The Problem with "AI-Powered" in GRC
Every vendor risk management platform now claims to be "AI-powered." In practice, that usually means one of three things: a language model summarizes a document you uploaded, an auto-fill feature populates questionnaire fields from previous responses, or a chatbot answers questions about your data with varying degrees of accuracy.
These features are useful. They're also shallow. They treat AI as a presentation layer that sits on top of the product and makes it feel modern. The underlying workflow doesn't change. You still click the same buttons, navigate the same screens, and make the same manual connections between data points.
When we built 3PRM's AI capabilities, we wanted something fundamentally different. Not a chatbot that summarizes what you can already see on the dashboard. An agent that can do the work of a junior GRC analyst: investigate vendor risk, triage security alerts, execute multi-step workflows, generate reports, and learn how your organization operates. With the discipline to always ask before acting.
We named it Tria.
What Tria Can Do
Tria is an AI agent embedded directly in the 3PRM platform. It has access to 30+ tools spanning your entire vendor risk program, and it can chain them together to complete complex workflows end-to-end. Here's what that looks like in practice.
Investigate and Analyze
Ask Tria about any vendor in your portfolio and get an instant risk briefing: security score, open findings, assessment status, document gaps, monitoring alerts, supply chain dependencies, and system connections. Tria pulls data from across the platform in parallel and synthesizes it into actionable findings, not raw data.
Key Findings:
Payment Processing vendor, Critical tier, Active status. Risk score 64 (Moderate) — dropped from 71 this month. 2 open findings: expired SOC 2 report (Medium severity), weak encryption at rest controls (High severity). External posture: SSL Grade A, Security Headers F, 2 known CVEs. Concentration risk: 4 other vendors share NovaPay's primary sub-processor.
Assessment: NovaPay is your highest-risk Critical-tier vendor. The encryption finding is the bigger concern — they handle cardholder data with controls that don't meet your PCI-DSS baseline. Recommend escalating both findings and requesting an updated SOC 2.
That investigation would take a junior analyst 30-45 minutes of clicking through dashboards, cross-referencing monitoring data, checking document expiry dates, and mapping supply chain relationships. Tria does it in seconds and presents a structured briefing with proposed next steps.
Triage Security Alerts
This is where Tria goes beyond simple Q&A. For every alert type — breaches, CVEs, SSL issues, rating changes, compliance violations — Tria follows a standardized investigation runbook. It doesn't just surface the alert. It investigates it.
When a monitoring alert fires, Tria will:
- Check for duplicate findings so you don't create redundant records
- Calibrate severity based on vendor criticality tier and data sensitivity, not just the raw signal
- Review the vendor's current assessment status and open findings for context
- Propose a complete response plan: create a finding, set severity, assign an owner, and define remediation timelines
The result is a single action card that contains the entire response plan. You review it, approve it, and Tria executes every step. No clicking through five different screens to connect an alert to a finding to a vendor to a remediation plan.
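As an added example (not 3PRM's code, which this post does not show), here is the shape of the triage runbook above as a function that produces an action card without writing anything: the duplicate check, severity calibration by vendor tier and data sensitivity, context from existing open findings, and a proposed finding with a remediation window. The one-step-per-factor calibration, the remediation SLAs, and the vendor and alert data are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Ordered severity scale; calibration moves one step per factor (assumed scheme).
SEVERITIES = ["Low", "Medium", "High", "Critical"]
REMEDIATION_DAYS = {"Critical": 7, "High": 30, "Medium": 60, "Low": 90}  # assumed SLAs

@dataclass
class Vendor:
    name: str
    tier: str              # "Critical", "High" or "Standard"
    data_sensitivity: str  # "regulated", "confidential" or "internal"

@dataclass
class Alert:
    vendor: str
    key: str               # stable identifier of the signal (a CVE id, a hostname)
    raw_severity: str

@dataclass
class Finding:
    vendor: str
    key: str
    severity: str
    status: str = "open"

def calibrate(raw: str, vendor: Vendor) -> str:
    """Raise the raw signal one step for a Critical-tier vendor and one more
    step when the vendor handles regulated data, capped at Critical."""
    idx = SEVERITIES.index(raw)
    idx += int(vendor.tier == "Critical")
    idx += int(vendor.data_sensitivity == "regulated")
    return SEVERITIES[min(idx, len(SEVERITIES) - 1)]

def triage(alert: Alert, vendor: Vendor, findings: list) -> dict:
    """Build the action card for an alert. Nothing here writes to the platform;
    the card is the proposal a reviewer approves or rejects."""
    dup = next((f for f in findings if f.vendor == alert.vendor
                and f.key == alert.key and f.status == "open"), None)
    if dup is not None:  # runbook step 1: do not create a redundant record
        return {"action": "link_to_existing", "key": dup.key, "severity": dup.severity}
    severity = calibrate(alert.raw_severity, vendor)  # step 2: calibrate the signal
    open_count = sum(f.vendor == vendor.name and f.status == "open" for f in findings)
    return {"action": "create_finding", "vendor": vendor.name, "key": alert.key,  # step 4
            "severity": severity, "remediation_days": REMEDIATION_DAYS[severity],
            "context": {"open_findings": open_count}}  # step 3: existing context
```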
Execute End-to-End Workflows
Tria handles multi-step workflows that would normally require navigating across several parts of the platform. Vendor onboarding is a good example of the difference.
Say you tell Tria: "Onboard Datawise Analytics as a new Critical vendor." Tria will:
- Check the Trust Network for an existing Datawise profile and pull any shared security data
- Create the vendor record with appropriate tier and classification
- Request the documents recommended for Critical-tier vendors (SOC 2 report, information security policy, DPA)
- Initiate the appropriate assessment template based on vendor tier
- Enable continuous monitoring
That's five operations across different parts of the platform, executed through a single conversation. Each step is visible. Each write action requires your approval. But the workflow logic — knowing which documents to request, which assessment to use, when to check the Trust Network — is handled by Tria.
Generate Reports on Demand
Ask Tria for an executive summary, a vendor deep dive, a findings report, or a portfolio security overview and it generates the report on demand. These are the same reports available through the Reports dashboard, accessible through a simple request instead of navigating to the right page and configuring filters.
"Give me a portfolio risk summary for the board" produces the same output as clicking through the reporting interface. The difference is speed and accessibility: you get the report in the conversation without leaving what you're doing.
Learn Your Preferences
Tell Tria "always enable monitoring during onboarding" or "use the Comprehensive assessment template for Critical vendors" and it remembers. Not just for you — for your entire team. Organizational preferences persist across all sessions and all users, creating a shared institutional memory for how your GRC program operates.
Preferences are manageable in Settings, so you can see and edit the rules Tria follows. This means the knowledge of how your organization handles vendor risk doesn't live in one person's head. It's codified in the platform and enforced by the agent.
How It Works: Three Phases
Every task Tria performs follows a structured progression. The boundaries between phases are enforced architecturally, not just by prompting.
Phase 1: Discovery
Tria autonomously investigates, pulling data from multiple sources in parallel. For a vendor investigation, it might simultaneously retrieve the vendor profile, check monitoring alerts, pull open findings, review document status, and examine supply chain data. The output is a structured findings summary with analytical context.
You can watch Tria work in real time. Live status updates show which tools it's calling and what it's finding as the investigation progresses. There's no black box.
Phase 2: Recommendation
Based on what it found, Tria proposes a specific action plan. Every step is visible: what will be created, what will be modified, what the expected impact is. For alert triage, this might be a finding with calibrated severity, an assigned owner, and a remediation timeline. For onboarding, it might be a sequence of document requests, an assessment, and monitoring activation.
Tria cannot skip this step. It cannot jump from discovery to execution. The recommendation phase exists to give you the chance to review, modify, or reject the proposed actions before anything changes in your platform.
Phase 3: Execution
You review and approve. Tria executes. Every write action is logged with full attribution: which user approved it, which Tria session generated it, which tools were called, and what data changed. The audit trail is complete and specific.
Why this matters: The three-phase structure is a trust architecture. In a domain where a single incorrect risk classification or a premature finding closure can have audit implications, the agent needs to be as disciplined about when not to act as it is capable of acting.
Built for Trust
The capabilities above only matter if you can trust the agent executing them. Tria's trust model is enforced in code, not through prompting. Here's what that means concretely:
- Approval gates on every write action. Tria structurally cannot modify data without your explicit sign-off. It doesn't matter how the request is phrased. Read operations are instant and autonomous. Write operations always stop for approval.
- Full audit trail. Every action is logged with user attribution, session tracking, and tool-specific details. You can reconstruct exactly what happened, when, and who approved it.
- Investigation transparency. You can see exactly which data sources Tria consulted and what it found. No black box reasoning. The findings summary shows its work.
- Real-time visibility. Watch Tria work with live status updates as it investigates. You see each tool call as it happens.
- Conversation memory. Sessions persist across page navigation and browser refreshes. Pick up where you left off. Context carries forward.
- Organization-scoped data access. Tria only sees your organization's data. Row-level security is enforced on every query, every time. There are no shortcuts.
This is a fundamentally different approach from most AI integrations in enterprise software, where the AI either has no write access (making it a search bar) or has unconstrained access (making it a liability). Tria sits in the middle: capable enough to run complete GRC workflows, disciplined enough to always ask first.
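To make the three-phase trust model concrete, here is an added example (not Tria's implementation) of the approval gate and audit trail described above: read tools run freely during discovery, write steps run only against an approval bound to a digest of the exact recommended plan, and every executed step is logged with the approving user, session, tool and arguments. The tool names, the digest scheme and the in-memory store are assumptions constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field

class ApprovalRequired(Exception): """A write plan reached execution without a matching approval."""

@dataclass(frozen=True)
class Plan:  # output of the recommendation phase: ordered write steps
    session_id: str
    steps: tuple  # ((tool, ((arg, value), ...)), ...)
    def digest(self) -> str:
        # Binds an approval to these exact steps; any edit to the plan changes it.
        return hashlib.sha256(json.dumps(self.steps, sort_keys=True).encode()).hexdigest()

@dataclass(frozen=True)
class Approval:
    user: str
    plan_digest: str

@dataclass
class Agent:
    read_tools: dict = field(default_factory=dict)
    write_tools: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def read(self, tool: str, **kwargs):
        """Discovery phase: read tools run autonomously, no approval needed."""
        return self.read_tools[tool](**kwargs)

    def execute(self, plan: Plan, approval=None) -> list:
        """Execution phase: refuse unless the approval digest matches this plan."""
        if approval is None or approval.plan_digest != plan.digest():
            raise ApprovalRequired("write actions require approval of this exact plan")
        results = []
        for tool, args in plan.steps:
            result = self.write_tools[tool](**dict(args))
            self.audit_log.append({"user": approval.user, "session": plan.session_id,
                                   "tool": tool, "args": dict(args), "result": result})
            results.append(result)
        return results

def build_demo_agent(store: list) -> Agent:
    """Constructed in-memory tools standing in for the platform's real ones."""
    agent = Agent()
    agent.read_tools["get_vendor"] = lambda name: {"name": name, "tier": "Critical"}
    def create_finding(vendor: str, severity: str) -> int:
        store.append({"vendor": vendor, "severity": severity})
        return len(store)
    agent.write_tools["create_finding"] = create_finding
    return agent
```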
Where This Is Going
Tria already does more than respond to questions. Open a new Tria window and it greets you with a proactive briefing: "Here's what needs your attention." Critical alerts, overdue assessments, vendors with unresolved monitoring issues, all prioritized and ready to investigate with a single click. You don't have to ask what's wrong. Tria tells you.
That's the direction the entire interface is heading. Not replacing the dashboard, but making Tria the starting point for your day. The briefing surfaces the highest-priority items. You click "Investigate" and Tria runs the full discovery workflow. You approve the recommended actions. You move on to the next item. The entire triage cycle happens in one place, through conversation, without navigating between screens.
The architecture supports this today. What we're continuing to build is depth: more alert types covered by investigation runbooks, richer cross-referencing between findings and monitoring data, and tighter integration between Tria's recommendations and the workflows they trigger. Every iteration makes the briefing smarter and the investigations more thorough.
The goal isn't to replace the analyst. It's to give every GRC team a tireless, disciplined junior analyst who opens with the right briefing, follows your runbooks, remembers your preferences, never forgets to check the monitoring data, never misses a connection between findings, and never acts without asking.
That's Tria.
See Tria in Action
Schedule a demo and we'll show you how Tria works with real vendor data — live, not a recording.