Is policy-level entity scoping in IRM always a bad idea?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2 hours ago
Been deep in ServiceNow IRM Policy & Compliance lately and wanted to gut-check my approach with people who've actually built this out in production.
Here's the architecture I've landed on:
Policy
└── Parent Control Objective ← governance/traceability only, Auto-create OFF
├── Child Control Objective: Patch servers → scoped to Server entities
├── Child Control Objective: Annual training → scoped to Department entities
└── Child Control Objective: Encrypt data → scoped to Database entities
↓ Controls (auto-generated per record)
My assumptions going in:
- Entity type scoping belongs at the Child Control Objective level — not the Policy, not the Parent Control Objective
- Parent Control Objectives are purely for governance and reporting rollup — no operational controls hanging off them
- Auto-create controls stays OFF on Parent Control Objectives to avoid noise in the dashboard
- Child Control Objectives should not be directly associated to the Policy — the Parent Control Objective relationship already covers traceability, and double-linking just risks duplicate control generation and broken rollups
ServiceNow mention policy-level entity scoping is "technically possible but uncommon" without really explaining why it's uncommon in practice.
What I'd love to know from anyone who's implemented this:
- Does this hold up in real enterprise implementations, or does it fall apart at scale?
- Any edge cases where you did end up scoping at the Policy level and it actually made sense?
- Am I right to never associate Child Control Objectives directly to the Policy?
Thanks in Advance!
