
Industry Vocabulary Reference

GRC, ESG & Enterprise Risk Management

Comprehensive enumeration library for the GRC, ESG & Enterprise Risk Management vertical. This is the capstone vertical — it provides the governance, risk, and compliance vocabulary that applies to the agentic AI GRC portal itself, and to any organisation deploying agentic AI at enterprise scale. Covers: ISO 31000:2018 / COSO ERM 2017 risk assessment and treatment lifecycle, NIST AI RMF 1.0 implementation tiers and function mapping, ISO/IEC 42001:2023 AI management system requirements, AI governance maturity modelling, third-party AI vendor risk management (SR 11-7, EU AI Act supply chain), ESG programme governance and double materiality, internal audit and assurance for AI systems (IIA Standards, ISAE 3000), enterprise risk appetite and tolerance framework, incident and near-miss management, board and executive AI governance obligations, and the regulatory cross-reference matrix linking the core SDK enumerations to the major AI governance frameworks. Designed for use as OTel span attributes in an agentic AI SDK and as policy vocabulary in an OPA Rego GRC portal.

Version v2026.03.16 · 21 enum categories · 2.2 schema · 8 subdomains · 37 standards


Download mirrored JSON · Open vertical SDK quick start · Get API access

How to use this reference

  1. Start with the core file if you need the cross-industry governance baseline.
  2. Then move into the vertical file to see the regulated workflow vocabulary, policy surfaces, and implementation pressure unique to this market.
  3. Use the OTel attributes and policy paths here as the common language across SDK instrumentation, governance review, and evidence export.

March 2026 deployment context

As of March 2026, agentic AI in GRC, ESG, and enterprise risk management is deployed across: automated risk assessment and risk register maintenance (ISO 31000 / COSO ERM), continuous control monitoring and automated evidence collection (NIST SP 800-53, SOX 404), AI-driven regulatory horizon scanning and obligation mapping, AI governance maturity assessment and gap analysis (ISO/IEC 42001, NIST AI RMF), third-party AI vendor risk evaluation and due diligence, AI model risk management under SR 11-7 (model inventory, validation, performance monitoring), ESG data collection, materiality assessment, and disclosure preparation (CSRD, ISSB, SEC Climate Rule), internal audit AI (AI-assisted audit planning, continuous transaction monitoring, anomaly detection), AI incident and near-miss reporting (EU AI Act Article 62, DORA), board-level AI governance reporting and dashboard generation, and enterprise AI programme governance (Chief AI Officer enablement, AI use case inventory under OMB M-24-10). ISO/IEC 42001:2023 is the emerging certification standard for AI management systems — analogous to ISO 27001 for information security — and is driving significant GRC platform investment in 2025–2026. The EU AI Act Article 9 risk management system requirement and Article 17 quality management system requirement are the most operationally demanding regulatory obligations for providers of high-risk AI, applying from August 2026.

Risk note: ISO/IEC 42001:2023 is the first certifiable AI Management System standard. It requires organisations to establish context, define AI policy, conduct AI risk assessments, implement controls from Annex A, and undergo third-party certification audits. Several EU member state regulators and the EU AI Office are signalling that ISO 42001 certification may satisfy (or substantially support) the EU AI Act Article 17 quality management system requirements for providers of high-risk AI. The EU AI Act Article 62 serious incident reporting obligation requires providers to report serious incidents (death, serious harm, fundamental rights violations) to market surveillance authorities without undue delay — AI GRC platforms must build automated incident classification and regulatory notification workflows. DORA Article 28 requires EU financial entities to maintain a register of all ICT service providers, including AI vendors — AI GRC portals are the natural home for this register. SR 11-7 model risk management guidance, while US banking-focused, has become the de facto global standard for AI model governance in financial services and is increasingly applied by non-financial regulators by analogy.

Loading Model

  • Mirrored file: 12_vertical_grc_esg_enterprise_risk.json
  • Kind: vertical

OTel Namespaces

grc

Primary Standards

  • ISO 31000:2018 — Risk Management Guidelines
  • ISO 31010:2019 — Risk Assessment Techniques
  • COSO ERM 2017 — Enterprise Risk Management — Integrating with Strategy and Performance
  • COSO Internal Control — Integrated Framework (2013)
  • ISO/IEC 42001:2023 — Artificial Intelligence Management System (AIMS)
  • ISO/IEC 23894:2023 — Artificial Intelligence — Guidance on Risk Management
  • ISO/IEC 38507:2022 — Governance of AI by the Organisation
  • NIST AI RMF 1.0 — Artificial Intelligence Risk Management Framework (January 2023)
  • NIST AI RMF Playbook — GOVERN, MAP, MEASURE, MANAGE function actions
  • NIST AI 600-1 — Generative AI Profile (July 2024)
  • NIST SP 800-30 Rev 1 — Guide for Conducting Risk Assessments
  • EU AI Act (2024/1689) — Full regulatory framework including Articles 9, 10, 11, 12, 13, 14, 17, 61, 62
  • EU AI Act Article 9 — Risk management system for high-risk AI
  • EU AI Act Article 17 — Quality management system for providers
  • EU AI Act Article 61 — Post-market monitoring by providers
  • EU AI Act Article 62 — Reporting of serious incidents
  • EU AI Act Articles 53–55 — GPAI model obligations and codes of practice
  • EU AI Office — GPAI Model Code of Practice (Draft, March 2025)
  • OECD Principles on AI (2019, updated 2024) — International AI governance reference
  • G7 Hiroshima AI Process (2023) — Code of conduct for advanced AI
  • Council of Europe AI Convention CETS 225 (2024)
  • Federal Reserve SR 11-7 — Supervisory Guidance on Model Risk Management (2011, still current)
  • OCC 2011-12 — Model Risk Management (banks)
  • EBA Guidelines on Internal Governance (EBA/GL/2021/05) — AI model governance
  • DORA (EU) 2022/2554 — Digital Operational Resilience Act — ICT risk management and AI
  • Basel Committee BCBS 239 — Principles for Effective Risk Data Aggregation
  • IIA International Standards for the Professional Practice of Internal Auditing (2024 edition)
  • IIA Global Technology Audit Guide (GTAG) — Auditing Artificial Intelligence
  • ISAE 3000 (Revised) — Assurance Engagements Other than Audits or Reviews
  • ISSB IFRS S1 — General Requirements for Sustainability-related Financial Disclosures
  • TCFD — Task Force on Climate-related Financial Disclosures (superseded by ISSB but foundational)
  • GRI 101: Foundation 2021 — GRI Standards for sustainability reporting
  • SASB Standards — Sector-specific ESG metrics (now under ISSB)
  • ISO 14001:2015 — Environmental Management Systems
  • UN Sustainable Development Goals (SDGs) — Framework for ESG alignment reporting
  • SBTi (Science Based Targets initiative) — Corporate net-zero target validation
  • CDP (Carbon Disclosure Project) — Climate, water, and forests disclosure

Subdomains

| Subdomain | Categories | Sample attributes |
|---|---|---|
| Enterprise Risk Assessment & Treatment | 4 | grc.risk.assessment_method, grc.risk.treatment_strategy, grc.risk.appetite_status |
| NIST AI RMF & AI Governance Maturity | 3 | grc.nist_ai_rmf.function, grc.nist_ai_rmf.implementation_tier, grc.ai_governance.maturity_level |
| ISO/IEC 42001 AI Management System | 2 | grc.iso42001.clause_area, grc.ai_impact_assessment.outcome |
| Third-Party AI Risk Management | 3 | grc.third_party_ai.risk_tier, grc.model_validation.status, grc.gpai.obligation_status |
| AI Incident Management & Post-Market Monitoring | 3 | grc.ai_incident.severity, grc.ai_incident.root_cause_category, grc.ai_post_market.monitoring_status |
| ESG Programme Governance | 2 | grc.esg.framework_alignment, grc.esg.assurance_level |
| Internal Audit & Assurance for AI | 2 | grc.internal_audit.ai_engagement_type, grc.internal_audit.finding_severity |
| Board & Executive AI Governance | 2 | grc.ai_governance.governance_body_type, grc.ai_governance.board_reporting_frequency |

Implementation examples

  • Enterprise Risk Assessment & Treatment: Risk Assessment Method. The AI GRC agent selects the risk assessment method based on risk category and materiality. Tier 4 critical AI systems require at minimum 'red_team_exercise' and 'threat_modeling_stride'. OPA policy enforces that any new high-risk AI deployment must have a completed risk assessment with a documented method before receiving production ATO. (EU AI Act Art 9: the high-risk AI risk management system requires documented risk identification and evaluation; the chosen risk assessment method must be recorded and reproducible.)
  • Enterprise Risk Assessment & Treatment: Risk Treatment Strategy. The AI risk agent assigns a treatment strategy to each identified risk. OPA policy blocks 'accept_retain' treatment for any AI risk rated above the board-approved risk appetite threshold without explicit Risk Committee or CRO HITL authorisation. (EU AI Act Art 9(3): the risk management system must include residual risk evaluation; 'accept_retain' for any risk classified as high requires documented AO or Risk Committee approval.)
  • Enterprise Risk Assessment & Treatment: Risk Appetite Status. The AI risk monitoring agent continuously recalculates risk scores. An 'exceeds_tolerance' status on any material risk triggers immediate CIRO/CRO HITL notification and initiates the board escalation workflow. The AI agent cannot autonomously resolve an 'exceeds_tolerance' status; only the Risk Committee can. (COSO ERM 2017 Principle 6: the board defines risk oversight and appetite; 'exceeds_tolerance' requires board notification.)
  • Enterprise Risk Assessment & Treatment: Compliance Action Status. The AI compliance agent tracks all open remediation actions against their deadlines. 'Overdue' items trigger management escalation. OPA policy enforces that 'escalated_to_regulator' and 'regulatory_breach_confirmed' status transitions require CCO and General Counsel HITL; AI cannot self-escalate to regulatory authorities. (EU AI Act Art 62: serious incident reporting; the 'escalated_to_regulator' status for AI serious incidents must be filed without undue delay.)

Illustrative policy patterns

block high risk ai deployment without impact assessment

Block production deployment of any AI system classified as high-risk or above where the AI impact assessment has not been completed with an acceptable outcome. Implements ISO/IEC 42001 Annex A.5, EU AI Act Article 9, and the enterprise AI deployment governance gate in a single policy.

Regulatory basis: ISO/IEC 42001:2023 Annex A.5 — AI system impact assessment is a normative control required before deployment; EU AI Act Article 9(4) — Testing and evaluation must be performed for high-risk AI; NIST AI RMF MAP 2.2 — Impact assessment before deployment

```rego
package grc.ai_deployment_governance

# rego.v1 gives the `in` and `contains`/`if` keywords and works on OPA 0.59+ and 1.x.
import rego.v1

# AIImpactAssessmentOutcome values that must block production deployment.
blocking_assessment_outcomes := {
  "assessment_not_conducted",
  "assessment_in_progress",
  "unacceptable_impact_deployment_blocked"
}

# Minimum AIGovernanceMaturityLevel for high-risk deployment; not referenced by the rule below.
high_risk_maturity_required := "level_3_managed"

deny contains msg if {
  input.grc_ai_impact_assessment_outcome in blocking_assessment_outcomes
  msg := sprintf("ISO 42001 Annex A.5 / EU AI Act Art 9: AI system '%v' cannot be deployed — impact assessment outcome is '%v'. A completed assessment with acceptable outcome is required.", [input.ai_system_id, input.grc_ai_impact_assessment_outcome])
}
```

enforce eu ai act serious incident reporting gate

Block any AI incident management agent from downgrading a 'serious_incident_eu_ai_act_art62' classification to a lower severity without CCO approval, and enforce that regulatory notification is initiated within the EU AI Act prescribed timeline. Prevents AI-driven incident suppression.

Regulatory basis: EU AI Act Article 62 — Providers must report serious incidents without undue delay; life-threatening situations within 2 days; all other serious incidents within 15 days; providers cannot suppress or delay reporting

```rego
package grc.ai_incident_management

import rego.v1

# An agent may not downgrade an Art 62 serious incident without CCO HITL approval.
deny contains msg if {
  input.previous_incident_severity == "serious_incident_eu_ai_act_art62"
  input.proposed_incident_severity != "serious_incident_eu_ai_act_art62"
  not input.cco_hitl_approved_downgrade == true
  msg := "EU AI Act Art 62: Downgrading a serious incident classification requires CCO approval. AI incident management agent cannot autonomously reclassify serious incidents to lower severity."
}

# Tripwire for serious incidents with no notification initiated; the threshold is in
# hours so the gate fires well before the 15-day deadline named in the message.
deny contains msg if {
  input.grc_ai_incident_severity == "serious_incident_eu_ai_act_art62"
  not input.regulatory_notification_initiated == true
  input.hours_since_incident_detected > 14
  msg := sprintf("EU AI Act Art 62: Serious incident '%v' detected %v hours ago. Regulatory notification must be submitted within 15 days. CIRO and Legal must initiate notification immediately.", [input.incident_id, input.hours_since_incident_detected])
}
```

From enum to evidence

The same vocabulary should carry from instrumentation through review. The OTel attribute names here become emitted metadata, those attributes become policy inputs, and those same labels should still be intelligible when a reviewer opens the decision record later.

```typescript
import { VeriproofClient, VeriproofSdkOptions, SessionMetadata } from '@veriproof/sdk-core';
import {
  RiskAssessmentMethod, RiskAssessmentMethodMeta,
  RiskTreatmentStrategy, RiskTreatmentStrategyMeta,
  RiskAppetiteStatus, RiskAppetiteStatusMeta,
} from '@veriproof/sdk-core/verticals/grc-esg-enterprise-risk';

const client = new VeriproofClient(
  VeriproofSdkOptions.createProduction({
    apiKey: process.env.VERIPROOF_API_KEY!,
    applicationId: 'grc-esg-enterprise-risk-production',
  }),
);

// Each *Meta.otelAttribute is the attribute name listed on this page; the enum
// member is the emitted value, so the span carries the same vocabulary as the policy.
const session = client
  .startSession('grc-esg-enterprise-risk.review')
  .withSessionMetadata(SessionMetadata.forTransaction('txn-1001').withEnvironment('production'))
  .addStep('evaluate_workflow', { output: { status: 'completed' } })
  .withMetadata(RiskAssessmentMethodMeta.otelAttribute, RiskAssessmentMethod.qualitative)
  .withMetadata(RiskTreatmentStrategyMeta.otelAttribute, RiskTreatmentStrategy.avoid)
  .withMetadata(RiskAppetiteStatusMeta.otelAttribute, RiskAppetiteStatus.within_appetite);

await session.complete();
```

  • SDK: emit the OTel attribute shown on this page during the decision workflow.
  • Policy: reference the matching `opa_policy_path` in governance rules.
  • Evidence: surface the same label and value in the portal and exported record so reviewers are not translating between systems.
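The chain described here, and the four "Implementation examples" rules above, as an added TypeScript example that is not part of the Veriproof SDK or this page's Rego: span attributes with the grc.* names are converted to OPA-style input, evaluated, and written back into a record that keeps the original labels. The field names ai_system_tier, previous_appetite_status, risk_committee_hitl, cco_hitl and general_counsel_hitl are assumptions; the attribute names and enum values are from this page.

```typescript
// Added example, not code from the Veriproof SDK or this page's Rego policies: it carries
// the grc.* span attributes into OPA-style policy input and back out into a decision
// record. Attribute names and enum values are from this page; ai_system_tier,
// previous_appetite_status, risk_committee_hitl, cco_hitl and general_counsel_hitl are assumed.
type AttrValue = string | number | boolean | string[];
export type Attrs = Record<string, AttrValue>;
export interface Decision {
  allowed: boolean;      // false when any deny rule fired
  denials: string[];     // one message per deny rule, in rule order
  escalations: string[]; // HITL notifications the agent must raise, never resolve itself
}
// The page's Rego reads input.grc_ai_impact_assessment_outcome, i.e. the dotted OTel
// attribute name with dots replaced by underscores; apply the same rule to every key.
export function toPolicyInput(attrs: Attrs): Attrs {
  const input: Attrs = {};
  for (const [name, value] of Object.entries(attrs)) input[name.replace(/\./g, '_')] = value;
  return input;
}
// Deny rules taken from the four "Implementation examples" on this page.
export function evaluate(input: Attrs): Decision {
  const denials: string[] = [];
  const escalations: string[] = [];
  const raw = input['grc_risk_assessment_method'];
  const methods: string[] = Array.isArray(raw) ? raw : typeof raw === 'string' ? [raw] : [];
  const appetite = input['grc_risk_appetite_status'];
  const aboveAppetite = appetite === 'within_tolerance_above_appetite' || appetite === 'exceeds_tolerance';
  const action = input['grc_compliance_action_status'];
  // 1. Tier 4 critical systems need both methods before production ATO.
  if (input['ai_system_tier'] === 'tier_4_critical') {
    for (const required of ['red_team_exercise', 'threat_modeling_stride']) {
      if (!methods.includes(required)) denials.push(`EU AI Act Art 9: tier 4 system is missing '${required}'`);
    }
  }
  // 2. 'accept_retain' above the appetite threshold needs Risk Committee / CRO HITL.
  if (input['grc_risk_treatment_strategy'] === 'accept_retain' && aboveAppetite && input['risk_committee_hitl'] !== true) {
    denials.push("EU AI Act Art 9(3): 'accept_retain' above risk appetite requires Risk Committee approval");
  }
  // 3. 'exceeds_tolerance' starts the board workflow; only the Risk Committee may clear it.
  if (appetite === 'exceeds_tolerance') escalations.push('board_escalation_workflow');
  if (input['previous_appetite_status'] === 'exceeds_tolerance' && appetite !== 'exceeds_tolerance'
      && input['risk_committee_hitl'] !== true) {
    denials.push("COSO ERM 2017 Principle 6: agent cannot clear 'exceeds_tolerance' without Risk Committee");
  }
  // 4. Overdue actions escalate to management; regulator-facing transitions need CCO + GC HITL.
  if (action === 'overdue') escalations.push('management_escalation');
  if ((action === 'escalated_to_regulator' || action === 'regulatory_breach_confirmed')
      && !(input['cco_hitl'] === true && input['general_counsel_hitl'] === true)) {
    denials.push(`EU AI Act Art 62: '${action}' requires CCO and General Counsel approval`);
  }
  return { allowed: denials.length === 0, denials, escalations };
}
// Evidence record: the reviewer sees the original OTel labels, not a translated copy.
export function evidenceRecord(spanAttrs: Attrs, decision: Decision) {
  return { policy: 'grc.ai_risk_treatment', labels: { ...spanAttrs }, ...decision };
}
// Constructed sample span: a tier 4 system whose agent proposes to retain an above-appetite
// risk after only a STRIDE threat model and a qualitative review, with an overdue action open.
export const sampleSpan: Attrs = {
  'ai_system_tier': 'tier_4_critical',
  'grc.risk.assessment_method': ['threat_modeling_stride', 'qualitative'],
  'grc.risk.treatment_strategy': 'accept_retain',
  'grc.risk.appetite_status': 'within_tolerance_above_appetite',
  'grc.compliance.action_status': 'overdue',
};
```

Running evaluate(toPolicyInput(sampleSpan)) yields two denials (missing 'red_team_exercise', and 'accept_retain' without HITL) plus a 'management_escalation'; adding the second method and a Risk Committee approval clears the gate.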

For a step-by-step getting-started walkthrough specific to this vertical, open the GRC, ESG & Enterprise Risk Management SDK quick start. For the full core API reference, continue with TypeScript, Python, or .NET.

Ready to connect your first workflow?

Register a free Builder account for full SDK and REST API access, enter the live demo if you want to see the portal first, or request a coverage workshop if your team wants a guided review of this vertical before implementation starts.


Highlighted Enum Categories

Each entry lists the enum, its description, its workflow area, the OTel attribute it is emitted under, and its values.

RiskAssessmentMethod
Risk assessment methodology applied by an AI risk assessment agent. ISO 31010:2019 catalogs 42 risk assessment techniques — this enum covers the most commonly applied methods in enterprise AI risk programmes. The chosen method must be proportionate to the risk complexity and documented in the risk assessment record.
Workflow area: Enterprise Risk Assessment & Treatment
OTel attribute: grc.risk.assessment_method
Values: qualitative, quantitative, semi_quantitative, bow_tie_analysis, fmea_failure_modes, threat_modeling_stride, red_team_exercise, automated_scan_vulnerability

RiskTreatmentStrategy
ISO 31000:2018 Section 6.5 risk treatment option. AI risk management agents apply treatment strategies to identified risks. Treatment decisions for residual risks above the organisation's risk appetite threshold must be escalated to the Risk Committee — AI may not autonomously accept above-threshold residual risks.
Workflow area: Enterprise Risk Assessment & Treatment
OTel attribute: grc.risk.treatment_strategy
Values: avoid, reduce_mitigate, share_transfer, accept_retain, monitor_watch_list, exploit_opportunity

RiskAppetiteStatus
Classification of a risk's current position relative to the board-approved risk appetite and tolerance thresholds. COSO ERM 2017 defines risk appetite as the amount of risk an entity is willing to accept in pursuit of value. AI GRC agents flag breaches in real time.
Workflow area: Enterprise Risk Assessment & Treatment
OTel attribute: grc.risk.appetite_status
Values: within_appetite, approaching_tolerance, within_tolerance_above_appetite, exceeds_tolerance, board_exception_approved, appetite_not_defined

ComplianceActionStatus
Status of a compliance remediation action or finding response in the GRC platform. AI compliance agents track actions through this lifecycle and escalate overdue items. Escalation to regulator status is irreversible — it must be set by a human compliance officer, not autonomously by AI.
Workflow area: Enterprise Risk Assessment & Treatment
OTel attribute: grc.compliance.action_status
Values: open_not_started, in_flight, overdue, pending_verification, remediated, verified_closed, exception_granted, exception_expired

NISTAIRMFFunction
NIST AI RMF 1.0 core function. The four functions structure the AI risk management lifecycle from governance through active management. AI GRC agents tag every AI risk management action with the applicable function for maturity measurement and gap analysis.
Workflow area: NIST AI RMF & AI Governance Maturity
OTel attribute: grc.nist_ai_rmf.function
Values: GOVERN, MAP, MEASURE, MANAGE

NISTAIRMFImplementationTier
NIST AI RMF 1.0 Implementation Tier characterising an organisation's AI risk management posture. Tiers reflect the degree to which AI risk management is institutionalised and integrated with enterprise risk management. The tier is assessed separately for each NIST AI RMF function.
Workflow area: NIST AI RMF & AI Governance Maturity
OTel attribute: grc.nist_ai_rmf.implementation_tier
Values: tier_1_partial, tier_2_risk_informed, tier_3_repeatable, tier_4_adaptive

AIGovernanceMaturityLevel
AI governance programme maturity level. Adapted from CMMI and ISO/IEC 42001 Annex B maturity guidance. Used by AI governance assessment agents to produce maturity scorecards and roadmaps. Level 3 or above is the minimum expected for organisations deploying high-risk AI.
Workflow area: NIST AI RMF & AI Governance Maturity
OTel attribute: grc.ai_governance.maturity_level
Values: level_0_ad_hoc, level_1_aware, level_2_defined, level_3_managed, level_4_optimised, level_5_transformative

ISO42001ClauseArea
ISO/IEC 42001:2023 clause area for AI management system requirements. AI compliance agents tag evidence and gap findings with the applicable clause to support third-party certification audits and internal readiness assessments.
Workflow area: ISO/IEC 42001 AI Management System
OTel attribute: grc.iso42001.clause_area
Values: clause_4_context_of_organisation, clause_5_leadership, clause_6_planning, clause_7_support, clause_8_operation, clause_9_performance_evaluation, clause_10_improvement, annex_a_controls

AIImpactAssessmentOutcome
Outcome of an AI impact assessment conducted under ISO/IEC 42001 Annex A.5 or the EU AI Act Article 9 risk management system. Determines whether the AI system may proceed to deployment, requires additional controls, or must be modified or abandoned.
Workflow area: ISO/IEC 42001 AI Management System
OTel attribute: grc.ai_impact_assessment.outcome
Values: low_impact_approved, moderate_impact_controls_required, high_impact_enhanced_governance_required, critical_impact_board_approval_required, unacceptable_impact_deployment_blocked, assessment_in_progress, assessment_not_conducted, reassessment_triggered_by_change

ThirdPartyAIRiskTier
Risk tier classification for a third-party AI vendor or AI model provider. Drives due diligence depth, contractual requirements, and ongoing monitoring intensity. SR 11-7 model risk management principles apply to all material AI models, regardless of whether they are built or bought.
Workflow area: Third-Party AI Risk Management
OTel attribute: grc.third_party_ai.risk_tier
Values: tier_a_critical_dependency, tier_b_significant, tier_c_moderate, tier_d_low, not_assessed

ModelValidationStatus
SR 11-7 / OCC 2011-12 model validation lifecycle status. Applicable to all material AI models — including foundation models deployed via API, fine-tuned models, and internally developed models. A model in production without a completed validation is an SR 11-7 finding.
Workflow area: Third-Party AI Risk Management
OTel attribute: grc.model_validation.status
Values: pre_validation_development, initial_validation_in_progress, initial_validation_completed_approved, initial_validation_completed_conditional_approval, initial_validation_failed_blocked, in_production_monitoring, ongoing_validation_in_progress, material_change_triggered_revalidation

GPAIModelObligationStatus
EU AI Act Articles 53–55 compliance status for a General-Purpose AI (GPAI) model or GPAI model with systemic risk. Organisations deploying GPAI models (including GPT-4, Claude, Gemini, Llama) as components of their products must verify that the upstream GPAI provider has fulfilled these obligations.
Workflow area: Third-Party AI Risk Management
OTel attribute: grc.gpai.obligation_status
Values: technical_documentation_published, copyright_summary_published, training_data_summary_available, eu_copyright_policy_compliant, systemic_risk_model_adversarial_tested, systemic_risk_model_incident_reporting_active, code_of_practice_signatory, obligations_not_yet_assessed

This reference page is rendered from the mirrored JSON file inside the docs app, not from a hand-written website model.

If you need the machine-readable asset for offline review, automation, or internal diffing, use the mirrored JSON download above.

Next: open the corresponding SDK reference under SDK documentation and then compare it with the public-site industry page to see how the same vocabulary is framed commercially.
