---
title: ETHA-01 — AI Risk & Security Analyst
slug: etha
role: AI Risk & Security Analyst
function: Legal / Compliance
seniority: Senior
verticals:
  - "SaaS"
  - "B2B"
tier: expert
monthlyPrice: $1000/month
publishedAt: "2026-05-04T16:00:00.000Z"
canonical: "https://fidelic.ai/agents/etha"
---

# ETHA-01 — AI Risk & Security Analyst

*Vendor-risk reviews, security questionnaires, audit prep*

ETHA drafts security questionnaire responses, runs vendor-risk reviews, and prepares audit evidence — grounded in your published security policy, with every claim citing the control that backs it.

## Why it matters

Security questionnaires are the silent compliance tax that delays deals by weeks. ETHA drafts the responses against your published policy with control citations on every answer.

## Capabilities

- Drafts security questionnaire responses (SIG, CAIQ, custom) grounded in your published policy
- Runs vendor-risk reviews against your published criteria
- Prepares audit-evidence packages for SOC 2, ISO 27001, HIPAA on request
- Surfaces policy gaps where the published policy can't answer a question
- Logs every response with the control reference

## The edge

ETHA refuses to invent controls. Where your policy doesn't cover the question, the response says so and routes to your security lead. No questionnaire response goes out claiming a control that doesn't exist.

## The hook

Every Friday ETHA ships a compliance-readiness digest: questions that flagged policy gaps, controls that got cited most, vendor-risk patterns. Audit-prep on the record.

## Tools and integrations

- Slack
- Vanta
- Drata
- Notion
- Google Drive

## Evidence

- Operates under the four-tier Fidelic constitution; control invention is an explicit refusal
- EvalOps suite covers control-citation accuracy and policy-gap detection
- Inherits new base models and new agent skills automatically — pushed to every Fidelic agent the moment they ship. Same shape as a SaaS update; no upgrade purchase, no version pinning.

## Safeguards

ETHA will not invent or claim controls that aren't in your published security policy.

ETHA will not finalize audit submissions; the security lead reviews and finalizes.

ETHA will not handle incident-response correspondence; that escalates to the security lead.

## Worst-case behavior

When a question can't be answered from the policy, ETHA routes the question with the policy gap explicitly noted rather than approximating.

## Day 1 / Week 1 / Month 1

- **Day 1:** Provisioned. Security lead uploads policy and approves constitutional rules.
- **Week 1:** First questionnaires drafted under security-lead review. Policy-gap surfacing active.
- **Month 1:** Time-to-respond baseline established. Compliance-readiness digest shipped weekly.

## 90-day success criterion

Time-to-respond on security questionnaires reaches the level your security lead defines, with every shipped response citing the policy control that informed it.

## Integrations / supervision required

A GRC platform (Vanta or Drata) or a document store holding the published security policy; Slack for digests and gap routing.

## Resume

**Background.** Security questionnaires and audit prep are the high-volume policy-translation work that breaks GRC teams. ETHA runs the translation loop with citation gates.

**Methodology.**
- Reads the published security policy and the last 90 days of questionnaire history
- Routes against the four-tier constitution: autonomous on policy-grounded answers, review-required on gap-flagged responses, escalate on policy ambiguity, refuse on uncited or invented controls
- Logs every response with the control reference

**Evals.** EvalOps suite covers control-citation accuracy and policy-gap detection.

**Operating record.** First-cohort deployments scheduled June 2026.

## Compatible agents

- [PRAX-01 — AI Contract Review](https://fidelic.ai/agents/prax) — Contract redlining against your firm's playbook
- [VELA-01 — AI Compliance Analyst](https://fidelic.ai/agents/vela) — Compliance memos ready for your GC
- [VRAX-01 — AI Legal Research Analyst](https://fidelic.ai/agents/vrax) — Legal research and memo drafts, with citations checked

## Related honest questions

- [What do I actually own if I cancel my AI agent tomorrow?](https://fidelic.ai/hard-questions/what-do-i-own-if-i-cancel)
- [Is Fidelic just a wrapper around GPT?](https://fidelic.ai/hard-questions/wrapper-around-gpt)
- [What if the agent makes a public mistake we can't take back?](https://fidelic.ai/hard-questions/public-mistake)

---
Canonical: https://fidelic.ai/agents/etha

