Hi,
I am clear with you you mean by "few exceptions", Are you looking at an option to restrict what roles go to GRC for approval ?
There are lot of things to be dobe in GRC. Web Service would need to be activated, BC Sets for Access Requests and its corresponding Workflows need to be configured. Also, Global Provisioning Config needs to be maintained.