Built against your vendor risk obligations. Governed by the people who own them.
Generic AI tools don't understand your vendor risk taxonomy, your data classification thresholds, or how a regulated onboarding process actually moves across Procurement, Legal, Risk, AP, and Cyber. They produce outputs that need to be corrected before anyone can act on them — and the team ends up curating instead of approving.
The Supplier Assurance & Onboarding Agent is built for one procurement function, against that function's risk thresholds, by a firm whose primary practice is diagnosing why AI fails. It classifies every new vendor by risk tier, orchestrates due diligence across the right reviewers, surfaces regulatory flags (Privacy Act, Modern Slavery Act, sanctions, AUSTRAC AML/CTF), and routes every approval decision back to the humans who own it, with evidence attached.
Phase 1 demo available: a working prototype on synthetic vendor data, no production system access required, in 4 weeks.
"Vendor onboarding is the choke point. Cross-functional coordination, due diligence orchestration, and regulatory flagging are absorbing weeks that should take days. The Supplier Assurance & Onboarding Agent absorbs the coordination layer — freeing your team to decide, not chase."
The pattern across Australian regulated procurement
A new AI-vendor onboarding request arrives via the procurement portal at 3:47pm Friday. Manually, it sits over the weekend waiting for someone to start chasing Legal, Risk, Privacy, CISO, and AP next week. Onboarding stretches across 4–10 weeks of email coordination.
The Supplier Assurance & Onboarding Agent classifies the request as Enhanced tier within minutes, because three risk factors are present together: an AI vendor, access to customer data, and overseas hosting. It triggers parallel due diligence across Legal, Risk, Cyber, and the DPO in the same hour. By Monday 9am the Procurement Director sees a consolidated Vendor Risk Profile with a CONDITIONAL recommendation and three named conditions, ready to action.
Outcome: The onboarding clock starts Friday afternoon, not Monday morning. Cross-functional inputs arrive in parallel, not in sequence. The Procurement Director makes the call with full context, not partial.
Every regulated function has annual vendor re-certification obligations — APRA-supervised entities under CPS 230, financial advisers under AFSL conditions, healthcare providers under privacy obligations. Re-cert cycles routinely fall behind because manual coordination across hundreds of vendors is unsustainable.
The agent runs the re-certification cycle as a scheduled job. For each vendor: pulls the current certification status, identifies what's expiring, drafts the re-cert questionnaire, routes to the vendor and to the relevant internal reviewer, and compiles status reports for the Procurement Director and the Risk function. Vendors that fail to respond by deadline are flagged for escalation.
Outcome: Re-certification becomes a managed process with named owners and named deadlines, not a quarterly fire-fight. The audit trail for the regulator is generated as a byproduct.
A sanctions list update overnight surfaces a match against one of your active vendors. Manually, the discovery often comes weeks later via a periodic re-screen — by which time the exposure has compounded.
The agent continuously screens your active vendor register against the DFAT Consolidated List, the UN Security Council list, and OFAC's lists, supporting your AUSTRAC AML/CTF obligations (AUSTRAC regulates; it does not publish a sanctions list). A match triggers immediate notification to General Counsel and the Procurement Director with the vendor record, the matching list entry, the active contracts impacted, and a recommended response (suspension, investigation, or false-positive triage). The audit trail is generated automatically.
Outcome: Sanctions exposure is detected within hours, not weeks. General Counsel makes the call with the full evidence pack already assembled — and the timeline is defensible to APRA or AUSTRAC if asked.
Most agent builds skip phase one (no mission alignment), compress phase two (assumed workflows, not observed ones), and have no equivalent of phases four and five (built and released without the people who will use it ever signing off).
The Mycelium build loop is slower than the market default. The slowness is the point.
Fixed fee, ex GST. Optional Sustained Alignment Retainer ($3,500–$8,500/month) available post-release for quarterly mission re-alignment, CPS 230 obligation updates, drift monitoring, and governance review.
Every Supplier Assurance & Onboarding Agent is released to broader use only after three sign-offs.
This is what separates a managed build from a deployed tool. The agent is not finished when the code is written. It is finished when the people who will use it have signed off on what it does, what it doesn't do, and how its performance will be reviewed.
The Program Managers and analysts who will use the agent daily sign off that it works as expected, that it handles edge cases responsibly, and that the CPS 230 flag logic aligns with your compliance obligations.
The function owner signs off on scope, governance cadence, performance measures, compliance boundaries, and the explicit list of what the agent will and will not do.
The budget holder receives the executive briefing, confirms the scope and risk envelope, reviews the CPS 230 compliance approach, and authorises broader release.
60 minutes with you and your executive sponsor. We assess whether a Supplier Assurance & Onboarding Agent build — or a Phase 1 demo — is the right move for your situation. And we tell you if it is not.