AI Risk and Compliance roles

  • Release version: Yokohama
  • Updated July 31, 2025
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of AI Risk and Compliance roles

    The AI Risk and Compliance application in ServiceNow Yokohama release provides a set of specialized roles designed to manage AI systems risk and compliance effectively across an enterprise. These roles facilitate operational tasks such as risk and impact assessments, AI system lifecycle management, control attestations, and AI case management within the platform.


    Key Roles and Their Functions

    • AI Risk and Compliance Admin: Responsible for setting up assessment frameworks, configuring methodologies, defining automation rules, profiling AI case types, and deleting AI systems. This role holds extensive administrative capabilities and includes multiple integrated risk and compliance permissions.
    • AI Risk and Compliance Manager: Has access to all AI systems and can initiate impact and risk assessments, manage AI system lifecycles, and start control attestations.
    • AI Risk and Compliance Analyst: Can perform tasks similar to the Manager but only on AI systems assigned to them, including initiating assessments and managing lifecycle activities.
    • AI Risk and Compliance User: Enables creation of AI cases through the Employee Center, handling assigned tasks, and performing control attestations.
    • AI Risk and Compliance Reader: Provides read-only access to AI systems and impact assessments.
    • AI System Reader: Grants read access specifically to AI systems within the AI Control Tower and AI Risk and Compliance workspaces.
    • AI Case Business User: Allows creation of AI cases and inquiries via the Employee Center.
    • AI Case Analyst: Reviews and manages AI cases and inquiries assigned to them, focusing on impacted areas like policies and compliance risks.
    • AI Case Manager: Reviews all AI cases, inquiries, and related data across the system.
    • AI Case Admin: Manages AI case type profiles, assignment rules, and case deletions.

    Role Structure and Security Model

    Many roles include feature-specific permissions (noted with an asterisk) that provide granular control over risk and compliance capabilities, replacing broader Integrated Risk Management (IRM) roles for enhanced security and domain-specific access. This model restricts non-IRM families such as Privacy Management and AI Risk and Compliance from accessing IRM-specific data, ensuring simplified governance and secure access across GRC applications.

    Practical Benefits for ServiceNow Customers

    • Enables clear segregation of duties and responsibilities related to AI risk and compliance management.
    • Supports configuring and automating risk and impact assessments tailored to enterprise needs.
    • Facilitates effective lifecycle management of AI systems with role-based access control.
    • Provides secure, granular access to AI compliance data and assessment processes.
    • Improves governance by aligning roles with specific tasks and limiting unnecessary permissions.

    The AI Risk and Compliance application installs the roles needed to perform the day-to-day operational tasks of managing AI systems across the enterprise.

    Table 1. Roles and their descriptions
    Each entry gives the role title [name], its description, and the roles it contains.

    AI Risk and Compliance Admin [sn_grc_ai_gov.ai_risk_and_compliance_admin]

    Description: The AI Risk and Compliance Admin can perform the following tasks:
    • Set up risk and impact assessment frameworks. Configure risk assessment methodologies, risk contribution factors, and impact assessment templates.
    • Define automation rules for impact assessments to determine applicable risks and controls based on the assessment responses.
    • Set up and profile AI case types.
    • Delete AI systems.

    Contains roles:
    • sn_risk.admin
    • sn_smart_asmt.template_manager
    • sn_grc_ai_gov.ai_risk_and_compliance_manager
    • sn_smart_asmt.assessment_admin
    • sn_grc_workspace.state_model_admin
    • sn_smart_asmt.template_contributor
    • sn_compliance.admin
    • sn_compliance.control_framework_admin*
    • sn_compliance.library_admin*
    • sn_compliance.policy_admin*

    AI Risk and Compliance Manager [sn_grc_ai_gov.ai_risk_and_compliance_manager]

    Description: The AI Risk and Compliance Manager can access all AI systems on the system and perform the following tasks:
    • Initiate impact assessments.
    • Manage the lifecycle of an AI system.
    • Initiate risk assessments.
    • Initiate control attestations.

    Contains roles:
    • sn_grc_ai_gov.ai_risk_and_compliance_analyst
    • sn_smart_asmt.template_contributor
    • sn_smart_asmt.template_manager
    • sn_risk.manager
    • sn_compliance.control_framework_manager*
    • sn_compliance.library_manager*
    • sn_compliance.policy_manager*

    AI Risk and Compliance Analyst [sn_grc_ai_gov.ai_risk_and_compliance_analyst]

    Description: The AI Risk and Compliance Analyst can access all AI systems assigned to them in the system and perform the following tasks only on the assigned records:
    • Initiate impact assessments.
    • Manage the lifecycle of an AI system.
    • Initiate risk assessments.
    • Initiate control attestations.

    Contains roles:
    • sn_smart_asmt.assessment_reader
    • sn_grc_ai_gov.ai_risk_and_compliance_business_user
    • sn_smart_asmt.template_reader
    • sn_risk_advanced.ara_approver
    • sn_grc_ai_gov.ai_risk_and_compliance_reader
    • sn_grc_workspace.user
    • sn_risk.user
    • sn_risk_advanced.ara_assessor
    • sn_compliance.library_user*
    • sn_compliance.control_framework_user*
    • sn_compliance.policy_user*

    AI Risk and Compliance User [sn_grc_ai_gov.ai_risk_and_compliance_business_user]

    Description: The AI Risk and Compliance User can perform the following tasks:
    • Create an AI case on the Employee Center.
    • Work on the assigned tasks.
    • Perform control attestations.

    Contains roles:
    • sn_grc_workspace.assessment_template_configuration_reader
    • sn_smart_asmt.actor
    • sn_grc.business_user
    • sn_grc_workspace.user
    • sn_smart_asmt.assessment_reader
    • sn_compliance.control_framework_business_user*
    • sn_compliance.library_business_user*
    • sn_compliance.policy_business_user*

    AI Risk and Compliance Reader [sn_grc_ai_gov.ai_risk_and_compliance_reader]

    Description: The AI Risk and Compliance Reader has read access to the AI systems and AI impact assessments.

    Contains roles:
    • sn_risk.reader
    • sn_grc_workspace.user
    • sn_compliance.library_reader*
    • sn_compliance.control_framework_reader*
    • sn_compliance.policy_reader*

    AI System Reader [sn_grc_ai_gov.ai_risk_and_compliance_ai_system_reader]

    Description: The AI System Reader has read access to the AI systems on the AI Control Tower workspace and the AI Risk and Compliance workspace.

    Contains roles: NA

    AI Case Business User [sn_ai_case_mgmt.ai_case_business_user]

    Description: The AI Case Business User can create an AI case and an AI inquiry on the Employee Center.

    Contains roles:
    • sn_grc_case_mgmt.grc_case_business_user

    AI Case Analyst [sn_ai_case_mgmt.ai_case_analyst]

    Description: The AI Case Analyst can review the AI cases and AI inquiries assigned to them in the system and perform the following tasks only on the assigned records:
    • Identify and manage impacted and related areas such as policies, regulations, and enterprise-wide compliance risks.
    • Identify and manage issues related to impacted areas to eliminate the root causes.

    Contains roles:
    • sn_grc_case_mgmt.grc_case_analyst
    • sn_ai_case_mgmt.ai_case_business_user

    AI Case Manager [sn_ai_case_mgmt.ai_case_manager]

    Description: The AI Case Manager can review all the AI cases, AI inquiries, and their associated information.

    Contains roles:
    • sn_ai_case_mgmt.ai_case_analyst
    • sn_grc_case_mgmt.grc_case_manager

    AI Case Admin [sn_ai_case_mgmt.ai_case_admin]

    Description: The AI Case Admin can manage type profiles to segregate AI cases. They can set up assignment rules and delete AI cases.

    Contains roles:
    • sn_grc_case_mgmt.grc_case_admin
    • sn_ai_case_mgmt.ai_case_manager

    Important:
    Roles marked with an asterisk (*) are feature roles.
    Note:
    Feature Roles provide granular access to individual risk and compliance capabilities, enabling teams to share only the functionality they need. This capability replaces broad Integrated Risk Management (IRM) roles with feature-specific roles for better control. Non-Integrated Risk Management families like Privacy Management, Operational Sustainability Management, and AI Risk and Compliance are restricted from accessing IRM-specific data or core plugin features. This model ensures secure, domain-specific access and simplifies governance across GRC applications.

    For more information, see https://www.servicenow.com/products/employee-center.html.
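
Because roles in Table 1 contain other roles, assigning one role grants everything reachable through the "Contains roles" column. The following is an added example, not ServiceNow code: it transcribes that column and computes the inherited set for a role, plus the reverse lookup an access reviewer needs. The function names `effectiveRoles` and `grantedBy` are hypothetical, and roles that Table 1 does not describe (for example `sn_risk.admin`) are treated as leaves, so a real instance may grant more than is shown.

```javascript
// "Contains roles" column of Table 1, transcribed by hand for this example.
// Feature-role asterisks are dropped; roles that Table 1 does not describe are leaves here.
const GOV = 'sn_grc_ai_gov.ai_risk_and_compliance_';
const CASE = 'sn_ai_case_mgmt.ai_case_';
const GRC_CASE = 'sn_grc_case_mgmt.grc_case_';
// The three sn_compliance feature roles that each tier in the table carries.
const feature = (tier) =>
  ['control_framework', 'library', 'policy'].map((f) => `sn_compliance.${f}_${tier}`);

const CONTAINS = {
  [GOV + 'admin']: ['sn_risk.admin', 'sn_smart_asmt.template_manager', GOV + 'manager',
    'sn_smart_asmt.assessment_admin', 'sn_grc_workspace.state_model_admin',
    'sn_smart_asmt.template_contributor', 'sn_compliance.admin', ...feature('admin')],
  [GOV + 'manager']: [GOV + 'analyst', 'sn_smart_asmt.template_contributor',
    'sn_smart_asmt.template_manager', 'sn_risk.manager', ...feature('manager')],
  [GOV + 'analyst']: ['sn_smart_asmt.assessment_reader', GOV + 'business_user',
    'sn_smart_asmt.template_reader', 'sn_risk_advanced.ara_approver', GOV + 'reader',
    'sn_grc_workspace.user', 'sn_risk.user', 'sn_risk_advanced.ara_assessor', ...feature('user')],
  [GOV + 'business_user']: ['sn_grc_workspace.assessment_template_configuration_reader',
    'sn_smart_asmt.actor', 'sn_grc.business_user', 'sn_grc_workspace.user',
    'sn_smart_asmt.assessment_reader', ...feature('business_user')],
  [GOV + 'reader']: ['sn_risk.reader', 'sn_grc_workspace.user', ...feature('reader')],
  [GOV + 'ai_system_reader']: [],
  [CASE + 'business_user']: [GRC_CASE + 'business_user'],
  [CASE + 'analyst']: [GRC_CASE + 'analyst', CASE + 'business_user'],
  [CASE + 'manager']: [CASE + 'analyst', GRC_CASE + 'manager'],
  [CASE + 'admin']: [GRC_CASE + 'admin', CASE + 'manager'],
};

// Every role reachable from `role` through the "Contains roles" column.
function effectiveRoles(role) {
  const seen = new Set();
  const stack = [...(CONTAINS[role] || [])];
  while (stack.length) {
    const r = stack.pop();
    if (seen.has(r)) continue; // shared children (and any cycle) are visited once
    seen.add(r);
    stack.push(...(CONTAINS[r] || []));
  }
  return [...seen].sort();
}

// Table 1 roles whose assignment also grants `target`, directly or by inheritance.
function grantedBy(target) {
  return Object.keys(CONTAINS).filter((r) => effectiveRoles(r).includes(target)).sort();
}

for (const role of [GOV + 'admin', GOV + 'reader', CASE + 'admin']) {
  console.log(`${role}: ${effectiveRoles(role).length} inherited roles`);
}
```

On a live instance the same expansion should be run against the platform's own role-containment records rather than a hand transcription, since base roles can contain further roles.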