ServiceNow Integrated Risk Management bundles eight modules behind three SKU lines. Knowing which line you actually need is the difference between a 400K USD bill and a 1.2M USD bill.
ServiceNow Integrated Risk Management (IRM, formerly GRC) is licensed in three SKU tiers with several add on products that sit outside the tiers. The right buyer side question is not which tier to buy. It is which modules to use and which persona to license each user under.
Most IRM estates we audit are over licensed in two ways. Practitioners are licensed at fulfiller rates when business stakeholder rates would cover the use case. Tiers are bought higher than required because one specific module sits in the higher tier when a different combination of add ons would cost less.
ServiceNow's 2026 IRM price book moved the third party risk add on to a separate workflow with its own per user pricing. Customers who priced IRM in 2023 with bundled Third Party Risk now face a separate renewal line. Knowing where the line moved is the first lever in the renewal conversation.
ServiceNow's risk and compliance product was Governance Risk and Compliance (GRC) until 2023. The product was rebranded as Integrated Risk Management (IRM) and most modules were rebranded with it. Some legacy orders still reference GRC.
The IRM product family covers eight modules. Each module is either inside one of the three core tiers or sold as a separate add on. The buyer side audit is to map current use to module, then map module to tier.
IRM core licensing comes in three tiers. Each tier unlocks a different module set. The pricing per fulfiller equivalent moves up with the tier.

| Module | Standard | Professional | Enterprise |
|---|---|---|---|
| Policy and Compliance Management | Yes | Yes | Yes |
| Risk Management | No | Yes | Yes |
| Audit Management | No | Yes | Yes |
| Business Continuity Management | No | No | Yes |
| Operational Resilience Management | No | No | Yes |
| Privacy Management | Add on | Add on | Add on |
| Third Party Risk Management | Add on | Add on | Add on |
| Continuous Authorization to Operate | No | No | Add on |

ServiceNow IRM uses the standard ServiceNow license families. The buyer side question is which family fits which role inside the GRC organization.
The license audit for IRM follows the same pattern as the broader ServiceNow audit. Pull the active user table, join it to role assignments, identify users carrying IRM roles, and compare paper licensing to actual usage. Then move users to the right family.
The most common GRC over license is control owners and executive reviewers carried at fulfiller licensing because they were provisioned during initial rollout. Both populations usually fit business stakeholder licensing at a fraction of the cost.
Third Party Risk Management (TPRM) is licensed separately from the IRM core tiers. The pricing model for TPRM in 2026 has two meters: internal user seats and supplier records under management.
A 500 supplier estate with 10 internal TPRM users carries the same internal seat cost as a 5,000 supplier estate. The supplier record meter is what scales the bill. Active supplier hygiene (offboarding inactive suppliers, deduplicating records) is a real cost lever.
The levers below are the ones that move the IRM bill on a typical renewal.
Worked example: a financial services customer has 80 GRC users on IRM Enterprise, Third Party Risk Management with 2,400 supplier records, and the Privacy Management add on. The starting renewal quote is 1.18M USD per year.

| Lever | Annual saving |
|---|---|
| Drop from Enterprise to Professional (BCM unused) | 168K USD |
| Move 32 control owners and executives to business stakeholder | 148K USD |
| Offboard 600 inactive suppliers in TPRM | 96K USD |
| Multi add on discount on Privacy plus TPRM | 54K USD |
| Total | 466K USD per year |

The six step sequence below is the buyer side workflow on a typical IRM renewal.
ServiceNow rebranded GRC as Integrated Risk Management in 2023. The product family is the same. The naming changed, some bundling moved, and the price book reorganized. Vendor Risk Management was renamed Third Party Risk Management and moved outside the core tier.
No. Audit Management is in IRM Professional and above. Many customers buy Enterprise because they assume Audit Management requires it. Professional is the right tier if Business Continuity Management and Operational Resilience Management are not actively used.
TPRM has a dual meter in 2026. Internal user seats are priced per fulfiller. Supplier records under management are priced per active supplier record in the tenant. Both meters bill independently. Supplier hygiene before renewal is a real cost lever.
Yes in most cases. Executive reviewers who only read dashboards, approve, and sign off reports fit the business stakeholder license family. Moving executives from fulfiller to business stakeholder typically saves 60 to 75 percent on those users.
Primarily yes. CATO is the federal control inheritance and ATO packaging workflow. It is sold as an add on to IRM Enterprise. Commercial customers occasionally license CATO for ISO 27001 or SOC 2 program automation, but most do not.
Yes. IRM and SecOps share the Now Platform data model and several common tables. Customers running both modules often benefit from joint licensing conversations and joint module enablement. The savings sit in shared role provisioning, not in shared pricing.
Adding IRM to an existing ServiceNow estate co terms IRM back to the master subscription renewal date. The first year is a short year priced pro rata. The uplift kicks in at the master anniversary alongside the rest of the estate.
Not by default. Standard ServiceNow paper does not permit mid term reductions. A 10 percent annual reduction right has to be negotiated into the LOI before signature. With the right in place, module drops can be applied at the renewal anniversary.
The most common IRM over license is buying Enterprise for one module that sits in Enterprise when the rest of the estate fits Professional. Tier right sizing alone funds the next year of GRC tooling.