The Agentic Bank

Vendor Due Diligence Agent

⬡ Vet: Runs third-party due diligence and risk assessment end-to-end.
◆ Supervised Orchestrator

Collects and reads the security questionnaires, financials and certifications of a prospective vendor, screens the entity for sanctions and adverse media, and assembles a risk-rated diligence file with evidence and rationale. High-risk ratings gate on the third-party-risk oversight agent, which re-derives the rating and approves before engagement.

Memory

Working: The vendor file being assembled and the outstanding checklist.
Episodic: Prior diligence on the same or related vendors.
Semantic: Third-party-risk framework, control requirements by service tier.
Procedural: Document-extraction playbooks per questionnaire and certification type.
Store: File-based memory tool + vendor risk registry

Orchestration

orchestrator-worker · MCP · A2A

Harness · Managed Agents … long-running session; structured note-taking persisted outside context across the diligence case.

Tools

  • Vendor risk management platform API
  • Document intake + OCR API
  • Adverse media + financial-health screening (A2A)
  • Vendor portal (Computer use)
  • Sanctions / entity screening (A2A)

Evals & guardrails

  • Four-eyes: high-risk vendor ratings require the third-party-risk oversight agent to re-derive and approve before engagement.
  • Completeness check against the third-party-risk control set before sign-off.
  • Agent-as-judge review of the risk-rating rationale.
  • Immutable audit log for regulatory third-party-risk exam.

Offline reflection

Learns which document/vendor combinations stall collection and updates its playbook to request the right artifacts up front.

Frontier edge

  • Agent-mesh negotiation: A2A handshakes with the vendor's own compliance agent to fetch SOC 2, certifications and questionnaire answers directly, replacing the weeks-long email chase.
  • Long-horizon autonomy: drives the multi-day diligence case as one checkpointed chain, persisting the outstanding-evidence checklist outside context until every artifact lands.
  • Confidential compute: vendor financials and security disclosures are reasoned over inside a secure enclave, so sensitive third-party data never sits in clear during the case.

A sample run

Trigger: A new cloud-infrastructure vendor enters the onboarding pipeline.
  1. Collect the security questionnaire, SOC 2, and financials via the vendor portal.
  2. Screen the entity for sanctions and adverse media (A2A).
  3. Assess controls against the third-party-risk framework; compute a risk rating.
  4. Assemble the diligence file with evidence and a rating rationale.
Output: A risk-rated diligence file with evidence and rationale; flags a concentration-risk concern to the third-party-risk oversight agent, which re-derives and approves before engagement.
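As an added illustration (not code from this page or from The Agentic Bank), the sample run's sign-off with the four-eyes and completeness guardrails above, plus a hash-chained audit log. The control names, findings fields, scoring weights and agent names are constructed assumptions.

```python
import hashlib
import json

# Constructed control set: artifacts a file must hold before sign-off (hypothetical tier).
CONTROL_SET = {"security_questionnaire", "soc2_report", "financials",
               "sanctions_screen", "adverse_media_screen"}

def risk_rating(findings):
    """Deterministic rating so Vet and the oversight agent can re-derive it independently."""
    score = (3 * bool(findings.get("sanctions_hit")) + 2 * bool(findings.get("adverse_media"))
             + 2 * bool(findings.get("concentration_risk")) + (findings.get("soc2_exceptions", 0) > 0))
    return "high" if score >= 3 else "medium" if score >= 1 else "low"

def _digest(entry):
    body = {k: entry[k] for k in ("actor", "event", "payload", "prev")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only, hash-chained entries: editing or dropping one breaks verify()."""
    def __init__(self):
        self.entries = []
    def append(self, actor, event, payload):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"actor": actor, "event": event, "payload": payload, "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
    def verify(self):
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev"] != prev or _digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

def sign_off(vendor, evidence, findings, log, oversight_rating=None):
    """Completeness gate, then four-eyes: a high rating needs a matching independent oversight rating."""
    missing = sorted(CONTROL_SET - set(evidence))
    if missing:
        log.append("vet", "blocked_incomplete", {"vendor": vendor, "missing": missing})
        return "blocked", missing
    rating = risk_rating(findings)
    log.append("vet", "rated", {"vendor": vendor, "rating": rating})
    if rating != "high":
        return "approved", rating
    if oversight_rating is None:
        log.append("vet", "escalated", {"vendor": vendor, "rating": rating})
        return "pending_oversight", rating
    outcome = "approved" if oversight_rating == rating else "disputed"
    log.append("oversight", outcome, {"vendor": vendor, "rating": oversight_rating})
    return outcome, rating
```

Note that the oversight agent's rating is passed in rather than computed here, so Vet cannot approve a high-risk file on its own.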

In numbers

Median diligence cycle: under 2 days
Auto-completed files: 68%

Handoffs

Across ⇢ Risk → Operational / Third-Party Risk for oversight
