Continuous Risk Monitoring for IT Compliance
Background agents continuously watch your IT environment and your controls, flagging new risks and re-running evaluations the moment something changes, so your team always works from a current view of the risk landscape.
| Required Editions |
|---|
| Available in: Lightning Experience |
| Available in: Enterprise, Performance, and Unlimited Editions with AI IT Compliance add-on. |
How Record Updates Trigger Background Agents
The agent monitors records mapped to each risk and starts a new evaluation when it detects one of these changes.
- A new version of a mapped policy clause is activated and the previous version is retired.
- A mapped control rolls forward to a new version, or is marked as ineffective.
- A new scope item—such as a vendor, business unit, configuration item, or asset—is linked to the risk.
- A new child scenario is added under a parent risk.
Each trigger produces its own independent Risk Evaluation record, even when multiple triggers occur on the same risk at the same time. If a single change affects more risks than your configured guardrail threshold allows, the agent pauses and sends an in-app notification so your team can evaluate those risks manually.
How the Agent Runs the Evaluation
Once a trigger is detected, the agent runs the following steps, grounding each one in your existing risk data.
| Step | Action |
|---|---|
| Create the evaluation | The agent assesses how the change affects the risk and creates a Risk Evaluation record in Draft status. The evaluation is named following the format [Auto] Assess Impact of [Trigger Type]: [Record Name]—for example, [Auto] Assess Impact of Policy Clause: Retention Schedule_V2. The Description field summarizes what changed and why a fresh evaluation is needed. |
| Send a survey | The agent selects the most relevant survey template and sends it to the relevant stakeholders with a note explaining why their input is needed. If no matching template is found, the agent skips this step and moves directly to treatment. |
| Recalculate scores | When responses are received or the assessment due date passes, whichever comes first, the agent recalculates likelihood and impact using your active scoring expression set and updates the evaluation record. |
| Recommend a treatment | Based on the new scores and existing controls, the agent sets a treatment type—Mitigate, Accept, Transfer, or Avoid—and writes a brief rationale. |
| Attach an action plan | If the treatment is Mitigate, the agent attaches the published Mitigate Action Plan Template with all its tasks to the evaluation record to create a new action plan. The template must be in Published status. It is deployed via Setup and requires an admin to publish it manually. If no published template is found, the flow ends without creating an action plan. |
The agent grounds its analysis in the most recent completed evaluation for the risk, the updated record, and the related controls and policies.
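As an added illustration (not code from the product or this page), the following Python models the trigger handling described above and the action-plan step from the table: one Draft evaluation per trigger and risk, the guardrail pause with an in-app notification, and the Published-template check. The threshold value, the sample changes and the vendor name are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

GUARDRAIL_THRESHOLD = 5  # assumed value; the page names the guardrail but not its number

@dataclass
class Change:
    trigger_type: str           # "Policy Clause", "Control", "Scope Item" or "Child Scenario"
    record_name: str
    affected_risks: List[str]   # risks whose mappings include the changed record

@dataclass
class Evaluation:
    risk: str
    name: str
    description: str
    status: str = "Draft"       # stays Draft until the risk manager moves it forward
    action_plan: Optional[str] = None

def evaluation_name(trigger_type: str, record_name: str) -> str:
    """Naming format the page documents for agent-created evaluations."""
    return f"[Auto] Assess Impact of {trigger_type}: {record_name}"

def handle_changes(changes, threshold=GUARDRAIL_THRESHOLD):
    """One Draft evaluation per (trigger, risk) pair; a change touching more
    risks than the guardrail allows is paused and a notification is queued."""
    evaluations, notifications = [], []
    for c in changes:
        if len(c.affected_risks) > threshold:
            notifications.append(f"{c.trigger_type} {c.record_name} affects "
                                 f"{len(c.affected_risks)} risks (> {threshold}); evaluate manually.")
            continue
        for risk in c.affected_risks:
            evaluations.append(Evaluation(
                risk, evaluation_name(c.trigger_type, c.record_name),
                f"{c.trigger_type} {c.record_name} changed; re-evaluate {risk}."))
    return evaluations, notifications

def attach_action_plan(ev, treatment, templates):
    """Attach the Mitigate template only when treatment is Mitigate and it is Published."""
    if treatment == "Mitigate" and templates.get("Mitigate Action Plan Template") == "Published":
        ev.action_plan = "Mitigate Action Plan Template"
    return ev.action_plan

# Constructed sample changes mirroring the page's scenario plus a broad scope change.
SAMPLE = [
    Change("Policy Clause", "Retention Schedule_V2", ["Failure to Purge Data after Retention Period"]),
    Change("Control", "DC_01_Data_Retention_Customer_Content_V1", ["Failure to Purge Data after Retention Period"]),
    Change("Scope Item", "Vendor: Example Cloud (constructed)", [f"Risk {i}" for i in range(8)]),
]
```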
How Teams Track Agent Activity
The agent posts an update at each step to both the Risk record and the Risk Evaluation record's feed, giving your team a full audit trail on either record.
The agent posts one of these messages, depending on the step executed.
- "Automated signal detected from [Trigger Name]. A new evaluation assessment has been drafted."
- "Risk Assessment sent to @[Stakeholder] with due date as [Date]."
- "Likelihood and Impact re-computed. cc: @[Risk Owner], to review."
- "Treatment type is suggested as [Treatment Type]. Please review the evaluation summary."
- "A treatment plan was created with tasks. [Treatment Plan Name]."
How Human Decisions Work with Background Agents
The agent handles data gathering and scoring, but the steps that carry compliance and audit weight stay with the risk manager. These tasks are carefully supervised by the compliance team.
- The agent uses the updated policy clause or control for analysis but doesn't remap it to the risk. The risk manager makes the mapping decision so the audit trail reflects a human-driven impact assessment.
- The evaluation stays in Draft status and the risk manager reviews and moves it forward. The agent's output is a starting point, not a final answer.
- The risk manager has full control over the suggested treatment type and action plan tasks.
Cumulus Bank's compliance team manages a risk named Failure to Purge Data after Retention Period. The risk tracks the potential for regulatory penalties if customer data is not deleted on schedule.
The existing posture before the change:
- The risk is mapped to Retention Schedule_V1, a policy clause requiring customer data to be deleted after one year.
- A completed Q1 evaluation rates the risk with Medium likelihood and Medium impact.
- A control DC_01_Data_Retention_Customer_Content_V1 is active and mapped to the risk, reducing the residual score.
- Overall, the risk is treated as Mitigated and closed for the quarter.
The compliance team publishes Retention Schedule_V2, which tightens the deletion window from 1 year to mandatory 30-day deletion. Retention Schedule_V1 is retired. The existing control, DC_01, still enforces a 1-year deletion schedule and no longer satisfies the new clause.
The new active policy clause mapped to the risk triggers the background agent, which performs these steps automatically.
- A new risk evaluation, [Auto] Assess Impact of Policy Clause: Retention Schedule_V2, with a description summarizing the change from 1-year to 30-day deletion and the compliance gap, is created. The evaluation is set to Draft status.
- An assessment survey is sent to the control owner of DC_01 and the assigned risk manager, asking them to evaluate whether the current control still meets the updated requirement.
- When responses come in confirming that DC_01's deletion schedule has not been updated, the system recalculates the scores to High likelihood and Very High impact and updates the evaluation record.
- The treatment type for the risk is set to Mitigate and the Mitigate Action Plan Template with tasks to update the deletion schedule in DC_01 is attached to the risk evaluation.
The risk manager opens the evaluation, reviews the agent's analysis and the survey responses, confirms the treatment type, and assigns the action plan tasks to the control owner to update DC_01 to enforce 30-day deletion. The risk manager then maps Retention Schedule_V2 to the risk manually to update the audit trail.