
Entity Templates

Reusable scaffolds for "create new X" surfaces - risks, vendors, audits, BCP/DR plans, control tests, training campaigns, POAMs, and more. Built-in templates ship with TATER. Custom org templates accumulate over time. AI agents follow a Template-First Rule that compounds compliance knowledge.

What Entity Templates Are For

Compliance work is full of repeated patterns. The risk register entries for "Phishing exposure" and "Ransomware exposure" share 80% of their structure. Annual SOC 2 audits start the same way each year. POAMs follow a fixed OMB A-130 schema. Without templates, every new entity gets authored from a blank page - introducing inconsistency, slowing down work, and losing institutional knowledge each time someone leaves.

TATER's entity templates address this with two layers:

  • Built-in templates - curated scaffolds that ship with TATER for common scenarios (Phishing risk, Third-Party Compromise risk, SOC 2 audit, Annual Awareness training, Standard Audit Finding POAM). Read-only; same set across every org.
  • Custom org templates - saved by your team (or AI agents on your behalf) when you encounter a pattern worth reusing. Org-scoped; visible only inside your organization.

Supported Entity Types

Templates are available for 18 entity types:

  • GRC core: risk, exception, audit, vendor, bcpdr-plan, control-test, training, change-request
  • Compliance: data-classification, regulatory-change, access-review, framework, standard, compliance-zone
  • Documentation: wiki, config-doc, questionnaire
  • Federal / ATO: poam

Using Templates in the UI

Five GRC create modals expose templates today: Risk, Vendor, Audit, BCP/DR Plan, and Control Test. Each "+ Add" button is paired with a 📋 From template button.

  1. Click 📋 From template. A picker modal opens listing all templates for that entity type, with built-ins flagged.
  2. Click a template card. The picker closes and the regular create modal opens with fields pre-filled from the template.
  3. Edit any field as needed. The template values are starting points, not locked-in.
  4. Save. The new entity is created normally - nothing in the persisted record indicates which template seeded it (templates are just authoring conveniences, not lineage tracking).

Want to start blank? Click + Add directly, or click Start blank in the picker.

AI Agents and the Template-First Rule

The TATER MCP server exposes 3 dedicated tools for templates, and the MCP instructions enforce a Template-First Rule for write actions:

  • list_entity_templates(entityType) - discover what scaffolds exist before creating. Required role: Viewer.
  • create_entity_from_template(templateId, overrides) - create a new entity from a template, with optional field overrides. Required role: Auditor.
  • save_entity_as_template(entityType, name, description, templateData) - promote a successful pattern into a reusable org template. Required role: Admin.

The Template-First Rule says: before calling create_risk, create_poam, create_change_request, or any other create_X tool, an agent MUST first call list_entity_templates. If a template covers ≥70% of the situation, the agent uses create_entity_from_template instead of building from scratch.

The compounding loop: when an agent successfully resolves a novel scenario without a fitting template, it calls save_entity_as_template to seed the library for the next session. Compliance knowledge accumulates instead of being re-discovered each time.
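
The rule and the compounding loop above, as an added TypeScript example (not TATER's own code or MCP server code). The three tool names and the 70% threshold come from the page; the TemplateTools interface, the synchronous stand-ins for the asynchronous MCP calls, the createFromScratch placeholder for create_risk/create_poam/etc., and the field-match coverage heuristic are assumptions made for this example.

```typescript
type Field = string | number | boolean | null;
type Entity = Record<string, Field>;
interface EntityTemplate {
  id: string; entityType: string; name: string; description: string;
  builtIn: boolean; templateData: Entity;
}
// Synchronous stand-ins for the MCP tools (real calls are asynchronous);
// createFromScratch stands in for create_risk, create_poam, create_change_request, ...
interface TemplateTools {
  list_entity_templates(entityType: string): EntityTemplate[];
  create_entity_from_template(templateId: string, overrides: Entity): Entity;
  save_entity_as_template(entityType: string, name: string, description: string, templateData: Entity): EntityTemplate;
  createFromScratch(entityType: string, data: Entity): Entity;
}
const TEMPLATE_FIRST_THRESHOLD = 0.7; // the >=70% rule from the MCP instructions

// Coverage heuristic (assumption; the page does not define how 70% is measured):
// share of the desired fields the template already supplies with the same value.
function coverage(template: EntityTemplate, desired: Entity): number {
  const keys = Object.keys(desired);
  if (keys.length === 0) return 0;
  return keys.filter((k) => template.templateData[k] === desired[k]).length / keys.length;
}
// Only fields that differ are sent as overrides; everything else comes from the template.
function overridesFor(template: EntityTemplate, desired: Entity): Entity {
  const out: Entity = {};
  for (const k of Object.keys(desired)) if (template.templateData[k] !== desired[k]) out[k] = desired[k];
  return out;
}
function createTemplateFirst(
  tools: TemplateTools, entityType: string, desired: Entity,
  promote?: { name: string; description: string; templateData: Entity },
): { entity: Entity; usedTemplate: string | null } {
  // Step 1: always discover existing scaffolds before any create_X call.
  let best: EntityTemplate | null = null, bestScore = 0;
  for (const t of tools.list_entity_templates(entityType)) {
    const s = coverage(t, desired);
    if (s > bestScore) { best = t; bestScore = s; }
  }
  // Step 2: a template covering >=70% of the situation wins over building from scratch.
  if (best && bestScore >= TEMPLATE_FIRST_THRESHOLD) {
    return { entity: tools.create_entity_from_template(best.id, overridesFor(best, desired)), usedTemplate: best.id };
  }
  // Step 3: novel scenario -> create_X, then seed the library for the next session.
  const entity = tools.createFromScratch(entityType, desired);
  if (promote) tools.save_entity_as_template(entityType, promote.name, promote.description, promote.templateData);
  return { entity, usedTemplate: null };
}
```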

API Reference

GET    /api/entity-templates?entityType=risk           # List built-ins + org templates
POST   /api/entity-templates                           # Create or update (Admin)
DELETE /api/entity-templates/:id                       # Soft-delete (Admin)

Templates are stored in the EntityTemplates Cosmos container, partitioned by tenantId. Built-ins are not persisted - they ship as a static const in entityTemplates.ts and are merged into list responses server-side. The templateData field is capped at 50 KB.
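
An added in-memory model of the server-side behaviour described above (example code, not TATER's implementation). The tenantId partitioning, the static built-ins merged into list responses, the Admin-only writes, the soft delete and the 50 KB cap come from the page; the record shape, the role names used in the check and the contents of the BUILT_IN list are assumptions.

```typescript
const MAX_TEMPLATE_DATA_BYTES = 50 * 1024;
interface TemplateRecord {
  id: string;
  tenantId: string;          // partition key
  entityType: string;
  name: string;
  description: string;
  builtIn: boolean;
  deletedAt: string | null;  // soft-delete marker
  templateData: Record<string, unknown>;
}
type Role = "Viewer" | "Auditor" | "Admin";
// Built-ins are a static const (assumed contents) and are never written to the container.
const BUILT_IN: TemplateRecord[] = [
  { id: "builtin-risk-phishing", tenantId: "*", entityType: "risk", name: "Phishing risk",
    description: "Credential-phishing exposure", builtIn: true, deletedAt: null,
    templateData: { category: "social-engineering", likelihood: 4 } },
];
class EntityTemplateStore {
  private rows: TemplateRecord[] = [];

  // GET /api/entity-templates?entityType=...  Built-ins are merged in; other tenants' rows are never visible.
  list(tenantId: string, entityType: string): TemplateRecord[] {
    const org = this.rows.filter((r) => r.tenantId === tenantId && r.entityType === entityType && r.deletedAt === null);
    return [...BUILT_IN.filter((b) => b.entityType === entityType), ...org];
  }

  // POST /api/entity-templates  Admin only; templateData capped at 50 KB.
  upsert(tenantId: string, role: Role, rec: Omit<TemplateRecord, "tenantId" | "builtIn" | "deletedAt">): TemplateRecord {
    if (role !== "Admin") throw new Error("forbidden: Admin role required");
    const bytes = new TextEncoder().encode(JSON.stringify(rec.templateData)).length;
    if (bytes > MAX_TEMPLATE_DATA_BYTES) throw new Error(`templateData is ${bytes} bytes; cap is ${MAX_TEMPLATE_DATA_BYTES}`);
    const row: TemplateRecord = { ...rec, tenantId, builtIn: false, deletedAt: null };
    const i = this.rows.findIndex((r) => r.tenantId === tenantId && r.id === rec.id);
    if (i >= 0) this.rows[i] = row; else this.rows.push(row);
    return row;
  }

  // DELETE /api/entity-templates/:id  Admin only; soft delete, scoped to the caller's partition.
  softDelete(tenantId: string, role: Role, id: string): boolean {
    if (role !== "Admin") throw new Error("forbidden: Admin role required");
    const row = this.rows.find((r) => r.tenantId === tenantId && r.id === id && r.deletedAt === null);
    if (!row) return false;  // built-ins and other tenants' rows are not in this partition
    row.deletedAt = new Date().toISOString();
    return true;
  }
}
```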

Best Practices

  • Save templates that encode decisions, not just data. A template for "VIP vendor onboarding" that includes the standard fields, the standard criticality default, and the standard data-access classification - that's worth promoting. A template that's just "Vendor X with their actual contract details" is not.
  • Description matters more than name. When and why an agent or human should pick this template. Future readers (humans and AI) decide whether to use a template based on its description, not its data.
  • Keep templateData generic. Use placeholders like "Q… Audit" rather than "Q3 2026 Audit". The user adjusts dates and specifics on save.
  • Don't bypass the picker for one-offs. If a record is genuinely unique, click + Add directly. Saving every one-off as a template clutters the library.

Related Guides

  • GRC Guide - how risks, exceptions, audits, and other GRC modules work
  • MCP Setup Guide - connect Claude Desktop or M365 Copilot to TATER
  • POA&M Guide - one of the entity types templates support