Note: These features, updates, and addressed issues are released first in Hyperproof US and Hyperproof EU on the date noted in the title. They are released in Hyperproof Gov one week later.
Added
System administrator role
A new top-level System Administrator role has been introduced! System Admins automatically have Manager-level access to every object in the organization without needing to join.
Admins can promote themselves to System Admin. System Admins can promote or demote users to any role, including other System Admins.
System Admins can view all objects, including unlinked objects such as proof or tasks.
To upgrade an Admin to a System Admin: Navigate to Settings > People, find your user, and update your role to System Admin.
The System Admin role is most relevant for admins who manually bulk-add themselves to objects to plan, report on, or audit compliance work across the organization. For example, if you need access to all programs, audits, and controls upon creation, upgrading to System Admin eliminates that overhead entirely.
Multi-step approvals in risk assessments
Multi-step approvals on risk assessments are generally available to all Hyperproof customers with the Risk Assessment module. Use approvals to automate and orchestrate the review and approval of proposed changes to risks during a risk assessment, eliminating the manual, ad hoc processes required today.
Approvals are configured when creating the risk assessment and support:
Sequential or Parallel approval rounds
Up to 6 steps
Requiring all approvers to approve in a round or only a specific number of approvers (e.g., add members from the Security department, only require approval from 1 of them)
The new capabilities also include an optional automation that updates the risk automatically when the approval process completes successfully with an approved outcome. If this option is not used, a user must click the Update risk button to apply the approved changes and finalize the evaluation, transitioning it to the approved state.
Base approval automations defined for the assessment can be updated on individual evaluations as needed to accommodate the evaluation's specific needs.
Support for multiple domains in SSO
Organization administrators can now associate multiple email domains with the organization's SSO configuration from the Settings menu. With this change:
SSO Required is enforced for any user whose email matches any of the organization's registered domains.
When the MFA required setting is on, all users in all of the organization's registered domains will be required to use MFA.
Users from any registered domain can authenticate via the configured Identity Providers and launch Hyperproof in the correct organization.
Improved
Work Item filtering
Evaluations and policies are now available options when filtering tasks by target type.
Filtering by ID is now available for all work items (previously unavailable on tasks and requests).
Monitoring System Events
Added the option to include an Authorization header when configuring a webhook from Hyperproof to a target URL.
Corrected errors found in the JSON payload schema.
Hypersyncs and integrations
Proof Types
New! Hypersync for Microsoft Entra ID: Privileged Identity Management proof:
Requires the following additional scopes:
RoleEligibilitySchedule.Read.DirectoryandRoleAssignmentSchedule.Read.DirectoryTo access this new proof type, you must add the required scopes and reauthenticate the Microsoft Entra ID connection. See Fixing an Unhealthy connection in Managing Hypersync connection health.
Updated! Hypersync for Crowdstrike: List of Hosts proof type - Added the following fields: Prevention Policy, Sensor Update Policy, and Device Control Policy.
Updated! HyperSync for Okta: List of Deactivated Users - Enhanced filtering support: filter by Deprovisioned Date and Status. Added additional fields: Job Title, Manager, Department, Last Login, User ID.
Updated! Hypersync for Workday: List of Employees with a Change in Status - Enhanced filtering support: added Year to Date to Time Range. Added additional field: Remote ID.
Note: The enhancements to this proof type are shared across all Merge HRIS Hypersyncs, so all of them will include these changes.
Programs
All new and updated program frameworks in Hyperproof include Controls and are fully crosswalked to the Hyperproof Crosswalk dataset.
New program frameworks
Centers for Medicare & Medicaid Services (CMS) Acceptable Risk Controls for Affordable Care Act (ACA), Medicaid, and Partner Entities (ARC-AMPE) v1.0.2
EU Data Act - EU Regulation 2023/2854
EU Regulation 2019/1020 on market surveillance and compliance of products
Personal Information Protection Act (PIPA) and its Regulation - Alberta, Canada
Personal Information Protection Act (PIPA) - British Columbia, Canada
Singapore Financial Services and Markets Act 2022
UK Financial Conduct Authority (FCA) Handbook, Act (FSMA), and Regulated Order (RAO)
Updated program frameworks
BSI Cloud Computing Compliance Controls Catalog (C5) 2026
CA Browser Forum Baseline Requirements v2.2.6
California Privacy Rights Act (CPRA)
Cloud Security Alliance (CSA) AI Controls Matrix (AICM) v 1.03
CSA Consensus Assessments Initiative Questionnaire (CAIQ) v4.1
ETSI EN 319 401 V3.2.1
ETSI EN 319 411-1 V1.5.1
Secure Controls Framework (SCF) - January 2026
TISAX VDA ISA 6.0.3
Addressed issues
Fixed an issue where files or images with special characters in their file names failed to upload to the Proof module or questionnaires, preventing users from attaching documentation. (Case # 00011368)
Fixed an issue where clicking Try Again on a failed task integration whose associated repeating task template had been deleted caused a full-page error rather than handling the failure gracefully. (Case # 00011955)
Fixed an issue where Confluence proof collection would fail silently without displaying an error message, leaving proof entries in a broken or unresponsive state without notifying the user of the failure. (Case # 00012003)
Fixed an issue where Limited Access Users were incorrectly permitted to create new contacts through the user picker interface, and added an inline warning to clarify that contacts are for reference only and will not receive notifications or have access to items. (Case # 00012134)
Fixed an issue where the Back to program hyperlink was missing when accessing a control from within a program. (Case # 00012086, 00012087)
Fixed an issue where hierarchical control scopes intermittently displayed stale or incorrect health status reasons. (Case # 00012149)
Fixed an issue with hierarchical scope assignments where the scope owner was not properly applied to the control scopes. (Case # 00012121)
Fixed an issue in risk evaluations where opening a risk evaluation without the required permissions displayed spinners and didn't provide a useful error message. (Case #00012176)
Fixed an issue where updating custom field values on a main control with a large number of linked hierarchical scopes resulted in an error, preventing users from saving changes. (Case # 00012152)
Fixed an issue where submitting a task configured with a sequential approval workflow and auto-close enabled failed to generate the approval records or advance the workflow status. (Case # 00012119)
Fixed an issue in the Assessments module where users couldn't change a control or requirement evaluation from an Approved status to any other status. (Case # 00012159)
Fixed errors generated when attempting to configure the Hypersync for Google Cloud Platform. (Case # 00012169)
Fixed an issue where no results were returned when filtering audit requests on a custom field that was of the type multi-line text. (Case # 00012193)
Fixed out-of-memory errors generated when accessing repeating tasks from the Work items window. (Case # 00012196)
.. plus other fit and finish, performance, stability, and security issues — as always!