GRC integration¶
How Regulus' evidence stream lands in your GRC tool.
The model¶
RegulusGovernanceEvidencePlugin runs downstream of RegulusAuditPlugin.
For every audit event whose mechanism is bound to a control by the
active GovernanceFramework, the plugin builds a
GrcEvidenceEnvelope and dispatches it to every configured
GrcEvidenceAdapter.
audit event
│
▼
RegulusAuditPlugin → audit topic (always)
│
▼
RegulusGovernanceEvidencePlugin
│
├──► ServiceNowIrmAdapter → sn_grc_control_evidence
├──► OneTrustAiGovernanceAdapter → /api/aigov/v1/evidence
├──► MetricStreamAdapter → /api/v1/intake/<app>/evidence
├──► WebhookAdapter (HMAC) → arbitrary endpoint
└──► KafkaAdapter → topic for any subscriber
Adapters are opt-in: no adapter is wired by default. Each is enabled and configured per-tenant in YAML.
Pages¶
Why pluggable¶
Two reasons:
- Vendor diversity. ServiceNow / OneTrust / MetricStream / LogicGate / Riskonnect / RSA Archer / IBM OpenPages all have valid customer bases. A single canonical format would lose half of them.
- Tenant schema variance. Even within one vendor, customers have
custom fields, custom apps, custom workflows. Every adapter exposes a
fieldMappingsoverride so a deploying team can bind to their tenant without forking Regulus.
See ADR-011 for the rationale.
Fail-loud at startup¶
AdapterHealthCheck runs before the ADK App activates. If any
configured adapter can't reach its target — bad URL, bad credentials,
firewall rule — the application refuses to start. Same shape as
residency by construction.
What an adapter does not do¶
- Define the controls. The GRC tool's control library does that. Adapters reference controls by id.
- Determine whether a control "passed." Regulus emits the audit
fact (
result=pass,result=fail, etc.). The GRC tool's testing workflow decides what to do with it. - Push policies into the agent. Policy flow is the other direction. Regulus enforces policy in code; the GRC tool stores the canonical text.
Authentication¶
| Adapter | Auth |
|---|---|
| ServiceNow IRM | Basic auth or OAuth2 bearer token |
| OneTrust AI Governance | API key (X-OneTrust-API-Key) |
| MetricStream | Bearer token |
| Webhook | HMAC-SHA256 signature in X-Regulus-Signature header |
Credentials are supplied via Spring properties (regulus.grc.<vendor>.*)
and should come from a secrets store (Vault, GSM, Secret Manager) — not
the YAML file itself. Resist the temptation.