Control Libraries Keep Growing
If you manage a control library, you know this: duplicates accumulate. Control objectives that say the same thing in different ways, inherited from different frameworks, carried forward through audits, mergers, and regulatory updates. Rationalization — identifying and retiring the redundant control objectives — is the task that always gets deferred. The analytical lift is significant, the cost of retiring the wrong control is real, and there’s always a more pressing compliance deadline.
We built two GenAI skills inside Now Assist for IRM to address this issue with controls and control objectives. They share the same rationalization workflow but differ in when to use each one.
Two GenAI Skills, Two Entry Points to Rationalize Control Libraries
On-Demand Rationalization (Generally Available with Zurich, Q4 2025 release) starts from a single record. A Compliance Manager suspects duplicates around a specific control objective, starts the, or has been tasked with, rationalization. Now Assist uses Retrieval-Augmented Generation (RAG) to surface similar records from your Control Library. The Compliance Manager reviews the matches, confirms duplicates, and consolidates them. Think of this as the control-by-control approach you’d use during day-to-day library maintenance or adding a new control pursuant to a regulatory change.
Proactive Clustering (Innovation Lab as at Australia, Q1 2026 release) starts from the full library. The Compliance Manager activates the Control Objective Clustering skill, configures a run frequency, and using the Now Assist Group Action Framework (GAF) to group similar control objectives across the library into clusters. Each cluster gets an AI-generated common description. Instead of inspecting records one by one, the Compliance Manager can see the full map of redundancy upfront and select which clusters, if any, to rationalize. This is the approach to use when planning a broader cleanup — a post-merger consolidation, annual or periodic library review, or new framework adoption.
The key difference is the entry point. On-demand rationalization starts from a single control objective — that the Compliance Manager may already be looking at and wants to use Now Assist to check for duplicates. Clustering starts from a full-library view — Now Assist groups similar objectives into clusters, and the Compliance Manager selects which clusters to rationalize. Both are user-initiated; clustering just gives the broader picture upfront.
Once either trigger fires, the rationalization workflow is the same: Initiate → Analyze (identify duplicates, finalize) → Consolidate → Close. The compliance manager reviews AI recommendations, provides feedback, and the system retires confirmed duplicates.
|
|
On-Demand Rationalization (GA) |
Proactive Clustering (Innovation Lab) |
|
Use Case |
“I’m looking at this control and want to find its duplicates.” |
“Show me all redundancy across my library before I start.” |
|
Entry point |
Starts from a single control objective and looks outward for duplicates to that control objective |
Starts from a clustered view of similar objectives across the full library |
|
Now Assist technology |
RAG — retrieves and matches similar records from your enterprise data |
GAF — groups similar records at scale, generates common descriptions per cluster |
|
Availability |
Generally Available |
Innovation Lab — early access, actively being validated with customers |
|
Demo |
Review this feature demo or a Speed Learning video to implement |
(Coming soon!) |
What Clustering adds to the Rationalization process
On-demand rationalization works well for maintaining a library over time — compliance manager encounters a control, checks for duplicates, and consolidates. Clustering adds a layer on top of that: it provides visibility into redundancy across the entire library before rationalizing individual records. In practice, this means compliance managers can prioritize which clusters to address first based on volume, risk, or framework alignment rather than working through controls sequentially.
Clustering skill is in Innovation Lab because we are still validating how compliance teams want to use it in practice. The workflow and AI are functional, but we want to understand how teams prioritize clusters, how frequently they want the system to re-cluster, and whether the AI-generated common descriptions are useful for planning. If this resonates with how your team thinks about rationalization, we’d like to work with you on shaping the final experience.
Prerequisites and How to Activate
Both skills require the Now Assist for IRM plugin (v21.0.2 or later) on a Yokohama Patch 3+ instance with IRM application version 21.x or higher. For on-demand rationalization, activate the “Recommendation of similar control objectives” and “Common control objective creation” skills in the Now Assist Admin Console. For clustering, activate the “Control objective clustering” skill — your ServiceNow contact can help you enroll in Innovation Lab if you’re not already.
Work with Us to Shape What Comes Next
The on-demand rationalization skill is live and ready to use. The clustering skill is in active validation. If you work with control libraries, we’d value your input:
- Have you tried the on-demand rationalization skill? What worked, what didn’t?
- Does “see all redundancy upfront, then rationalize” match how your team would approach a library cleanup?
- How large is your control library, and how often do you run into duplicate objectives?
For technical details, review the product documentation.
To share feedback or explore these capabilities for your environment, drop a comment on this blog.
