North Engineer

Vetting New Technology Without Becoming the Department of No

17 min read

A new tool walks into your organization. Maybe a SaaS platform a director already signed for on a corporate card. Maybe an LLM gateway someone in product wants to wire into a customer-facing workflow. Maybe a network appliance the facilities team bought to solve a building-automation problem. The pattern repeats: someone identifies a need, someone identifies a product, and the question of whether the product is safe to bring into the environment shows up as an afterthought, usually in the form of a meeting invite to security with an attached PDF.

You have two ways to fail at this meeting. You can rubber-stamp it, and discover six months later that the vendor’s third subprocessor stores tokens unencrypted, the integration has read-write access to a data store nobody knew it could reach, and there is no clean way to remove it. Or you can reflex-deny it, and discover six months later that the business unit bought it anyway, on a personal credit card, and is now operating it outside every control you have. Both failures end at the same place: a tool you do not control, processing data you cannot see, with privileges you cannot audit.

The job is the middle path. Deliberate friction, proportional to risk, anchored in published consensus standards, applied consistently enough that the rest of the organization can predict the answer. The previous post on this site argued that you should stop inventing security and use the benchmarks. The same argument applies here. There is a settled framework for assessing new technology — pieces of it sit in the CIS Controls, in NIST CSF 2.0, and in NIST SP 800-161. You do not have to invent your vetting process either.

The two failures, stated plainly

Rubber-stamp adoption happens when nobody owns the question. Procurement looks at price, legal looks at the MSA boilerplate, IT looks at SSO compatibility, and the cumulative effect is an environment where the security implications were never assessed by anyone who actually understood them. Three years later, when you map your data flows, you find personally identifiable customer data in a system nobody remembers approving.

Reflex-deny adoption happens when the security function is structurally rewarded for saying no and never penalized for being slow. The business unit, who has a number to hit and a quarter to hit it in, learns to route around the function entirely. Shadow IT is not a moral failing of users. It is the predictable consequence of a security process that costs more than it delivers.

Both are the same root cause: the absence of a framework. With a framework, the question is no longer “will security let us?” It becomes “what does the assessment require?” That is a fundamentally different posture, and it is the posture that lets adoption move at the speed the business needs while keeping your environment defensible.

What good vetting actually anchors to

Three documents do most of the work. You do not have to memorize them, but you should know what they are and where the relevant safeguards sit.

CIS Critical Security Controls v8.1 — eighteen control areas, 153 specific safeguards, organized into three Implementation Groups. v8.1 added a Govern function aligned to NIST CSF 2.0. The controls most directly relevant to technology adoption are Control 1 (Inventory of Enterprise Assets), Control 2 (Inventory of Software Assets), Control 3 (Data Protection), Control 5 (Account Management), Control 6 (Access Control Management), and Control 15 (Service Provider Management). Control 15 in particular reads like a vendor-vetting checklist on its own.

NIST Cybersecurity Framework 2.0 — six functions (Govern, Identify, Protect, Detect, Respond, Recover), 22 categories, 106 subcategories. The 2024 release added the Govern function as a peer to the others, and it is the function that turns “we have controls” into “someone is accountable for those controls.” For technology adoption, GV.SC (cybersecurity supply chain risk management), GV.OC (organizational context), and GV.OV (oversight) are the relevant categories.

NIST SP 800-161 Rev. 1 (with the November 2024 update) is the deep version of the supply chain story. It is more operational than CSF and integrates directly with NIST 800-53 Rev. 5 and the NIST Risk Management Framework. If you are in a regulated environment, this is where your supply chain controls eventually have to map.

You are not building from scratch. You are wiring these documents into a process that the rest of the organization can use without needing to read them.

The assessment spine

What follows is the runbook — five gates, in order. If a tool fails an early gate, you do not waste time on the later ones. The gates are deliberately sequential, because each one assumes the previous one has been answered.

Gate 1 — Need

Before any technical question, the business unit has to articulate, in writing, what outcome the tool exists to produce. Not what it does. What it changes about how the unit operates.

There is a difference between we want this and we need this for a measurable reason. If the requester cannot finish the sentence “we will know this tool succeeded when ___”, the request is not ready. Send it back. This is not gatekeeping for its own sake; without a stated outcome, you cannot calibrate any of the trade-offs that follow. You do not know how much friction is acceptable. You do not know which controls would defeat the value. You do not know what success looks like, so you cannot tell when to retire the tool.

The need question also surfaces alternatives that almost always exist and almost never get raised. Is there an existing tool that could do this with a configuration change? Is there a shared platform the BU did not know about? Is the underlying need actually a process problem dressed up as a tooling problem? You are not asking these to be obstructive. You are asking because tools accumulate, and every tool you do not adopt is one you do not have to inventory, license, secure, monitor, and eventually decommission.

This gate maps to CIS Controls 1 and 2 (you cannot govern what you have not catalogued) and CSF GV.OC (organizational context — what is this tool for in the mission of the organization).

Gate 2 — Vendor and supply chain due diligence

If the tool is internally built, this gate is light. If the tool is a third-party product, it is the heaviest gate in the process, and rightly so. You are about to extend your trust boundary outward. You should know what is on the other side of it.

The minimum artifacts to request and review:

  • A current SOC 2 Type II report, ISO 27001 certification, or equivalent. Read it; do not just file it. Pay attention to scope, exceptions, and the auditor’s qualifications.
  • A data processing addendum or BAA where regulated data is involved. Confirm the contract obligations match the technical reality the vendor describes.
  • A list of subprocessors and their function. Every subprocessor is a transitive trust extension, and you are responsible for evaluating that chain whether the contract puts that obligation on you or not.
  • A description of where data is stored, where it is processed, who in the vendor’s organization can access it, and under what circumstances. Vague answers here are a finding.
  • A software bill of materials (SBOM), or an explanation for why one is not available. SBOMs are increasingly available even from commercial vendors and are required in many federal contexts. The absence of one in 2026 is a signal about the vendor’s posture.
  • A documented incident notification process with a stated timeline. “We will notify you” is not a clause; “we will notify you within seventy-two hours of confirming an incident affecting your data” is.
  • Audit rights. Whether you ever exercise them is a separate question. Whether you have them is non-negotiable for any tool above the lowest risk tier.
  • Contract terms covering data return and secure deletion at termination. If you cannot get your data out cleanly, you cannot leave cleanly.

This gate maps to CIS Control 15 (Service Provider Management — particularly safeguards 15.1 through 15.7), NIST CSF GV.SC (supply chain risk management as a governed function), and NIST SP 800-161 (the operational depth, especially the multi-level approach to enterprise, mission, and system-level supply chain controls).

Gate 3 — Implementation versus piloted rollout

The default posture should be that no new tool gets a broad rollout without a scoped pilot first. The cost of running a pilot is almost always less than the cost of unwinding a botched rollout, and the asymmetry only gets worse as integration depth grows.

A pilot is not a vague phase. It has the following properties, all of them documented before the tool is enabled:

  • A bounded population — usually a single team, sometimes a single role within a team. Not “anyone who wants it.”
  • A bounded data scope — synthetic data, internal-only data, or a defined production subset. Confidential data does not enter a pilot tool by default.
  • A bounded time window — a real end date, not a soft target. The end date forces a go/no-go decision.
  • Instrumentation — logs flowing somewhere you can read them. If you cannot tell what the tool is doing during the pilot, you have no basis for evaluating it.
  • Defined exit criteria — what does the tool need to demonstrate to graduate to broad rollout, and what would cause you to terminate the pilot early.
  • A rollback plan that has been tested at least once. Not described. Tested.

Some tools can skip a pilot. A read-only marketing analytics workbench used by three people on already-public data is not a tool that benefits from a six-week pilot. The right calibration is not “every tool goes through every gate at full weight.” It is “every tool goes through every gate at the weight justified by its risk.” But the default has to be the heavier path, with the lighter path requiring justification — not the other way around. Otherwise the friction collapses asymmetrically the moment anyone is in a hurry, which is most of the time.

This maps to CSF ID.IM (improvement — the process of learning from what you deploy and adjusting) and the broader risk-management posture in GV.OV (oversight).

Gate 4 — Least privilege as architecture

Least privilege is not a setting you toggle after deployment. It is the architecture of how the tool gets connected to your environment, and the decisions that determine it are made before the first user logs in.

Four planes need explicit thought, every time.

Identity. The tool integrates with your identity provider via SAML or OIDC, with SCIM provisioning where supported. Local accounts inside the tool are exceptional, not standard, and every one of them is documented. Admin accounts inside the tool are separated from everyday user accounts, and the population of tool-admins is not the same as the population of IDP-admins. Service accounts used by the tool to reach back into your environment are scoped, rotated, and have no human user attached.

Network. Where does this tool talk to, on what ports, in what direction. Egress is constrained where you can constrain it. Inbound integrations from the tool into your environment go through the same review you would apply to any other inbound channel. The tool does not get a network exception because it is “trusted.” Trust is what you are about to establish, not the starting condition.

Data. Classify what is allowed to flow into this tool before it goes live, and put technical controls in place that enforce the classification. Tools without DLP-style controls on what users paste into them require behavioral controls, training, and monitoring instead. Tools that integrate directly with your data stores get scoped read access at the lowest level that delivers the stated outcome from Gate 1, not the level that would be most convenient.

Administration. Who can change the tool’s configuration, who can add users, who can enable new integrations. These are three different permissions, and they should be three different role assignments. The tool should produce audit logs of administrative actions and those logs should land somewhere your existing log review process can see.

This gate maps to CIS Controls 5 (Account Management), 6 (Access Control Management), and 3 (Data Protection); NIST CSF PR.AA (identity management, authentication, and access control); and the AC family of NIST 800-53 controls. None of these are exotic. All of them are routinely skipped, because skipping them is faster.

Gate 5 — Detection and exit

Before you say yes, you have to be able to answer four questions in the affirmative.

Can you see what is happening inside this tool, in something approximating real time, through a process you actually run — not a theoretical capability. Can you revoke access cleanly, all the way down to service accounts and API tokens, in an amount of time appropriate to the risk. Can you get your data out, in a form you can actually use, without depending on the vendor’s continued cooperation. And can you prove the tool is decommissioned when you eventually retire it — including data destruction, account removal, integration removal, and asset record updates.

If any of those answers is no, the tool is not ready for deployment, no matter how the previous gates went. A tool you cannot watch, cannot revoke, cannot leave, and cannot retire is a permanent extension of your trust boundary, and you should treat the decision to install it with the gravity that implies.

This maps to CIS Controls 8 (Audit Log Management) and 15.7 (Secure Decommissioning), and CSF DE.CM (continuous monitoring) and RC.RP (recovery planning).

Calibrating the friction

The five gates are not five identical bricks stacked on every tool. The work expands and contracts with the risk.

Risk in this context is a function of four dimensions. Blast radius — how many people are affected, how much data is reachable, how integrated does the tool become with the rest of the environment. Data sensitivity — public, internal, confidential, regulated. Recoverability — if the tool fails or the vendor fails, how hard is it to restore the function it was performing. Integration depth — does this tool become load-bearing in workflows that other tools depend on, or does it sit at the edge.

A tool that is high on all four dimensions warrants the heaviest version of every gate, including a formal risk acceptance documented at the executive level. A tool that is low on all four can pass through a one-page assessment in a single meeting. The framework does not change. The artifacts and the level of scrutiny do.

The point of calibrating is to make the friction defensible. When the BU asks why the rollout of a back-office reporting tool was approved in two weeks while their AI integration is in its third month of review, you need an answer that is not “because.” The risk dimensions give you an answer. So does the documentation that comes out of each gate.

Operationalizing without bureaucratizing

The framework is only valuable if it lives in the actual adoption process. That means the gates are wired into procurement, not parked in a wiki. The vendor questionnaire is mandatory before contract signing, not after. The pilot scoping is part of the project plan, not a security afterthought. The least privilege architecture is a deliverable from IT engineering before go-live, with a named owner.

Three artifacts make this real:

  • A short adoption assessment — one page for low-risk tools, several pages for higher-risk ones — with the same structure every time. The structure is the framework.
  • A named owner for each gate. Need is owned by the BU. Vendor and supply chain by procurement and security jointly. Pilot by the project team. Least privilege by IT engineering and identity. Detection and exit by security operations.
  • A periodic re-review cadence. Tools that pass review in 2026 do not stay reviewed forever. CIS Control 15 has explicit safeguards on periodic reassessment of service providers. Annual at minimum for mid-risk and above; more frequent if anything material has changed.

This is also where the Govern function in CSF 2.0 actually earns its keep. Govern is not paperwork. It is the layer that decides who is accountable for which gate, who reviews the assessments, and who has the authority to override the framework when an override is genuinely warranted. Without that layer, the framework drifts back into ad-hoc decisions and the cycle starts again.

The posture this enables

Done well, the vetting process is not the place where adoption goes to die. It is the place where adoption gets clarified. The BU walks in with a request and walks out with a path: here is what we need from you, here is the order we need it in, here is the timeline, here are the conditions. That is a different conversation than “no.” It is also a different conversation than “yes, with caveats nobody documented.” It is a conversation that you and the BU can both refer back to.

You do not become the function of yes by lowering your standards. You become it by being predictable. The same gates, the same artifacts, the same calibration, every time. When the BU knows what to expect, they bring you in earlier — before the contract is signed, before the integration is built, before the data is in. That is the moment when good security work is cheap. After that, it is expensive, and after enough of it accumulates, it stops being possible at all.

Closing thoughts

The benchmarks article on this site argued that you should not invent security from scratch when better documents already exist. The same argument applies to your adoption process. The CIS Controls describe what good service provider management looks like. NIST CSF 2.0 tells you how to govern it. NIST 800-161 fills in the supply chain depth. The framework is sitting there, free, peer-reviewed, and updated. You do not need to write your own.

What you need to do is wire the gates into the process the rest of the organization actually uses, calibrate the friction to match the risk, and be consistent enough that adoption gets faster, not slower, over time. The reward for doing this well is not that you stop being asked hard questions about new tools. It is that the questions get easier to answer, the answers get easier to defend, and the BUs stop routing around you.

The next person trying to onboard a new tool in your environment should not have to wonder what the process is. The framework should already be a stack of rocks at the trailhead.

Footnotes and references

Backlinks