Skip to content

What is GRC?

GRC stands for Governance, Risk, and Compliance. Three disciplines that organisations historically ran separately and now run as a single operating model:

  • Governance — who's accountable, what the policy says.
  • Risk — what could go wrong, how big, how likely.
  • Compliance — which laws and regulations apply and whether we satisfy them.

In a Fortune-500-shaped enterprise, GRC is its own function with its own software stack — a "GRC tool" — that runs policy management, risk registers, control libraries, audit management, and evidence repositories all in one place.

The GRC tool landscape (2026)

Top platforms by adoption: Riskonnect, OneTrust, MetricStream, ServiceNow IRM, LogicGate. Plus the security-GRC variants (Drata, Vanta, Secureframe) and the enterprise-incumbent IBM OpenPages and RSA Archer. ServiceNow's "AI Control Tower" launched in 2026 specifically for AI risk.

What these tools do:

  • Policy management. Draft, approve, lifecycle, distribute policies.
  • Risk register. Catalogue risks with owner, severity, likelihood, treatment plan.
  • Control library. The set of controls the firm has decided to implement, mapped to frameworks (NIST AI RMF, ISO 42001, etc.).
  • Control testing. Periodic verification that each control is operating — usually evidence-based.
  • Audit management. Plan, scope, run, report internal and external audits.
  • Evidence repository. Where the control-testing records live.

What these tools do not do:

  • Enforce a control at runtime. They don't sit in the AI agent's request path. They consume evidence that the control fired.
  • Generate the evidence. Something has to produce the records they catalogue.

That's where Regulus comes in.

Where Regulus fits

Regulus is the runtime substrate of a GRC program for AI agents:

  • Generates evidence per agent invocation — the audit event stream is the raw material.
  • Maps evidence to controls — every event carries the regulation citation (e.g. Art. 25) and the framework control id (e.g. NIST GAI-4, ISO 42001 A.7.3).
  • Pushes evidence to your GRC tool — pluggable adapters for ServiceNow IRM, OneTrust AI Governance, MetricStream, generic webhook (LogicGate, Riskonnect, RSA Archer, IBM OpenPages, internal bespoke).

What you keep getting from your GRC tool:

  • Policy authoring and approval workflows.
  • The canonical risk register.
  • Control mapping and gap analysis.
  • Audit planning.

Regulus and the GRC tool are complementary, not competing. The pitch to a buyer with an existing GRC stack: "you already have a GRC tool; the gap is that it doesn't enforce or evidence anything at runtime — that's what Regulus is for."

Three Lines of Defence

GRC operates inside a three-lines-of-defence model:

Line Who What
1L Engineering, business unit Owns risk at source; runs controls
2L Risk, compliance, model risk Independent oversight; policy enforcement
3L Internal audit Independent assurance

Each line consumes the same Regulus evidence stream differently — see Three Lines of Defence.

In one sentence

Regulus produces the structured, control-mapped, framework-aware evidence your GRC tool needs to do its job; your GRC tool produces the policy and risk view Regulus enforces against.