Inspiration

Enterprise vendor risk management is broken. Companies manage hundreds of third-party vendors, but each assessment takes 4–6 weeks of manual questionnaire review, scattered across 20+ data sources. A single vendor breach costs $4.3M on average (IBM). With regulations like DORA, SEC cyber rules, and NIS2 tightening, compliance teams are overwhelmed — one analyst per 200+ vendors. We saw an opportunity to use agentic AI to compress weeks of work into minutes, while keeping humans accountable for high-stakes decisions.

What it does

VendorShield AI is a multi-agent platform that performs end-to-end vendor risk assessment in ~90 seconds. Submit a vendor name and it:

  • Research Agent scans news, web, and sanctions lists for breach history, lawsuits, and reputation signals (via Tavily + Claude)
  • Compliance Agent checks certifications (SOC2, ISO27001, HIPAA, PCI-DSS) and identifies regulatory gaps
  • Financial Agent evaluates credit risk, bankruptcy probability, and revenue stability using an analyst/reviewer pattern
  • Risk Scoring Agent aggregates all signals into a weighted 5-dimension score (Security 30%, Compliance 25%, Financial 20%, Operational 15%, ESG 10%)
  • Remediation Agent generates actionable task plans and an executive summary

Cases route through UiPath Maestro for orchestration — low-risk vendors auto-approve, high-risk cases escalate to human reviewers via Action Center.

How we built it

  • 5 independent microservice agents running on FastAPI (ports 8001–8005), orchestrated by a central API (port 8000)
  • Anthropic Claude powers reasoning for all agents (research, compliance, financial analysis, remediation)
  • Tavily provides real-time web search for the Research Agent's OSINT capabilities
  • UiPath Maestro Case Management handles case lifecycle, stage transitions, SLAs, and human-in-the-loop routing
  • UiPath API Workflows connect the platform to our external agent endpoints
  • SQLite for local case persistence, with the full pipeline testable via a single demo.py command
  • Built entirely using Cursor (UiPath for Coding Agents) for rapid development

Challenges we ran into

  • Agent coordination timing — getting 5 agents to run in parallel and merge results reliably required careful error handling and timeout management
  • Risk scoring calibration — tuning dimension weights and keyword signals so that known high-risk vendors (with breach history) actually score differently from clean vendors took extensive iteration
  • Real-time web data variability — Tavily search results change daily, so we had to build deterministic scoring logic on top of non-deterministic inputs
  • UiPath Maestro integration — wiring dynamic case routing (auto-approve vs. human review vs. escalation) based on confidence and risk thresholds required careful stage transition design

Accomplishments that we're proud of

  • 90-second full assessments — what used to take 6 weeks runs in under 2 minutes
  • 20/20 tests passing — comprehensive unit and smoke tests for the entire agent pipeline
  • Real OSINT — the Research Agent pulls live news and sanctions data, not mock responses
  • Production-grade scoring model — 5-dimension weighted scoring with confidence calculation and automatic routing logic
  • Single-command startupbash start.sh launches all 5 agents and the orchestrator

What we learned

  • Multi-agent architectures need clear contracts between services — we defined strict JSON schemas early and it saved us countless debugging hours
  • Claude excels at the analyst/reviewer pattern — having one prompt extract data and another validate it produces significantly more reliable outputs
  • UiPath Maestro's case management is genuinely powerful for dynamic workflows where you can't predict the path in advance
  • Coding agents (Cursor) dramatically accelerate development when you have a clear architecture — the plan-first, build-second approach worked perfectly

What's next for VendorShield AI

  • Continuous monitoring — scheduled daily scans that auto-reopen cases when new risk signals emerge (vendor breach, credit downgrade, lawsuit)
  • Document Understanding — upload SOC2 reports and ISO certificates for automated extraction and validation
  • CrewAI financial agent — replace the single-LLM financial agent with a multi-agent CrewAI crew for deeper analysis
  • UiPath Apps dashboard — real-time portfolio view showing all vendors by risk tier, SLA compliance, and agent activity
  • Batch assessment — trigger reassessment of all vendors affected by a new regulation (e.g., DORA compliance sweep)
  • Enterprise deployment — Docker Compose for production, with Maestro BPMN orchestrating the full vendor lifecycle across teams

Built With

  • uipath
Share this project:

Updates