
What’s New in MetricStream’s AI-First Connected GRC: May 2026 Product Updates


Introduction

I’m excited to announce the next release of MetricStream: May 2026 Euphrates-II Update 7. Powered by AI across risk, compliance, cyber, audit, and third-party workflows, this release continues to update MetricStream so that your GRC teams work faster, reduce manual effort, and experience smooth, connected workflows.

The release focuses on capabilities that solve real operational pain points: answering policy questions, completing surveys faster, prioritizing critical cyber assets, reducing friction in third-party workflows, simplifying audit execution, and strengthening the platform foundation for future AI innovation.

Here are some of the key highlights of the new release and how they offer value for you.

1. MetricStream Assistant: AI Guides You in Real-Time Within the Platform

Your GRC team uses the platform daily for several things – the IT manager responding to a scoping survey, the finance analyst updating a control, the vendor completing an assessment. Many are occasional users. They may log in only to complete a survey, update an assessment, respond to a task, or provide evidence. For these users, finding the right screen or understanding the next step can create friction.

In this product release, we bring AI closer to where your GRC platform users work every day. Embedded directly in your workflows, MetricStream Assistant guides users to the right screen, explains what's needed next, and helps complete forms. Your team no longer needs to raise a helpdesk ticket or ask a colleague. Users can navigate workflows, understand what to do next, and complete forms more efficiently. Conversational Q&A with contextual help enables users to find the right answers instantly.

Here's how it works:

You type what you need in plain language, and the Assistant guides you. Here’s what MetricStream Assistant can do for you:

  • Navigate for you. Just say "Take me to the screen to capture a new issue" or "Where are my pending tasks?" and it'll take you there.
  • Explain fields and workflows. Not sure what a field is asking for? Ask the Assistant. It gives you a plain-language explanation based on your documentation.
  • Help you capture data faster. Describe what you need to record — a risk, an issue, a control test — and the Assistant can suggest values for the relevant fields. You review and confirm before anything gets saved.

What’s more, the MetricStream Assistant comes pre-loaded with Issue Management and GRC Library guides, so it’s ready to use from day one. You can also configure it with your own playbooks, process guides, and documentation during implementation.

The result? Better adoption, faster task completion, fewer support tickets, and users who feel confident in the GRC platform.

2. Policy Assistant: Get Policy Answers at Your Fingertips

Policy Assistant is an embedded AI Assistant inside MetricStream Policy Management. Now, users can ask questions in plain language — and get an answer grounded in your approved, current policy content, with the source right there for verification. They can also pin, rename, and save their chat history.

Some examples of what users can ask:

  • "What is our password policy?"
  • "Can I store company files on a personal device?"
  • "What's the process for reporting a security incident?"
  • "What's the approval threshold for vendor contracts?"
  • "Where can I find the data retention policy?"

Every answer comes with citations so users can see exactly where the information came from. The Assistant can also summarize policy sections and handle follow-up questions in the same conversation.

Policy Assistant is a self-service tool, not a replacement for your policy team. Policy owners and compliance professionals still own interpretation, governance, approvals, and the policy lifecycle.

The Assistant handles the common, repetitive questions so your team can focus on the more complex stuff. This helps organizations:

  • Improve policy self-service
  • Reduce dependency on policy teams
  • Strengthen policy adoption
  • Provide more consistent policy interpretation
  • Help employees make faster, more confident decisions

3. AI Survey/Questionnaire Autofill: Faster Responses with Less Manual Effort

Your team already has the answers. Now, MetricStream AI Autofill helps them find the right information and drafts the responses for them.

Surveys and questionnaires are a major source of repetitive work across cyber, compliance, third-party, and audit workflows.

Often, GRC teams are required to manually fill in the same questions, quarter after quarter. Most of the answers, however, already exist in previous submissions, in policy documents, in evidence files, in internal reports. Using your uploaded documents, AI Autofill generates draft survey responses. This is especially useful for teams that regularly complete similar assessments across different programs.

Here's how it works:

  • Upload your reference documents (policies, SOPs, compliance reports, certifications, previous submissions — PDFs, DOCX, XLSX, PPTX all work), select which ones to use, and let AI draft the survey responses.
  • You can upload multiple docs at a time. AI picks the right one. You instantly get responses cited to their source document.
  • The best part – You stay in control throughout! You can review the AI-generated drafts, see the confidence scores, edit the responses, and accept or reject in bulk before anything is submitted. AI does the drafting. You do the deciding.
  • You can even distinguish AI-generated responses from a manually entered response. Each answer comes with a confidence score and a citation so you know exactly where it came from.

With MetricStream, GRC teams can now complete questionnaires faster while improving consistency and traceability.

What does it mean on the ground? For cyber teams, this means fewer late nights on vendor security questionnaires. For compliance teams, this means faster certifications. For internal audit, pre-engagement scoping now takes just hours instead of days.

4. A Modernized Experience for Third-Party, Regulatory, and Case Management

Some of the most important GRC work is often complex.

Third-party risk workflows can span procurement, security, compliance, vendor owners, and risk teams.

Regulatory exams, cases, and investigations often demand clarity and speed. The May 2026 release modernizes the daily experiences of your GRC team.

A. UI/UX Modernization to improve the third-party risk management experience.

The May 2026 TPRM UI/UX modernization is designed to remove friction at every step: a redesigned portal, smarter search, unified views across vendors and engagements, and a cleaner 360-degree vendor profile that shows you what you need without multiple clicks to get there.

B. Regulatory Engagement & Case Management UI/UX Enhancement

For regulatory engagement and case management, compliance teams now get to work with modernized forms, simpler navigation, personalized dashboards, and streamlined task handling — so managing exams, incidents, and investigations becomes much easier.

The new UI/UX changes aren't just cosmetic updates. With a simpler interface, teams move faster, adoption improves, and the work gets done faster.

5. Crown Jewel Asset Visibility: Focus Cyber Efforts Where They Matter Most

Not every asset carries the same level of business impact.

Some systems, applications, and data assets are critical to business operations, customer trust, regulatory compliance, or revenue continuity. These are often referred to as Crown Jewel Assets.

In this release, we extend Crown Jewel visibility directly into IT & Cyber Risk and Compliance workflows.

Your cyber and compliance teams can now filter, analyze, and report on compliance gaps, risks, controls, and assessment outcomes specifically for Crown Jewel Assets. That means less noise, more focus, and a more risk-based approach to cyber governance overall.

This helps teams:

  • Prioritize risk assessments and control testing around what matters most
  • Accelerate remediation on business-critical asset issues
  • Report to leadership with confidence — not just comprehensiveness
  • Improve visibility into critical asset governance
  • Align cyber governance to actual business risk

The result is a more risk-based approach to cyber governance and compliance oversight. The systems most critical to your revenue, customer trust, and regulatory continuity stay front and center.

6. Internal Audit Enhancements: Better Documentation, Less Setup, Easier Execution

This release includes three meaningful improvements for Internal Audit Management.

AI-Powered Content Refinement

Writing audit narratives and refining them for clarity, consistency, and review-readiness takes time. AI-powered content refinement is now available for key narrative fields across audit and workpaper forms, including:

  • Purpose/Rationale on the Audit Form
  • Work Done on Control, Design Effectiveness Testing (DET), Operating Effectiveness Testing (OET), Checklist, and Other Workpaper forms

Auditors, reviewers, and approvers can use it to produce clearer, more concise documentation, saving time on back-and-forth edits.

Faster Checklist Workpaper Creation

Setting up a checklist workpaper shouldn't take as long as it does. This release introduces smart auto-population during setup:

  • If only one checklist is available for the selected Audit and Workpaper Type, it's auto-filled
  • The latest published version is selected automatically
  • Mandatory sections are pre-populated based on the selected version

You can still override any of these defaults — the auto-fill just removes the repetitive steps for the common case.

Redesigned Checklist Task Execution

Working through a checklist workpaper with 50+ sections and hundreds of questions is a tiresome experience.

This release brings you collapsible and searchable section navigation, a hamburger menu, sticky section headers, section-level progress indicators, and Previous/Next buttons for sequential navigation. You can also filter by status: All, Pending, Completed, or Needs Clarification.

It provides a much better experience for fieldwork execution, especially on large or complex checklists.

7. MetricStream GRC Platform Enhancements: A Stronger Foundation for Scalability, Security, and Innovation

The May 2026 release also strengthens the AI and platform foundation behind MetricStream’s Connected GRC strategy. A few improvements worth calling out include:

A. Context Engine – Semantic Search

GRC content is spread across policies, regulations, evidence, procedures, and internal documents. Without the right context, AI responses may not be as relevant as you need them to be.

Context Engine – Semantic Search gives AI a semantic understanding of your GRC content. Instead of keyword matches, it understands meaning and relationships across policies, regulations, evidence, and procedures.

This supports more accurate and grounded AI experiences within MetricStream. That's what makes Policy Q&A accurate, Survey Autofill relevant, and document analysis actually useful.

B. Document Reasoning API

GRC teams often spend significant time reviewing long documents and manually extracting key information. MetricStream changes that.

The Document Reasoning API helps transform complex, unstructured documents into structured, usable intelligence. It supports AI-assisted extraction and reasoning with human review before final outputs are used. AI does all the reading. You do the review!

This helps reduce manual document review and supports AI use cases across multiple GRC workflows.

C. Platform Enhancements

MetricStream continues to strengthen the platform with usability, security, integration, and technology stack enhancements. These foundational improvements help make the platform easier to use, more secure, more reliable, and easier to support over time.

Key platform updates include:

  • Transparent Form Locking: Users can now see when a form is locked, who is editing it, and request access directly. They also receive a notification when the form becomes available. This reduces confusion and prevents conflicting updates.
  • Lock Visibility in Reports: Lock indicators now appear in reports, so users can see which records are being edited by others and request access directly from the report.
  • Field-Level Help: Help icons can appear next to configured fields, giving users simple guidance on what information to enter without leaving the form.
  • Copy in View and Edit Mode: Users can copy records directly from View Mode or Edit Mode, based on configuration and permissions. This saves clicks and speeds up repeat record creation.
  • Better Validation Messages: For forms with multiple rows of data, validation messages now show more detail so users can quickly find and fix the exact row with an error.
  • Improved Group Assessment Notifications: Browser notifications now show the correct Virtual Assessment name, reducing confusion in shared assessment workflows.
  • Improved Bulk Upload Templates: Drop-down fields in SDU upload templates now work consistently across all rows. SDU refers to structured data upload templates used for bulk data imports. This reduces manual entry errors and failed uploads.
  • Profile Page Enhancements: Profile headers can now show additional summary fields, such as Overall Risk Score and Risk Rating, giving users key information at a glance.
  • Low-Code API Enhancements: New APIs give implementation teams more flexibility to configure Tree and Cartridge menu labels with less manual effort. An API is a controlled way for systems or configuration tools to interact with platform components.
  • Security and Integration Updates: MetricStream now supports OAuth 2.0 for Microsoft Outlook Calendar integration. OAuth 2.0 is a secure way to connect systems using tokens instead of stored passwords. The release also adds password dictionary checks to block weak or commonly used passwords.
  • Technology Stack Updates: MetricStream has updated key underlying platform components, open-source libraries, and certifications. These updates help keep the platform secure, current, and supportable over time.
  • Modern Reusable UI Components: MetricStream continues to invest in reusable user interface components. In simple terms, these are standardized building blocks that help deliver more consistent, scalable, and easier-to-maintain user experiences across products.

Frequently Asked Questions

MetricStream Assistant, Policy Assistant, AI-Powered Survey Autofill, and AI-Powered Content Refinement for audit and workpaper forms.

An embedded AI assistant that helps users navigate MetricStream, understand fields and workflows, and capture data faster. It comes pre-loaded with Issue Management and GRC Library guides, and can be configured with additional customer-specific content.

An embedded AI Assistant in Policy and Document Management that lets users ask policy questions in plain language and get answers grounded in approved, up-to-date policy content — with citations included.

Upload your reference documents, select which ones to use, and AI drafts responses to survey questions. You review each response — along with its confidence score and citation — before accepting or submitting.

No. All AI-generated suggestions are reviewed and confirmed by the user before anything is saved or submitted. You're always in control.

A way to identify and focus on your most critical business assets. This release extends Crown Jewel visibility across IT & Cyber Compliance and Risk Assessment areas, including associated reports.

Third-Party Management, Regulatory Engagement Management, and Case & Incident Management — with redesigned navigation, smart layouts, role-based landing pages, contextual guidance, and dark theme support.

AI-powered content refinement across audit and workpaper forms, faster checklist workpaper creation with smart auto-population, and a redesigned checklist task execution experience for large workpapers.

The May 2026 release includes several platform usability, security, integration, and technology updates. These include transparent form locking, structured access requests, concurrent access visibility in reports, field-level contextual help, copy action in View and Edit Mode, improved validation messages for multirow fields, accurate browser push notifications for Group Assessments, improved SDU upload templates, profile page enhancements, low-code APIs, OAuth 2.0 for Microsoft Outlook Calendar, weak password checks, and technology stack updates.

A technology stack upgrade means updating the underlying software components that support the platform. These updates help improve security, reduce end-of-life risk, and strengthen long-term platform supportability.

Low-code APIs give implementation teams a controlled way to configure or customize parts of the platform with less manual effort. In this release, new row-level APIs help teams manage menu labels for Tree and Cartridge components.


Xerses Naegamvala, Senior Vice President, Product Management