Change a risk scenario control's controlType
Change the controlType on an existing risk-scenario / control
association.
Body: { controlType }. The server atomically moves the resolved control
between the treatment-plan and existing-control sets in a single update —
there is no intermediate unlinked state. PATCH { "controlType": "EXISTING" }
removes the control from the treatment plan but keeps it linked as an
existing control; use DELETE to unlink it entirely.
Returns 404 if the control is not currently associated with the scenario.
Setting the controlType it already has is a 200 no-op.
Authorizations
Bearer authentication header of the form Bearer <token>, where <token> is your auth token.
Body
The new relationship state. TREATMENT_PLAN moves the control into the
risk's treatment plan; EXISTING removes it from the treatment plan while
keeping it linked as an existing control (use DELETE to unlink entirely).
EXISTING, TREATMENT_PLAN Response
Ok
A control's association with a risk scenario.
The relationship identity is (riskScenarioId, controlId); controlType
is mutable state on that relationship. A given control can have at most one
association per risk scenario.
The control's shorthand identifier (e.g. "A.12.2.1") when it has one,
falling back to the canonical Vanta control id (Mongo object id) otherwise.
TREATMENT_PLAN for controls that are part of the risk's treatment plan
(planned mitigations); EXISTING for controls linked to the risk without a
treatment-plan designation.
EXISTING, TREATMENT_PLAN