Skip to content

OneTrust AI Governance adapter

OneTrust's AI Governance module is purpose-built for AI risk and compliance evidence — different positioning from generic IRM tools.

Configuration

regulus:
  grc:
    onetrust-ai-gov:
      enabled: true
      base-uri: https://<tenant>.onetrust.com
      api-key: ${ONETRUST_API_KEY}

API key is a long-lived token; mint per environment and store in your secrets backend.

Endpoint

Default: POST /api/aigov/v1/evidence.

Field mapping

Default field mappings:

GrcEvidenceEnvelope field OneTrust field
eventId externalId
occurredAt collectedAt
controlFrameworkId framework
controlId controlReference
kind evidenceType
actor collectedBy
result outcome
auditEventLink sourceUri

OneTrust supports tenant-specific custom fields; supply a fieldMappings override if your tenant uses non-default field names.

What OneTrust does with it

The adapter populates the evidence intake; OneTrust's workflow attaches the evidence to the relevant control or risk record. From there:

  • Control testing is attestable directly from OneTrust's UI.
  • The Risk module surfaces AI-driven incidents with the same provenance.
  • The Data Mapping module receives the privacy-relevant slice.

Caveats

  • OneTrust + ServiceNow integration exists separately at the platform level (OneTrust can populate ServiceNow data inventories). Regulus emits to each adapter independently — there's no need to forward via OneTrust.
  • AI Governance module licensing. Customers without the AI Governance module need a custom field mapping to land evidence in the base Compliance or Risk Management module.