Drata Brings AI Agent Technology To Vendor Risk Management: Exclusive

Drata unveils its AI Agent for Vendor Risk Management, automating GRC tasks and enhancing continuous trust management.

August 6, 2025
5 min read
Rick Whiting

Drata Launches AI-Powered Vendor Risk Management Agent to Revolutionize GRC Automation

Risk and compliance startup Drata has introduced its AI Agent for Vendor Risk Management (VRM), marking the first in a series of AI assistants designed to transform governance, risk, and compliance (GRC) from manual processes into autonomous, context-aware operations. Based in San Diego, Drata revealed its AI Agent for Vendor Risk Management as part of a broader vision to provide continuous, autonomous GRC operations via its AI-native Trust Management platform. The VRM Agent is tailored for GRC teams responsible for managing thousands of external vendor relationships, including IT companies and service providers.

“This is a new era of trust management, as we say, where trust is continuously maintained and proven,” said Adam Markowitz, Drata CEO and co-founder, in an exclusive interview with CRN.

Risk management tools help organizations identify, assess, and control threats—ranging from cybersecurity risks to financial and operational dangers. Managing risks posed by third-party vendors is a critical component of this process. Typically, GRC teams operate within security departments under the leadership of chief information security officers (CISOs).

Founded in 2020, Drata offers a cloud-based GRC platform that supports risk management, policy compliance monitoring, user access reviews, and evidence collection for audits, security assurance, and service level agreements (SLAs). The company serves approximately 8,000 customers and recently surpassed $100 million in annual recurring revenue, achieving 60% year-over-year global revenue growth in its last fiscal year. Drata’s SaaS platform integrates with hundreds of external vendors, continuously monitoring their security controls and gathering evidence to confirm contractual compliance.

A key feature of the platform is its integration with trust centers—external portals where IT vendors share security, privacy, and compliance information such as SOC 2 reports, HIPAA policies, certifications, and other trust-building data. These trust center networks include cloud providers, code repositories, and identity security services. In February 2025, Drata acquired SafeBase, a trust center software company used by over 1,000 organizations including OpenAI, Twilio, CrowdStrike, Hubspot, LinkedIn, and T-Mobile.

“Third- and fourth-party vendor risk is one of the leading causes for security breaches or incidents across their vendor landscape,” Markowitz explained. He also highlighted the risks introduced by the rapid adoption of AI services, including “shadow AI” usage, which can lead to data leaks and compromise data integrity and confidentiality. CISOs and security teams face mounting pressure to assess these vendors quickly to safely incorporate AI technologies.

The VRM Agent, currently in beta and expected to be generally available by the end of 2025, focuses specifically on vendor risk management. It helps evaluate and manage vendor relationships to reduce cybersecurity risks and gather information for internal audits and SLAs. “Having agents takes this to a whole new level,” Markowitz said, emphasizing the agent’s ability to autonomously set monitoring criteria for vendors and even their subcontractors, continuously tracking them in real-time—capabilities impossible for human teams to replicate.

The VRM Agent accelerates vendor risk reviews and improves data scoring for network trust frameworks. Its features include automated criteria extraction and mapping, AI-powered document review and risk scoring, dynamic report generation, and follow-up orchestration. Drata is also developing dedicated Trust and Compliance agents to expand its AI-driven GRC platform.

The company collaborates with over 1,000 partners, including IT service providers, system integrators, and audit firms. Approximately one-third of Drata’s sales come through partners, and about 90% of deals involve partner participation. Some partners incorporate Drata’s platform into their vendor onboarding processes, while others offer it as a managed service to customers, enabling broader advisory and managed GRC services.

Frequently Asked Questions (FAQ)

What is Drata's AI Agent for Vendor Risk Management (VRM)?
Drata's AI Agent for VRM is the first in a series of AI assistants designed to automate and enhance governance, risk, and compliance (GRC) processes, specifically focusing on managing risks associated with third-party vendors.

How does the VRM Agent help organizations?
The VRM Agent assists GRC teams in evaluating and managing thousands of external vendor relationships, reducing cybersecurity risks, and streamlining the process of gathering information for internal audits and service level agreements (SLAs). It automates tasks like setting monitoring criteria, continuous tracking, and document review.

What is the primary goal of Drata's AI-native Trust Management platform?
The platform aims to provide continuous, autonomous GRC operations, moving away from manual processes to more efficient, context-aware operations.

What kind of data do vendors share through trust centers that Drata integrates with?
Vendors share security, privacy, and compliance information such as SOC 2 reports, HIPAA policies, certifications, and other trust-building data.

What are the key features of the VRM Agent?
Key features include automated criteria extraction and mapping, AI-powered document review and risk scoring, dynamic report generation, and follow-up orchestration. It can also autonomously set monitoring criteria for vendors and their subcontractors.

When is the VRM Agent expected to be generally available?
The VRM Agent is currently in beta and is expected to be generally available by the end of 2025.

How does Drata collaborate with partners?
Drata collaborates with over 1,000 partners, including IT service providers, system integrators, and audit firms. A significant portion of their sales is driven through these partnerships, with some partners integrating Drata's platform into their offerings.

What risks are associated with the rapid adoption of AI services that Markowitz highlighted?
Markowitz highlighted risks such as "shadow AI" usage, data leaks, and compromised data integrity and confidentiality, emphasizing the need for quick vendor assessments to safely adopt AI technologies.

Crypto Market AI's Take

Drata's launch of an AI Agent for Vendor Risk Management signifies a critical advancement in how businesses approach third-party risk in the increasingly interconnected digital landscape. This move aligns with the broader trend of AI-driven automation in critical business functions, a trend we closely follow at Crypto Market AI. As organizations integrate more AI services, the complexity of managing vendor risk, including the nascent risks associated with AI vendors themselves, grows exponentially. Drata's solution addresses this by providing continuous, autonomous monitoring, a capability that is becoming essential for maintaining robust security and compliance postures. This innovation is particularly relevant in the financial and tech sectors, where vendor relationships are numerous and the impact of a breach can be catastrophic. For businesses looking to understand the evolving landscape of AI in enterprise solutions, our insights into AI agents and their growing role can provide further context. Additionally, understanding the security implications of these advancements is paramount, as highlighted in our coverage of AI-powered crypto scams and the need for enhanced cybersecurity measures.

Originally published at CRN on August 5, 2025.