GRC for Cloud

Governance, Risk, and Compliance - the discipline that makes cloud security legible to auditors, regulators, executives, and the customers who buy from you. Vendor-neutral guide to the three pillars, the framework landscape, policy-as-code, continuous compliance, audit evidence in cloud, and the tools each cloud ships natively to support the work.

Detailed view of a hand writing a signature on an official document with a ballpoint pen
Photo by Tima Miroshnichenko on Pexels

· · Vendor-neutral · View source on GitHub

The 30-second version: GRC (Governance, Risk, and Compliance) is the discipline that turns abstract security intent into documented controls, evidence, and audit-ready posture. Governance = who decides, what's the policy, who's accountable. Risk = what could go wrong, how likely, how bad, what are we doing about it. Compliance = can you prove, to an auditor or regulator, that the controls you claim actually run.

Cloud changes GRC in two practical ways: every control is an API call away from drifting (so it has to be continuously monitored, not annually sampled), and most controls leave a log behind (so evidence collection is automatable). The modern stack is compliance-as-code for the rules, CSPM/CNAPP for live sensing, a GRC platform for the system-of-record, and a small GRC team that owns the mapping, exceptions, and auditor relationships.

On this page

  1. What GRC is
  2. The three pillars
  3. What cloud changes about GRC
  4. The framework landscape
  5. Control frameworks & baselines
  6. Policy-as-code & compliance-as-code
  7. Continuous compliance with CSPM/CNAPP
  8. Audit evidence in cloud
  9. GRC platforms
  10. AWS, Azure, and GCP side-by-side
  11. Roles & responsibilities
  12. Maturity stages
  13. Common pitfalls
  14. Further reading
  15. FAQ

What GRC is

GRC is the discipline that translates security intent ("we will protect customer data") into controls (specific things we do - encrypt at rest, MFA on admin accounts, rotate keys), into evidence (proof those controls run), and into attestation (a third party signing off that what we say is true). Done well, it's the connective tissue between the security org, the rest of the business, and the outside world of auditors, regulators, and customers who want assurance before they buy.

Done badly, it's the worst caricature security has: a separate team, a separate vocabulary, screenshots-for-screenshots'-sake, and a calendar driven by audit windows rather than by what's actually changing in the environment. The good news is that the cloud-native version of GRC can avoid most of those failure modes if the team builds with the right primitives from the start.

This page is the practitioner's view - what the work actually is in 2026, which frameworks you'll encounter, how compliance-as-code changes the game, and how to choose between native cloud tools, CSPM/CNAPP, and dedicated GRC platforms.

The three pillars

The "G", "R", and "C" are distinct disciplines that interlock. Most orgs do one well, one passably, and one badly - recognizing which is yours is the first step in maturing the program.

Governance

Policies, standards, decision-making rights, and accountability. Who can approve a production deployment? Who owns the IAM model? Which exceptions can which manager sign? Governance answers the org-chart questions of security. Outputs: an information-security policy, role definitions, an exception-approval workflow, and a documented owner for every control.

Risk

Identifying threats, assessing likelihood and impact, deciding what to do (accept, avoid, mitigate, transfer), and monitoring whether the treatments are working. Outputs: a risk register, residual-risk scoring, treatment plans linked to controls, and a periodic review cadence that survives team turnover.

Compliance

Demonstrating that controls run as policy requires, mapped to one or more external frameworks, with evidence an auditor will accept. Outputs: framework mappings, evidence collected on a defined cadence, gap analyses, and clean audit reports (SOC 2, ISO 27001, PCI DSS, etc.) that procurement teams can read.

The pillars are reinforcing. A weak governance pillar produces inconsistent risk decisions; a weak risk pillar produces compliance work that costs more than it should because nothing is risk-prioritized; a weak compliance pillar produces well-governed, well-risked programs that customers can't buy from because there's no report to send them.

What cloud changes about GRC

The fundamentals of GRC predate cloud by decades. The execution looks meaningfully different once your workloads run in someone else's data center, behind APIs that auditors don't have ssh access to.

Dimension Traditional GRC Cloud GRC
Control unit A server, a network segment, a policy doc An API call, a resource configuration, an identity
Evidence shape Screenshots, manual log exports, attestation letters API queries, structured JSON, log streams, signed config snapshots
Audit cadence Annual or quarterly point-in-time samples Continuous - every config change generates an event
Shared responsibility You own the stack end-to-end Provider owns part; your scope shrinks but doesn't disappear
Change rate Quarterly releases, change-advisory boards Hundreds of deploys / day; controls must keep up
Auditor knowledge Familiar with on-prem controls Variable - newer firms specialize, older ones still learning the cloud model
Failure mode Audit window finds the gap; remediate before next audit Misconfiguration is exploitable in hours; the auditor finding lags the breach

The bottom row matters most. In traditional GRC, the audit finding generally arrives before the breach. In cloud, an attacker scanning for public S3 buckets, exposed IMDS, or overly permissive trust policies can act in minutes - your control either holds at the moment of misconfiguration, or it doesn't hold at all. GRC has to keep up with the cloud's change rate, not the auditor's calendar.

The framework landscape

You will eventually be asked about most of these. The pragmatic strategy is to pick one as your primary internal framework, map all others to it, and run a single control set with framework-specific overlays where required.

SOC 2

The de facto B2B SaaS attestation in North America. AICPA-defined Trust Services Criteria - Security is required; Availability, Confidentiality, Processing Integrity, and Privacy are optional add-ons. Type I is a point-in-time design assessment; Type II covers a period (typically 6 or 12 months) and verifies the controls actually ran. Most enterprise procurement teams require Type II.

ISO 27001

The international information-security management system (ISMS) standard. More prescriptive than SOC 2 on management-system structure, less prescriptive on individual technical controls. Required or preferred outside North America for most enterprise buyers; increasingly co-required with SOC 2. Annex A (in the 2022 revision) lists 93 reference controls.

PCI DSS

The Payment Card Industry Data Security Standard. Required if you store, process, or transmit cardholder data. v4.0 (in force) places much heavier expectations on continuous monitoring and risk-based scoping than v3.2.1 did. Tokenization and scope reduction are the highest-leverage moves; doing it the brute-force way (everything in scope) is several multiples more expensive.

HIPAA / HITECH

U.S. healthcare. The Security Rule defines administrative, physical, and technical safeguards for protected health information (PHI). All three major clouds offer BAA-eligible services; using a service not on your provider's BAA list with PHI is a quiet path to a finding. Breach Notification Rule sets the timeline for disclosure.

FedRAMP

U.S. federal cloud authorization. Three impact levels (Low, Moderate, High) drawn from NIST SP 800-53. Moderate is the most common; High applies to data whose loss would have severe or catastrophic effect. The authorization process is long (12-18+ months typical) and expensive; most vendors use a 3PAO and target an agency sponsor or the Joint Authorization Board.

NIST Cybersecurity Framework (CSF)

Not an attestation, but the most-cited common-language framework for security programs. CSF 2.0 organizes work into six functions: Govern, Identify, Protect, Detect, Respond, Recover. Useful as the meta-framework that maps SOC 2, ISO 27001, and PCI DSS to a shared vocabulary for executive reporting.

CIS Benchmarks

Technical baselines - specific configurations for AWS, Azure, GCP, Kubernetes, Docker, OS images, and more. Not attestations; they're the implementation-level baseline most CSPM tools score against by default. Aligning your environment with CIS produces evidence that crosswalks cleanly to SOC 2, ISO 27001, and PCI DSS controls.

Privacy: GDPR, CCPA/CPRA, and regional

Personal-data protection laws. GDPR (EU), CCPA / CPRA (California), LGPD (Brazil), PIPL (China), and dozens more. Distinct from security frameworks but heavily overlapping - most security controls also serve privacy obligations. Data-residency, data-subject-rights workflows, and lawful-basis tracking are the new asks; cloud providers have residency tooling (regions, sovereign-cloud offerings) to support them.

Sector-specific

The 80/20 of mapping

SOC 2, ISO 27001, and most other frameworks overlap by 60-80%. Pick one as the internal source-of-truth control set; map every other framework to it. Add framework-specific controls only where the others don't already cover the requirement (e.g., PCI DSS network segmentation, HIPAA breach-notification timelines, FedRAMP continuous monitoring deliverables). This is the single highest-leverage decision in a multi-framework program.

Control frameworks & baselines

Where attestation frameworks (SOC 2, ISO 27001) define what outcomes you must demonstrate, control frameworks define how at the configuration level. Cloud GRC programs reach for these:

Policy-as-code & compliance-as-code

The biggest mechanical change cloud brings to GRC is that policy can be code. The control "S3 buckets must have public access blocked" can be a one-line rule that runs against every bucket every time anything changes, instead of a sentence in a PDF that gets sampled annually.

The languages and runtimes

Where to enforce

The three layers are complementary. Pre-deploy is cheapest and fastest; post-deploy is the safety net for everything that slips. Skipping pre-deploy because "the CSPM catches it" means you ship the misconfiguration and rely on the post-deploy detection to be tuned, alerted, and acted on - at which point the bucket may already have been scanned.

Continuous compliance with CSPM/CNAPP

A CSPM (Cloud Security Posture Management) tool inventories your cloud, evaluates every resource against a rule set, and emits findings continuously. When the rule set is tagged with the framework it satisfies (CIS, NIST, SOC 2, ISO 27001, PCI DSS, HIPAA, etc.), the CSPM becomes the live sensor for your compliance posture - not the system of record, but the source of truth for "is this control passing right now?"

What CSPM/CNAPP gives GRC

What CSPM/CNAPP doesn't give you

The pragmatic split: CSPM/CNAPP for the technical controls (probably 60-70% of any modern framework), GRC platform or wiki for the rest, both feeding into the same audit-evidence repository.

Audit evidence in cloud

The evidence shape changes in cloud, and so does the work of gathering it. The categories an auditor will ask about - and what cloud-native sources answer them:

Identity & access

Who has access to what, with what permissions, since when, used how recently. IAM Access Analyzer (AWS), Entra ID + Defender (Azure), IAM Recommender + Asset Inventory (GCP). Last-used and unused-access reports answer "least privilege?" directly.

Configuration

Current state of every resource at any point in time. AWS Config history, Azure Resource Graph snapshots, GCP Asset Inventory history. Re-hydrates "what did this resource look like during the audit period?" without re-running scans.

Activity

Who did what, when, from where. CloudTrail (AWS), Activity Log (Azure), Cloud Audit Logs (GCP). The single most-requested evidence class in any cloud audit.

Encryption & keys

What's encrypted, with which keys, rotated when. KMS / Key Vault / Cloud KMS APIs; the keyring + key-usage audit logs that prove customer-managed-key claims.

Vulnerability & patching

What CVEs exist on what workloads, age of unremediated findings, patch SLA compliance. CSPM/CNAPP, Inspector, Defender for Cloud, Security Command Center. Tied to your remediation-SLA policy in the GRC platform.

Change management

Every production change ties back to a ticket, a reviewer, a CI build, an attested artifact. GitHub / GitLab audit log, deployment pipeline records, IaC plan history. (See CI/CD and our pipeline writeup.)

Incident response

Tickets, runbooks executed, post-incident reviews, evidence of timely notification per regulatory obligation. SIEM incident records, IR ticketing system, communications archive.

Third-party / vendor

Subprocessor list, due-diligence records, contracted security obligations, data-processing addenda. Lives in the GRC platform; rarely cloud-native.

Automating evidence collection

The 2026 reality: the GRC platforms that have integrated with cloud APIs collect most of the technical evidence automatically. Vanta, Drata, Secureframe, Hyperproof, ServiceNow GRC, OneTrust, and others connect to AWS, Azure, GCP, GitHub, identity providers, MDM, HRIS, ticketing - and refresh evidence on a schedule. The control-engineering work is in defining the mapping; once defined, the evidence is mostly free.

Close-up of a checklist with green checkmarks
Photo by Towfiqu barbhuiya on Pexels

GRC platforms

The system-of-record layer that lives above the cloud-native tooling. The major categories in 2026:

Choosing one

AWS, Azure, and GCP side-by-side

The native GRC-supporting capabilities each cloud ships, reduced to a one-screen reference:

Capability AWS Azure GCP
Policy enforcement Service Control Policies (SCPs), Resource Control Policies (RCPs) Azure Policy + Initiatives Organization Policy constraints
Configuration tracking AWS Config, Config Rules Azure Resource Graph, Defender for Cloud Cloud Asset Inventory, Security Health Analytics
Posture & compliance Security Hub (CIS, PCI, NIST, AWS Foundational) Defender for Cloud regulatory compliance dashboard Security Command Center compliance posture
Audit evidence collection AWS Audit Manager Microsoft Purview Compliance Manager Risk & compliance as code (Assured Workloads + SCC reports)
Regulated-workload boundary GovCloud, Secret Region, dedicated tenancy Azure Government, Sovereign Cloud offerings Assured Workloads (FedRAMP, IL4, ITAR), sovereign-cloud partners
Activity audit log CloudTrail (org trail) Activity Log (subscription / mgmt group) Cloud Audit Logs (org-aggregated)
Encryption controls KMS, CloudHSM, key policies, BYOK Key Vault Managed HSM, BYOK, Confidential Compute Cloud KMS, External Key Manager, CMEK
Data classification Macie Purview Information Protection Sensitive Data Protection (DLP API)
Identity governance IAM Access Analyzer, IAM Identity Center Entra ID Governance, Access Reviews, PIM IAM Recommender, Access Approval, Access Transparency
Available attestations 100+ - SOC, ISO, PCI, HIPAA, FedRAMP, IRAP, C5, ENS, etc. 100+ - comparable global coverage 75+ - including FedRAMP High, IL4, IRAP

The native tools are necessary but not sufficient. Every cloud will tell you it ships everything a regulated workload needs; in practice the cross-cloud GRC platform fills the gaps between them, and the human program runs above all of it.

Roles & responsibilities

GRC roles look different at different company sizes. The work doesn't disappear at small scale; it just collapses onto fewer people.

For how these roles relate to broader cloud-security career paths, see the Cloud Security Careers page.

Maturity stages

A useful staging model for a cloud GRC program:

Stage 1 - Written

Information-security policy exists and is approved. Asset inventory is partial but real. One target framework picked (usually SOC 2). Risk register is a spreadsheet. Evidence is collected manually around audit windows.

Stage 2 - Automated

GRC platform live and pulling evidence from cloud APIs, IdP, code repo, MDM. First clean SOC 2 Type II shipped. CSPM running with framework-aligned rule packs. Exception workflow defined. Auditor receives evidence via the platform, not screenshots.

Stage 3 - Engineered

Compliance-as-code in CI/CD - policy violations fail the build. Controls mapped 1:1 between internal control set and 2-4 external frameworks. Risk treatments tied to engineering OKRs. Continuous-monitoring dashboard visible to executives.

Stage 4 - Strategic

GRC informs product roadmap (data-residency features, regulated-industry offerings, regional expansion). Risk-quantification methods (FAIR, monte-carlo) produce dollar-denominated risk inputs to investment decisions. The program is a competitive advantage in sales.

The skip-stage cost is real here too - an org trying to compliance-as-code without a written policy and a defined control set is automating against nothing. Sequencing matters.

Common pitfalls

Further reading

Frameworks & standards

Policy-as-code tooling

Provider docs

Related CSOH pages

FAQ

How long does a first SOC 2 Type II take?

For a 20-50-person SaaS using a compliance-automation platform: roughly 3-4 months to readiness, then a 6-month observation period for Type II, then 4-8 weeks of audit fieldwork. Total elapsed: 9-12 months from "we should do this" to a signed report. Skip the platform and add 50%; skip the prior auditor relationship and add another 25%.

Should the GRC team report to the CISO or to Legal?

Most cloud-native orgs put GRC inside Security under the CISO. Some larger or heavily regulated orgs (financial services, healthcare) keep the compliance function under Legal or a Chief Compliance Officer. The trade-off: Security-aligned GRC is closer to the engineering work that produces evidence; Legal-aligned GRC is closer to the contractual and regulatory side. Neither is wrong; pick the one that matches where the dependent decisions get made.

Is FedRAMP worth pursuing for a commercial SaaS?

Only if you have an actual federal-government deal that requires it. FedRAMP is 12-18+ months of work and significant ongoing cost; the math only works against revenue you can name. The path is: identify the federal customer, secure an agency sponsor or pursue JAB authorization, pick a 3PAO, and budget 18 months. "Maybe federal eventually" is a recipe for sunk cost.

How does zero trust relate to GRC?

Zero trust is an architectural pattern; GRC is a discipline. Zero-trust controls (verify every request, least privilege, continuous validation) generate evidence GRC values (every access logged, every policy decision auditable). Most modern frameworks now reference zero-trust principles (NIST 800-207, CSF 2.0 Govern function). They reinforce each other; neither replaces the other.

What's changing in cloud GRC over the next 1-2 years?

Three forces: AI assistance for drafting and mapping (most GRC platforms now ship LLM-assisted evidence summarization and control-mapping), regulatory expansion (NIS2, DORA, AI-specific regulations like the EU AI Act), and continuous-control-monitoring displacing point-in-time evidence as the auditor expectation. The orgs investing in compliance-as-code now will have an easier time when the third force fully arrives.

Do auditors trust automated evidence?

Increasingly yes - and the signing auditor's familiarity with the platform you use is the bigger variable. A SOC 2 auditor who has run a hundred audits on Vanta evidence is comfortable with Vanta evidence; the same auditor's first ServiceNow GRC engagement will take longer. Talk to your auditor about evidence sources before you pick the platform.

Where next