GRC & AI Governance Glossary

Plain-language answers to the terms that come up most when teams start evaluating GRC and AI governance software.

What is GRC (governance, risk, and compliance)?

GRC is the set of practices an organization uses to align its activities with business goals (governance), identify and manage uncertainty (risk), and meet legal, regulatory, and contractual obligations (compliance). Most organizations start doing all three in spreadsheets and email, then move to dedicated software once the number of frameworks, controls, and stakeholders makes that unmanageable.

A GRC platform centralizes this work: a risk register, a control library, evidence collection, and framework mapping in one place instead of scattered documents.

See how AssuranceGrid structures GRC →

What is a risk register?

A risk register is a structured record of the risks an organization has identified, along with each risk's likelihood, potential impact, owner, and mitigation status. It's the foundation most risk management programs are built on, since reporting, heat maps, and remediation tracking all depend on risks being documented in one consistent place.

AssuranceGrid's risk register tracks inherent vs. residual risk on a 5x5 heat map, so you can see which risks controls have actually brought down and which still need attention.

See the risk register →

What is a control library?

A control library is a catalog of the safeguards, policies, and processes an organization has in place to manage its risks and satisfy compliance requirements. Well-run control libraries map a single control to every framework it satisfies, so one access-review control can count toward SOC 2, ISO 27001, and HIPAA at once instead of being tracked three separate times.

This is where most of the manual duplication in compliance work comes from, and it's the first thing a control library should eliminate.

How AssuranceGrid maps controls across frameworks →

What is AI governance?

AI governance is the set of policies, oversight, and controls an organization uses to manage the risks introduced by AI systems, such as models making consequential decisions, agents taking autonomous actions, or vendor AI tools operating without visibility. It typically includes an inventory of AI systems in use, risk classification, human oversight requirements, and enforcement policies for how AI is allowed to behave.

AI governance is increasingly treated as an extension of GRC rather than a separate discipline, particularly as regulations like the EU AI Act apply directly to it.

Take the free EU AI Act readiness assessment →

What is the EU AI Act?

The EU AI Act is the European Union's regulation governing the development and use of AI systems, based on a tiered risk classification: prohibited, high-risk, limited, and minimal. It applies to organizations that place AI systems on the EU market or whose AI outputs are used in the EU, regardless of where the organization is headquartered, with enforcement phasing in through August 2, 2026 and beyond.

Most organizations start by inventorying their AI systems and classifying each one against these risk tiers, since every other obligation depends on that.

Check your EU AI Act readiness →

What is continuous compliance?

Continuous compliance is the practice of maintaining evidence of compliance on an ongoing basis, rather than reconstructing it in the weeks before an audit. It relies on automated evidence collection from the systems where the work actually happens, such as identity providers, cloud infrastructure, and code repositories, instead of manual screenshots and spreadsheet updates.

AssuranceGrid connects directly to tools like GitHub, Okta, BambooHR, and AWS to collect this evidence automatically as controls run.

See how evidence connectors work →