Generate risks and controls from entity types

Release version: Australia

Updated March 12, 2026

2 minutes to read

Create and edit entity types and map them to existing ServiceNow® tables for which you must track compliance (applications, departments, regions, processes, systems, etc.). Entities are assigned to control objectives and risk statements, which generate controls and risks for every entity type.

Before you begin

Role required:

sn_compliance.admin or sn_compliance.manager
sn_risk.admin or sn_risk.manager
sn_audit.admin or sn_audit.manager

About this task

An entity type provides you a method to group Entities together. An entity type can be explained in the following example: Assume that you want to generate a risk of earthquake for all the data centers in a particular region. You could simply create an entity type called "Data Center" and associate all the entities of that region to the risk of earthquake based on the risk statement.

Procedure

Navigate to one of the following locations.
- Policy and Compliance > Scoping > Entity Types.
- Risk > Scoping > Entity Types.
- Audit > Scoping > Entity Types.

Do one of the following actions.

Option	Description
To create a new entity type	Click New.
To edit an entity type	Open the entity type from the list.
To delete an entity type	Open the entity type from the list and click Delete. The item generation process executes these actions in the background. With the legacy implementation of the item generation process (v1), the entity type that was marked for deletion would get deleted instantly. With the implementation of the item generation process (v2), an entity type that is marked for deletion is not deleted instantly by the item generation process, but it is marked for deletion. When the nightly scheduled job runs, it deletes the entity type. For more information on the item generation process, see Using the item generation process to generate controls and risks.

Option

Description

To create a new entity type

Click New.

To edit an entity type

Open the entity type from the list.

To delete an entity type

Open the entity type from the list and click Delete.

The item generation process executes these actions in the background. With the legacy implementation of the item generation process (v1), the entity type that was marked for deletion would get deleted instantly.

With the implementation of the item generation process (v2), an entity type that is marked for deletion is not deleted instantly by the item generation process, but it is marked for deletion. When the nightly scheduled job runs, it deletes the entity type.

For more information on the item generation process, see Using the item generation process to generate controls and risks.

Fill in the fields on the form, as appropriate, and click Submit or Update.

Table 1. Entity type
Name	Description
Name	Name of the entity type.
Description	Explanation of the entity type with any additional information that a user finds helpful.

Once the entity type is saved, click the Entity filters tab and On the form, fill in the fields.

Table 2. Entity filters
Name	Description
Entity Type	Indicates the entity type that the filters belong to.
Table	Table that contains the records to be queried.
Filter condition	Filter conditions for the source table to generate entities.
Owner field	Person who owns any new entities generated from the entity type. Identify the user reference field on the source table to automatically identify risk and control owners. Use default owner to assign risks to a single user when the owner field is empty.
Empty owner	Create Do not create Use default

Click Submit.
From the Entity type form, click Update Entities from Filters.
An informational message appears: Updating entities for this entity type.