A common language for
insider risk program capability.
The Insider Risk Capability Framework™ helps organizations understand, assess, improve, and communicate the capabilities required to manage insider risk with clarity, consistency, and executive-ready evidence.
IRCF™ v1.0 is a public, practitioner-informed reference model maintained by ITMG®. It defines the core components and capabilities insider risk teams need to move from fragmented activity to defensible exposure management.
What is the Insider Risk Capability Framework™?
The Insider Risk Capability Framework™ is a public reference model for understanding the capabilities required to build, manage, and mature an insider risk program.
It organizes insider risk capability into practical components that help teams evaluate governance, monitoring, analysis, investigations, data protection, identity and access management, personnel assurance, oversight, compliance, training, and related program functions.
The framework is designed for CISOs, insider risk program leaders, security teams, legal, HR, privacy, compliance, and executive stakeholders who need a clearer way to understand program capability, identify gaps, prioritize improvement, and communicate progress.
The framework defines the capabilities. RiskTKO® operationalizes them.
The public framework helps teams understand what good looks like. RiskTKO® helps teams assess where they stand, prioritize what to fix, build the roadmap, align actions to risk, and generate executive-ready evidence.
Why insider risk teams need a capability framework
Most organizations engage in insider risk management activities, but activities do not always equal capability. A program may have monitoring tools, investigation processes, access controls, training, or compliance requirements in place, yet still struggle to answer basic leadership questions:
What capabilities do we actually have?
Where are we exposed?
What should we prioritize next?
Are we improving?
Can we prove progress to executives?
The Insider Risk Capability Framework™ helps close that gap by giving teams a structured way to understand the building blocks of an effective insider risk program.
Fragmented activity
Insider risk responsibilities often span security, HR, legal, privacy, compliance, investigations, and business units without a shared operating model.
Unclear capability
Teams may have tools and processes in place but lack a consistent way to evaluate maturity, coverage, ownership, and evidence.
Weak prioritization
Without a capability model, gaps are often treated equally instead of being prioritized based on exposure, urgency, and organizational context.
Limited executive proof
Leaders need more than activity reports. They need evidence of current state, improvement actions, risk alignment, and measurable progress.
Public framework. Practitioner-informed. ITMG® maintained.
IRCF™ v1.0 is intended to help establish a shared language for insider risk program capability. It is public-facing, practitioner-informed, and maintained by ITMG® for use by organizations seeking to assess and improve their programs.
Public-facing
The framework is available as a public reference model so teams can understand core insider risk capabilities without starting from a blank page.
Practitioner-informed
The framework reflects practical insider risk program needs across governance, operations, monitoring, investigations, access, data protection, assurance, training, and reporting.
Maintained by ITMG®
ITMG® maintains the framework, reviews proposed updates, and preserves a clear boundary between public capability guidance and proprietary RiskTKO® logic.
Explore the framework components
The Insider Risk Capability Framework™ is organized into 10 components. Each component includes specific capabilities, maturity indicators, common gaps, mapped standards, and RiskTKO® operationalization guidance.
Governance
Defines the authority, ownership, decision rights, escalation paths, and executive oversight needed to manage insider risk as an accountable program.
"Who owns insider risk decisions, and how are those decisions governed?"
Explore GovernanceMonitoring
Defines the capabilities required to responsibly observe, correlate, prioritize, and oversee insider risk signals across digital, physical, behavioral, privileged-access, and data movement environments.
"Are we monitoring the right signals, and can we explain what matters?"
Explore MonitoringAnalysis
Defines how insider risk information is interpreted, correlated, enriched, and converted into findings that support defensible decisions.
"Can we turn fragmented information into actionable insider risk insight?"
Explore AnalysisInvestigation
Defines the processes, roles, evidence practices, and escalation pathways required to investigate insider risk concerns consistently and defensibly.
"Can we investigate concerns consistently, lawfully, and with usable evidence?"
Explore InvestigationIdentity and Access Management
Defines how identity, access, privilege, lifecycle events, and entitlement controls support insider risk prevention, detection, and mitigation.
"Do users have the right access, for the right reasons, at the right time?"
Explore Identity and Access ManagementData Protection
Defines the capabilities required to identify, protect, monitor, and govern sensitive data that could create insider risk exposure.
"Do we know what data matters most and how it is protected?"
Explore Data ProtectionPersonnel Assurance
Defines how workforce lifecycle, suitability, behavioral, role-based, and contextual factors are managed to reduce insider risk exposure.
"Are workforce risk factors identified and managed before they become program exposure?"
Explore Personnel AssuranceOversight and Compliance
Defines the review, audit, policy alignment, legal, privacy, and compliance mechanisms needed to ensure insider risk practices are appropriate and defensible.
"Can we prove the program is operating responsibly and within defined boundaries?"
Explore Oversight and ComplianceTraining
Defines the awareness, role-based education, leader enablement, and program communication capabilities needed to support insider risk prevention and response.
"Do employees, managers, and program stakeholders know what to recognize, report, and do?"
Explore TrainingRisk Management and Reporting
Defines how insider risk findings, capability gaps, recommendations, roadmap progress, metrics, and executive evidence are connected to program-level exposure management.
"Can we prioritize insider risk exposure and prove progress over time?"
Explore Risk Management and ReportingHow to use the framework
The framework is designed to support practical program improvement. Teams can use it to understand capability areas, evaluate where gaps may exist, align stakeholders around common language, and connect improvement work to evidence and executive reporting.
Explore the components
Start with the 10 framework components to understand the major areas required for insider risk program capability.
Review the capabilities
Each component includes specific capabilities that describe what the organization should be able to do.
Identify common gaps
Use the weak and mature capability indicators to understand where the program may be fragmented, underdeveloped, or difficult to defend.
Connect to standards
Review mapped standards and framework references to connect capability areas to recognized security, privacy, compliance, and insider risk expectations.
Operationalize in RiskTKO®
Use RiskTKO® to assess current state, prioritize recommendations, build the roadmap, align actions to risk, and generate executive-ready evidence.
Framework maturity levels
Each framework component can be evaluated using a consistent five-level maturity model. The levels help teams describe whether a capability is informal, developing, repeatable, operational, or optimized.
Nascent
LEVEL 1.0Informal, reactive, and inconsistent. The capability depends on individual effort and provides limited visibility into insider risk exposure.
Limited
LEVEL 2.0Basic activity exists, but roles, workflows, tools, and governance are only partially defined or inconsistently applied.
Functional
LEVEL 3.0The capability is formally defined, governed, and repeatable, but may not be fully integrated across teams, risks, and reporting.
Operational
LEVEL 4.0The capability is actively managed, risk-informed, and connected to coordinated decisions, evidence, and improvement actions.
Mature
LEVEL 5.0The capability is integrated, measurable, and continuously improved, supporting proactive risk management and executive-ready decisions.
Mapped to recognized standards and guidance
The framework includes mapped standards and framework references to help teams connect insider risk capability to recognized security, privacy, compliance, and program management expectations.
| Standard / Guideline | Control Expectations & Mapping References |
|---|---|
NIST SP 800-53 | Provides control references related to governance, monitoring, audit, access control, incident response, program management, privacy, and continuous monitoring. |
CERT Common Guide CERT Common Sense Guide to Mitigating Insider Threats | Provides insider-threat-specific guidance related to governance, prevention, detection, monitoring, response, privileged access, and organizational coordination. |
ISO/IEC 27002 | Provides information security control guidance relevant to logging, monitoring, access control, awareness, asset protection, supplier relationships, incident management, and compliance. |
Regulations & Context Privacy, labor, and sector-specific requirements | Provides legal and regulatory context for employee monitoring, workforce privacy, data handling, investigation practices, retention, and governance. |
Disclaimer: Standards mappings are provided for reference only. They do not represent a compliance determination, certification, or legal conclusion. Organizations should validate applicability based on their regulatory environment, workforce locations, data types, internal policies, and legal obligations.
AI changes the insider risk capability conversation
AI introduces new insider risk considerations across monitoring, data protection, identity, governance, analysis, investigations, training, and oversight.
Employees may use AI tools to process sensitive information, accelerate data movement, generate unauthorized summaries, bypass established workflows, or create new forms of accidental or intentional exposure.
At the same time, insider risk teams may use AI-enabled tools to improve triage, analysis, alert prioritization, reporting, and program visibility.
The framework helps organizations evaluate whether their insider risk capabilities are prepared for both sides of this shift: managing AI-enabled insider risk and responsibly using AI-enabled program capabilities.
Defensibility of Evidence
AI-related insider risk capability requires strict governance, active monitoring, thorough oversight, structured human review, precise privacy alignment, and defensible evidence.
AI as a risk source
The framework helps teams consider how AI tools may create new data exposure, policy, monitoring, access, and governance challenges.
AI as a program enabler
AI can support triage, analysis, summarization, alert prioritization, roadmap planning, and executive reporting when governed responsibly.
AI oversight and defensibility
AI-related insider risk decisions require transparency, oversight, human review, privacy alignment, and auditable evidence.
AI-ready capability maturity
Programs need capabilities that can adapt as AI usage changes how employees access, transform, move, and disclose sensitive information.
How RiskTKO® operationalizes the Insider Risk Capability Framework™
The public framework defines the capabilities organizations should understand. RiskTKO® turns those capabilities into an operating model for insider risk exposure management.
RiskTKO® helps teams assess current capability, identify gaps, prioritize recommendations, build and manage roadmaps, align findings to risk register items, and generate executive-ready evidence.
Instead of treating the framework as a static checklist, RiskTKO® helps organizations turn capability insight into measurable action and defensible reporting.
Operational vs. Static Checklists
"The public framework defines what good looks like. RiskTKO® helps teams assess where they stand, prioritize what to fix, build the roadmap, align actions to risk, and generate executive-ready evidence."
Assess capability
Evaluate current-state capability using structured insider risk inputs.
Identify gaps
Surface weaknesses in ownership, process, coverage, documentation, governance, controls, or evidence.
Prioritize action
Translate capability gaps into prioritized recommendations based on organizational context and exposure.
Build the roadmap
Connect recommended actions to owners, milestones, timelines, and measurable progress.
Align to risk
Map capability weaknesses and recommended actions to risk register items and executive exposure narratives.
Generate evidence
Create executive-ready outputs that show current state, planned action, progress, and remaining exposure.
Contribute feedback to the framework
The Insider Risk Capability Framework™ is maintained by ITMG® and designed to evolve through practitioner feedback.
ITMG® welcomes suggested improvements, capability refinements, implementation observations, and mapped standards recommendations from insider risk, security, legal, HR, privacy, compliance, and investigations professionals.
All proposed changes are reviewed by ITMG® before inclusion in a future framework version.
ITMG® plans to publish a public GitHub repository for the Insider Risk Capability Framework™ to support transparency, version history, practitioner feedback, and easier community reference. Until that repository is available, the official public version of IRCF™ v1.0 is maintained on this site. Repository access, contribution guidelines, and licensing terms will be published separately.
Insider Risk Capability Framework™ FAQ
Important framework disclaimer
The Insider Risk Capability Framework™ is provided as a public reference model. It does not constitute legal advice, compliance certification, regulatory guidance, or a complete assessment of any organization’s insider risk program. Standards mappings are provided for reference only. Organizations should validate applicability based on their regulatory environment, workforce locations, data types, internal policies, and legal obligations.
© ITMG®. All rights reserved. Use, reproduction, redistribution, or modification of the Insider Risk Capability Framework™ is subject to terms that will be published with the official repository and licensing model. RiskTKO®’s proprietary scoring, prioritization, recommendation, risk-mapping, roadmap-generation, and dynamic update logic are not included in the public framework.
Turn insider risk capability
into action.
The framework helps teams understand what good looks like. RiskTKO® helps teams assess where they stand, prioritize what to fix, build the roadmap, align actions to risk, and generate executive-ready evidence.