Auditors and plaintiffs’ counsel don’t think in checklists. They think in toxic combinations — patterns of individually-acceptable findings that compose into something exploitable. Embedded AI in an HR SaaS, plus no documented impact assessment, plus a Colorado-resident employee population, plus an unowned vendor relationship is one risk in four checklist boxes. It is one toxic combination on a governance artifact. The difference is not stylistic. The toxic-combination framing is what an auditor uses to prioritize, what an underwriter uses to price, and what plaintiffs’ counsel uses to allege negligence. Four green checkboxes do not survive deposition. A documented severity ranking with named owners and remediation dates does.
Checklist tools and SIG (Standard Information Gathering) vendor questionnaires (SIG Lite ~133 questions, SIG Core ~810 questions) flag findings as binary pass/fail. They tell the customer “control X exists” or “control X does not exist.” They cannot tell the customer that three individually Low findings compose into a High-severity exploitable posture — because compositional analysis is not the question the questionnaire is asking. Vanta, Drata, and Secureframe (which automate questionnaire workflows) inherit this structural limitation. The aggregate exposure that auditors prioritize, underwriters price, and plaintiffs’ counsel uses to allege negligence is the thing the questionnaire surface cannot see.
What to do. Use a severity model that flags toxic combinations explicitly. SanctumShield’s Executive Risk Report (severity taxonomy adopted from Wiz’s seven-category risk model) calls out TOXIC_COMBINATION findings in an explicit red callout — naming the composing risks, naming the specific regulatory consequence of the combination (which clause is implicated, in which framework), and naming the owner accountable for remediation with a dated 90-day action plan. The multi-LLM agentic synthesis layer (Claude + Gemini) performs the compositional analysis that no checklist-shaped tool can. Next step: see the TOXIC_COMBINATION callouts rendered in the Acme Health Executive Risk Report at /sample-outputs.
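The compositional step the text describes, as an added illustration: a rule engine that takes individually Low findings and, when a defined combination is all present, emits one TOXIC_COMBINATION item with its own severity, owner and dated remediation plan, ranked above the standalone findings. This is example code written for this page, not SanctumShield's Executive Risk Report code or the Wiz taxonomy; the finding ids, the rule, the owner name, the assessment date and the regulatory-consequence string are constructed placeholders, and the 90-day window is taken from the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, FrozenSet

# Four severity tiers are assumed here; the page does not enumerate the taxonomy.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class Finding:
    id: str
    description: str
    severity: str
    owner: Optional[str] = None  # None == unowned, itself a governance gap


@dataclass(frozen=True)
class ToxicCombinationRule:
    name: str
    requires: FrozenSet[str]   # every listed finding id must be present
    severity: str              # severity of the combination, not of any part
    consequence: str           # which clause, in which framework (placeholder)
    owner: str                 # accountable owner for the combined remediation


@dataclass
class CompositeFinding:
    rule: str
    composing: List[str]
    severity: str
    consequence: str
    owner: str
    due: date


# Constructed sample findings mirroring the page's four-box scenario, plus one
# unrelated Medium finding to show that ranking is by composite severity.
SAMPLE_FINDINGS = [
    Finding("AI-EMBEDDED", "HR SaaS has an embedded AI feature enabled", "Low"),
    Finding("NO-IMPACT-ASSESSMENT", "No documented AI impact assessment", "Low"),
    Finding("CO-EMPLOYEES", "Employee population includes Colorado residents", "Low"),
    Finding("VENDOR-UNOWNED", "HR SaaS vendor relationship has no named owner", "Low"),
    Finding("MFA-GAP", "One admin account lacks MFA", "Medium", owner="IT Security"),
]

# Constructed rule; the consequence text is a placeholder to be filled from
# counsel's framework mapping, not a real clause citation.
SAMPLE_RULES = [
    ToxicCombinationRule(
        name="Unassessed embedded AI processing Colorado employee data",
        requires=frozenset(
            {"AI-EMBEDDED", "NO-IMPACT-ASSESSMENT", "CO-EMPLOYEES", "VENDOR-UNOWNED"}
        ),
        severity="High",
        consequence="[framework/clause placeholder]",
        owner="VP People Operations (placeholder)",
    ),
]


def checklist_view(findings):
    """What a pass/fail questionnaire surfaces: one box per finding, no composition."""
    return {f.id: "FAIL" for f in findings}


def max_individual_severity(findings):
    """Highest severity any single finding carries on its own."""
    return max(findings, key=lambda f: SEVERITY_RANK[f.severity]).severity


def compose(findings, rules, assessed_on, remediation_days=90):
    """Emit one CompositeFinding per rule whose required findings are all present."""
    present = {f.id for f in findings}
    out = []
    for r in rules:
        if r.requires.issubset(present):
            out.append(CompositeFinding(
                rule=r.name,
                composing=sorted(r.requires),
                severity=r.severity,
                consequence=r.consequence,
                owner=r.owner,
                due=assessed_on + timedelta(days=remediation_days),
            ))
    return out


def ranked_report(findings, rules, assessed_on):
    """Severity-ranked list: composites first where they outrank their parts."""
    composites = compose(findings, rules, assessed_on)
    absorbed = {fid for c in composites for fid in c.composing}
    rows = [("TOXIC_COMBINATION", c.severity, c.rule, c.owner, c.due) for c in composites]
    rows += [("FINDING", f.severity, f.description, f.owner, None)
             for f in findings if f.id not in absorbed]
    rows.sort(key=lambda row: SEVERITY_RANK[row[1]], reverse=True)
    return rows


if __name__ == "__main__":
    for row in ranked_report(SAMPLE_FINDINGS, SAMPLE_RULES, date(2024, 1, 1)):
        print(row)
```

The checklist view reports five FAIL boxes with nothing above Medium; the composed view reports one High TOXIC_COMBINATION with a named owner and a due date, which is the artifact the page says survives deposition. Rules are the part that needs domain judgment: each one encodes a combination counsel or an auditor has already identified, so the engine is only as good as that rule set.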
