heygrc is a layer, not a replacement.
The most common question about a tool like heygrc is what it replaces. The honest answer is nothing. It sits alongside the audit, your code-quality scanners, and your GRC platform, and covers the gap between them: reading each change against your frameworks and citing the control, at the pull request.
heygrc and the annual audit
The annual audit
An assessment over a point in time or a window, ending in an opinion. It is thorough, and it is a lagging indicator: it tells you what was true across a period that has already passed, often finding a gap months after the change that caused it shipped.
How heygrc differs
heygrc is built to read every pull request as it happens and name the control a change touches, at the diff. The aim is a leading indicator on the same obligations the audit measures, moving while you can still change the decision cheaply.
Use them together. The audit still happens. heygrc is built to reduce what it has to find, by catching control-relevant changes in review instead of letting them accumulate into exceptions.
heygrc and a code-quality scanner
A code-quality scanner
A linter or static analysis tool reasons about the code itself: bugs, injection, unsafe patterns, known-vulnerable signatures. Its rules are universal, the same in every repository, which is its strength and the reason it is framework-blind.
How heygrc differs
heygrc reasons about your specific obligations: which framework control a change touches, cited by clause. A change can be flawless code that no scanner objects to and still break GDPR Art. 5(1)(e) or weaken SOC 2 CC6.1, because the problem is a property of the framework, not the code.
Use them together. Keep your scanners. heygrc is the framework-aware layer above them, covering a category of risk that code-quality analysis cannot see.
heygrc and a GRC platform
A GRC platform
A governance, risk, and compliance platform maps controls to evidence and policies at the organization level: it tracks tasks, collects evidence, manages questionnaires, and coordinates the audit. It operates around the system.
How heygrc differs
heygrc operates inside the pull request, mapping a control to the specific code change that touches it. The gap a GRC platform cannot see is the diff that quietly moves a control's state in production between evidence collections.
Use them together. A GRC platform manages the program. heygrc is built to watch the code changes the program's controls depend on, helping the evidence stay aligned with what the code actually does.
heygrc and your code-review bot
If you already run an AI code reviewer, heygrc sits alongside it: the bot checks whether the code is good, heygrc checks whether the change is compliant. They look for different kinds of risk on the same pull request.
What heygrc does not do
heygrc does not replace your auditor, your static analysis, or your GRC platform, and it does not certify you. It reviews pull requests against the frameworks your company selected and cites the specific control a change touches, so the decision happens in code review. That is the whole job. heygrc is in early access.