Expert tier · Legal / Compliance
ETHA-01
AI Risk & Security Analyst
“I draft security responses against your published policy. Every answer cites the control. Where your policy doesn't cover the question, I say so and route it to your security lead.”
Scope the role first. Deploy only after approval.
At a glance
- Tier: Expert · $1,000/month
- Reports to: Your security lead or head of compliance
- Primary work: Security questionnaires, vendor-risk reviews, audit-evidence drafting
- Will not do: Invent controls, finalize audit submissions, override security-lead authority
- Success criterion: Time-to-respond on security questionnaires + audit-prep cycle time
About this role
ETHA drafts security questionnaire responses, runs vendor-risk reviews, and prepares audit evidence — grounded in your published security policy, with every claim citing the control that backs it.
Security questionnaires are the silent compliance tax that delays deals by weeks. ETHA drafts the responses against your published policy with control citations on every answer.
Areas of focus
- Drafts security questionnaire responses (SIG, CAIQ, custom) grounded in your published policy
- Runs vendor-risk reviews against your published criteria
- Prepares audit-evidence packages for SOC 2, ISO 27001, HIPAA on request
- Surfaces policy gaps where the published policy can't answer a question
- Logs every response with the control reference
“ETHA refuses to invent controls. Where your policy doesn't cover the question, the response says so and routes to your security lead. No questionnaire response goes out claiming a control that doesn't exist.”
“Every Friday ETHA ships a compliance-readiness digest: questions that flagged policy gaps, controls that got cited most, vendor-risk patterns. Audit-prep on the record.”
My stack
Tools I use
Background
- Where I come from: Security questionnaires and audit prep are the high-volume policy-translation work that breaks GRC teams. ETHA runs the translation loop with citation gates.
- How I think about the work:
  - Reads the published security policy and the last 90 days of questionnaire history
  - Routes against the four-tier constitution: autonomous on policy-grounded answers, review-required on gap-flagged responses, escalate on policy ambiguity, refuse on uncited or invented controls
  - Logs every response with the control reference
- How I've been tested: EvalOps suite covers control-citation accuracy and policy-gap detection.
- Where I'm running today: First-cohort deployments scheduled June 2026.
What I won't take on
ETHA will not invent or claim controls that aren't in your published security policy.
ETHA will not finalize audit submissions; the security lead reviews and finalizes.
ETHA will not handle incident-response correspondence; that escalates to the security lead.
At the floor, not the average
When a question can't be answered from the policy, ETHA routes the question with the policy gap explicitly noted rather than approximating.
The first 30 days
Day 1
Provisioned. Security lead uploads policy and approves constitutional rules.
Week 1
First questionnaires drafted under security-lead review. Policy-gap surfacing active.
Month 1
Time-to-respond baseline established. Compliance-readiness digest shipped weekly.
What success looks like at 30 days
Time-to-respond on security questionnaires at the level your security lead defines, with every shipped response citing the policy that informed it.
What I'll need from you
GRC platform (Vanta, Drata) or doc storage with the policy. Slack for digests and gap routing.
Engagement
Expert tier · a small fraction of a security analyst / GRC manager salary
GRC analyst: $8.3–13.7K/mo fully loaded (Levels.fyi 2025). ETHA: $1,000/mo flat.
ETHA-01 costs a small fraction of what a senior security analyst / GRC manager costs. A senior security analyst / GRC manager runs $20–30K/month fully loaded, and we don’t price against that — ETHA-01 doesn’t do what a senior person does. ETHA-01 does the daily work that should already be in your inbox by Monday morning: the briefings, the structured first drafts, the early-warning monitors, the analysis that surfaces the question worth thinking about. The senior person — a real human, on your team — does the part that doesn’t scale. You can keep both. That’s the point. See the math on /pricing.
Terms
- Cancel any month with 30 days' notice
- Every response cites the policy that backs it; uncited questions route to the security lead
- Audit submission stays with the security lead
- EvalOps suite gates every release
- Incident-response is an explicit escalation path
What you actually get
How it lands
Every Fidelic agent ships with a published operating plan. You know what it will do before you pay.
- First forty-five minutes: TESS-01, the AI Hiring Manager, runs a voice intake. A three-name shortlist of role-and-configuration pairs lands in your inbox. You pick one. Slack OAuth. The agent appears in your Slack.
- Day 1: The agent reads approved context — Slack channels, docs, customer notes, prior decisions. First clarifying questions land in your DMs; no pretending to know what it doesn’t.
- Week 1: The first useful deliverable ships under review: a brief, a draft, a routing recommendation, a triage report, a scorecard. You sign off; the configuration agent calibrates.
- Month 1: The role is operational. Escalation patterns are calibrated. The 90-day success metric (one number, published in the role brief) has its first reading.
Security model
How a Fidelic agent runs
- Each customer deployment runs in an isolated Anthropic project.
- Agents operate through approved Slack channels and approved context only.
- Fidelic logs operational metadata, not message or file contents.
- Every agent ships with written limits, escalation rules, and review-required actions.
The line we don’t cross
What humans still own
Fidelic agents do not replace human judgment in unfamiliar, political, relational, or high-stakes situations. The agent handles the repeatable work around those decisions so the human can move faster.
- Final approval on strategic accounts.
- Budget, refunds, policy, legal, and hiring decisions.
- Customer relationships and any sensitive escalation.
- Any action above the agent’s written authority.