AI Third-Party Risk Workflow SaaS

Problem

Third-party risk reviews are repetitive: collect vendor docs, extract attestations, map them to a control framework, route to reviewers, and produce a defensible decision record.

Business context

A workflow where reviewers are the constraint — they need AI to surface evidence and gaps without replacing their judgement.

My role

Architect / lead engineer on the concept design: workflow model, AI extraction pipeline, reviewer UI, and guardrails.

Solution

• Modelled the review as a state machine: intake → extraction → reviewer queue → decision → archive.
• Used LLMs to extract candidate attestations from uploaded vendor documents, with citations back to source pages.
• Built a reviewer UI that always shows the AI suggestion alongside the source quote — never as a sole source of truth.
• Persisted prompt, model, and version metadata for every AI-assisted field for auditability.

Architecture highlights

• React + TypeScript reviewer UI with strict typing on workflow states.
• .NET Core APIs for workflow orchestration and document handling.
• PostgreSQL for workflow + audit data.
• LLM calls isolated behind a thin server-side service with retry, timeout, and content limits.

Challenges

• Designing AI output as suggestions, not commitments — UI had to make the seam obvious.
• Preventing prompt drift across feature areas while still allowing rapid iteration.
• Keeping personally identifiable and confidential vendor data out of model logs.

Outcome / impact

• Reduced manual effort during evidence triage.
• Improved traceability for AI-assisted decisions.
• Improved delivery confidence by isolating LLM calls behind a small, testable surface.

What I learned

• AI fields must carry their provenance forever — prompt, model, version, and source quote.
• The reviewer UI is the most important part of an AI workflow product.