Professional tier · Legal / Compliance
ETHA-01
AI Risk & Security Analyst
“I draft security responses against your published policy. Every answer cites the control. Where your policy doesn't cover the question, I say so and route it to your security lead.”
Scope the role first. Deploy only after approval.
At a glance
- Tier: Professional · a small fraction of comparable mid-market salary
- Reports to: Your security lead or head of compliance
- Primary work: Security questionnaires, vendor-risk reviews, audit-evidence drafting
- Will not do: Invent controls, finalize audit submissions, override security-lead authority
- Success criterion: Time-to-respond on security questionnaires + audit-prep cycle time
About this role
ETHA drafts security questionnaire responses, runs vendor-risk reviews, and prepares audit evidence — grounded in your published security policy, with every claim citing the control that backs it.
Security questionnaires are the silent compliance tax that delays deals by weeks. ETHA drafts the responses against your published policy with control citations on every answer.
Areas of focus
- Drafts security questionnaire responses (SIG, CAIQ, custom) grounded in your published policy
- Runs vendor-risk reviews against your published criteria
- Prepares audit-evidence packages for SOC 2, ISO 27001, HIPAA on request
- Surfaces policy gaps where the published policy can't answer a question
- Logs every response with the control reference
“ETHA refuses to invent controls. Where your policy doesn't cover the question, the response says so and routes to your security lead. No questionnaire response goes out claiming a control that doesn't exist.”
“Every Friday ETHA ships a compliance-readiness digest: questions that flagged policy gaps, controls that got cited most, vendor-risk patterns. Audit-prep on the record.”
My stack
Tools I use
Background
- Where I come from: Security questionnaires and audit prep are the high-volume policy-translation work that breaks GRC teams. ETHA runs the translation loop with citation gates.
- How I think about the work:
  - Reads the published security policy and the last 90 days of questionnaire history
  - Routes against the four-tier constitution: autonomous on policy-grounded answers, review-required on gap-flagged responses, escalate on policy ambiguity, refuse on uncited or invented controls
  - Logs every response with the control reference
- How I've been tested: EvalOps suite covers control-citation accuracy and policy-gap detection.
- Where I'm running today: First-cohort deployments scheduled June 2026.
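The four-tier routing and the per-response control log described above can be expressed as a small citation gate. The block below is an added example written for this page; it is not ETHA's or the vendor's code. The policy catalog, the control IDs (AC-01, CR-02, IR-03), the `status` field used to model policy ambiguity, and the sample questionnaire drafts are all constructed for illustration.

```python
"""
Citation gate for drafted security-questionnaire responses.

Added example (not ETHA's or the vendor's code). Models the four-tier
routing from the page: autonomous on policy-grounded answers, review on
gap-flagged responses, escalate on policy ambiguity, refuse on uncited
or invented controls. Catalog, control IDs and drafts are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample policy catalog: control id -> (title, status).
# "status" is an assumed field: "published" controls may be cited
# autonomously; anything else is treated as policy ambiguity.
POLICY = {
    "AC-01": ("Access control policy reviewed annually", "published"),
    "CR-02": ("Customer data encrypted at rest with AES-256", "published"),
    "IR-03": ("Incident response plan tested yearly", "under-review"),
}

@dataclass
class Draft:
    question: str
    answer: str
    citations: list[str] = field(default_factory=list)
    gap_flagged: bool = False   # drafter found no policy coverage

@dataclass
class Decision:
    tier: str            # autonomous | review | escalate | refuse
    reason: str
    controls: list[str]  # control references written to the log

def gate(draft: Draft, policy: dict = POLICY) -> Decision:
    """Route a draft through the gate, checking the strictest rule first."""
    unknown = [c for c in draft.citations if c not in policy]
    if unknown:
        # Invented control: never let this response out.
        return Decision("refuse", f"cites controls not in policy: {unknown}", [])
    if not draft.citations and not draft.gap_flagged:
        # Asserts something about the program without backing it.
        return Decision("refuse", "answer asserts a control without citing one", [])
    if draft.gap_flagged:
        return Decision("review", "policy gap flagged; security lead must answer",
                        draft.citations)
    ambiguous = [c for c in draft.citations if policy[c][1] != "published"]
    if ambiguous:
        return Decision("escalate", f"cited controls not yet published: {ambiguous}",
                        draft.citations)
    return Decision("autonomous", "every claim cites a published control",
                    draft.citations)

def log_line(draft: Draft, decision: Decision) -> str:
    """One audit-log record per response, always carrying the control refs."""
    refs = ",".join(decision.controls) or "-"
    return (f"tier={decision.tier} controls={refs} "
            f"q={draft.question!r} reason={decision.reason}")

# Constructed sample questionnaire drafts covering each tier.
DRAFTS = [
    Draft("Is customer data encrypted at rest?", "Yes, AES-256 per CR-02.", ["CR-02"]),
    Draft("Do you test your IR plan?", "Yes, annually per IR-03.", ["IR-03"]),
    Draft("Do you run quarterly phishing simulations?",
          "No published control covers this.", [], gap_flagged=True),
    Draft("Is MFA enforced for all staff?", "Yes, per MFA-09.", ["MFA-09"]),
    Draft("Are backups tested?", "Yes, monthly.", []),
]

def run(drafts: list[Draft] = DRAFTS) -> list[str]:
    """Return the tier assigned to each draft, in order."""
    return [gate(d).tier for d in drafts]

if __name__ == "__main__":
    for d in DRAFTS:
        print(log_line(d, gate(d)))
```

The ordering matters: an invented control is refused before any other rule is consulted, so a draft that both flags a gap and cites a non-existent control still never leaves as a "review" item. Swap the constructed catalog for a real one exported from the policy store and the gate becomes a pre-send check on every drafted answer.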
What I won't take on
ETHA will not invent or claim controls that aren't in your published security policy.
ETHA will not finalize audit submissions; the security lead reviews and finalizes.
ETHA will not handle incident-response correspondence; that escalates to the security lead.
At the floor, not the average
When a question can't be answered from the policy, ETHA routes the question with the policy gap explicitly noted rather than approximating.
The first 30 days
Day 1
Provisioned. Security lead uploads policy and approves constitutional rules.
Week 1
First questionnaires drafted under security-lead review. Policy-gap surfacing active.
Month 1
Time-to-respond baseline established. Compliance-readiness digest shipped weekly.
What success looks like at 30 days
Time-to-respond on security questionnaires at the level your security lead defines, with every shipped response citing the policy that informed it.
What I'll need from you
GRC platform (Vanta, Drata) or doc storage with the policy. Slack for digests and gap routing.
Engagement
Professional tier · a small fraction of a security analyst / GRC manager salary
GRC analyst: $8.3–13.7K/mo fully loaded (Levels.fyi 2025). ETHA: a small fraction of the comparable salary.
ETHA-01 costs a small fraction of what a security analyst / GRC manager costs. We don’t price ETHA-01 against a salary; we price it against the recurring part of the role — drafts, briefs, monitors, summaries, the work that should already exist by the time your team arrives Monday morning. A full-time security analyst / GRC manager runs $8–14K/month fully loaded, and that money buys things ETHA-01 can’t replace: judgment in unfamiliar territory, accountability your customers can shake hands with, taste built from ten years of doing the work. ETHA-01 does the recurring part. Spend the rest on the part a fidelic agent can’t take on. Agency hiring speed, without the agency price. See the math on /pricing.
Terms
- Cancel any month with 30 days' notice
- Every response cites the policy that backs it; uncited questions route to the security lead
- Audit submission stays with the security lead
- EvalOps suite gates every release
- Incident-response is an explicit escalation path
What you actually get
How it works
You see exactly what the agent will do — day one, week one, month one — before you pay anything.
- First minutes
- A short voice call walks through what you need. You get three agent options. Connect Slack. Your agent is live in your team chat.
- Day 1
- The agent reads what you point it to — Slack channels, docs, customer notes. It asks you questions in DMs when it doesn't know something. No pretending.
- Week 1
- First real work shows up for you to review — a brief, a draft, a triage report. You sign off on what's good and flag what isn't. The agent adjusts.
- Month 1
- The role is up and running. Your agent knows when to loop you in. The one number you said you'd measure has its first reading.
Security model
How a fidelic agent runs
- Each customer deployment runs in an isolated Anthropic project.
- Agents only see the Slack channels and docs you give them access to.
- We log what the agent did, not what was said in your channels or files.
- Every agent has clear rules for what it can do on its own — and what needs you to sign off.
The line we don’t cross
What humans still own
Fidelic agents do not replace human judgment in unfamiliar, political, relational, or high-stakes situations. The agent handles the repeatable work around those decisions so the human can move faster.
- Final approval on strategic accounts.
- Budget, refunds, policy, legal, and hiring decisions.
- Customer relationships and any sensitive escalation.
- Any action above the agent’s written authority.
Pairs well with