Drata Brings AI Agent Technology To Vendor Risk Management: Exclusive

Startup launches VRM Agent, the first in a line of planned AI agents to automate governance, risk and compliance tasks.

Risk and compliance startup Drata today debuted its AI Agent for Vendor Risk Management (VRM), the first of what’s expected to be a series of AI assistants that the company says will shift governance, risk and compliance (GRC) tasks from manual tools to autonomous, context-aware agents.

The San Diego-based company heralded the first public look at AI Agent for Vendor Risk Management as the first step in its broader vision of providing autonomous AI agents for continuous GRC operations running on the company’s AI-native Trust Management platform.

The VRM Agent will be used by GRC teams who are tasked with managing relationships and connections with outside vendors—sometimes numbering in the thousands—including IT companies and IT service providers.

[Related: The 10 Hottest Agentic AI Tools And Agents Of 2025 (So Far)]

“This is a new era of trust management, as we say, where trust is continuously maintained and proven,” said Adam Markowitz, Drata CEO and co-founder (pictured), in an exclusive interview with CRN.

Risk management tools are used by businesses and organizations to identify, assess and control threats—both external and internal—including cybersecurity threats, financial mismanagement or malfeasance, operational risks and long-term strategic risks. And managing potential risks posed by third parties, including suppliers and customers, is a significant part of that.

GRC teams are usually housed within organizations’ security operations and are under the management of chief information security officers (CISOs).

Drata, founded in 2020, develops a cloud-based GRC platform that offers risk management, policy compliance monitoring, user access reviews, and evidence collection for audits, security assurance and SLAs, among other capabilities.

The company has some 8,000 customers, Markowitz said, achieved 60 percent year-over-year global revenue growth in its last fiscal year and in February surpassed $100 million in annual recurring revenue.

The company’s SaaS platform is integrated with many hundreds of outside vendors, continuously monitoring those companies’ security controls and collecting evidence that they are meeting contractual requirements.

A key component of the platform is its connections with trust centers, externally facing websites and portals where IT vendors and other organizations publish their security, privacy and compliance information, including security posture (the SOC 2 framework, for example), policies (HIPAA), certifications and other information—all geared toward establishing trust with customers, partners and other entities. Trust center networks can include cloud platform companies, code repositories, identity security service providers and more.

(In February Drata acquired SafeBase, which developed trust center software used by more than 1,000 companies and organizations including OpenAI, Twilio, CrowdStrike, Hubspot, LinkedIn and T-Mobile.)

“Third- and fourth-party [vendor] risk is one of the leading causes for security breaches or incidents across their vendor landscape,” Markowitz said.

He added that the AI boom in particular and rapid adoption of outside AI services—including “shadow AI” usage—is a source of data leaks and data integrity and confidentiality risks. “CISOs and security teams are sitting there holding the bag of risk when it comes to assessing these vendors as quickly as possible so they can bring this [AI] technology in.”

The new VRM Agent, now in beta and expected to be generally available by year’s end, specifically addresses the vendor risk piece of the broader GRC picture. It is used to evaluate and manage vendor relationships for a range of purposes including limiting cybersecurity risks and collecting information for internal audit and service level agreement purposes, among others.

“Having agents takes this to a whole new level,” Markowitz said, noting the agent’s ability to autonomously establish monitoring criteria for specific vendors—and even for vendors’ vendors—and continuously monitor them in real time. “It just wouldn’t be possible with a human being,” he said.

VRM Agent can accelerate vendor risk reviews and provide improved data scores for network trust frameworks, Markowitz said. The agent’s capabilities include automated criteria extraction and mapping, AI-powered document review and risk scoring, and dynamic report generation and follow-up orchestration, Drata said in the press release announcing the VRM Agent.

The company said that dedicated Trust and Compliance agents are currently in development and will follow VRM Agent in the future for the Drata platform.

Markowitz said Drata works with more than 1,000 partners including IT service providers, system integrators, audit service firms and more. About one-third of the company’s sales are sourced through partners and about 90 percent involve a partner in some way, the CEO said.

Some service partners use the Drata platform as part of their own vendor onboarding process while others offer it as a service for their customers. “It does open doors for partners to deliver broader advisory and managed services tied to GRC as a whole,” he said.