GRC: Entity Based Access for AI assets
Summary of GRC: Entity Based Access for AI assets
The GRC: Entity Based Access (EBA) application in ServiceNow’s AI Risk and Compliance solution provides granular, entity-based data access control. It ensures that only authorized users can view sensitive AI asset records—such as risks, controls, and assessments—while maintaining visibility of core business entities to all users. Unlike traditional role-based access, EBA restricts access based on business entities like departments or regions, supporting compliance and confidentiality requirements.
Key Features
- Entity-Based Access Control: Controls access to AI asset data at the record level based on associated business entities, not just user roles.
- Visibility Management: Entities remain visible to all users, but linked AI asset records are accessible only to qualified users with the necessary roles.
- Supported AI Asset Tables: Access can be managed for AI system records, AI system entity mappings, and AI system tasks.
- Configurable Entity Classes and Types: Assign entity classes (e.g., AI system, AI model) and types to linked objects to enforce access restrictions accurately.
- Bulk and Automated Access Updates: Use guided utilities to set access restrictions on existing records and configure rules to apply restrictions automatically to new records.
Enabling and Configuring EBA for AI Assets
- Install the GRC: Entity Based Access application.
- Enable or disable entity-based access properties to control access to AI asset-related objects.
- Configure entity classes and entity types for linked objects to apply appropriate access controls.
- Set bulk access restrictions on existing records using the entity-based record access update utility.
- Configure entity-based record access rules to enforce restrictions on new records automatically.
Practical Considerations
- By default, AI Asset records include user and group fields (e.g., Analyst, Business Owner, Analyst Group) to help configure access.
- AI Asset task records include fields like Assigned to and Watch list for user-based access considerations.
- Related Entity records do not have default user or group fields and require configuration for access control.
Key Outcomes
Implementing GRC: Entity Based Access for AI assets enables your organization to securely manage sensitive AI risk and compliance data, ensuring that users only access information relevant to their assigned entities. This approach enhances data confidentiality, supports compliance mandates, and provides controlled visibility into AI asset governance across departments or business units.
The GRC: Entity Based Access application enables you to segregate data on AI asset records so that only authorized users can access sensitive AI Risk and Compliance data while maintaining visibility into core entities. Entity-based access administrators can use this application to set up secure, controlled access to various AI assets and their related objects.
Entity-Based Access (EBA) is a security feature that provides granular, data-level access control within the AI Risk and Compliance application. Unlike role-based access control, EBA decides which records a user can access based on business entities such as departments, regions, or business units. This approach ensures that sensitive information is accessible only to authorized users, in line with organizational compliance and confidentiality requirements.
AI Risk and Compliance managers can access risks, controls, related entities, issues, indicators, AI asset tasks, risk assessments, attestations, and AI asset data through entity-based access. Entities themselves stay visible to all users, while visibility of linked records is limited to authorized users. Entity-based access is supported for the following AI asset tables:
- AI system [sn_grc_ai_gov_ai_system]
- AI system entity [sn_grc_ai_gov_ai_system_entity_map]
- AI system task [sn_grc_ai_gov_ai_system_task]
Configure GRC: Entity Based Access
- Install the GRC: Entity Based Access application. For more information, refer to Install the Entity Based Access application.
- Enable or disable the entity-based access properties to control access to the objects that are associated with an AI asset. For more information, refer to Set up Entity Based Access properties.
- Configure an entity class for a linked object by using the GRC: Entity Based Access application. For more information, refer to Configure an entity class for a linked object.
  Note: Entities created with an AI asset are assigned an entity class such as AI system, AI model, dataset, or MCP server, depending on their category. To apply access restrictions to these entities, you must configure the appropriate entity class settings.
- Configure an entity type by using the GRC: Entity Based Access application. For more information, refer to Configure an entity type for a linked object.
- Set access restrictions for the existing records in bulk by using the entity-based record access update utility guided experience. For more information, refer to Set access restrictions using an entity based record access update utility.
- Configure entity-based record access rules on record types to apply access restrictions to new records automatically. For more information, refer to Configure entity-based record access rules.
  Note: Three entity-based record access rules are provided by default, one per record type, each with specific field configurations. The AI Asset record (sn_grc_ai_gov_ai_system) includes Analyst and Business owner as user fields, and Analyst Group as a group field. For AI Asset task (sn_grc_ai_gov_ai_system_task), you can find Assigned to and Watch list as user fields. The Related Entity record (sn_grc_ai_gov_ai_system_entity_map) doesn't have any user or group fields configured by default.
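To make the access model above concrete, the following stand-alone JavaScript is an added illustration, not ServiceNow code and not the GRC: Entity Based Access application's own evaluation logic (the page does not document that logic). It models the contrast between role-based and entity-based record access using the three AI asset tables and their default user/group fields listed in the note above. The entity table name, the role name, the sample users and records, and the rule that a user named in a record's default user or group field qualifies for that record are all assumptions made for the example.

```javascript
// Added example (not ServiceNow code): a stand-alone model of entity-based
// record access for the three AI asset tables on this page. Assumptions:
//   - ENTITY_TABLE and REQUIRED_ROLE are placeholder names.
//   - A user sees a linked record only when they hold the required role AND
//     either are assigned to the record's business entity or are named in one
//     of the record's default user/group fields.

const ENTITY_TABLE = 'entity_table_placeholder';     // assumed, not the real table name
const REQUIRED_ROLE = 'ai_risk_manager_placeholder'; // assumed role name

// Default user/group fields per table, as listed on this page.
const TABLE_FIELDS = {
  sn_grc_ai_gov_ai_system: {
    userFields: ['analyst', 'business_owner'],
    groupFields: ['analyst_group'],
  },
  sn_grc_ai_gov_ai_system_task: {
    userFields: ['assigned_to', 'watch_list'],
    groupFields: [],
  },
  sn_grc_ai_gov_ai_system_entity_map: { userFields: [], groupFields: [] },
};

// Constructed sample users: roles, business entities they are assigned to,
// and group memberships.
const USERS = {
  alice: { roles: [REQUIRED_ROLE], entities: ['dept_finance'], groups: [] },
  bob:   { roles: [REQUIRED_ROLE], entities: ['dept_hr'], groups: ['ai_analysts'] },
  carol: { roles: [], entities: ['dept_finance'], groups: [] }, // entity match, no role
};

// Constructed sample records: each linked record carries a business entity
// and its table's default user/group field values.
const RECORDS = [
  { sys_id: 'r1', table: 'sn_grc_ai_gov_ai_system', entity: 'dept_finance',
    analyst: 'alice', business_owner: null, analyst_group: null },
  { sys_id: 'r2', table: 'sn_grc_ai_gov_ai_system', entity: 'dept_legal',
    analyst: null, business_owner: null, analyst_group: 'ai_analysts' },
  { sys_id: 'r3', table: 'sn_grc_ai_gov_ai_system_task', entity: 'dept_legal',
    assigned_to: null, watch_list: ['alice'] },
  { sys_id: 'r4', table: 'sn_grc_ai_gov_ai_system_entity_map', entity: 'dept_legal' },
  { sys_id: 'e1', table: ENTITY_TABLE, entity: 'dept_legal' }, // the entity itself
];

// Traditional role-based check: any holder of the role sees every linked record.
function roleBasedAccess(userName, record) {
  if (record.table === ENTITY_TABLE) return true;
  return USERS[userName].roles.includes(REQUIRED_ROLE);
}

// True if the user appears in one of the record's default user fields or
// belongs to a group named in one of its default group fields.
function namedOnRecord(userName, record) {
  const spec = TABLE_FIELDS[record.table];
  if (!spec) return false;
  const user = USERS[userName];
  const inUserField = spec.userFields.some((f) => {
    const v = record[f];
    return Array.isArray(v) ? v.includes(userName) : v === userName;
  });
  const inGroupField = spec.groupFields.some(
    (f) => record[f] != null && user.groups.includes(record[f]),
  );
  return inUserField || inGroupField;
}

// Entity-based check: the role is still necessary, but no longer sufficient.
function entityBasedAccess(userName, record) {
  if (record.table === ENTITY_TABLE) return true;        // entities visible to all
  const user = USERS[userName];
  if (!user.roles.includes(REQUIRED_ROLE)) return false;  // role required
  if (user.entities.includes(record.entity)) return true; // qualified by entity
  return namedOnRecord(userName, record);                 // or named on the record
}

// Returns the sys_ids a user can see under a given access evaluator.
function visibleRecords(userName, evaluator) {
  return RECORDS.filter((r) => evaluator(userName, r)).map((r) => r.sys_id);
}

for (const name of Object.keys(USERS)) {
  console.log(name,
    'role-based:', visibleRecords(name, roleBasedAccess).join(','),
    '| entity-based:', visibleRecords(name, entityBasedAccess).join(','));
}
```

Running it shows the effect the page describes: under the role-based evaluator alice sees every record, while under the entity-based evaluator she sees only the finance AI system (her entity), the task that lists her on the Watch list, and the entity record itself; carol, who matches the finance entity but lacks the role, sees only the entity record under either evaluator.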