Cybersecurity Risk Management, Strategy and Governance
12 Months Ended
Mar. 31, 2026
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Item 1C. Cybersecurity

Risk Management and Strategy

We maintain a comprehensive cybersecurity risk management program (“CRMP”) designed to protect the confidentiality, integrity, and availability of our critical systems and information. The CRMP includes enterprise‑level procedures for Graham Corporation and tailored procedures for each of our business units. It also incorporates formal incident response plans (“IRPs”) for Graham Manufacturing, BN, and P3.

The IRPs establish a structured, systematic process for identifying, escalating, responding to, and documenting information security incidents affecting our systems, networks, or data—including data managed by third‑party vendors or service providers.

Our CRMP is integrated into our broader enterprise risk management framework. Oversight of the IRPs for Graham Corporation and its subsidiaries is assigned to our Chief Information Officer (“CIO”), who has more than 25 years of cybersecurity experience and holds a Certified Information Systems Security Professional ("CISSP") certification. Each business unit also maintains dedicated cybersecurity personnel responsible for implementing and managing local cybersecurity and data‑privacy programs.

The CIO and Business Unit IT Managers are responsible for:

Implementing IRPs specific to each business unit.
Identifying and managing an incident response team (“IRT”) responsible for cybersecurity risk assessments, security controls, and incident response activities.
Coordinating IRT operations, including escalation procedures, decision‑making protocols, and documentation of cybersecurity incidents.
Conducting post‑incident reviews to evaluate response effectiveness and address gaps in security controls.
Providing cybersecurity training and periodic exercises to enhance organizational preparedness.
Reviewing and updating the IRP when material changes in business practices may affect incident‑response procedures.

Our CRMP includes:

Risk assessments to identify material risks to systems, information, products, services, and the broader IT environment, including ransomware‑related risks.
Engagement of external service providers to assess, test, or support our security controls.
Cybersecurity awareness training for employees, incident‑response personnel, and senior management.
A formal cybersecurity incident response plan outlining procedures for responding to cybersecurity events.
A third‑party risk management process for service providers, suppliers, and vendors.

From time to time, we may engage assessors, consultants, auditors or other third parties in connection with our CRMP and IRP processes. We have established processes to identify and oversee cybersecurity risks associated with third‑party service providers. These include security reviews during vendor onboarding and ongoing, risk‑based monitoring.

We are currently integrating FlackTek into our CRMP and IRP processes, with completion expected during fiscal 2027.

As of March 31, 2026, we are not aware of any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, and financial condition. As with most organizations, we may experience cyber incidents in the future. Additional information regarding cybersecurity risks is included in Item 1A, Risk Factors.

Governance

Oversight of cybersecurity risk management has been delegated to the Audit Committee of the Board of Directors as part of its broader risk‑oversight responsibilities, as outlined in the Audit Committee Charter. The Audit Committee receives periodic reports from our CIO—at least annually—on cybersecurity risks and is updated as needed regarding any material cybersecurity incidents or incidents with lesser potential impact.

Our management team is responsible for assessing and managing material risks from cybersecurity threats. The CIO and Business Unit IT Managers regularly brief senior management on cybersecurity posture, risks, and incidents to ensure visibility at the highest levels of the organization. Management oversees the overall cybersecurity risk management program and supervises both internal cybersecurity personnel and external cybersecurity consultants.

Management’s oversight activities include efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents. These efforts may involve:

Briefings from internal security personnel.
Threat intelligence from governmental, public, and private sources.
Information from external cybersecurity consultants.
Alerts and reports generated by security tools deployed across our IT environment.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
Cybersecurity Risk Role of Management [Text Block]
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true