Regulatory depth
Does the platform maintain a continuously updated, source-watched corpus of obligations across the jurisdictions you operate in, or does it depend on an external framework you would have to maintain yourself? Evidence to ask for: a live admin view of the regulatory catalog with the source URL, last-watched timestamp, and version pointer for each obligation. Static markdown tables and CSV exports do not count.
Audit non-repudiation
If a regulator asks how a specific decision was made six months ago, can the vendor reproduce the inputs, policy version, and outcome, with cryptographic proof the record was not edited after the fact? Evidence to ask for: a worked example of a past decision retrieved from the audit trail with hash chain or signature visible. Append-only log claims without a verifiable signature scheme are not enough.
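As an added illustration of the hash-chain-plus-signature evidence this item asks for (example code, not any vendor's implementation): each decision record carries its inputs, policy version and outcome, is chained to the previous record's hash, and is signed, and the verifier reports the first record that was edited, deleted or reordered. The key, field names and sample decisions are constructed; HMAC stands in for the asymmetric signature a real platform would use so an auditor can verify without holding the signing key.

```python
import hashlib
import hmac
import json

# Constructed demo key. In production the key sits in an HSM/KMS, and an asymmetric
# scheme (e.g. Ed25519) lets the auditor verify without ever holding the signing key.
SIGNING_KEY = b"demo-audit-signing-key"
GENESIS_HASH = "0" * 64

def canonical(body: dict) -> bytes:
    """Deterministic serialization so the same record always hashes identically."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(record_hash: str) -> str:
    return hmac.new(SIGNING_KEY, record_hash.encode(), hashlib.sha256).hexdigest()

def append_decision(log: list, decision_id: str, inputs: dict,
                    policy_version: str, outcome: str) -> dict:
    """Append one governance decision, chained to the previous record and signed."""
    body = {
        "decision_id": decision_id,
        "inputs": inputs,
        "policy_version": policy_version,
        "outcome": outcome,
        "prev_hash": log[-1]["hash"] if log else GENESIS_HASH,
    }
    record_hash = hashlib.sha256(canonical(body)).hexdigest()
    entry = {**body, "hash": record_hash, "signature": sign(record_hash)}
    log.append(entry)
    return entry

def verify_chain(log: list) -> tuple:
    """Return (True, None) if every link and signature holds, else (False, first bad index)."""
    prev = GENESIS_HASH
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k not in ("hash", "signature")}
        recomputed = hashlib.sha256(canonical(body)).hexdigest()
        if body["prev_hash"] != prev or recomputed != entry["hash"]:
            return False, i  # edited content, or a deleted/reordered record
        if not hmac.compare_digest(sign(recomputed), entry["signature"]):
            return False, i  # hash recomputed by someone without the signing key
        prev = entry["hash"]
    return True, None

def build_demo_log() -> list:
    """Constructed sample: three decisions a regulator might later ask about."""
    log: list = []
    append_decision(log, "d-001", {"autonomy": "high", "data": "PII"}, "policy-v3", "blocked")
    append_decision(log, "d-002", {"autonomy": "low", "data": "public"}, "policy-v3", "approved")
    append_decision(log, "d-003", {"autonomy": "high", "data": "PHI"}, "policy-v4", "escalated")
    return log
```

Retrieving `d-002` six months later means returning its entry together with `verify_chain` passing over the whole log; a vendor demo that cannot show the second half is the "append-only claim without a verifiable scheme" the paragraph warns about.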
Sector specificity
Are pre-built control libraries shipped for your industry on day one, or do you have to assemble the mapping from raw frameworks yourself? Evidence to ask for: a working install of the sector pack for your vertical (financial services, healthcare, insurance, public sector, technology) with controls visible in the UI and policy templates pre-populated. A statement that frameworks are "supported" without an installable pack is closer to a roadmap promise than a shipped artifact.
Comparative posture
Does the platform tell you where you sit relative to your industry cohort on each control area, or only your absolute score? Evidence to ask for: a dashboard view that shows your standing against a peer group, with the cohort definition (size, sector, geography) visible. An absolute score without comparative context tells you a number, not whether you are behind.
Closure workflow
Does the platform cover detection, remediation, and auditor-ready evidence in one workflow, or stop at detection and hand the rest to your team? Evidence to ask for: a finding routed from detection through assignment, remediation action, evidence capture, and auditor sign-off, all inside the platform. A list of detected issues without a workflow to close them out is half the product.
Shadow discovery
Does the platform actively find AI agents and tools your team is using without registration, or only govern what you manually enroll? Evidence to ask for: a discovery feed populated from real signals (browser activity, code commits, identity provider events, procurement records) showing untracked AI use surfaced in the UI. A registration form for known agents is the floor, not the ceiling.
Actuarial defensibility
Can the platform's risk score be defended to a CISO or auditor with named inputs, transparent weights, and a loss range, or is it an opaque composite? Evidence to ask for: a system risk score broken down into the inputs that drove it (autonomy, data sensitivity, drift signals, control attestations) with the weight applied to each. A single number without input attribution is a vibe, not a model.
Independence
Does the vendor own the substrate, the regulatory corpus, the evaluation harness, the control libraries, and the policy templates, or does it pull these from a partner whose roadmap it does not control? Evidence to ask for: a clear statement of which platform layers are first-party. Substrate dependencies become risk: a corpus partner that misses a regulation, an evaluator that blocks a release, a content vendor whose pricing changes, each shows up as a gap in your governance.
External agent coverage
Can the platform govern agents your team uses but did not build and cannot instrument: vendor SaaS copilots, Microsoft Copilot deployments, Salesforce Einstein, browser-based assistants? Evidence to ask for: a working demo of structured probe tests sent against a third-party agent endpoint (HTTP API, chat UI, or Slack bot), with findings that carry regulatory citations and the same signed evidence format as findings from instrumented agents. A platform that only governs agents you built leaves the majority of enterprise AI use ungoverned.