Skip to content

Key Concepts

Understand Governance Studio’s key concepts — and the most common actions associated with them — to jumpstart your GRC efforts on the platform.

Projects represent a distinct scope of work — a product, initiative, system, or agent — that your team wants to bring into compliance.

A policy is a structured set of compliance requirements. Policies may represent regulations, RMFs, or internal SOPs.

Applying a policy to a project activates the policy’s controls, enabling your team to start tracking compliance.

A control is a discrete mandate within a policy.

Your team builds compliance to a policy control by control, and each one undergoes its own implementation and audit. As that process progresses, users mark the control with a status to provide a snapshot of its current state.

A control’s status is always informed by the latest declaration or review made against it.

Declarations and reviews are written statements used to describe a control’s compliance status.

Declarations are typically made by those responsible for implementing a control — such as an engineer, project manager, or security lead. Reviews are typically made by those responsible for validating the implementation is satisfactory — such as an internal auditor or compliance lead.

Optionally, users can upload attachments to a declaration or review to support their statement.

A declaration is a statement describing how a control has been implemented.

A review is a statement describing whether a control’s implementation is satisfactory.

Often, a control requires not only that its requirements are met at implementation, but that they remain met over a fixed period of time. Governance Studio provides a monitoring feature that enables users to continuously and automatically evaluate this type of control.

Indicators form the foundation of Governance Studio’s monitoring feature.

An indicator is an automated evaluation that determines whether a system, environment, or function matches machine-readable criteria you define.

Indicators connect to an ingestion endpoint. Your systems send events to that endpoint, and the indicator evaluates each one against its criteria — returning success or failure.

A credential is an attestation that a project has met a specific policy.

Credentials are typically issued once an auditing team deems the policy’s requirements have been implemented to a satisfactory degree. When issuing a credential, the issuer must always specifiy an expiration date. An active credential can also be revoked at any time.

A Governance Studio report is a point-in-time record of a project’s compliance status toward a specific policy.

Each report comes in a .zip and includes a complete record of the project’s compliance process towards a given policy — including every declaration, review, and any associated attachments.

Organization and Project Owners can generate this shareable, audit-ready document at any time.

To build integrity throughout your compliance process, many of the actions you take in Governance Studio are cryptographically hashed and signed — this helps make your report independently verifiable and tamper-evident. You’ll find the following terms across various interfaces in Governance Studio as they relate to the cryptographic capabilities the solution offers. See here for a full glossary.

A CID (Content Identifier) is a unique fingerprint derived from a piece of content — whether that be an image, snippet of code, or just a plain block of text. Because the identifier is generated from the content itself, any change to that content produces a different CID — making tampering immediately detectable.

In this context, CIDs are primarily used to establish integrity for any statements or attachments uploaded to Governance Studio, then validate that integrity at any time thereafter.

A DID (Decentralized Identifier) is a unique identifier for a user, organization, or even system.

In this context, DIDs are primarily used to sign actions such as declarations and reviews — like adding your signature to a document to prove it was created by you and not forged.

When you export a report from Governance Studio, a governance manifest is included in your downloadable .zip. This file (manifest.json) contains a comprehensive, machine-readable record of the key components of your compliance process. 

In this context, the manifest is used to confirm that the report is authentic and unaltered by listing the CIDs and DIDs of every declaration, review, and attachment, along with the cryptographic proofs that bind them together.

A record is verified when its cryptographic proof is confirmed intact — meaning its content matches its original CID and its signature traces back to the signer’s DID. A verified status confirms the record is authentic and has not been altered since it was created.