GRC: Entity Based Access for AI assets

  • Release version: Australia
  • Updated March 12, 2026

    The GRC: Entity Based Access application enables you to segregate data on AI asset records so that only authorized users can access sensitive AI Risk and Compliance data, while visibility into core entities is maintained. Entity-based access administrators can use this application to set up secure, controlled access to AI assets and their related objects.

    GRC: Entity Based Access for AI assets

    Entity-Based Access (EBA) is a security feature designed to provide granular, data-level access control within the AI Risk and Compliance application. Unlike role-based access control, EBA decides which records a user can access based on business entities such as departments, regions, or business units. This approach ensures that sensitive information is only accessible to authorized users, aligning with organizational compliance and confidentiality requirements.

    AI Risk and Compliance managers can access risks, controls, related entities, issues, indicators, AI asset tasks, risk assessments, attestations, and AI assets data through entity-based access. Entities themselves stay visible to all users, while visibility of linked records is limited to authorized users.

    When a user is qualified based on these configurations and has the minimum required roles, they have access to the following tables:
    • AI system [sn_grc_ai_gov_ai_system]
    • AI system entity [sn_grc_ai_gov_ai_system_entity_map]
    • AI system task [sn_grc_ai_gov_ai_system_task]

    Configure GRC: Entity Based Access

    The following tasks must be performed to enable and use GRC: Entity Based Access for the AI asset records.
    1. Install the GRC: Entity Based Access application. For more information, refer to Install the Entity Based Access application.
    2. Enable or disable the Entity Based Access properties to control access to the objects that are associated with an AI asset. For more information, refer to Set up Entity Based Access properties.
    3. Configure an entity class for a linked object by using the GRC: Entity Based Access application. For more information, refer to Configure an entity class for a linked object.
      Note:
      Entities created with an AI asset are assigned an entity class such as AI system, AI model, or dataset depending on their category. To apply access restrictions to these entities, you must configure the appropriate entity class settings.
    4. Configure an entity type by using the GRC: Entity Based Access application. For more information, refer to Configure an entity type for a linked object.
    5. Set access restrictions for the existing records in bulk by using the entity-based record access update utility guided experience. For more information, refer to Set access restrictions using an entity based record access update utility.
    6. Configure entity-based record access rules on record types to apply access restrictions to new records automatically. For more information, refer to Configure entity-based record access rules.
      Note:
      Three records are provided by default, each with specific field configurations. The AI Asset record (sn_grc_ai_gov_ai_system) includes Analyst and Business owner as user fields, and Analyst Group as a group field. For AI Asset task (sn_grc_ai_gov_ai_system_task), you can find Assigned to and Watch list as user fields. The Related Entity record (sn_grc_ai_gov_ai_system_entity_map) doesn’t have any user or group fields configured by default.
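
As an added illustration (not ServiceNow code), the following JavaScript models the default field configuration in the note above so that an administrator can reason about who would qualify for a record before restrictions are turned on. The column names, the role name, and the sample users and records are assumed placeholders; the model covers only a minimum role plus record-level user and group fields.

```javascript
// Simplified model of the three default record configurations described above.
// Table names come from the page; column names and the role are ASSUMED placeholders.
const ACCESS_FIELDS = {
  sn_grc_ai_gov_ai_system: { user: ['analyst', 'business_owner'], group: ['analyst_group'] },
  sn_grc_ai_gov_ai_system_task: { user: ['assigned_to', 'watch_list'], group: [] },
  sn_grc_ai_gov_ai_system_entity_map: { user: [], group: [] }, // no fields by default
};
const MIN_ROLE = 'example_min_role'; // placeholder, not a real role name

// Normalise a field value (single id, list of ids, or empty) to an array.
function ids(value) {
  if (value === undefined || value === null || value === '') return [];
  return Array.isArray(value) ? value : [value];
}

// Decide whether one user qualifies for one record, and say why.
function qualifies(user, table, record) {
  const cfg = ACCESS_FIELDS[table];
  if (!cfg) return { allowed: false, reason: 'no configuration for table in this model' };
  if (!user.roles.includes(MIN_ROLE)) return { allowed: false, reason: 'missing minimum role' };
  for (const f of cfg.user) {
    if (ids(record[f]).includes(user.id)) return { allowed: true, reason: `user field ${f}` };
  }
  for (const f of cfg.group) {
    if (ids(record[f]).some((g) => user.groups.includes(g))) {
      return { allowed: true, reason: `group field ${f}` };
    }
  }
  return { allowed: false, reason: 'not named in any configured field' };
}

// List the ids of all users who qualify for a record (for access review).
function accessReport(users, table, record) {
  return users.filter((u) => qualifies(u, table, record).allowed).map((u) => u.id);
}

// Constructed sample data.
const USERS = [
  { id: 'u1', roles: [MIN_ROLE], groups: [] },
  { id: 'u2', roles: [], groups: [] },            // named on the record but lacks the role
  { id: 'u5', roles: [MIN_ROLE], groups: ['g-risk'] },
];
const AI_SYSTEM = { analyst: 'u1', business_owner: 'u2', analyst_group: 'g-risk' };
const TASK = { assigned_to: 'u3', watch_list: ['u1', 'u4'] };

console.log(accessReport(USERS, 'sn_grc_ai_gov_ai_system', AI_SYSTEM));
console.log(accessReport(USERS, 'sn_grc_ai_gov_ai_system_task', TASK));
console.log(accessReport(USERS, 'sn_grc_ai_gov_ai_system_entity_map', {}));
```

In this model no user qualifies for a Related Entity record through record fields, because that record type has no user or group fields configured by default.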