Status: Stable

The Gemara Model describes six categorical layers of GRC (Governance, Risk, Compliance) activities, representing how those activities are organized and how they interact with one another.

The Six Layers

Gemara organizes compliance activities into six categorical layers, each building upon the previous:

Layer   Name           Description
6       Audit          Quality & Efficacy Review of all GRC Outputs
5       Enforcement    Remediation or Deployment Prevention
4       Evaluation     Inspection of Sensitive Activity Results
-       (Sensitive Activities, e.g. Infrastructure & Application Development, take place between the Policy and Evaluation layers)
3       Policy         Organizational-specific; Risk-informed
2       Objectives     Technology-specific; Threat-informed
1       Guidance       High-level Goals, Regulations, or Best Practices

Layers are numbered from the bottom up: Guidance (1) is the foundation, and each higher layer builds on the one below it. The unnumbered "Sensitive Activities" row is not a layer itself; it marks the point at which the activities governed by layers 1-3 are carried out and then inspected by layers 4-6.

Model Stability

This model is intentionally stable. Changes are rare and require significant community discussion, as the model reflects fundamental organizational patterns in GRC activities.

Why Stability Matters:

  • Provides a consistent foundation for all Gemara work
  • Allows the Lexicon and Implementation to evolve independently
  • Ensures long-term compatibility

Relationship to Other Components

The Lexicon

Provides definitions for terms used within each layer. The Model describes structure; the Lexicon provides shared vocabulary.

The Implementation

Provides schemas and SDKs based on the Model. The Model describes conceptual layers; the Implementation provides machine-readable formats and APIs.