This control plane turns vendor risk data into one buyer-readable surface: evidence health, access and privacy gaps, workflow readiness, stale reviews, and the approval packets needed before renewals, exceptions, or procurement trust slip.
| Lane | Owner | Focus | Status | Findings | Next action |
|---|---|---|---|---|---|
| Access review lane: Access evidence still carries unresolved approval and owner pressure. | Identity Governance | Privileged access evidence, role attestations, and owner approval. | red | 2 | Reconcile privileged review evidence and role attestations before the next renewal window. |
| Resilience evidence lane: Resilience evidence is recoverable, but recovery proof is still stale. | Vendor Risk Operations | BCDR proof, incident history, and recovery testing completeness. | yellow | 7 | Refresh disaster recovery evidence and verify restore testing. |
| Privacy and subprocessor lane: Privacy evidence is incomplete and subprocessor posture is drifting. | Privacy Operations | DPA coverage, subprocessor mapping, and transfer posture. | red | 4 | Repair privacy appendix coverage and confirm subprocessor posture before sign-off. |
| Review workflow lane: Workflow drift and evidence ownership are still below the desired bar. | Procurement Governance | Exception routing, renewal sign-off, and escalation readiness. | red | 9 | Repair exception sequencing and close the stale evidence queue. |