MAY 15, 2026

Q1 Product Recap: Continuous Compliance, Framework Updates, Drata Test Library, and More

Drata's Q1 recap encompasses continuous compliance automation, AI-powered TPRM, 1,000+ infrastructure tests, internal audits, and expanded Trust Center capabilities.

Continuous Compliance

Compliance programs break down when evidence collection, monitoring, and remediation live across disconnected tools. This quarter, Drata introduced platform updates that strengthen continuous compliance—giving teams better visibility into control health, faster remediation, and expanded automation across cloud infrastructure and vulnerability monitoring.

CCPA 2026 Framework Updates

Drata now supports updated CCPA 2026 requirements directly within the platform, aligning to new CPPA rules for privacy risk assessments, cybersecurity audits, ADMT governance, and Sensitive Personal Information.

Teams can operationalize these requirements alongside existing frameworks by mapping them to controls, policies, and evidence—reducing duplication and maintaining a unified view of compliance as regulations evolve.

ISO 27701:2025 Framework Support

Drata now supports ISO 27701:2025 as the latest standard for Privacy Information Management Systems, extending ISO 27001 to clarify controller and processor responsibilities and strengthen privacy governance. Programs can enable the updated framework and map their privacy controls and evidence to stay aligned with evolving expectations.

Drata Test Library

The new Drata Test Library introduces a centralized catalog of 1,000+ infrastructure tests across AWS, Azure, and GCP.

Teams can:

  • Browse and discover prebuilt tests

  • Bulk provision automated checks directly within Drata

  • Continuously monitor infrastructure configurations and surface failures in real time

This helps programs expand automation coverage quickly—without custom rules or scripts.

Test Library – Multi-Provider Support for Imported Tests

Imported infrastructure tests can now run across multiple providers (AWS, Azure, and their organizational structures) from a single configuration.

Instead of duplicating tests per environment, teams run one test across multiple providers and accounts, simplifying setup, improving consistency in control monitoring, and increasing coverage across complex cloud footprints.

Insights with MTTR

The Insights dashboard now includes Mean Time to Resolution (MTTR) tracking for failed monitoring tests.

This gives teams clearer visibility into remediation performance so they can identify bottlenecks, assign ownership faster, and reduce time spent resolving control failures.

Internal Audits in Drata

Drata now supports end-to-end internal audits directly within the platform.

Teams can create internal audit programs, assign auditors and owners, collect and review evidence with a built-in viewer, and track remediation work without spreadsheets or external tools.

Workflows and evidence stay centralized and traceable, improving collaboration between internal audit teams and control owners.

Custom Pre-Audit Packages (Audit Hub)

Within Audit Hub, teams can now configure pre-audit evidence packages with fine-grained control.

Teams can:

  • Decide whether to include a pre-audit package (or not)

  • Select specific evidence categories (control mapping, connections, vendors, assets, personnel, infrastructure access, and more)

  • Update or regenerate packages as audit scope or requirements change

Drata automatically regenerates packages when attributes or categories change and removes outdated versions so auditors always see the latest, least-privilege view of your environment.

Cloud Connection Scoping Across AWS, Azure, and GCP

Cloud monitoring is easier to scale when Drata mirrors how your environments are actually organized via:

  • AWS & AWS Organizational Units: Automatically synchronize accounts under your AWS Organization into Drata for centralized compliance monitoring, including data from Security Hub, GuardDuty, Config, Inspector, and Macie.

  • Azure Management Groups: Connect multiple Azure subscriptions via Management Groups for read-only infrastructure visibility and continuous evidence collection, with support for tagging-based inclusion/exclusion.

  • GCP Integration (Script Setup): Connect at the organization or project level using an automated script or Terraform, so IAM users and infrastructure resources feed into access reviews and monitoring with one setup.

This improves performance, clarifies environment boundaries, and keeps monitoring aligned with the right accounts, subscriptions, and projects.

Custom Fields for Framework Requirements

Drata’s Custom Fields now extend to framework requirements, in addition to risks, controls, vendors, and personnel.

Teams can store implementation notes, owners, scores, and other structured metadata directly on requirement records for both out-of-the-box and custom frameworks, all searchable in the requirements index and exportable through standard reporting.

Vendor & Internal Risk Management

Risk management is only effective when teams can coordinate reviews, documentation, and remediation in one place. This quarter’s updates introduce stronger workflows for third-party risk, vulnerability monitoring, and vendor review visibility.

Agentic TPRM Assessment

Agentic TPRM Assessment brings an AI-powered, criteria-driven, evidence-first model to third-party security reviews.

The TPRM Agent:

  1. Ingests vendor documentation (SOC 2 reports, policies, questionnaires, Trust Center artifacts, and more)

  2. Maps that evidence to your predefined security and risk criteria

  3. Produces standardized outcomes (Met, Partially Met, Not Met, Inconclusive) with cited sources and residual risk scoring

Your team reviews findings, validates analysis, adds observations, and makes the final decision. The agent does the assessment work; humans remain the decision-makers.

Key benefits include higher quality, criteria-based assessments across all vendors, faster reviews and onboarding by eliminating manual document review, scalable coverage without additional headcount, and audit-ready, evidence-linked outputs for every assessment.

Embedded Trust Centers for Vendor Profiles

Drata now supports embedded Trust Centers within third-party profiles, giving reviewers immediate awareness of a vendor’s available assurance resources.

Teams can see whether a vendor maintains a Trust Center and what types of security documentation and artifacts are available—speeding up evidence discovery and reducing back-and-forth during assessments.

TPRM Workflow Enhancements

To support scaling Agentic TPRM Assessment, Drata released several workflow improvements around communication and documentation, including custom questionnaire subject lines, expanded email character limits, enhanced AI SOC 2 field support/summaries, and improved vendor filtering.

Together, these updates make it easier to manage vendor communication, track progress, and keep large vendor ecosystems organized.

Vulnerability Scanning Integrations: Upwind and Orca Security

Drata now integrates with Upwind Security, and its Orca Security Vulnerability Scanning integration is now generally available.

These integrations automatically import vulnerability findings into Drata, tie issues to compliance controls and risk workflows, and provide a unified view of vulnerability risk and evidence across tools.

Rename Vendor Security Reviews

You can now rename Security Reviews, SOC report reviews, and uploaded reviews to match real-world projects, systems, or engagements.

Custom titles appear consistently across the review page header and vendor Security Reviews table, making it easier to scan vendor portfolios, align reviews with business context, and keep reporting clear for stakeholders and auditors.

Automated Governance

As compliance programs grow, governance becomes harder to coordinate across policies, controls, risks, and people. This quarter’s updates introduce new capabilities that simplify operational governance and reduce manual work.

Self-Serve Bulk Import

Teams can now perform bulk creation and updates for Risks, Controls, Trainings, and Background Checks directly in Drata using CSV imports.

AI-powered column mapping and data transformation make it easier to migrate large datasets without SQL scripts or support tickets, significantly reducing onboarding friction for large programs.

Control Page Action Panel

A new Control Action Panel surfaces control readiness blockers in one centralized workspace.

From this panel, teams can quickly see failed monitoring tests, overdue evidence, missing approvals, and policy dependencies.

Instead of jumping across multiple pages, users get a focused view of what needs attention to restore control readiness.

Enhanced Tables, Search, and Custom Fields

Drata introduced high-performance search powered by OpenSearch and fuzzy matching, plus the ability to search across custom fields on vendors, risks, and controls.

Combined with customizable table columns and saved preferences, these improvements make it easier to operate large GRC datasets and quickly find the information teams need.

Bulk CSV Import for Custom Tasks

Bulk Import for Custom Tasks brings the same scale and structure to task creation.

Teams can now:

  • Upload a CSV, paste from existing spreadsheets, or type rows directly into a guided, spreadsheet-style sheet

  • Mix one-time and recurring tasks in the same import

  • Link tasks to controls or risks

  • Validate titles, task types, owners, due dates, and schedules in real time before creation

This makes it significantly easier to stand up recurring reviews, operational checklists, and cross-functional workflows without one-by-one task creation.

Security Assurance

Security assurance isn’t just about audits—it’s about demonstrating trust across your ecosystem. This quarter’s updates focus on reducing friction in security reviews and scaling assurance workflows through automation.

AI Trust Center Item Generation

AI can now generate Trust Center item descriptions automatically using existing documentation and knowledge base entries.

Instead of manually writing each item, teams can generate descriptions with one click, review them, and publish—dramatically reducing the time required to launch or expand a Trust Center.

Portal-Agnostic Questionnaire Parsing (Chrome Extension)

Throughout Q1, Drata expanded portal-agnostic questionnaire capabilities via the Chrome Extension, enabling teams to import and answer security questionnaires from virtually any portal. Now they can pull questions from proprietary or unsupported vendor portals, generate responses using centralized Trust Center and AIQA content, and paste answers back into the original portal. This eliminates manual copy-paste workflows and enables faster, more consistent responses across customer environments.

Content Collections for AI-Generated Responses

With Content Collections, GRC teams can precisely control what data powers AI-generated questionnaire responses.

You can filter your Trust Library by product, framework, tags, or content type, and AI Questionnaire Assistance will reference only content from that collection—ensuring every answer is relevant, consistent, and audit-ready. The result: faster questionnaire completion, higher accuracy, and full confidence in what your AI is using behind the scenes.

Evidence Library Sync to Trust Center

Evidence Library Sync automatically pushes selected evidence from Drata’s Evidence Library into the SafeBase Trust Library over a secure, one-way connection.

Any updates you make in Drata are reflected in the Trust Library, while SafeBase controls what’s actually published to your external Trust Center. This keeps external stakeholders aligned with the latest, reviewed artifacts—without double-managing documents across tools.

Multi-Select Answers in AI Questionnaire Assistance

“Select all that apply” questions are now fully supported in AI Questionnaire Assistance (AIQA).

Reviewers can choose multiple valid answers for a single prompt, so multi-select questions are handled correctly without manual editing. The feature is live for all AIQA customers with no configuration required, improving answer quality and reducing friction on more complex questionnaires.

What’s Coming Next

Drata continues expanding automation, AI capabilities, and platform scalability to support modern GRC programs.

Upcoming work will focus on deeper automation across risk management and third-party workflows and expanded integrations across the security ecosystem.

From continuous compliance to automated governance and scalable security assurance, every release is designed to help teams turn trust into a business accelerator. Book a demo to learn more about the continuous evolution of the new Drata experience.

Lindsey Morando
Director of Product Marketing

Lindsey Morando is the Director of Product Marketing at Drata, where she leads go-to-market strategy, product storytelling, enablement, and competitive differentiation to help scale the business.

Since joining as Drata’s first product marketing hire, she has built foundational GTM programs and led launches across multiple product domains—driving pipeline, accelerating feature adoption, and supporting durable revenue growth. Prior to Drata, Lindsey led product marketing teams in high-growth SaaS and CPG, bringing a blend of strategic clarity and hands-on execution to every stage of growth.
