Skip to content

Governance

Pages for the audience that owns the AI governance program: CISO, Chief AI Officer, Chief Risk Officer, Head of Model Risk, 2nd Line of Defence, and Internal Audit. The developer-first sections elsewhere stay the runtime truth; this section is the program layer.

New to Regulus? Start at Why Regulus for the framing, then come back here.

If you've not read Concepts → What is AI governance? and Concepts → What is GRC? yet, do so first. Pages here lean on that vocabulary.

What lives in this section

  • Frameworks — how Regulus maps to NIST AI RMF (1.0 + GenAI Profile + Agent Interop Profile), ISO/IEC 42001, ISO/IEC 23894, ISO/IEC 23053.
  • Three Lines of Defence — how Regulus serves 1L (engineering), 2L (risk + compliance), 3L (internal audit).
  • GRC integration — pluggable adapters that fan Regulus evidence into ServiceNow IRM, OneTrust AI Governance, MetricStream, or a generic webhook receiver.
  • Evidence schema — the canonical GrcEvidenceEnvelope that all adapters emit.
  • Program operating model — RACI for an AI governance program with Regulus underneath.

What Regulus is in one diagram

                            ┌────────────────────────────────┐
                            │     Your AI governance         │
                            │     program (off-Regulus)      │
                            │   policy / risk / audit / etc. │
                            └────────────────────────────────┘
                                          │ evidence flow
                                          │ (GrcEvidenceEnvelope)
       ┌──────────────────┐       ┌───────┴────────┐       ┌──────────────────┐
       │  ServiceNow IRM  │◄──────┤ Regulus GRC    │──────►│  OneTrust /      │
       │                  │       │ adapters       │       │  MetricStream /  │
       └──────────────────┘       └───────┬────────┘       │  Webhook         │
                                          │                └──────────────────┘
                       ┌──────────────────────────────────────┐
                       │   Regulus plugins on ADK App         │
                       │   policy / privacy / audit / kill    │
                       │   switch / model risk / residency    │
                       └──────────────────────────────────────┘
                       ┌──────────────────────────────────────┐
                       │      Google ADK 1.x application      │
                       └──────────────────────────────────────┘

Two layers downstream of your program: Regulus enforces controls at runtime; Regulus' adapters fan evidence back upstream into the GRC tool your program already uses.

Read order

  1. Concepts → What is AI governance?
  2. Concepts → What is GRC?
  3. Frameworks → NIST AI RMF
  4. Three Lines of Defence overview
  5. GRC integration overview
  6. Program operating model