Comparison

Constellation vs GRC Software

GRC platforms — ServiceNow GRC, LogicGate, OneTrust, Archer, MetricStream — are a mature, well-funded category. They manage risk registers, compliance frameworks, policy libraries, and audit readiness. Constellation does something structurally different: it governs institutional action at the moment it happens. GRC answers “are we compliant?” Constellation answers “was this legitimate?”

01

What GRC software does

The GRC category has consolidated around a clear set of capabilities:

  • Risk identification, assessment, and quantification across the enterprise
  • Compliance mapping to regulatory frameworks (SOX, GDPR, HIPAA, ISO 27001)
  • Policy lifecycle management — drafting, approval, attestation, review
  • Control testing, evidence collection, and audit preparation
  • Incident management and remediation workflows
  • Executive dashboards and board-level risk reporting

It’s a $15B+ market because every regulated organisation needs it. The tools are mature and the workflows are well-understood.

02

The category gap

GRC Software

“We have documented our risks and mapped our controls to the relevant frameworks.”

Compliance management infrastructure

Constellation

“This action was checked against institutional constraints and found legitimate at the moment it was taken.”

Institutional operating system

GRC operates in the documentation and assessment layer — it tracks what you’ve decided to do about risk. Constellation operates at the execution layer — it ensures what’s happening right now is consistent with what the institution has decided.

03

Risk management is not governance

|              | GRC Platforms                   | Constellation                                      |
|--------------|---------------------------------|----------------------------------------------------|
| Question     | Are we compliant?               | Was this legitimate?                               |
| Timing       | Periodic (quarterly, annually)  | Moment of action                                   |
| Enforcement  | Tasks, reminders, attestations  | Check / escalate / block + trace                   |
| Subject      | Risks, controls, frameworks     | Authority, thresholds, legitimacy                  |
| AI agents    | Emerging (AI risk assessment)   | Core (governed at tool-call level)                 |
| Contestation | Exception requests              | Formal challenge with ruling & precedent           |
| Memory       | Audit trails & reports          | Knowledge graph, precedent, institutional learning |

04

What GRC platforms cannot do

GRC platforms are designed for the assessment and reporting cycle. Even the most sophisticated platforms cannot:

  • Intercept an action at the moment of execution and evaluate its institutional legitimacy
  • Govern AI agent tool calls against a living set of institutional constraints
  • Enforce authority boundaries that change as board decisions evolve
  • Create immutable governance traces that prove exactly why an action was permitted or blocked
  • Build governance precedent from past decisions that automatically informs future checks
  • Run shadow mode to calibrate AI delegation before enabling autonomous action

These aren’t product gaps in GRC. They’re category boundaries. GRC was designed for a world where humans make decisions slowly enough to be reviewed periodically.

05

The speed problem

GRC platforms were built for a quarterly cadence. Risk reviews happen periodically. Control testing is scheduled. Policy attestations recur annually. This worked when institutional action moved at human speed.

AI agents don’t operate on a quarterly cadence. They act in milliseconds — approving expenditures, drafting communications, triggering workflows, executing contracts. An agent can take a hundred consequential actions between one risk review and the next.

The gap between GRC’s assessment cadence and AI’s action speed is where governance failures will occur — not because the risk register was wrong, but because nobody checked at the moment it mattered.

Constellation eliminates this gap. It makes institutional governance present at the speed of action.

06

Complementary architecture

// The governance stack

Board Decisions

  ↓

Institutional Governance (Constellation)

  ↓ governance traces

Risk & Compliance Management (ServiceNow, LogicGate, OneTrust)

  ↓ audit evidence

Compliance Reporting (Drata, Vanta)

  ↓ certifications

Regulators & Auditors

Constellation generates the governance traces that GRC platforms consume. Every check, escalation, and enforcement event becomes high-fidelity evidence for risk registers, control testing, and audit packages. The output of Constellation becomes the input to GRC.

Organisations that use both get real-time governance enforcement and periodic risk assessment — the moment and the cadence, working together.

07

Bottom line

Category competitor?

No

Language overlap?

Significant (governance, risk, compliance)

Architectural overlap?

None

GRC software manages risk. Constellation governs action. GRC tells you what could go wrong. Constellation ensures that what’s happening right now is institutionally legitimate. Different temporal orientation, different enforcement model, natural partners.

Constellation is not a GRC platform. It’s the institutional governance layer that GRC platforms have been missing — real-time enforcement at the moment of action, not periodic assessment after the fact.