• Rationalization process is now automatically created when selecting the Rationalize button in the control objective page.

• The recommendation workflow has been simplified into a two-step process: Step 1 identifies duplicates by accepting or dismissing recommendations; Step 2 finalizes by retaining one recommendation or creating a new common control objective.
• Approvals for the rationalization process are skipped for owners who are reviewers, and levels where all reviewers are owners are automatically approved.

• Owners and approvers can add comments and justifications directly on recommendation cards and reply to existing comments.

• The user interface has been updated with better navigation, quick summaries, visual improvements, and clear error messages.

• For policy exception and extension requests, approvers can now view key details, such as justification, reason, and validity period, within a pop-up before approving or rejecting a policy exception or policy exception extension.
• For manual indicators, if the associated control is marked as exempt, no indicator task is generated.
• When a policy exception is in the Analyze state and the Awaiting Requested Information sub-state, the interface now includes a Send Information button that allows the requester to provide additional details or clarifications requested by the approver.
• Previously, an issue-based exception required a linked policy or control objective for additional approvals. Now, it requires any one of the following: a linked policy, control objective, or control. The control must be linked to the policy exception itself, not just to the issue.

The GRC Approval Configurator can now be used to manage both policy exception and extension approvals. It allows verification, approval, and extension rules to be defined based on state, sub-state, and other filter conditions, with support for multiple user groups and multi-level approvals. This enhancement provides greater flexibility in assigning appropriate approvers at each level based on defined conditions, facilitating structured and collaborative reviews. For extension approvals, users can now configure multiple approvers, overcoming the previous limitation of a single default approver (Compliance Manager).

When entity based record access rules are enabled on the Entity Based Access Configuration Properties page, any newly created controls, control attestations, indicators, and indicator tasks associated with a configured entity will automatically inherit the entity-based access (EBA) value from that entity. Previously, users had to run bulk access updates to apply EBA restrictions whenever new objects were created.

Additionally, when a standard control is converted to a common control, the Entity based access restriction option is inactive by default. Users can manually enable the EBA option for common controls directly from the Access Settings section in the Details tab of the respective control.

• Redesigned the rationalization UI with a reordered layout and highlighted primary actions.
• Validations added for deactivated and deleted control objectives. Introduced the “Restart Analyze” option to support reevaluation of recommendations.
• Introduced support for Azure OpenAI, Amazon Bedrock, and Google Gemini for recommendations of control objectives.
• Updated the Consolidate state UI to show the recommendation panel with retained and accepted control objectives and their associated items.