April 27, 2026 — Draxis.ai today announced the TPRM Assessment Agent, a new AI vCISO persona purpose-built for third-party risk management. The agent classifies vendors into risk tiers, generates adaptive questionnaires scoped to vendor criticality and data sensitivity, analyzes responses for consistency, integrates external signals, and produces composite risk scores with specific remediation recommendations. Fifteen-minute intake for low-risk vendors; sixty-minute deep assessment for critical ones — never more than necessary, never less than defensible.
The TPRM Assessment Agent is the first vendor risk capability designed around the premise that most questions in a traditional SIG are irrelevant to most vendors, and the ones that matter change based on what the vendor actually does. Instead of sending a 400-question static spreadsheet to every vendor, the agent tailors each assessment to the vendor's tier, the data it handles, and the business criticality of the relationship.
The Problem: Questionnaire Fatigue on Both Sides
Traditional third-party risk management is broken in ways every security team recognizes:
- The same 400-question SIG is sent to every vendor, regardless of whether they process payment data or just send email notifications
- Vendors respond with cut-and-paste answers, producing checkbox compliance theater with little signal
- Companies spend 200 to 400 hours per critical vendor per year on assessment and reassessment cycles
- Results sit in a spreadsheet, disconnected from runtime risk, insurance coverage, or incident response plans
- AI and generative tooling vendors — a rapidly growing category — cannot be meaningfully assessed with frameworks designed for traditional SaaS
The TPRM Assessment Agent replaces this with tiered, scoped, signal-rich vendor risk intelligence — and integrates it directly into the Draxis Expert Panel System so vendor decisions can be debated with Privacy, CISO, and Financial experts in a single session.
How It Works
1. Automated Vendor Tier Classification
Every vendor is classified as Critical (T1), High (T2), Moderate (T3), or Low (T4) based on the data they handle, the scale of the relationship, whether they have production access, and their business criticality. The tier drives every downstream decision: questionnaire depth, evidence requirements, reassessment frequency, and whether human expert review is required.
2. Adaptive Questionnaire Generation
Only relevant questions are asked. T4 vendors get a fifteen-minute intake focused on basic security hygiene. T1 vendors get a sixty-minute deep assessment with conditional follow-ups based on each answer. Progressive disclosure expands questioning when an answer exposes risk and closes it early when it does not. The activation matrix maps questions to tiers and domains so no question is ever asked "because we ask everyone."
3. Six-Domain Assessment Including AI Governance
Every assessment spans six domains: Security, Compliance, Privacy, Operational, Reputational, and AI Governance — a new domain specifically for vendors providing AI-driven features, models, or agents. Each domain has its own risk taxonomy, evidence requirements, and scoring rubric. AI Governance covers training data provenance, model update cadence, hallucination handling, human oversight, prompt injection defenses, and output audit trails.
4. External Signal Integration and Composite Scoring
Self-attestation is supplemented with external signals: breach history, security ratings, certificate and DNS hygiene, regulatory actions, and news signals. The agent flags inconsistencies between what the vendor reports and what the signals show, requests evidence where it matters, and produces domain-scoped risk scores plus an overall risk rating. Recommendations are specific — Accept, Mitigate, Transfer, or Terminate — with concrete actions per finding.
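The tier-driven scoping in steps 1, 2 and 4 above, as an added example that is not Draxis.ai's code: a vendor record is classified into T1..T4, an activation matrix decides which questions that tier and vendor profile actually trigger, and the announced reassessment cadence yields the next due date. The classification rules, the question catalogue, the gate labels and the vendor records are assumptions constructed for this illustration.

```python
# Added illustration; the tiering rules, question catalogue and gates are assumptions, not Draxis.ai's.
import calendar
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Vendor:
    name: str
    data_classes: frozenset  # assumed labels such as "pii", "payment", "phi", "source_code"
    production_access: bool
    business_critical: bool
    ai_features: bool

SENSITIVE = {"payment", "phi", "source_code"}

def classify_tier(v: Vendor) -> str:
    """Assumed rule set: sensitive data plus production access or criticality is T1."""
    sensitive = bool(v.data_classes & SENSITIVE)
    if sensitive and (v.production_access or v.business_critical):
        return "T1"
    if sensitive or v.production_access or v.business_critical:
        return "T2"
    return "T3" if v.data_classes else "T4"

# Activation matrix: (question, tiers asked, gate). Gate "ai" needs AI features; any other gate names a required data class.
ACTIVATION = [
    ("SEC-01 MFA enforced for staff accounts", {"T1", "T2", "T3", "T4"}, None),
    ("SEC-07 Penetration test within the last 12 months", {"T1", "T2"}, None),
    ("PRI-03 Data processing agreement in place", {"T1", "T2", "T3"}, "pii"),
    ("COM-02 PCI DSS attestation of compliance", {"T1", "T2"}, "payment"),
    ("AIG-01 Training data provenance documented", {"T1", "T2", "T3"}, "ai"),
    ("AIG-04 Prompt injection defenses tested", {"T1", "T2"}, "ai"),
]

def question_applies(v: Vendor, tier: str, tiers: set, gate) -> bool:
    if tier not in tiers:
        return False
    if gate == "ai":
        return v.ai_features
    return gate is None or gate in v.data_classes

def scope_questions(v: Vendor, tier: str) -> list:
    # Only questions activated by tier and vendor profile; nothing "because we ask everyone".
    return [q for q, tiers, gate in ACTIVATION if question_applies(v, tier, tiers, gate)]

# Reassessment cadence stated in the announcement, in months per tier.
CADENCE_MONTHS = {"T1": 6, "T2": 12, "T3": 18, "T4": 24}

def next_reassessment(tier: str, last_assessed_iso: str) -> str:
    """Add the tier's cadence in whole months to an ISO date, clamping the day to the target month."""
    last = date.fromisoformat(last_assessed_iso)
    years, month0 = divmod(last.month - 1 + CADENCE_MONTHS[tier], 12)
    year, month = last.year + years, month0 + 1
    return date(year, month, min(last.day, calendar.monthrange(year, month)[1])).isoformat()
```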
Key Capabilities
- Four-tier vendor classification — T1 Critical, T2 High, T3 Moderate, T4 Low, driven by data, scale, access, and criticality
- Adaptive questionnaires — fifteen-minute T4 intake to sixty-minute T1 deep dive, with progressive disclosure and conditional follow-ups
- Six-domain risk framework — Security, Compliance, Privacy, Operational, Reputational, and AI Governance
- AI Governance domain — training data provenance, model updates, human oversight, prompt injection, and output auditability
- External signal integration — threat intel, breach databases, security ratings, certificate and DNS hygiene, regulatory actions
- AI-assisted response analysis — flags inconsistencies, requests evidence, and identifies answers that contradict external signals
- Composite risk scoring — per-domain scores plus an overall rating with specific findings and remediation paths
- Tier-based reassessment cadence — T1 every six months, T2 annually, T3 every eighteen months, T4 every two years
- Delta-mode reassessment — only re-assess areas that have changed, saving hundreds of hours per vendor cycle
- Portfolio analytics — vendor risk heat map, concentration risk, aggregate exposure by domain and tier
- Decision support — Accept, Mitigate, Transfer, or Terminate recommendations with concrete next steps
- Expert Panel integration — route T1 and T2 assessments into a panel with Privacy, CISO, and Financial experts for cross-functional judgment
- Workflow Engine integration — convert vendor assessment processes into repeatable, KRI-instrumented workflows
Why It Matters for vCISOs
For vCISO firms, TPRM is one of the highest-volume, lowest-margin client deliverables. The TPRM Assessment Agent inverts that equation: the agent handles T3 and T4 vendors almost entirely on its own, routing T1 and T2 assessments to the advisor for expert judgment with the data already gathered, analyzed, and summarized. Advisors stop doing questionnaire admin and start doing vendor risk strategy — and client portfolios that used to support one advisor per fifty vendors now support one advisor per five hundred.
Because the agent integrates with the Expert Panel System, vendor decisions that cross functional lines — "Can we onboard this AI coding assistant given our source-code exposure risk?" — can be debated by TPRM, Privacy, CISO, and AI Governance experts in a single session, with the resulting decision preserved as institutional knowledge for future evaluations.
"Vendor risk is not a questionnaire problem. It's a prioritization problem, a data problem, and a cross-functional judgment problem. The TPRM Assessment Agent treats it as all three — and stops pretending that sending every vendor the same spreadsheet produces risk intelligence." — Draxis.ai
Availability
The TPRM Assessment Agent is available today across all Draxis.ai platform tiers. Vendor portfolios, assessments, findings, and remediation tracking are included in the platform. The AI Governance domain is available to all tenants at launch, with an expanding library of AI-specific questions and external signals.
Retire the 400-question SIG
Tier your vendors, run your first adaptive assessment, and see the difference context-aware vendor risk makes.
About Draxis.ai
Draxis.ai is an AI-powered cyber risk intelligence platform that translates technical security data into executive decisions — personalized for every stakeholder. The platform connects security tool data to business outcomes through a five-layer risk model and uses an AI vCISO, extended by a growing library of specialist Skills, to deliver role-aware briefings to CFOs, CISOs, board members, and risk committees. Used by companies managing their own risk posture and by vCISO advisory firms scaling across multiple clients, Draxis.ai provides multi-tenant isolation, financial risk quantification, and full traceability from security tools to business impact.
Media contact: press@draxis.ai