Term describing frameworks for managing governance policies, enterprise risk management, and regulatory compliance. Traditional GRC relies on organizational controls (such as written policies, training, procedures, and attestations) that work because humans read, understand, and follow them. In contrast, written policies do not constrain an AI model; the policy must be translated into technical controls such as guardrails, system prompts, tool permissions, and monitoring that govern actual system behavior. Effective AI governance requires mapping organizational controls (which govern humans who build and oversee AI) to technical controls (which govern what AI systems can do). Organizations with mature GRC functions can accelerate AI governance, but AI governance requires enforcement mechanisms beyond those designed for human compliance.
See: AI governance; CORE; Controls; Guardrails; Risk assessment
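The mapping described above, shown as working code. This is an added example and is not part of the glossary or any product it refers to: a written policy (an organizational control, which a model does not obey by itself) is translated into a tool-permission check that runs before every tool call and writes each decision to an audit log for monitoring (technical controls). The policy text, the tool names `read_file` and `run_shell`, and the `/srv/docs` path allowlist are all constructed for the example.

```python
import fnmatch
import os
from dataclasses import dataclass, field

# Organizational control: the written policy. Humans read and follow it;
# an AI model does not, even if the same sentence is pasted into its prompt.
# (Policy text constructed for this example.)
WRITTEN_POLICY = (
    "Assistants may read files only under /srv/docs and must never run shell commands."
)


@dataclass
class ToolPolicy:
    """Technical control: the same policy as a permission check placed in
    front of the tool dispatcher (constructed for this example)."""
    allowed_tools: frozenset          # tool permissions
    path_allowlist: tuple             # glob patterns a 'path' argument must match
    audit_log: list = field(default_factory=list)   # feeds monitoring / alerting

    def authorize(self, tool: str, args: dict) -> tuple[bool, str]:
        """Decide whether a model-issued tool call may run, and record the decision."""
        allowed, reason = self._decide(tool, args)
        # Every decision is logged so monitoring can alert on denials or unusual volume.
        self.audit_log.append(
            {"tool": tool, "args": args, "allowed": allowed, "reason": reason}
        )
        return allowed, reason

    def _decide(self, tool: str, args: dict) -> tuple[bool, str]:
        # "must never run shell commands" -> the tool is simply not in the permission set.
        if tool not in self.allowed_tools:
            return False, f"tool '{tool}' is not permitted"
        # "may read files only under /srv/docs" -> normalise, then match the allowlist.
        path = args.get("path")
        if path is not None:
            normalised = os.path.normpath(path)   # collapses '..' so it cannot escape
            in_allowlist = normalised.startswith("/") and any(
                fnmatch.fnmatch(normalised, pattern) for pattern in self.path_allowlist
            )
            if not in_allowlist:
                return False, f"path '{normalised}' is outside the allowlist"
        return True, "ok"


def dispatch(policy: ToolPolicy, request: dict) -> str:
    """Gate one tool call requested by the model. Nothing the model writes in
    its output can bypass this check; only the policy object can."""
    allowed, reason = policy.authorize(request["tool"], request.get("args", {}))
    if not allowed:
        return f"DENIED: {reason}"
    # Real tool execution would happen here; the example only reports the decision.
    return f"ALLOWED: {request['tool']}"


def demo() -> list:
    """Run three constructed model requests through the gate and return the outcomes."""
    policy = ToolPolicy(
        allowed_tools=frozenset({"read_file"}),
        path_allowlist=("/srv/docs/*",),
    )
    requests = [
        {"tool": "read_file", "args": {"path": "/srv/docs/guide.md"}},          # in policy
        {"tool": "read_file", "args": {"path": "/srv/docs/../../etc/passwd"}},  # traversal attempt
        {"tool": "run_shell", "args": {"cmd": "ls"}},                            # forbidden tool
    ]
    results = [dispatch(policy, r) for r in requests]
    # Two of three calls are denied and all three appear in the audit log.
    assert sum(1 for entry in policy.audit_log if not entry["allowed"]) == 2
    return results


if __name__ == "__main__":
    print(WRITTEN_POLICY)
    for line in demo():
        print(line)
```

The design point is where enforcement lives: the model may still emit a request that violates `WRITTEN_POLICY`, but the request only becomes an action after `ToolPolicy.authorize` approves it, and every attempt (allowed or not) lands in `audit_log` for the monitoring side of the control mapping.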