defensible risk tier. Talarity makes that the path of least resistance.
One vendor program, three depths — set it up once, let it grow with you
Most TPRM tools force a choice: a spreadsheet that can't survive an audit, or an enterprise suite that buries a ten-person team. Talarity's program mode is a single dial — start Simple, grow to Complex, never migrate data or re-learn the tool.
Vendor monitoring — your assessment was true the day you ran it
A point-in-time vendor assessment starts going stale the moment you finish it. Talarity's monitoring dashboard turns the events that happen between assessments — breaches, leadership changes, incidents — into alerts you triage and reassessment flags you act on.
Vendor questionnaires — send a real SIG or CAIQ, score it the same way every time
Talarity ships an industry questionnaire library (CAIQ, SIG, VSA) you can clone, send to a vendor through a secure portal, and have scored automatically — so due diligence is repeatable evidence, not an email thread with a spreadsheet attached.
Vendor risk tiering — stop treating your stock-photo SaaS like your payments processor
A defensible vendor program doesn't review every vendor the same way. Talarity computes a repeatable risk tier from weighted factors, and a tiering policy makes each tier mean something concrete — review cadence, required evidence, monitoring, and SLAs — so effort follows risk.
Vendor risk operations playbook
An operational playbook for running a TPRM program — tiering, intake, due diligence, contract management, ongoing monitoring, and offboarding. With realistic SLAs and the gotchas nobody documents.
The vendor questionnaire problem
You send a SIG. They send back a CAIQ. You wanted SOC 2. They want a phone call. Eight weeks later, the deal is stuck. Here's why third-party assessments are broken — and what actually fixes it.
Governance
18Change Advisory Board — raise a production change, route it through CAB, and approve it on the record
Production changes are where good intentions meet outages. Talarity's Change Advisory Board gives you a change-request register with automatic risk scoring, a submit-to-CAB workflow, a multi-role approval quorum you record decision-by-decision, and a change calendar — the auditable CC8.1 / A.8.32 evidence a manual change process never leaves.
ESG Program Management — track your metrics, disclosures, and initiatives against CSRD, SASB, GRI, TCFD, and CDP
ESG reporting has gone from a nice-to-have to a filing. Talarity's ESG module gives you a metric register with time-series values and targets, framework disclosures (CSRD / SASB / GRI / TCFD / CDP) you take from draft to published, an initiative tracker, and a program dashboard — so your sustainability statement is something you maintain, not something you assemble under deadline.
AI Governance — a real inventory of your AI systems, mapped to the EU AI Act, NIST AI RMF, and ISO 42001
Your AI footprint grew faster than your governance. Talarity's AI Governance module gives you a live register of every AI system, framework assessments against the EU AI Act / NIST AI RMF / ISO 42001, and control mappings you can attest with evidence — with a dashboard that shows coverage at a glance.
Export and verify your audit trail for SOC 2
Pull your full audit trail as a SOC 2 evidence file in any format, then prove it wasn't altered with a one-click tamper-evidence check — backed by a per-row hash chain and a Merkle root your auditor can re-verify offline.
Catch toxic access combinations with Segregation of Duties
Define the pairs of duties no single person should hold — approve and disburse, accept a risk and own its control — and Talarity flags every user who holds both, with ten framework-mapped starter rules out of the box.
The Governance Hub — your whole governance posture on one screen
RACI ownership, framework alignment, policy attestations, control exceptions, approvals, and workflows aggregated into a single posture view — then generated as a signed, board-and-auditor-ready governance package.
Operational procedures — turn your SOPs from documents into executed, evidenced runs
A procedure is only as good as the last time someone actually followed it. Author SOPs from a template library, then execute them step-by-step — keep, skip, or fail each step with a reason — and finish with a recorded run your auditor can trust.
Policy templates — a framework-mapped starting library, not a blank page
Writing policies from scratch is slow and inconsistent. Talarity ships 50 pre-built, framework-mapped policy templates across nine categories — preview the real content, fill in your organization's specifics once, and bulk-create your whole starter set as tailored drafts.
The RACI matrix — end the 'I thought you owned that' problem
Assign Responsible, Accountable, Consulted, and Informed across every control, policy, risk, and vendor — then let the Coverage Report show you exactly which ones still have no owner.
From quarter-end to a board-ready disclosure pack
Board season shouldn't mean rebuilding the deck from scratch. Talarity assembles the quarter's capstones — risk, compliance, resilience, vendor — into one board report, drafts the executive narrative, and generates a signed disclosure pack carrying the SEC, SOC 2, ISO, and NIST citations a board's oversight duty requires.
Policy sign-off — who signed, who's missing, and how to close the gap
Send a policy to a group and an individual, then track acknowledgement against your real employee roster: who signed the current version, who's still pending, and who was never sent it — with one click to chase the gap.
Supporting a policy with procedures — linking, unlinking, and keeping the metadata honest
A policy says what your organisation does and why; a procedure says how. Auditors expect both, and they expect the link between them to be explicit. This article works from the policy side: how to attach procedures from a policy's Procedures tab, what unlinking actually does (and doesn't), and how to keep the policy's own metadata current — owner, approver, category, cadence. The procedure's own fields get their own article.
Edit it, version it, or write a new one — three things customers conflate
There are three different ways to change a policy in Talarity — fix a draft in place, ship a new version of one that's already live, or start a brand-new policy. The right path depends on whether you've published yet, whether the doc lives in Talarity or as a file, and whether the change needs re-approval. Here's the map.
Sending a policy for acknowledgement — pick the people, pick the message, send
Type the email if you must, but pick from org members if you'd rather. Choose a template instead of writing the message from scratch. External addresses get a token portal — perfect for new hires who haven't started yet. The Send-for-Acknowledgement modal does three things customers ask for, all in one place.
Who acknowledged the policy — and who hasn't
Send a policy for acknowledgement to your whole workforce. Talarity shows you per-recipient status in real time, fires reminder tiers automatically, and writes an immutable signed proof for every (employee × version) — ready for the auditor before they ask.
Policy categories — assign once, filter every view
Give every policy a category, then slice the whole set by domain in one click. One canonical taxonomy — eight policy types plus your own — used across the Policies list, the detail page, and the Artifact Repository.
Stop chasing policies — Talarity tracks every one in two places at once
Upload a policy PDF once. Talarity stores it in the Artifact Repository, registers it in the Policies tab, sets the owner who'll be on the hook for review, and fires reminders 60 / 30 / 14 days before expiry — to the right people, automatically.
Policy attestation, automated — every employee, every year
Publish the policy once. Send for acknowledgement once. Talarity captures who read it, who didn't, and re-fires every year on cadence — with a per-version proof report saved as an audit-grade artifact.
Compliance
33Regulatory Change Management — an obligation register that keeps up when the rules change
Regulations don't hold still. Talarity's Regulatory Change Management gives you a living register of the obligations that apply to you, a log of every change against them, an impact-assessment workflow, and a horizon-scan watchlist for what's coming — so a new rule is a tracked item, not a fire drill.
System Configuration — turn a completed assessment into enforceable, drift-tracked baselines
Every safeguard you scored in an assessment becomes an enforceable expected value. Talarity re-checks the observed state, flags drift, opens remediation automatically, and lets you attach evidence per control — so your controls stay implemented, not just documented once.
Regulatory submissions — assemble the filing as a case file, not a last-minute scramble
A regulator filing isn't a deadline on a calendar — it's a defensible package: the right capstones, the supporting evidence, an authorized-officer attestation, and a record of exactly what you transmitted. Talarity runs each submission through a Draft → Finalized → Submitted → Acknowledged lifecycle and assembles a sealed dossier with a SHA-256 of what was filed.
One package, both domains: handing an auditor your assessments and your DR evidence together
Auditors don't want a folder of PDFs from one team and a separate folder from another. Talarity's evidence package bundles a finished compliance attestation and a disaster-recovery attestation into one immutable, watermarked, share-once package — assembled in a picker that browses every report by category, scales to thousands of artifacts, and saves the selection as a reusable grouping that re-pulls the latest version next year.
Framework crosswalk projection — answer once, see where you'd land on every other framework
You finished a CIS or NIST assessment. Now a customer wants SOC 2, a regulator wants FFIEC, the board wants NIST CSF. Talarity's crosswalk projection takes the answers you already gave and projects them onto any target framework — a likely score, requirement-by-requirement coverage, and exactly which items still need answering — so you start the next framework most of the way done instead of from a blank questionnaire.
Package your audit evidence once — for the auditor, regulator, or customer
An auditor asks for your evidence and it's scattered across framework reports, vendor attestations, policy sign-offs, and resilience tests. Evidence Distribution Packages assemble the signed artifacts you already produced into one immutable package, then hand it to each audience as a redacted, watermarked, time-limited copy — with a record of who received what.
Continuous compliance: prove your controls held every day, not just at audit
An audit is a photograph; your control environment is a film. Between assessments, controls drift — evidence goes stale, a maturity level slips, a config changes. Talarity establishes a baseline and watches it every day, so drift surfaces as an alert in March instead of a finding in November.
Your resilience program is audit evidence — mapped to ISO 22301 and SOC 2
Auditors don't ask 'do you have a DR plan?' — they ask 'show me the evidence for ISO 22301 clause 8.5 and SOC 2 A1.3.' Talarity turns your BIAs, recovery plans, and continuity tests into a DR Test Attestation that auto-cites the exact ISO 22301, SOC 2, ISO 27001, and NIST CSF clauses your resilience evidence satisfies.
Framework readiness to audit package — the whole cycle on one screen
Audit prep usually means a spreadsheet scramble — chasing evidence, tracking which controls are covered, re-checking what's expired. Talarity keeps a live readiness picture for every framework (SOC 2, ISO 27001, CIS, and more) — coverage, gaps, evidence freshness — and packages it into an auditor-ready export in one click.
One control library, every framework — adopt once, comply many
Most teams rebuild their controls for each framework — a SOC 2 set, an ISO set, a CIS set, all describing the same safeguards. Talarity's Common Control Library is one canonical set of 369 controls that maps to every framework at once: adopt a baseline, and your CIS work already counts toward NIST, PCI, SOC 2, and HIPAA.
Hand your auditor one BC/DR evidence package — not a folder of PDFs
When an auditor asks you to prove your business-continuity and disaster-recovery program, the evidence is scattered across reports, tests, and exercises. Evidence Distribution Packages assemble your signed BC/DR capstones into one immutable package and hand it to the auditor as a redacted, watermarked, time-limited link — no shared drives, no email attachments. Mapped to ISO 22301 and SOC 2.
How mature is your disaster recovery? Read your BC/DR readiness score
Coverage tells you what you've tested. The BC/DR readiness score tells you how good your recovery practice actually is — a 10-question maturity model across testing, RTO/RPO, backups, runbooks, and third-party DR, read as a waterfall, gauges, dimension rings, a risk heatmap, and a maturity roadmap. Mapped to ISO 22301 and NIST 800-34. (Extended Risk · early access / Beta.)
Bulk Import — load a year of evidence in one pass
Audit prep means dropping dozens of artifacts at once — SOC 2s, pen tests, ISO certs, BAAs, policies, procedures. Bulk Import takes the whole folder: drag everything in, give each file its document type and the metadata that type requires, and commit them in one validated pass.
Run a DR program, not just DR tests — scope policy, coverage, and a signed report
BIAs, recovery plans, continuity tests, and DR exercises are the artifacts. A DR program is the governance that makes them add up: one scope policy that decides what must be tested and how often, a live coverage number, the gaps surfaced for you, and a signed program report. Here's how Talarity runs it, mapped to ISO 22301, NIST SP 800-34, and DORA.
Assign DR testers — including the external vendors who respond without a login
A disaster-recovery test is only as good as the people who run it — and some of them don't work for you. Here's how Talarity assigns a tester to every critical asset (defaulting to its custodian), hands the test off to external vendors through a secure no-login portal, and folds their response straight back into your exercise. Mapped to ISO 22301 and NIST SP 800-34.
Business impact analysis at scale — a living BIA portfolio, not a binder that rots
One BIA is an afternoon's work. A BIA program — keeping dozens current, knowing which critical processes still have no recovery plan, and what's due for review — is the real discipline. Here's how Talarity turns your business impact analyses into a portfolio you manage at a glance. Mapped to ISO 22301, NIST SP 800-34, and DORA.
Business continuity, end to end — from impact analysis to tested recovery
One surface runs your whole resilience program: rank what matters with a BIA, write recovery plans against it, test them, coordinate asset-level DR exercises, and watch coverage on a single dashboard — mapped to ISO 22301, SOC 2, and NIST 800-34.
Run a DR exercise — test your whole critical-asset estate, and auto-open remediation for what fails
A continuity test proves one plan. A DR exercise tests recovery across every critical asset at once — and turns each failure into a tracked remediation work-item and, when it's serious enough, a scored risk. Here's how to run one in Talarity, mapped to ISO 22301, NIST SP 800-34, and SOC 2.
Run your first Business Impact Analysis — rank what matters before you plan recovery
A Business Impact Analysis is where a resilience program starts: it names your critical processes and sets the honest MTD, RTO, and RPO numbers every recovery plan and DR test inherits. Here's how to build one in Talarity in about ten minutes — mapped to ISO 22301, NIST SP 800-34, and SOC 2.
Test your recovery plan — schedule a continuity test and prove your RTO
A recovery plan you haven't tested is a hope. Schedule a continuity test in Talarity, record the outcome against the plan's target RTO/RPO, and let the result roll up to a recurring schedule — the evidence ISO 22301, NIST SP 800-34, and SOC 2 auditors ask for.
Write a recovery plan that survives an audit — scenario, steps, RACI, and a test
A recovery plan that's only RTO/RPO numbers fails an audit. Auditors want the ordered steps, who owns them, and proof you tested them. Here's how to build one in Talarity that holds up — mapped to ISO 22301, NIST SP 800-34, and SOC 2 A1.3.
The assessment that builds your GRC program for you
Most assessments end at a score. Talarity turns a completed assessment into the risks, remediation work items, and KRIs your gaps imply — you review them, apply with one click, and your register fills itself in.
From gap analysis to remediation you can actually track
A framework assessment tells you where you stand. Talarity's Gap Analysis turns that score into a prioritized, quantified plan — quick wins, critical fixes, and one-click remediation work items your team owns and tracks to closure.
From incident to root cause: closing the loop, not just the ticket
Most teams close an incident with a status change. Talarity's incident case file drives it to a real root-cause analysis — a 5-whys investigation, corrective and preventive actions you track to closure, and a post-mortem that becomes audit evidence.
Every certificate, report, and proof in one place — the Artifact Repository
Upload a SOC 2, a pen test, a policy, an insurance cert once. Talarity types it, tracks its expiry, reminds the owner before it lapses, governs who can see it, and lets you reuse it across every framework — from one repository.
Data retention, on a schedule — set it once, prove it forever
Tell Talarity how long every class of data lives, and it does the rest: schedules deletions, holds them for a second approver, freezes anything under legal hold, and keeps audit logs for the seven years your framework demands. One page, six tabs, a full deletion trail for the auditor.
One control, one level — how evidence unlocks a gated assessment
Every safeguard in a gated assessment shows a 0–5 maturity scale. You pick the single level that matches reality today, and Talarity unlocks the higher tiers only as you attach the evidence each one requires. Here's the model, end to end.
Lock down a document to one team — Artifact Repository access rules
Some artifacts shouldn't be visible to every member of your org — a customer credit application, a quarterly revenue forecast, a board-only PDF. Talarity gates each artifact by group or by named individual, evaluates the rules in SQL, and hides what shouldn't be seen — automatically.
Take an assessment together — multi-user, in real time
Two people on the same assessment used to be a recipe for lost progress and duplicate runs. Talarity now treats it as a presence-aware collaboration, with peer answers visible in seconds, typing indicators, per-question attribution, and a hard seven-editor cap.
Annual Disaster Recovery testing — end-to-end in Talarity
Build the questionnaire once. Schedule it once. Every year, Talarity fans the test out to your internal owners and external partners, collects evidence, and produces a single auditor-ready attestation report — saved for seven years.
SOC 2 readiness checklist
A practitioner's guide to getting audit-ready — what to do in months 1, 2, and 3 to land a clean Type I report and set up cleanly for Type II.
What the SEC cybersecurity disclosure rule actually requires
Two reporting obligations, one materiality call, and a four-business-day clock. Here's the operational reading of the SEC cyber rule — and the parts most companies are still getting wrong.
Continuous compliance is a tooling problem, not a process problem
Every compliance program eventually decides it needs to be 'continuous.' Most then try to fix it with process. The actual fix is upstream — in the tools that make evidence freshness a default, not a sprint.
Risk
13Incident management — from detection to root cause, with the whole chain linked
An incident isn't closed when the fire's out — it's closed when you know why it happened and the fixes are tracked. Talarity runs incidents through a full lifecycle, captures MTTD/MTTR, and links each one to its root-cause analysis, remediation, tasks, risks, and evidence.
Quantified risk (FAIR) — put a dollar figure on cyber risk, not a colored square
"High / Medium / Low" tells a board nothing about how much. Talarity models risk scenarios with the FAIR methodology and Monte Carlo simulation to produce dollar-value loss estimates — annualized loss expectancy, the probability of an incident this year, and exposure projected over time.
Risk scenario analysis — model the ROI of a control before you buy it
What-if modeling for risk decisions: start from your real risk baseline, model a control improvement (or a worsening threat, an insurance transfer, an avoidance), and see the projected risk reduction, ALE change, 3-year ROI, and payback — before you commit a dollar.
When a KRI breaches — from threshold alert to a tracked remediation
A key risk indicator is only worth measuring if a breach triggers action. Talarity watches each KRI against its thresholds, raises an alert the moment one goes red, and turns that alert into a remediation work item linked back to the indicator — so a breach becomes tracked work, not just a number on a dashboard that nobody owns.
Threat intelligence — correlate the feeds, surface the indicators, prioritize by exploit
Threat intelligence is only useful if it's connected to your environment. Talarity ingests the feeds you choose, correlates tactical indicators across all of them, and ranks vulnerabilities by what's actually being exploited — so 'there's a new threat' turns into 'here are the three CVEs already weaponized that you should patch first.'
From scanner finding to GRC — triage a vulnerability into controls, risk, and evidence
A scanner finding is noise until it's connected to the rest of your program — the control it threatens, the risk it represents, the evidence an auditor will ask for. Talarity's vulnerability management imports findings, triages them through a real state machine, and links each one to a control and a risk — turning a CVE into a tracked, accountable part of your GRC posture.
"Done" is not "fixed": verifying remediation before you close it
Anyone can mark a remediation done. Talarity's verification workflow makes a second person confirm the fix actually worked — record a pass or fail with evidence, send failures back for re-test, then route a closure sign-off to an approver who isn't the one who did the work. Nothing closes on one person's say-so.
Define and measure a Key Risk Indicator — the metric that warns you early
A KRI is inert until you define one correctly and feed it real measurements. Here's how to set the thresholds, record the values, and read the signal in Talarity — so a number tells you a control is slipping before an incident does.
The remediation portfolio: every fix you've committed to, tracked to closure
A risk register tells an auditor what's wrong. The remediation portfolio proves what you did about it — owned, milestoned, evidenced plans that close with a sign-off. It's your Plan of Action & Milestones (POA&M), and Talarity runs it as live data instead of a spreadsheet.
A risk, from the day you log it to the number your board asks for
Identify a risk, score it, treat it, and quantify it in dollars — Talarity runs the whole lifecycle on one record, so 'what's our exposure?' has a defensible answer instead of a guess.
Connect Microsoft Intune to Talarity — every laptop, every app, every person, in one inventory
Stand up the Intune connector once. Talarity pulls your managed devices, detected software, and directory users into a unified Asset Manager, stamps each row with owner, criticality and lifecycle state, and writes the whole graph to PostgreSQL so your controls, work items, and risks can finally join against real assets.
FAIR vs. stoplights: why your CFO doesn't trust your risk register
If your risk reports use red-yellow-green and your CFO still can't act on them, the problem isn't your CFO. Here's the case for quantified risk — in dollars, with confidence intervals.
FAIR for CISOs: a quick primer
How quantified risk works, why it produces better decisions than stoplight scoring, and how to operationalize it without retraining your whole team.
Workforce
10Access reviews — prove that everyone has exactly the access they should, and no more
Run periodic access certifications over employee SaaS and hardware: a reviewer keeps, revokes, or flags each assignment, and the result is a signed sign-off report your auditor can rely on.
Every SaaS app — one accountable owner, and an access review that signs itself off
From the Workforce section: add the SaaS apps your team uses, give each one a custodian (set directly or inherited from its category), track who has access with a per-user note, then run a one-click access review that lands a signed-off, audit-ready report — no spreadsheets.
Asset custodians — assign an owner once, let every asset inherit it
Every asset needs an accountable owner — for audits, for provisioning, for recovery when someone leaves. Assigning a custodian to each laptop one at a time doesn't scale. Talarity's model: assign a custodian to a category, and every asset under it inherits — with per-asset overrides where you need them, and a queue that routes the actual equipment work to the right person.
Software licenses, tracked like seats — 20 of 20 for Bloomberg, and exactly who has them
Pull a subscription from Talarity's catalog, set how many seats you bought, and assign them to named people. See what's used, what's free, who holds each one, and what you're spending — without a spreadsheet.
Least privilege in practice — build the group, then invite the user
Least-privilege access is a control in every framework (CIS 6, ISO 27001 A.5.15, SOC 2 CC6.1). Talarity makes it the easy path: groups define access page-by-page — read/write, dashboards, data scope — and you invite each user straight into the right group. Here's the two-page workflow end to end.
Every device accounted for — the equipment custodian's workflow
Own a category, and Talarity routes every equipment task to you — issue a new hire's laptop by serial, assign and upgrade gear, update the record, and recover or revoke it cleanly when someone leaves. One queue, a full audit trail, no spreadsheet.
New-hire onboarding, gated end-to-end — equipment, policies, and sign-off in one flow
Build one joiner bundle of equipment and policies, apply it to a new hire, and Talarity gates the whole thing: custodians issue the gear, the employee's policy acks and receipt confirmation unlock only once every item is provisioned, and the sender watches every stage.
Pre-built groups in Talarity — pick the role, then assign the work
Seven system groups ship with every Talarity org. Several are role-shaped on purpose: a Standard User does most of the work, an Assessment Contributor only sees the assessments they were assigned to, a Review Only auditor sees nothing they can change. This article walks through the catalog, the scoping rule that catches every admin once, and the one screen that fixes it.
New-hire pack vs. one updated policy — two flows, one campaign primitive
On day one a new hire needs to acknowledge five or six policies, not one. On the next quarterly update of the BCP an existing employee needs to re-ack that one policy. Talarity calls these the same thing under the hood — a campaign — but exposes two different triggers so HR doesn't pick six policies one by one, and the auditor still gets clean per-policy records.
Where your employee list comes from — and why that unfamiliar name is on it
Three sources populate the Talarity workforce roster — a manual add, a Microsoft Graph sync that pulls your whole tenant, and a one-click materialization of users who already have a Talarity login. The Source column on every row tells you which one this name came from, so 'who is this?' is a one-second answer.
Platform & AI
12Claiming your work — turn an org-wide pile of unassigned tasks into your own queue
Every control test, remediation, finding, and vendor review that no one owns yet lands in one claimable pool. Grab what you can run with — single or in bulk — and it becomes yours, tracked through a Create → Assign → Execute → Review → Verify workflow, with a one-click release back to the pool when plans change.
Linked accounts — run every subsidiary and client as its own governed workspace
Holding companies, MSPs, and franchisors don't have one org to govern — they have many. Talarity's Linked Accounts lets a parent organization create and oversee child workspaces, each with its own primary admin and a parent-side reviewer who gets read-only access scoped to just that account.
Onboarding on autopilot — every new user lands with their tasks already assigned
Set the onboarding once. When anyone joins your organization, Talarity automatically assigns the tasks, policy acknowledgements, document uploads, and checklists they need — surfaced in their My Work the moment they first sign in, with a popup or a blocking gate if it's required.
Recurring cross-org data subscriptions — set it once, share on every cycle
A standing subscription fans a child org's assessments, policies, controls, risks, KRIs, and evidence to its parent automatically — every new entity, every cycle — until someone revokes. Here's how the recurring primitive works, and how the data owner stays in control.
Connecting Talarity to your stack — SSO, provisioning, API keys & webhooks
A GRC platform shouldn't be an island. Talarity's integrations hub connects it to the systems you already run — sign-in through your identity provider, auto-provision users from your directory, hand out scoped API keys, and push events to your own automation over signed webhooks. Here's how each one works.
Notifications & SLAs — decide who gets told, how often, and when an item is late
A GRC platform throws off a constant stream of events — approaching deadlines, approvals, renewals, cross-org requests. Talarity lets an admin set, once, who gets notified, on which channel, how often, and what counts as 'late' — and lets every user fine-tune their own. Here's how to configure both.
The Calendar — every GRC deadline in one place, before it's overdue
Policy reviews, assessment due dates, vendor reassessments, remediation deadlines, control tests — in most programs each lives in its own corner and surprises you when it's late. Talarity's Calendar pulls every dated obligation across the platform into one view, flags what's overdue and what's due this week, and lets you add your own reminders — so nothing slips because it was filed somewhere you weren't looking.
Setting up a new organization — a guided checklist, not a blank slate
The first day on a GRC platform usually means staring at an empty dashboard wondering where to start. Talarity opens with a guided setup checklist that walks you through the basics — profile, branding, retention, frameworks, and per-module onboarding — and tracks your progress so the whole org gets to value fast.
Dashboards for every role — switch, tailor, and share your views
A risk analyst, a CISO, and a board member shouldn't see the same dashboard. Talarity ships eight role-based persona views out of the box — and lets anyone add pages from a library, tune the layout, and save a custom view (private or shared with the whole org) without a developer.
Sharing data across linked organizations — both sides of the request, end to end
Two primitives — one-shot requests and standing subscriptions — fan compliance, risk, and evidence data between parent and child orgs. Every cascade, every consent, every revoke is captured in an immutable audit log, on both sides.
Why we built Talarity
Compliance was a fire drill we'd run too many times. So we built one platform to replace four — with AI built in, not bolted on, and risk quantified in dollars.
Multi-entity GRC: when subsidiaries become a feature, not a bug
Most GRC tools were built for single companies. The moment you have subsidiaries, divisions, or regional entities, the tooling breaks in predictable ways. Here's the architecture problem — and what fixing it actually requires.
Results
0No matches.
Try a different search term, or clear the type filter.