Roles installed with AI Risk and Compliance

  • Release version: Yokohama
  • Updated July 31, 2025

    Summary of Roles installed with AI Risk and Compliance

    The AI Risk and Compliance solution in ServiceNow Yokohama release provides a set of predefined roles essential for managing AI systems and associated risk and compliance activities across the enterprise. These roles enable users to perform operational tasks such as risk assessments, impact assessments, control attestations, AI case management, and lifecycle management of AI systems. They ensure proper segregation of duties and access control aligned with organizational governance.


    Key Roles and Their Capabilities

    • AI Risk and Compliance Admin: Manages setup and configuration of risk and impact assessment frameworks, defines automation rules, profiles AI case types, and controls entity-based access settings (requires GRC Entity Based Access app). This role includes extensive administrative permissions.
    • AI Risk and Compliance Manager: Has broad access to all AI systems and can initiate impact and risk assessments, manage AI system lifecycle, and control attestations. Also manages bulk access configurations (requires GRC Entity Based Access app).
    • AI Risk and Compliance Analyst: Works on assigned AI systems to perform impact assessments, lifecycle management, risk assessments, and control attestations with read and write access limited to assigned records.
    • AI Risk and Compliance User: Creates AI cases via Employee Center, works on assigned tasks, and performs control attestations with limited permissions.
    • AI Risk and Compliance Reader: Provides read-only access to AI systems and AI impact assessments for monitoring and review purposes.
    • AI System Reader: Grants read-only access to AI systems within AI Control Tower and AI Risk and Compliance workspaces, suited for users requiring visibility without modification rights.
    • AI Case Business User: Allows creation of AI cases and inquiries through Employee Center, supporting business-level case initiation.
    • AI Case Analyst: Reviews assigned AI cases and inquiries, identifies impacted areas such as policies and compliance risks, and manages related issues to address root causes.
    • AI Case Manager: Oversees all AI cases and inquiries, including associated information, enabling broader case management capabilities.
    • AI Case Admin: Manages AI case type profiles, sets assignment rules, and can delete AI cases, providing administrative control over case management configurations.

    Practical Implications for ServiceNow Customers

    Assigning these roles appropriately ensures effective governance and operational management of AI systems within your enterprise. The roles align with common organizational functions from administration to business users, enabling structured workflows and compliance adherence. Integration with the GRC Entity Based Access application enhances security controls for sensitive AI-related data.

    Understanding the scope and permissions of each role helps you configure user access to AI risk and compliance processes properly, ensuring that users can perform their tasks without over-privileging. This setup supports risk mitigation, regulatory compliance, and efficient AI system lifecycle management within the ServiceNow platform.

    AI Risk and Compliance installs the roles required for the day-to-day operational tasks of managing AI systems across the enterprise.

    Table 1. Roles and their descriptions
    Role title [name] | Description | Contains roles

    AI Risk and Compliance Admin

    [sn_grc_ai_gov.ai_risk_and_compliance_admin]

    The AI Risk and Compliance Admin can perform the following tasks:
    • Set up risk and impact assessment frameworks. Configure risk assessment methodologies, risk contribution factors, and impact assessment templates.
    • Define automation rules for impact assessments to determine applicable risks and controls based on the assessment responses.
    • Set up and profile AI case types.
    • Delete AI systems.
    • Enable or disable Entity-Based Access for record types associated with entity properties, and configure the Entity-Based Access settings as needed.
      Note:
      GRC: Entity Based Access application must be installed to use this feature.
    Contains roles:
    • sn_risk.admin
    • sn_smart_asmt.template_manager
    • sn_grc_ai_gov.ai_risk_and_compliance_manager
    • sn_smart_asmt.assessment_admin
    • sn_grc_workspace.state_model_admin
    • sn_smart_asmt.template_contributor
    • sn_compliance.admin
    • sn_compliance.control_framework_admin*
    • sn_compliance.library_admin*
    • sn_compliance.policy_admin*
    • sn_grc_ent_access.admin
      Note:
      GRC: Entity Based Access application must be installed.

    AI Risk and Compliance Manager

    [sn_grc_ai_gov.ai_risk_and_compliance_manager]

    The AI Risk and Compliance Manager can access all AI systems on the system and perform the following tasks:
    • Initiate impact assessments.
    • Manage the lifecycle of an AI system.
    • Initiate risk assessments.
    • Initiate control attestations.
    • Write and update access to the bulk access update configuration.
      Note:
      GRC: Entity Based Access application must be installed to use this feature.
    Contains roles:
    • sn_grc_ai_gov.ai_risk_and_compliance_analyst
    • sn_smart_asmt.template_contributor
    • sn_smart_asmt.template_manager
    • sn_risk.manager
    • sn_compliance.control_framework_manager*
    • sn_compliance.library_manager*
    • sn_compliance.policy_manager*
    • sn_grc_ent_access.bulk_access_config_admin
      Note:
      GRC: Entity Based Access application must be installed.

    AI Risk and Compliance Analyst

    [sn_grc_ai_gov.ai_risk_and_compliance_analyst]

    The AI Risk and Compliance Analyst can access all AI systems assigned to them in the system and perform the following tasks only on the assigned records:
    • Initiate impact assessments.
    • Manage the lifecycle of an AI system.
    • Initiate risk assessments.
    • Initiate control attestations.
    Contains roles:
    • sn_ai_case_mgmt.ai_case_analyst
    • sn_smart_asmt.assessment_reader
    • sn_grc_ai_gov.ai_risk_and_compliance_business_user
    • sn_smart_asmt.template_reader
    • sn_risk_advanced.ara_approver
    • sn_grc_ai_gov.ai_risk_and_compliance_reader
    • sn_grc_workspace.user
    • sn_risk.user
    • sn_risk_advanced.ara_assessor
    • sn_compliance.library_user*
    • sn_compliance.control_framework_user*
    • sn_compliance.policy_user*

    AI Risk and Compliance User

    [sn_grc_ai_gov.ai_risk_and_compliance_business_user]

    The AI Risk and Compliance User can perform the following tasks:
    • Create AI cases on the Employee Center.
    • Work on the assigned tasks.
    • Perform control attestations.
    Contains roles:
    • sn_grc_workspace.assessment_template_configuration_reader
    • sn_smart_asmt.actor
    • sn_grc.business_user
    • sn_grc_workspace.user
    • sn_smart_asmt.assessment_reader
    • sn_compliance.control_framework_business_user*
    • sn_compliance.library_business_user*
    • sn_compliance.policy_business_user*

    AI Risk and Compliance Reader

    [sn_grc_ai_gov.ai_risk_and_compliance_reader]

    The AI Risk and Compliance Reader has read access to the AI systems and AI impact assessments.
    Contains roles:
    • sn_risk.reader
    • sn_grc_workspace.user
    • sn_compliance.library_reader*
    • sn_compliance.control_framework_reader*
    • sn_compliance.policy_reader*

    AI System Reader

    [sn_grc_ai_gov.ai_risk_and_compliance_ai_system_reader]

    The AI System Reader has read access to the AI systems on the AI Control Tower workspace and the AI Risk and Compliance workspace.
    Contains roles: NA

    AI Case Business User

    [sn_ai_case_mgmt.ai_case_business_user]

    The AI Case Business User can create AI cases and AI inquiries on the Employee Center.
    Contains roles:
    • sn_grc_case_mgmt.grc_case_business_user

    AI Case Analyst

    [sn_ai_case_mgmt.ai_case_analyst]

    The AI Case Analyst can review the AI cases and AI inquiries assigned to them in the system and perform the following tasks only on the assigned records:
    • Identify and manage impacted and related areas such as policies, regulations, and enterprise-wide compliance risks.
    • Identify and manage issues related to impacted areas to eliminate the root causes.
    Contains roles:
    • sn_grc_case_mgmt.grc_case_analyst
    • sn_ai_case_mgmt.ai_case_business_user

    AI Case Manager

    [sn_ai_case_mgmt.ai_case_manager]

    The AI Case Manager can review all the AI cases, AI inquiries, and their associated information.
    Contains roles:
    • sn_ai_case_mgmt.ai_case_analyst
    • sn_grc_case_mgmt.grc_case_manager

    AI Case Admin

    [sn_ai_case_mgmt.ai_case_admin]

    The AI Case Admin can manage type profiles to segregate AI cases. They can set up assignment rules and delete AI cases.
    Contains roles:
    • sn_grc_case_mgmt.grc_case_admin
    • sn_ai_case_mgmt.ai_case_manager
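
Because roles in Table 1 contain other roles, assigning one role grants everything reachable through containment. The following added example (not ServiceNow code) expands that containment transitively for an access review. The map is transcribed from Table 1 with asterisks dropped, roles from other applications are treated as leaves because this page does not list what they contain, and the helper names `effectiveRoles` and `inheritedOnly` are hypothetical.

```javascript
// Direct "Contains roles" entries transcribed from Table 1 (asterisks dropped).
// Roles outside these two scopes are leaves: the page does not list their contents.
const G = 'sn_grc_ai_gov.ai_risk_and_compliance_';
const C = 'sn_ai_case_mgmt.ai_case_';
const CONTAINS = {
  [G + 'admin']: ['sn_risk.admin', 'sn_smart_asmt.template_manager', G + 'manager',
    'sn_smart_asmt.assessment_admin', 'sn_grc_workspace.state_model_admin',
    'sn_smart_asmt.template_contributor', 'sn_compliance.admin',
    'sn_compliance.control_framework_admin', 'sn_compliance.library_admin',
    'sn_compliance.policy_admin', 'sn_grc_ent_access.admin'],
  [G + 'manager']: [G + 'analyst', 'sn_smart_asmt.template_contributor',
    'sn_smart_asmt.template_manager', 'sn_risk.manager',
    'sn_compliance.control_framework_manager', 'sn_compliance.library_manager',
    'sn_compliance.policy_manager', 'sn_grc_ent_access.bulk_access_config_admin'],
  [G + 'analyst']: [C + 'analyst', 'sn_smart_asmt.assessment_reader', G + 'business_user',
    'sn_smart_asmt.template_reader', 'sn_risk_advanced.ara_approver', G + 'reader',
    'sn_grc_workspace.user', 'sn_risk.user', 'sn_risk_advanced.ara_assessor',
    'sn_compliance.library_user', 'sn_compliance.control_framework_user',
    'sn_compliance.policy_user'],
  [G + 'business_user']: ['sn_grc_workspace.assessment_template_configuration_reader',
    'sn_smart_asmt.actor', 'sn_grc.business_user', 'sn_grc_workspace.user',
    'sn_smart_asmt.assessment_reader', 'sn_compliance.control_framework_business_user',
    'sn_compliance.library_business_user', 'sn_compliance.policy_business_user'],
  [G + 'reader']: ['sn_risk.reader', 'sn_grc_workspace.user', 'sn_compliance.library_reader',
    'sn_compliance.control_framework_reader', 'sn_compliance.policy_reader'],
  [G + 'ai_system_reader']: [],
  [C + 'business_user']: ['sn_grc_case_mgmt.grc_case_business_user'],
  [C + 'analyst']: ['sn_grc_case_mgmt.grc_case_analyst', C + 'business_user'],
  [C + 'manager']: [C + 'analyst', 'sn_grc_case_mgmt.grc_case_manager'],
  [C + 'admin']: ['sn_grc_case_mgmt.grc_case_admin', C + 'manager'],
};

// Every role granted by assigning `role`, following containment transitively.
function effectiveRoles(role) {
  const seen = new Set();
  const stack = [role];
  while (stack.length) {
    for (const child of CONTAINS[stack.pop()] || []) {
      if (!seen.has(child)) { seen.add(child); stack.push(child); }
    }
  }
  return [...seen].sort();
}

// Roles reached only through a contained role, i.e. not visible in the role's own table row.
function inheritedOnly(role) {
  const direct = new Set(CONTAINS[role] || []);
  return effectiveRoles(role).filter((r) => !direct.has(r));
}
```

As far as the table shows, the AI Risk and Compliance Admin role reaches `sn_ai_case_mgmt.ai_case_analyst` through the Manager and Analyst roles but never `sn_ai_case_mgmt.ai_case_admin`, so the ability to delete AI cases remains a separate grant.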