Access (who can do what), Change (how changes are requested, approved, and deployed), Operations (backups, jobs, monitoring), and Reporting (data accuracy and completeness). If you can evidence those four, you’ve covered 80% of ITGC risk.