Risk Vector Data in Framework Intelligence

Erin Conry

Framework Intelligence integrates Bitsight Risk Vector data into its compliance evaluation model for VRM, CM, and SPM. This integration combines real-time cyber performance data with AI-driven documentation analysis to provide objective risk intelligence, inform compliance decisions, and prioritize action.

How does this work?

- Mapped Risk Vectors offer a real-time view of how each control is performing, where applicable.
- Control performance data from Risk Vectors is cross-referenced with AI-driven documentation analysis to identify alignment or gaps in compliance.

Compliance Statuses

The final compliance status is determined by combining the artifact evaluation and the real-time Risk Vector performance.

- Compliant: the compliance evaluation model provides sufficient and direct evidence that the control is met.
- Not Compliant: the compliance evaluation model provides inadequate evidence and is unable to confirm the control is met.
- Needs Review: the compliance evaluation model provides partial, ambiguous, or informational content that makes the control outcome unclear, meaning:
  - Controls that are only partially addressed.
  - Responses that involve assumptions or unclear phrasing.
  - The LLM recommends manual review to determine applicability and intent.

Compliance Outcome Logic

1. When Artifact Evaluation and RV Performance Align

When the artifact evaluation and RV grade are consistent, the RV grade reinforces the result:

- Negative RV grades (D or F) confirm a Not Compliant outcome.
- Positive RV grades (A or B) confirm a Compliant outcome.
- Neutral RV grades do not change the original artifact evaluation.

2. When Artifact Evaluation and RV Performance Conflict

When the artifact evaluation and the RV grade contradict each other, the final compliance status is adjusted based on the following conflict resolution logic:

- Compliant Artifact / Poor RV Grade (D or F): The status shifts down to Needs Review.
- Needs Review Artifact / Strong RV Grade (A or B): The status moves up to Compliant.
- Needs Review Artifact / Poor RV Grade (D or F): The status moves down to Not Compliant.
- Not Compliant Artifact / Strong RV Grade (A or B): The status moves up to Needs Review.

3. No Risk Vector Data

If there is no Risk Vector data, the compliance status defaults to the artifact evaluation analysis.

Configuration & Opt-Out

Admins can opt out of including Risk Vector data in your evaluation. This is done from the accounts setting page. The setting is applied to all control frameworks going forward.

May 12, 2026: Published.
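The outcome rules above can be read as a one-step shift on an ordered scale (Not Compliant, Needs Review, Compliant), clamped at both ends. The sketch below is an added example, not Bitsight's code, written to check that this reading reproduces every case the article lists. The function names, control IDs, the `rv_enabled` flag used to model the opt-out, and the treatment of any grade other than A, B, D or F as neutral are assumptions.

```python
# Added illustration of the article's outcome logic; not Bitsight's implementation.
ORDER = ["Not Compliant", "Needs Review", "Compliant"]  # worst -> best
STRONG, POOR = {"A", "B"}, {"D", "F"}                   # grades named in the article


def final_status(artifact_status, rv_grade=None, rv_enabled=True):
    """Combine an artifact evaluation with a mapped Risk Vector grade."""
    if artifact_status not in ORDER:
        raise ValueError(f"unknown artifact status: {artifact_status!r}")
    # Opt-out (assumed to behave like missing data) or no Risk Vector data:
    # the artifact evaluation stands on its own.
    if not rv_enabled or rv_grade is None:
        return artifact_status
    grade = rv_grade.strip().upper()
    # Strong grade moves one step up, poor grade one step down.
    # Anything else is treated as neutral (assumption: the article names no neutral grade).
    step = 1 if grade in STRONG else -1 if grade in POOR else 0
    idx = ORDER.index(artifact_status) + step
    # Clamping covers the "align" cases: Compliant + A stays Compliant, etc.
    return ORDER[max(0, min(idx, len(ORDER) - 1))]


def evaluate(controls, rv_enabled=True):
    """Return (control_id, artifact, grade, final, changed) for each control."""
    rows = []
    for control_id, artifact, grade in controls:
        final = final_status(artifact, grade, rv_enabled)
        rows.append((control_id, artifact, grade, final, final != artifact))
    return rows


# Constructed sample input: (control id, artifact evaluation, mapped RV grade or None).
SAMPLE_CONTROLS = [
    ("CTRL-01", "Compliant", "A"),
    ("CTRL-02", "Compliant", "F"),
    ("CTRL-03", "Needs Review", "B"),
    ("CTRL-04", "Needs Review", "D"),
    ("CTRL-05", "Not Compliant", "A"),
    ("CTRL-06", "Not Compliant", "F"),
    ("CTRL-07", "Needs Review", "C"),   # neither strong nor poor: treated as neutral
    ("CTRL-08", "Compliant", None),     # no Risk Vector data mapped
]

if __name__ == "__main__":
    for cid, artifact, grade, final, changed in evaluate(SAMPLE_CONTROLS):
        flag = "changed by RV" if changed else "unchanged"
        print(f"{cid}: {artifact} + RV {grade} -> {final} ({flag})")
```

The `changed` column marks the controls whose final status differs from the artifact evaluation, which are the ones a reviewer would re-check after toggling the opt-out.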