The Agency

Meet The Agency.

Five lead agents. Twenty-seven specialists. One AI workforce running third-party risk end to end — from vendor onboarding through continuous monitoring to regulator-ready reporting.

Six rules the agents follow.

The Agency isn't a chatbot pile. The agents have boundaries — clear ownership of who does what, who talks to whom, and who composes the final outputs. These rules are how it stays coherent at thirty-two agents.

Rule 01
Only NOVA talks to your vendors.
Every other agent routes vendor-facing work through NOVA or the platform UI. Your vendors see one consistent face across the whole relationship.
Rule 02
Combined signal = ARIA + REX, joined.
ARIA reads the documents the vendor supplies. REX scans from the outside. Their findings are reconciled into one combined view — no other lead is in this loop.
Rule 03
Reporting belongs to VANCE.
TARA analyses regulatory compliance gaps. VANCE composes the reports. They're different jobs and we keep them in different agents.
Rule 04
Continuous monitoring belongs to REX.
Score-watching, breach detection and material-change alerts run from REX's Continuous Monitoring sub-agent. TARA's "continuous" remit is regulatory compliance assessment, not score-watching.
Rule 05
Onboarding belongs to NOVA.
Intake, vendor discovery and firmographic enrichment all sit inside NOVA — the vendor record gets fully populated by NOVA before any other lead acts on it.
Rule 06
Autonomy is set per customer.
Manual, Assisted, or Autonomous — three modes that govern how much agents can do without explicit human approval. You pick the mode that fits your risk appetite.
AI Vendor Relationship Manager
NOVA
Owns the vendor relationship, end to end.

NOVA runs the full vendor relationship — outreach, onboarding, questionnaire collection, follow-up, renewal, and offboarding. NOVA is the only agent that communicates with vendors directly, across email, WhatsApp and in-app chat. Every other agent routes vendor-facing work through NOVA. Persistent identity across the whole relationship: a vendor interacts with the same NOVA across months and years.

The team — 5 sub-agents
Intake Agent
Captures the vendor record at onboarding and fires the enrichment pipeline.
Vendor Discovery
Detects unmanaged or shadow vendors within your ecosystem.
Firmographics
Enriches vendor records with company data — financials, jurisdictions, ownership, employee count.
Vendor Chaser
Automated nudge sequences across email, WhatsApp and in-app chat.
Data Destruction Verification
Verifies vendor data destruction at offboarding and logs evidence to the audit trail.
Where NOVA fits
NOVA is the only inbound and outbound contact with the vendor. When REX detects a new breach or ARIA needs more evidence, the request goes through NOVA. The vendor sees one consistent face for the whole relationship.
Risk & Breach Intelligence Agent
REX
Watches every vendor from the outside.

REX runs continuous outside-in scanning, breach detection and external risk intelligence across 5M+ companies. Digital footprints, attack-surface mapping, dark-web correlation, fourth-party discovery, and broader business-risk signals (filings, sanctions, enforcement, negative news) — all without asking the vendor a single question.

The team — 6 sub-agents
Digital Footprint Scanner
Maps the vendor's external attack surface — domains, IPs, exposed services.
Outside-In Scanner
Continuous security posture scoring on the 0–900 risk scale.
Continuous Monitoring
Watches the time-series of vendor risk scores nightly. Detects material changes and new breaches.
BreachWatch
Breach monitoring and dark-web correlation against vendor identifiers.
Fourth-Party Discovery
Maps the vendors of the vendors — supply-chain depth your competitors miss.
Vendor Business Risk Analyst
Companies House filings, court records, regulatory enforcement, sanctions / PEP screening, negative news.
Where REX fits
REX is the external truth check. ARIA reads what the vendor says about themselves; REX verifies it against external reality. When the two disagree, the vendor's story usually changes.
Assessment & Risk Intelligence Agent
ARIA
Reads every document the vendor sends.

ARIA owns document and questionnaire intelligence — pre-population, analysis, validation, contract clauses, trust-centre ingestion, and the on-demand SnapShot. Everything the vendor uploads gets parsed against the 157 Universal Controls and stored per-control for fast retrieval. With seven sub-agents, ARIA is the largest team in The Agency.

The team — 7 sub-agents
Q Pre-Populator
Auto-fills questionnaire responses from existing evidence (SOC 2, ISO certs, prior questionnaires) — typically 70%+ of the questions.
Q Analyser
Scores and interprets completed vendor questionnaire responses against the Universal Controls.
Response Validator
Cross-checks vendor answers against external scan data and public-record evidence — surfaces contradictions.
Document Classifier
Categorises and routes uploaded vendor documents into the right control bucket.
Trust Centre Parser
Ingests vendor trust-portal data and maps it to the RX evidence framework.
Contract Analyser
Extracts and analyses risk-relevant clauses from vendor contracts — liability caps, exit terms, sub-processor lists.
SnapShot Agent
Generates an on-demand one-page vendor risk summary for board, sales or audit.
Where ARIA fits
ARIA is the inside-out signal. Every vendor-supplied piece of evidence — questionnaires, SOC 2s, contracts, trust pages — flows through ARIA and lands as structured posture against the Universal Controls. From there, REX corroborates and TARA assesses against regulatory frameworks.
Tiering, Assessment & Remediation Agent
TARA
Assesses compliance, tiers risk, drives remediation.

TARA owns continuous regulatory compliance assessment, smart vendor tiering, remediation orchestration and DORA gap analysis. Continuous in TARA's world means regulatory compliance assessment on an ongoing basis — checking vendor posture against frameworks (DORA, NIS2, ISO 27001, NIST, PCI DSS, ADHICS, APRA CPS 230, GDPR). Score-watching itself belongs to REX.

The team — 4 sub-agents
Smart Risk Tiering
Classifies vendors by inherent risk level — Critical / High / Medium / Low — at intake and on reassessment.
Treatment & SLA Agent
Assigns remediation actions, sets deadlines, tracks SLA compliance, escalates when missed.
Security Enhancement Agent
Recommends targeted security improvements prioritised by risk impact.
DORA Gap Analysis
Maps vendor posture against the five DORA pillars — risk management, incident reporting, resilience testing, third-party risk, threat intel sharing.
Where TARA fits
TARA is the regulatory and remediation engine. ARIA + REX produce the evidence; TARA turns it into tiered actions with deadlines. VANCE then composes the regulator-facing outputs from TARA's findings.
Vendor Analysis & Compliance Engine
VANCE
Composes the reports auditors and boards consume.

VANCE is the reporting and audit composition layer. Board-level outputs, audit-ready evidence, regulatory framework reports (DORA, NIS2, GDPR, FCA, ADHICS), portfolio-wide issue analysis, and contractual obligations enforcement at offboarding — all generated from live data, not from a report-writer's notes. VANCE never communicates with vendors directly.

The team — 5 sub-agents
Regulatory Reporting
Generates framework-aligned reports against DORA, NIS2, GDPR, FCA, ADHICS — formatted for the regulator, with linked evidence.
Audit Insights
Surfaces key findings and control gaps for internal audit and board consumption.
Compliance Tracking
Monitors ongoing regulatory obligations and certification renewal deadlines.
Issue Insights
Analyses patterns across open findings to identify systemic and portfolio-level risks.
Contractual Obligations
At offboarding, enforces contractual provisions and logs evidence to the audit trail.
Where VANCE fits
VANCE is the composition layer — it doesn't run scans, it doesn't parse documents, it doesn't talk to vendors. It reads the live intelligence the other leads produce and composes it into the outputs board members, auditors and regulators consume.

Three modes. One choice.

Autonomy is set per customer, not per agent or vendor. You pick how much The Agency does on its own — and you can change your mind as your team gets comfortable.

Manual
Your team runs everything

No agent involvement. The platform surfaces intelligence, but every action is initiated and executed by your team.

  • Use The Agency as a research and intelligence layer
  • Workflows, emails and decisions stay with humans
  • Useful for the first month while teams get oriented
Assisted
Agents draft, humans approve

Agents prepare every action — emails, scoring, remediation tasks — and queue them for human approval. Nothing leaves the platform without an explicit click.

  • Each NOVA email is reviewed before send
  • Each TARA remediation action is approved before assigning
  • Each VANCE report is reviewed before delivery
Autonomous
End-to-end execution

Agents execute approved workflows without per-action approval. Humans are notified, not blocking. Common operating mode after initial onboarding period.

  • NOVA chases vendors, follows up, escalates per playbook
  • TARA assigns remediation actions automatically by tier
  • VANCE produces scheduled reports without human assembly

The combined-signal moat.

Most platforms give you one signal — ratings or questionnaires. We're the only team architected so that ARIA's evidence reading and REX's external scanning are reconciled into a single posture. Two leads, one truth.

ARIA
Inside-out

Reads questionnaires, contracts, trust centres, certifications. Structures them against the 157 Universal Controls.

REX
Outside-in

Scans the vendor's external surface, breach signal, business risk, fourth-party exposure. Verifies what the vendor claims.

The outcome
Vendor claims, cross-checked against external reality. One score — earned, not asserted.

Meet the front of the fleet — NOVA.

Ask NOVA about any of the five lead agents, the work each does, or how they hand off between vendor onboarding, monitoring, and regulatory reporting. She's connected to the same intelligence the platform runs on.

See The Agency in action.

Pick one of your live vendors. We'll have NOVA, ARIA and REX produce a complete posture report inside 24 hours — no procurement, no commitment.