the department that asks uncomfortable questions nobody else wants to ask and then gets blamed when the answers are bad.
Governance, Risk & Compliance. Operationalised through Shield S1 in the AI Control Index: AI System Inventory, Evidence Factory, Policy Enforcement Engine, Lifecycle Governance Workflow, and the Versioned Legal & Standards Register. GRC is not where governance happens — governance happens in operational layers. GRC is where governance becomes demonstrable, enforceable, and auditable.
Why It Matters
GRC is the most misunderstood function in AI governance. It is frequently dismissed as bureaucratic overhead — the department that creates forms, demands documentation, and slows things down. This misunderstanding is precisely why AI governance fails in most organisations. GRC does not create governance. It creates the infrastructure that makes governance work.
Without GRC, every other governance function operates in isolation. Ethics teams conduct reviews but have no mechanism to enforce their findings. Engineering teams run tests but results are not retained or tracked. Risk teams assess risks but have no system to ensure mitigations are implemented. Legal teams track regulations but have no process to translate regulatory requirements into operational controls. GRC provides the connective tissue: the inventory that knows what systems exist, the evidence factory that retains proof, the policy engine that enforces rules, the lifecycle workflow that embeds governance into operations, and the legal register that tracks what regulations apply.
The EU AI Act does not use the term “GRC,” but its requirements map directly to GRC functions. Article 17 requires a quality management system. Article 9 requires a risk management system. Article 11 requires technical documentation. Article 72 requires post-market monitoring. These are not engineering requirements. They are governance infrastructure requirements. They are GRC.
The Stress Test
A supervisory authority contacts your organisation. They have received a complaint about an AI system you operate. They request: (1) a complete list of all AI systems you deploy, (2) the risk classification of the system in question, (3) the technical documentation, (4) evidence of testing and validation, (5) the post-market monitoring records, and (6) the incident response procedure.
Without GRC infrastructure, each request triggers a different search in a different system owned by a different team. The AI system inventory does not exist in a centralised form. The risk classification was done informally. The technical documentation is partial and distributed. Testing evidence is in engineering repositories that compliance cannot access. Post-market monitoring data is in observability dashboards with no governance overlay. The incident response procedure has never been tested.
With GRC infrastructure (Shield S1), the AI System Inventory returns the system record. The Evidence Factory retrieves the associated documentation, testing evidence, and monitoring records. The Versioned Legal & Standards Register confirms which regulations apply. The response is assembled in hours, not weeks. The difference is not competence. The difference is infrastructure.
In the Wild
The financial services industry operationalised GRC through the Three Lines of Defence model over the past fifteen years: first line (business operations), second line (risk management and compliance), third line (internal audit). Banks with mature three-lines models consistently perform better in regulatory examinations — not because they have fewer risks, but because they can demonstrate how risks are identified, managed, and overseen. The infrastructure makes governance visible.
AI governance is now being grafted onto this same model, with GRC (S1) functioning as the second-line infrastructure for AI-specific risks.
Financial services did not invent GRC for philosophical reasons. They built it because regulators demanded proof and the fines for not having proof were existential.
Clinical governance — the systematic approach to maintaining and improving the quality of patient care — became mandatory in the UK NHS after a series of high-profile failures in the 1990s, including the Bristol heart scandal and the Harold Shipman case. The pattern was identical: individual practitioners operated without systematic oversight infrastructure. Once clinical governance frameworks were mandated, incidents did not disappear, but they became detectable, investigable, and preventable.
AI governance is at the same inflection point. The incidents are occurring. The question is whether the governance infrastructure to detect, investigate, and prevent them exists.
Healthcare learned that governance infrastructure is not overhead. It is the mechanism by which a system detects its own failures. AI governance is learning the same lesson.
Article 17 of the EU AI Act requires providers of high-risk AI systems to implement a quality management system that includes, at minimum: a strategy for regulatory compliance, design and development control techniques, quality control and assurance systems, examination and testing procedures, data management practices, a risk management system, post-market monitoring, and incident reporting procedures. This is a comprehensive GRC mandate expressed in regulatory language.
Organisations that have GRC infrastructure can map these requirements to existing capabilities. Organisations that do not have GRC infrastructure must build it from scratch — under regulatory deadline pressure, with enforcement consequences for non-compliance.
Article 17 does not say “you need GRC.” It describes every component of GRC and says you need all of them. The terminology differs. The requirement is identical.
How to Govern It
GRC is not a team or a department. It is the infrastructure layer that makes all other governance activities demonstrable and enforceable.
Shield S1 (GRC) in the AI Control Index comprises five core components:
- AI System Inventory — A centralised register of all AI systems under governance. Includes system identity, risk classification, lifecycle stage, ownership, and links to associated evidence and mandatory artifacts. You cannot govern what you have not inventoried.
- Evidence Factory — The centralised repository that collects, indexes, and retains all evidence artifacts. Transforms scattered documentation into an audit-ready evidence chain.
- Policy Enforcement Engine — Automated application of governance policies to AI systems based on their risk classification, lifecycle stage, and applicable regulations. Policies are versioned, enforced, and auditable.
- Lifecycle Governance Workflow — Stage-gate governance embedded in the AI system lifecycle. Ensures that governance obligations are satisfied at each transition point, from development through decommissioning.
- Versioned Legal & Standards Register — Tracks applicable regulations (EU AI Act, GDPR, sector-specific rules), standards (ISO/IEC 42001, NIST AI RMF), and internal policies with version control. When a regulation changes, the register identifies which systems and controls are affected.
When It's Relevant
Every organisation deploying AI systems, from the first system onward. GRC infrastructure scales with the AI portfolio; the first system requires a basic inventory and evidence process; twenty systems require the full Shield S1 stack. The mistake most organisations make is waiting until the portfolio is large before building GRC infrastructure. By that point, the evidence gap is too wide to close retroactively.
GRC is particularly critical when:
- The organisation operates high-risk AI systems subject to the EU AI Act
- Multiple teams and business units are deploying AI systems independently
- External audit, regulatory examination, or conformity assessment is anticipated
- The organisation cannot answer the question “how many AI systems do we have in production?” with confidence
- Governance evidence is scattered across tools, teams, and repositories with no single source of truth
Related Terms
References
- [1] European Parliament and Council (2024) Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (AI Act). Official Journal of the European Union, L series. Articles 9, 11, 17, 72.
- [2] ISO/IEC (2023) ISO/IEC 42001:2023 — Artificial intelligence — Management system. International Organization for Standardization.
- [3] OCEG (2023) GRC Capability Model (Red Book) 4.0. Open Compliance and Ethics Group. Principled Performance framework.
- [4] Institute of Internal Auditors (2020) The IIA’s Three Lines Model. The Institute of Internal Auditors, Lake Mary, FL.
- [5] NIST (2023) Artificial Intelligence Risk Management Framework (AI RMF 1.0). National Institute of Standards and Technology, U.S. Department of Commerce. GOVERN function.
- [6] Scally, G. and Donaldson, L.J. (1998) ‘Clinical governance and the drive for quality improvement in the new NHS in England’, BMJ, 317(7150), pp. 61–65.
- [7] Raji, I.D., Smart, A., White, R.N., Mitchell, M., Gebru, T., Hutchinson, B., Smith-Loud, J., Theron, D. and Barnes, P. (2020) ‘Closing the AI Accountability Gap: Defining an End-to-End Framework for Internal Algorithmic Auditing’, Proceedings of the 2020 Conference on Fairness, Accountability, and Transparency (FAT*), pp. 33–44.
AI Control Index v6.0 · Glossary · June 2026 · i-DEPOT 158508 (BOIP) · CC BY-NC-ND 4.0
By Jeroen Janssen, Apparens