How UiPath Is Shaping Criteria-Driven Third-Party Risk Management with Drata’s TPRM Agent

Accelerated Reviews + evidence-first, criteria-based risk

Overview

UiPath is an enterprise automation platform company that serves more than 10,000 customers, including Fortune 500 organizations, with a mission to safeguard customer trust and data as it grows.

The GRC team sits within security as the second line of defense, reviewing controls, mitigating risk, and enabling sales by upholding the standards UiPath commits to its customers.

As UiPath’s ecosystem of vendors and technologies has expanded, especially with the rise of AI, the demands on its third-party risk management (TPRM) program have grown sharply.

As CISO, Scott Roberts sees that as part of a broader industry shift:

Third-party risk is one of the most pressing challenges for every CISO. Agentic TPRM Assessment will fundamentally change how organizations operationalize third-party risk management — bringing rigor, consistency, and scale. Using Agentic AI, security teams can run assessments in minutes, achieve a more accurate risk posture across the supply chain, and operate at AI speed.

Scott Roberts, Chief Information Security Officer, UiPath

To address these emerging needs, UiPath joined Drata’s TPRM Agent design partner program, working closely with the product team on a criteria-driven, evidence-first approach to third-party risk that reflects UiPath’s real-world requirements and long-term vision.

The Reality of Modern Third-Party Risk at UiPath

From an executive perspective, Sheron Chakalakal, Head of GRC at UiPath, sees TPRM as a continuously evolving ecosystem.

New vendors are constantly coming into UiPath’s environment, existing vendors are introducing significant changes, and technologies like AI are reshaping risk profiles in real time.

Historically, third-party reviews relied on security questionnaires, audit reports, and back-and-forth with vendors. These processes created a point-in-time snapshot rather than a continuous view of risk.

From the practitioner side, Alin Raicu, Senior Technical Program Manager responsible for third-party risk management, experiences that complexity day to day. His team assesses vendor security postures by reviewing SOC 2 reports, other assurance reports, and detailed security documentation, then integrating what matters into UiPath’s own risk-based review process.

With hundreds of vendors and frequent proofs of concept in play, these reviews can be time-consuming and can introduce friction into vendor onboarding.

Sheron summarizes the structural challenge for modern TPRM programs:

The biggest bottleneck for third party risk management is the consistency of the review, the quality of the review, as well as the pace that we would have to keep on to make sure every single vendor that brings their own complexity to the supply chain is evaluated consistently.

Sheron Chakalakal, Head of GRC, UiPath

In practice, keeping pace with the full vendor portfolio requires the team to stretch its bandwidth significantly, prioritizing critical vendors for the deepest scrutiny while maintaining meaningful coverage across moderate and lower-tier vendors as well.

Inside Drata’s Design Partnership with UiPath on the TPRM Agent

UiPath had already partnered with Drata on continuous control monitoring, a project Sheron describes as “hugely successful.” When the opportunity arose to collaborate on a new TPRM approach, UiPath joined Drata as a design partner with clear objectives:

  • Move away from point-in-time, questionnaire-driven reviews toward a more systematic and criteria-based third-party review model.

  • Shift from gut-feeling checks to dynamic, evidence-driven risk assessments grounded in verifiable facts.

  • Explore how criteria-driven models can help TPRM teams keep pace with the scale and speed of vendor and technology change, particularly in AI.

Through the Design Partner program, we wanted to make sure that we are going away from the traditional point in time review to a more criteria based, systematic and consistent third party reviews that can be ingrained into our overall review process.

Sheron Chakalakal, Head of GRC, UiPath

UiPath was also attracted to Drata’s approach to AI in TPRM: using a criteria-driven, evidence-first model to evaluate vendors against UiPath’s specific requirements, while keeping humans in the loop to make final decisions.

UiPath’s Work with Drata’s TPRM Agent

As a design partner, UiPath is both hands-on with Drata’s TPRM Agent in real-world scenarios and playing an integral role in shaping how these capabilities continue to evolve.

Evidence-First, Criteria-Based Assessments

Sheron and the team are focused on criteria-driven, evidence-based models that validate vendor claims against real evidence rather than relying solely on questionnaire responses.

The TPRM Agent is designed to review vendor questionnaires, audit reports, and security packages, pull specific citations from those documents, map all of that back to UiPath’s own requirements and baselines, and then generate follow-up items for the vendor to address any gaps.

The criteria based agent driven model is helpful… because you are validating the facts with evidence first format… not just looking at a questionnaire and accepting what they said, but also validating their true risk profile.

Sheron Chakalakal, Head of GRC, UiPath

For the GRC team, this approach is intended to reduce bias, mitigate burnout, and enable more objective and repeatable risk rankings across a growing vendor landscape.

Agent-Driven Review Workflows

UiPath is also seeing how criteria-driven workflows will change the time and effort profile of vendor reviews.

Today, reviewing a critical vendor can require going through all of their audit reports, questionnaires, and security documentation, then forming an opinion and drafting follow-up questions, a process Sheron notes can take “a couple of days to a week, depending on how critical and how much data the vendor provides.”

From Sheron’s perspective, Drata’s Agentic TPRM Assessment is the key to changing that dynamic over time:

Agentic TPRM Assessment will transform how we run third-party reviews. By ingesting live Trust Center evidence and producing criteria based evaluations, Drata eliminates the tedious back-and-forth with vendors and lets our team focus only on real risk—ultimately accelerating reviews and giving our procurement team the confidence to move faster.

Sheron Chakalakal, Head of GRC, UiPath

Early Signals and Executive Perspective

So far, UiPath has seen promising signals from its collaboration with Drata on TPRM Agent.

Sheron highlights the responsiveness of Drata’s team and the pace at which feedback has been incorporated into product iterations.

It’s been going great. We have been able to provide a lot of feedback… and they’ve been open about getting all the feedback, taking it back into the product team and coming with their own response to it. So it’s been a good back and forth.

Sheron Chakalakal, Head of GRC, UiPath

From an executive standpoint, the potential impact is substantial: freeing GRC capacity, expanding review coverage, and enabling TPRM to plug more deeply into procurement and other business processes.

Practitioner Perspective: Reducing Friction and Refocusing on Risk

Alin Raicu is a Senior Technical Program Manager at UiPath, and his perspective adds texture from the “boots on the ground” view of third-party risk. He describes how traditional reviews can be frustrating when teams invest significant time in evaluating potential vendors that may never be onboarded.

Alin’s goal with TPRM Agent is to spend less time on manual document review and back-and-forth with vendors and more time on evaluating risk in the context of UiPath’s business needs.

The design partner program’s emphasis on understanding how UiPath actually works, rather than a checkbox approach to features, has already helped refine UiPath’s internal operations.

The first thing that stood out to me… was how much the team wanted to understand how we actually function on a day to day basis, not just what features we thought we needed… it actually helped us to improve our own process.

Alin Raicu, Senior Technical Program Manager, UiPath

For Alin, the promise of a criteria-driven approach is being able to review more vendors and support more proofs of concept without becoming a bottleneck — and to be perceived as a partner to the business rather than an obstacle.

What’s Next and Where the Program Stands Today

UiPath is an active design partner supporting Drata on the future of TPRM.

The criteria-driven, evidence-first model is setting the stage for significant innovation in the TPRM market, and both the executive and practitioner teams at UiPath see clear opportunities as the collaboration progresses to:

  • Shorten review durations for critical vendors from days or weeks to minutes.

  • Extend consistent, criteria-based reviews across the full vendor ecosystem, including moderate and lower-tier vendors.

  • Free GRC and risk teams to focus on higher-value work, from broader risk strategy to deeper collaboration with business stakeholders.

As Sheron notes, the impact story is still being written, and that is precisely why UiPath chose to be at the forefront of designing what modern, AI-enabled third-party risk management should look like.
