AI Powered

One GRC system
Everyone plays their part

Govern strategy and policies, manage the full risk lifecycle, and prove compliance in one connected system, specialist depth for the GRC team, simple participation for everyone else.

AI drafts and recommends. Your team reviews and decides.

See how HAKTIV worksBuilt for Saudi · Hosted in the Kingdom
Saudi Made
Arabic and English
Saudi Data Residency
For GRC & Stakeholders
Supported by programs including
NTDP MVP Lab
Misk — Mohammed Bin Salman Foundation
Taqadam Startup Accelerator
Google for Startups
AWS Activate
The problem

GRC is owned by one teamThe work depends on everyone else

Policies need authors, reviewers, approvers, and acknowledgments. Risk assessments need input, ownership, and treatment. Controls need evidence and action. Yet much of this work is still coordinated through documents, email, and manual follow-up.

Governance is fragmented

Strategy, policies, approvals, and acknowledgments live across presentations, documents, email, and spreadsheets.

Policy v2.docx
Shared over email
Email
Approvals.xlsx
Tracked in a spreadsheet
Manual
Risk is disconnected from action

Assessments depend on input from asset and risk owners, while treatments, responsibilities, and evidence are tracked elsewhere.

MFA enforcement gap
High residual risk
Owner: IT
Treatment plan
Tracked offline
Offline
Compliance becomes repetitive

Evidence sits across IT, HR, Finance, and operations, and overlapping requirements cause teams to collect the same work repeatedly.

access-logs-Q4.pdf
Requested for NCA ECC
×3
access-logs-Q4.pdf
Requested again for SAMA
Re-collect
The model

One system, two experiences

Specialist depth for the GRC team. Simple participation for everyone else, every request, response, and decision returns to one auditable workflow.

Org View- GRC team
Controls / Evidence collection
NCA ECC - 2.2.3.4
Privileged Access Management
Assign to
Khalid Alqahtani
Due date
31 December 2025
Assign evidence task →
Employee View- IT
No tasks yet
New assignments will appear here.
One system, three disciplines

Govern the organization, Manage risk, Prove compliance

HAKTIV connects strategy, policies, risks, controls, actions, and evidence in one operating model.

Access Control Policy.docx
SANK
co-editing
BIUHeading 2self-hosted editing
NKAlign 3.2 with the ECC 2-2-3 wording before review.
v3.0v3.1 · publishedv3.2 · in approval
142 of 153 acknowledged v3.193%

Governance, from strategy to acknowledgment.

Plan initiatives, owners, milestones, and actions.

Author and co-edit policies, manage versions, and publish approved documents.

Connect acknowledgments to the exact version received.

See it in a demo
AI Agents

Agents that do the heavy GRC work

HAKTIV's agents review policies, scan evidence for accuracy, and assemble risk questionnaires and assessment reports.AI drafts and recommends, your team reviews and decides.

Policy review

The agent reviews policies against your in-scope frameworks, drafts revisions, and flags missing clauses.

Draft reviewed
3 gaps flagged for owner
Evidence accuracy scanning

It scans uploaded evidence, and scores how well it holds up.

98% accurate
access-logs-Q4.pdf scanned
Risk questionnaires

The agent generates tailored risk questionnaires and routes them to the right asset and risk owners.

12-question set
generated for 4 owners
Assessment reports

It compiles findings, evidence, and residual risk into audit-ready assessment reports in minutes.

Report ready
NCA ECC · export to PDF
Built for Saudi

Start with the frameworks that matter in Saudi Arabia

HAKTIV includes pre-mapped Saudi regulatory frameworks and international standards. Activate what applies to your organization, then reuse work across overlapping requirements.

Explore the frameworks we support
NCA — National Cybersecurity Authority
NCA frameworks
ECC, DCC, CSCC, OSMACC, TCC

Critical national infrastructure, government, and semi-government entities within NCA scope.

Pre-mapped · ready
SAMA — Saudi Central Bank
SAMA frameworks
CSF, CRFR, Business Continuity

SAMA-supervised financial institutions: banks, insurance, finance companies, and fintech.

Pre-mapped · ready
SDAIA — Saudi Data & AI Authority
SDAIA frameworks
NDMO, PDPL

Organizations processing personal data in the Kingdom, under SDAIA and PDPL scope.

Pre-mapped · ready
ISO/IEC 27001
International standards
ISO 27001

Information security management systems and card payment processing entities worldwide.

Pre-mapped · ready
Security and data

Your data stays in the Kingdom

For cloud deployments, customer and compliance data is hosted in the Google Cloud Dammam region, with no processing or transfer outside Saudi Arabia.

SaaS
Dedicated tenant
On-premises
See security and data details
Saudi data residency
Google Cloud · Dammam region
Hosted, stored, processed in-Kingdom
Encrypted in transit and at rest
Tenant isolation enforced
Dammam, KSA

Who it is for

Public sector
Government and semi-government

Manage policies, risk, NCA controls, evidence, and remediation in one workflow, with deployment options suited to public-sector requirements.

NCA ECCNCA OSMACCGov-cloud ready
Book a demo
Financial
Banking and fintech

Connect SAMA, PCI DSS, and ISO 27001 requirements to shared controls while managing policy, risk, and evidence across the organization.

SAMA CSFPCI DSSISO 27001
Book a demo
Enterprise groups
Holding groups

Give each subsidiary an isolated GRC portal, with authorized root-account access across parent and child organizations.

Group portalsRoot accessPer-subsidiary scope
Book a demo

See how HAKTIV connects your GRC program

Book a 30-minutes demo tailored to your organization.

Two experiences
Governance
Risk
Compliance
Agentic
Request a demo