A common language for insider risk program capability.

The Insider Risk Capability Framework™ helps organizations understand, assess, improve, and communicate the capabilities required to manage insider risk with clarity, consistency, and executive-ready evidence.

IRCF™ v1.0 is a public, practitioner-informed reference model maintained by ITMG®. It defines the core components and capabilities insider risk teams need to move from fragmented activity to defensible exposure management.

Concept & Definition

What is the Insider Risk Capability Framework™?

The Insider Risk Capability Framework™ is a public reference model for understanding the capabilities required to build, manage, and mature an insider risk program.

It organizes insider risk capability into practical components that help teams evaluate governance, monitoring, analysis, investigations, data protection, identity and access management, personnel assurance, oversight, compliance, training, and related program functions.

The framework is designed for CISOs, insider risk program leaders, security teams, legal, HR, privacy, compliance, and executive stakeholders who need a clearer way to understand program capability, identify gaps, prioritize improvement, and communicate progress.

The framework defines the capabilities. RiskTKO® operationalizes them.

The public framework helps teams understand what good looks like. RiskTKO® helps teams assess where they stand, prioritize what to fix, build the roadmap, align actions to risk, and generate executive-ready evidence.

The Problem Space

Why insider risk teams need a capability framework

Most organizations engage in insider risk management activities, but activities do not always equal capability. A program may have monitoring tools, investigation processes, access controls, training, or compliance requirements in place, yet still struggle to answer basic leadership questions:

01

What capabilities do we actually have?

02

Where are we exposed?

03

What should we prioritize next?

04

Are we improving?

05

Can we prove progress to executives?

The Insider Risk Capability Framework™ helps close that gap by giving teams a structured way to understand the building blocks of an effective insider risk program.

!

Fragmented activity

Insider risk responsibilities often span security, HR, legal, privacy, compliance, investigations, and business units without a shared operating model.

!

Unclear capability

Teams may have tools and processes in place but lack a consistent way to evaluate maturity, coverage, ownership, and evidence.

!

Weak prioritization

Without a capability model, gaps are often treated equally instead of being prioritized based on exposure, urgency, and organizational context.

!

Limited executive proof

Leaders need more than activity reports. They need evidence of current state, improvement actions, risk alignment, and measurable progress.

Public framework. Practitioner-informed. ITMG® maintained.

IRCF™ v1.0 is intended to help establish a shared language for insider risk program capability. It is public-facing, practitioner-informed, and maintained by ITMG® for use by organizations seeking to assess and improve their programs.

Public-facing

The framework is available as a public reference model so teams can understand core insider risk capabilities without starting from a blank page.

Practitioner-informed

The framework reflects practical insider risk program needs across governance, operations, monitoring, investigations, access, data protection, assurance, training, and reporting.

Maintained by ITMG®

ITMG® maintains the framework, reviews proposed updates, and preserves a clear boundary between public capability guidance and proprietary RiskTKO® logic.

The framework is not a compliance certification, legal standard, or complete public assessment tool. It is a reference model designed to help teams understand capability areas, ask better questions, identify common gaps, and connect program improvement to recognized expectations.
Framework Structure

Explore the framework components

The Insider Risk Capability Framework™ is organized into 10 components. Each component includes specific capabilities, maturity indicators, common gaps, mapped standards, and RiskTKO® operationalization guidance.

COMPONENT 01

Governance

Defines the authority, ownership, decision rights, escalation paths, and executive oversight needed to manage insider risk as an accountable program.

"Who owns insider risk decisions, and how are those decisions governed?"

Explore Governance
COMPONENT 02

Monitoring

Defines the capabilities required to responsibly observe, correlate, prioritize, and oversee insider risk signals across digital, physical, behavioral, privileged-access, and data movement environments.

"Are we monitoring the right signals, and can we explain what matters?"

Explore Monitoring
COMPONENT 03

Analysis

Defines how insider risk information is interpreted, correlated, enriched, and converted into findings that support defensible decisions.

"Can we turn fragmented information into actionable insider risk insight?"

Explore Analysis
COMPONENT 04

Investigation

Defines the processes, roles, evidence practices, and escalation pathways required to investigate insider risk concerns consistently and defensibly.

"Can we investigate concerns consistently, lawfully, and with usable evidence?"

Explore Investigation
COMPONENT 05

Identity and Access Management

Defines how identity, access, privilege, lifecycle events, and entitlement controls support insider risk prevention, detection, and mitigation.

"Do users have the right access, for the right reasons, at the right time?"

Explore Identity and Access Management
COMPONENT 06

Data Protection

Defines the capabilities required to identify, protect, monitor, and govern sensitive data that could create insider risk exposure.

"Do we know what data matters most and how it is protected?"

Explore Data Protection
COMPONENT 07

Personnel Assurance

Defines how workforce lifecycle, suitability, behavioral, role-based, and contextual factors are managed to reduce insider risk exposure.

"Are workforce risk factors identified and managed before they become program exposure?"

Explore Personnel Assurance
COMPONENT 08

Oversight and Compliance

Defines the review, audit, policy alignment, legal, privacy, and compliance mechanisms needed to ensure insider risk practices are appropriate and defensible.

"Can we prove the program is operating responsibly and within defined boundaries?"

Explore Oversight and Compliance
COMPONENT 09

Training

Defines the awareness, role-based education, leader enablement, and program communication capabilities needed to support insider risk prevention and response.

"Do employees, managers, and program stakeholders know what to recognize, report, and do?"

Explore Training
COMPONENT 10

Risk Management and Reporting

Defines how insider risk findings, capability gaps, recommendations, roadmap progress, metrics, and executive evidence are connected to program-level exposure management.

"Can we prioritize insider risk exposure and prove progress over time?"

Explore Risk Management and Reporting
User Blueprint

How to use the framework

The framework is designed to support practical program improvement. Teams can use it to understand capability areas, evaluate where gaps may exist, align stakeholders around common language, and connect improvement work to evidence and executive reporting.

01

Explore the components

Start with the 10 framework components to understand the major areas required for insider risk program capability.

02

Review the capabilities

Each component includes specific capabilities that describe what the organization should be able to do.

03

Identify common gaps

Use the weak and mature capability indicators to understand where the program may be fragmented, underdeveloped, or difficult to defend.

04

Connect to standards

Review mapped standards and framework references to connect capability areas to recognized security, privacy, compliance, and insider risk expectations.

05

Operationalize in RiskTKO®

Use RiskTKO® to assess current state, prioritize recommendations, build the roadmap, align actions to risk, and generate executive-ready evidence.

Program Evolution

Framework maturity levels

Each framework component can be evaluated using a consistent five-level maturity model. The levels help teams describe whether a capability is informal, developing, repeatable, operational, or optimized.

1

Nascent

LEVEL 1.0

Informal, reactive, and inconsistent. The capability depends on individual effort and provides limited visibility into insider risk exposure.

2

Limited

LEVEL 2.0

Basic activity exists, but roles, workflows, tools, and governance are only partially defined or inconsistently applied.

3

Functional

LEVEL 3.0

The capability is formally defined, governed, and repeatable, but may not be fully integrated across teams, risks, and reporting.

4

Operational

LEVEL 4.0

The capability is actively managed, risk-informed, and connected to coordinated decisions, evidence, and improvement actions.

5

Mature

LEVEL 5.0

The capability is integrated, measurable, and continuously improved, supporting proactive risk management and executive-ready decisions.

*Presented as public capability guidance. Does not represent a RiskTKO® proprietary scoring output.
Compliance & Alignment

Mapped to recognized standards and guidance

The framework includes mapped standards and framework references to help teams connect insider risk capability to recognized security, privacy, compliance, and program management expectations.

Standard / GuidelineControl Expectations & Mapping References
NIST SP 800-53
Provides control references related to governance, monitoring, audit, access control, incident response, program management, privacy, and continuous monitoring.
CERT Common Guide
CERT Common Sense Guide to Mitigating Insider Threats
Provides insider-threat-specific guidance related to governance, prevention, detection, monitoring, response, privileged access, and organizational coordination.
ISO/IEC 27002
Provides information security control guidance relevant to logging, monitoring, access control, awareness, asset protection, supplier relationships, incident management, and compliance.
Regulations & Context
Privacy, labor, and sector-specific requirements
Provides legal and regulatory context for employee monitoring, workforce privacy, data handling, investigation practices, retention, and governance.

Disclaimer: Standards mappings are provided for reference only. They do not represent a compliance determination, certification, or legal conclusion. Organizations should validate applicability based on their regulatory environment, workforce locations, data types, internal policies, and legal obligations.

Modern Risk Landscape

AI changes the insider risk capability conversation

AI introduces new insider risk considerations across monitoring, data protection, identity, governance, analysis, investigations, training, and oversight.

Employees may use AI tools to process sensitive information, accelerate data movement, generate unauthorized summaries, bypass established workflows, or create new forms of accidental or intentional exposure.

At the same time, insider risk teams may use AI-enabled tools to improve triage, analysis, alert prioritization, reporting, and program visibility.

The framework helps organizations evaluate whether their insider risk capabilities are prepared for both sides of this shift: managing AI-enabled insider risk and responsibly using AI-enabled program capabilities.

Defensibility of Evidence

AI-related insider risk capability requires strict governance, active monitoring, thorough oversight, structured human review, precise privacy alignment, and defensible evidence.

01

AI as a risk source

The framework helps teams consider how AI tools may create new data exposure, policy, monitoring, access, and governance challenges.

02

AI as a program enabler

AI can support triage, analysis, summarization, alert prioritization, roadmap planning, and executive reporting when governed responsibly.

03

AI oversight and defensibility

AI-related insider risk decisions require transparency, oversight, human review, privacy alignment, and auditable evidence.

04

AI-ready capability maturity

Programs need capabilities that can adapt as AI usage changes how employees access, transform, move, and disclose sensitive information.

The Platform Layer

How RiskTKO® operationalizes the Insider Risk Capability Framework™

The public framework defines the capabilities organizations should understand. RiskTKO® turns those capabilities into an operating model for insider risk exposure management.

RiskTKO® helps teams assess current capability, identify gaps, prioritize recommendations, build and manage roadmaps, align findings to risk register items, and generate executive-ready evidence.

Instead of treating the framework as a static checklist, RiskTKO® helps organizations turn capability insight into measurable action and defensible reporting.

Operational vs. Static Checklists

"The public framework defines what good looks like. RiskTKO® helps teams assess where they stand, prioritize what to fix, build the roadmap, align actions to risk, and generate executive-ready evidence."

1

Assess capability

Evaluate current-state capability using structured insider risk inputs.

2

Identify gaps

Surface weaknesses in ownership, process, coverage, documentation, governance, controls, or evidence.

3

Prioritize action

Translate capability gaps into prioritized recommendations based on organizational context and exposure.

4

Build the roadmap

Connect recommended actions to owners, milestones, timelines, and measurable progress.

5

Align to risk

Map capability weaknesses and recommended actions to risk register items and executive exposure narratives.

6

Generate evidence

Create executive-ready outputs that show current state, planned action, progress, and remaining exposure.

*RiskTKO® does not claim live integrations, API ingestion, automatic ingestion, or autonomous decisions unless explicitly configured for specific customer platforms.
Feedback Loop

Contribute feedback to the framework

The Insider Risk Capability Framework™ is maintained by ITMG® and designed to evolve through practitioner feedback.

ITMG® welcomes suggested improvements, capability refinements, implementation observations, and mapped standards recommendations from insider risk, security, legal, HR, privacy, compliance, and investigations professionals.

All proposed changes are reviewed by ITMG® before inclusion in a future framework version.

Public repository coming soon

ITMG® plans to publish a public GitHub repository for the Insider Risk Capability Framework™ to support transparency, version history, practitioner feedback, and easier community reference. Until that repository is available, the official public version of IRCF™ v1.0 is maintained on this site. Repository access, contribution guidelines, and licensing terms will be published separately.

Contribution Disclaimer: Submitting feedback does not guarantee inclusion in the framework. ITMG® retains editorial control to preserve clarity, consistency, quality, and alignment with the framework’s purpose.
FAQ

Insider Risk Capability Framework™ FAQ

Important framework disclaimer

The Insider Risk Capability Framework™ is provided as a public reference model. It does not constitute legal advice, compliance certification, regulatory guidance, or a complete assessment of any organization’s insider risk program. Standards mappings are provided for reference only. Organizations should validate applicability based on their regulatory environment, workforce locations, data types, internal policies, and legal obligations.

© ITMG®. All rights reserved. Use, reproduction, redistribution, or modification of the Insider Risk Capability Framework™ is subject to terms that will be published with the official repository and licensing model. RiskTKO®’s proprietary scoring, prioritization, recommendation, risk-mapping, roadmap-generation, and dynamic update logic are not included in the public framework.

Turn insider risk capability into action.

The framework helps teams understand what good looks like. RiskTKO® helps teams assess where they stand, prioritize what to fix, build the roadmap, align actions to risk, and generate executive-ready evidence.