Key Concepts
Understand Governance Studio’s key concepts — and the most common actions associated with them — to jumpstart your GRC efforts on the platform.
Projects
Section titled “Projects”Projects represent a distinct scope of work — a product, initiative, system, or agent — that your team wants to bring into compliance.
- Learn how to create a project.
Policies
Section titled “Policies”A policy is a structured set of compliance requirements. Policies may represent regulations, RMFs, or internal SOPs.
Applying a policy to a project activates the policy’s controls, enabling your team to start tracking compliance.
- Learn how to create a policy.
- Learn how to apply a policy.
Controls
Section titled “Controls”A control is a discrete mandate within a policy.
Your team builds compliance to a policy control by control, and each one undergoes its own implementation and audit. As that process progresses, users mark the control with a status to provide a snapshot of its current state.
- Learn more about controls.
A control’s status is always informed by the latest declaration or review made against it.
Declarations and Reviews
Section titled “Declarations and Reviews”Declarations and reviews are written statements used to describe a control’s compliance status.
Declarations are typically made by those responsible for implementing a control — such as an engineer, project manager, or security lead. Reviews are typically made by those responsible for validating the implementation is satisfactory — such as an internal auditor or compliance lead.
Optionally, users can upload attachments to a declaration or review to support their statement.
Declarations
Section titled “Declarations”A declaration is a statement describing how a control has been implemented.
- Learn how to make a declaration.
Reviews
Section titled “Reviews”A review is a statement describing whether a control’s implementation is satisfactory.
- Learn how to make a review.
Monitoring
Section titled “Monitoring”Often, a control requires not only that its requirements are met at implementation, but that they remain met over a fixed period of time. Governance Studio provides a monitoring feature that enables users to continuously and automatically evaluate this type of control.
Indicators
Section titled “Indicators”Indicators form the foundation of Governance Studio’s monitoring feature.
An indicator is an automated evaluation that determines whether a system, environment, or function matches machine-readable criteria you define.
Indicators connect to an ingestion endpoint. Your systems send events to that endpoint, and the indicator evaluates each one against its criteria — returning success or failure.
- Learn how to create an indicator.
Credentials
Section titled “Credentials”A credential is an attestation that a project has met a specific policy.
Credentials are typically issued once an auditing team deems the policy’s requirements have been implemented to a satisfactory degree. When issuing a credential, the issuer must always specifiy an expiration date. An active credential can also be revoked at any time.
- Learn how to issue credentials.
Reports
Section titled “Reports”A Governance Studio report is a point-in-time record of a project’s compliance status toward a specific policy.
Each report comes in a .zip and includes a complete record of the project’s compliance process towards a given policy — including every declaration, review, and any associated attachments.
Organization and Project Owners can generate this shareable, audit-ready document at any time.
- Learn how to export a report.
Key Terms
Section titled “Key Terms”To build integrity throughout your compliance process, many of the actions you take in Governance Studio are cryptographically hashed and signed — this helps make your report independently verifiable and tamper-evident. You’ll find the following terms across various interfaces in Governance Studio as they relate to the cryptographic capabilities the solution offers. See here for a full glossary.
A CID (Content Identifier) is a unique fingerprint derived from a piece of content — whether that be an image, snippet of code, or just a plain block of text. Because the identifier is generated from the content itself, any change to that content produces a different CID — making tampering immediately detectable.
In this context, CIDs are primarily used to establish integrity for any statements or attachments uploaded to Governance Studio, then validate that integrity at any time thereafter.
A DID (Decentralized Identifier) is a unique identifier for a user, organization, or even system.
In this context, DIDs are primarily used to sign actions such as declarations and reviews — like adding your signature to a document to prove it was created by you and not forged.
Governance Manifest
Section titled “Governance Manifest”When you export a report from Governance Studio, a governance manifest is included in your downloadable .zip. This file (manifest.json) contains a comprehensive, machine-readable record of the key components of your compliance process.
In this context, the manifest is used to confirm that the report is authentic and unaltered by listing the CIDs and DIDs of every declaration, review, and attachment, along with the cryptographic proofs that bind them together.
Verified
Section titled “Verified”A record is verified when its cryptographic proof is confirmed intact — meaning its content matches its original CID and its signature traces back to the signer’s DID. A verified status confirms the record is authentic and has not been altered since it was created.