Twenty-two purpose-built AI agents for GRC.
We don't bolt AI onto a traditional consultancy. Every Srida IT engagement runs on a named suite of specialist LLM agents — organised into seven tiers — under the supervision of certified GRC experts. Each agent owns a real slice of delivery, with auditable inputs and deterministic outputs.
Operating Foundation
Five agents in production today. The daily-execution layer behind every Srida engagement — drafting, gathering, testing, monitoring, auditing.
Aarya
Policy Agent
Drafts ISO 27001, SOC 2, DPDPA, HIPAA policies in minutes.
Ingests org context, regulatory scope, and existing controls. Drafts the full policy stack mapped to clause IDs. A certified consultant reviews and you sign.
- Clause-level mapping (ISO / SOC / PCI / DPDPA)
- Industry-adaptive tone (fintech, health, SaaS)
- Versioning + board-ready diff view
Bhuvi
Evidence Agent
Continuously collects audit-ready evidence from your stack.
Connects to cloud, identity, ticketing, code repos, HRMS. Pulls evidence on a schedule, tags it to controls, assembles audit packets on demand.
- Connectors: AWS, Azure, GCP, Okta, GitHub, Jira
- Auto-mapping to NIST 800-53 + ISO Annex A
- Tamper-evident chain-of-custody log
Charan
Control-Test Agent
First-pass control testing so auditors land on prepared ground.
Executes deterministic test scripts against each control — MFA enforcement, log retention, vendor DD, backup integrity. Flags failures with reproducible evidence and CAPA drafts.
- Pre-built library: ISO Annex A, SOC 2 TSC, PCI DSS
- Failure clustering — root-cause across controls
- Auto-generated CAPA drafts
Devika
Autonomous DPO Agent
24/7 DPDPA & GDPR watch — flows, vendors, DSAR queue.
Watches processing register, vendor list, DSAR queue. Flags unauthorised flows, vendor renewals without re-assessment, DSARs nearing SLA. Drafts board-ready privacy posture reports.
- DPDPA Sec 8 & 9 obligations tracker
- Cross-border transfer & adequacy monitoring
- Automated DPIA for new high-risk processing
Esha
Audit Agent
Mock audits before the auditor walks in.
Full dry-run audits across your framework. Interviews control owners, samples evidence, identifies gaps, produces an auditor-style finding report so you close gaps before they fail you.
- Mock audits: ISO 27001, SOC 2 II, PCI, ISO 27701
- Control-owner interview simulator
- Observation → root-cause → recommendation format
Admissions & Cohort
One agent in production — runs candidate selection, integrity engines, and the Phase 1–4 assessment pipeline behind every Srida-certified hire.
Strategic Advisory
Counsel for CISOs, DPOs, and Boards. Strategic-tier agents brief leadership, run M&A diligence, and quarterback crisis response.
Falgun
vCISO Advisor
Cyber strategy, target-operating-model design, M&A diligence.
Brings CISO-tier judgement to fractional engagements — 3-year security roadmap, target-operating-model design, M&A cybersecurity due-diligence, Board narrative translation.
- 3-year security roadmap synthesis
- M&A buy-side & sell-side cyber diligence
- Board / Risk Committee briefing prep
Gauri
vDPO Advisor
Privacy strategy, DPIA design, regulator engagement.
Strategic counterpart to Devika — sets the privacy programme strategy, designs DPIAs for high-impact products, and prepares the org for regulator engagement.
- Privacy programme target-state design
- DPIA scoping for AI / cross-border features
- Regulator engagement & inquiry response
Hari
Board Liaison
Translates the security & privacy posture for non-technical leadership.
Converts technical posture into Board-and-Audit-Committee narratives. Builds the quarterly risk pack, the regulator-facing narrative, and the cyber section of the annual report.
- Quarterly Board risk pack generation
- Audit Committee briefing materials
- Annual-report cybersecurity section drafting
Ira
Crisis Coordinator
On-call commander for breach, ransomware, regulator inquiry.
Orchestrates incident response across legal, PR, IT, forensics, and regulators. Maintains the runbook, drives the war-room cadence, and produces the post-incident dossier.
- Real-time IR war-room orchestration
- Regulator notification timer (DPDPA 72h, CERT-In 6h)
- Post-incident dossier + lessons learned
Frameworks & Compliance
Framework-specialist agents. Each one owns the full implementation, gap-close, internal audit, and external-audit prep for a single regime.
Jay
ISO 27001 Lead
End-to-end ISMS — scoping to Stage 2 certification.
Owns the ISMS lifecycle: scoping, Annex A mapping, statement of applicability, internal audit, management review, Stage 1 / Stage 2 audit preparation.
- Annex A control mapping + SoA generation
- Internal audit programme + finding registers
- Stage 1 / Stage 2 audit readiness
Karan
SOC 2 Specialist
Type I & Type II across all five Trust Service Criteria.
Runs SOC 2 readiness for SaaS clients — TSC selection, control library, observation window management, CPA audit liaison.
- TSC selection: Security, Availability, Confidentiality, Processing Integrity, Privacy
- Type I → Type II observation-window orchestration
- CPA-audit liaison + walkthrough prep
Lila
PCI DSS Engineer
v4 scoping, segmentation, RoC preparation.
Owns PCI DSS v4 readiness — cardholder-data environment scoping, network segmentation validation, RoC evidence packet for the QSA.
- PCI DSS v4 scoping + CDE definition
- Segmentation testing + evidence
- RoC packet for the QSA
Manu
DPDPA Programme Lead
Section 8/9/11 compliance, ROPA, regulator readiness.
Owns the operational DPDPA programme — ROPA build-out, Sec 8 / 9 / 11 obligations mapping, breach response runbook, regulator-readiness drills.
- ROPA template + processing-activity inventory
- DPDPA Sec 8 / 9 / 11 obligation matrix
- DPB regulator-readiness drills
Security Operations
Operational-tier security agents. SOC tuning, threat intelligence, and offensive validation — built to plug into existing SIEM/SOAR stacks.
Naina
SOC Operations Agent
SIEM tuning, detection engineering, alert triage.
Augments the in-house SOC — tunes SIEM rules to reduce false positives, develops detections for new threats, and runs the first-pass triage on enriched alerts.
- SIEM rule tuning + false-positive reduction
- Detection engineering for new TTPs
- Enriched-alert first-pass triage
Omkar
Threat Intelligence Agent
Sector-specific threat briefings + IOC enrichment.
Ingests open-source and commercial threat feeds, enriches IOCs with context, and produces sector-specific weekly threat briefings for CISOs.
- IOC enrichment + sector-mapped briefings
- Adversary-attribution synthesis
- Weekly CISO threat brief
Pratik
VAPT Specialist
Pentest planning, vuln management, attack-path validation.
Plans and supervises VAPT engagements — scope, rules of engagement, attack-path validation, post-test remediation guidance, retesting.
- Web / API / cloud / network pentest scoping
- Attack-path validation across discovered findings
- Remediation guidance + retest orchestration
AI Governance
AI-specialist agents — born of the same engineering discipline that built Srida's own AI suite. Govern model risk, run red-team tests, and certify AI products against NIST AI RMF and the EU AI Act.
Riya
AI Risk Agent
NIST AI RMF, EU AI Act, model risk catalogues.
Builds and maintains the AI model risk catalogue, classifies models against NIST AI RMF and EU AI Act risk tiers, and drives governance-committee cadence.
- Model inventory + risk classification
- NIST AI RMF + EU AI Act mapping
- AI Governance Committee briefing pack
Rohan
AI Red-Team Agent
Adversarial testing, prompt-injection probes, fairness audits.
Runs adversarial-evaluation harnesses against LLM applications — prompt-injection probes, jailbreak coverage, fairness and harm audits — and produces a red-team report fit for board sign-off.
- Prompt-injection + jailbreak test harness
- Fairness + harm metric coverage
- Board-grade red-team report
Specialty Functions
Specialist agents covering vendor risk, regulatory tracking, and cyber-insurance liaison. The off-screen connective tissue that keeps a GRC programme defensible.
Saanvi
Third-Party Risk Agent
Vendor questionnaires, due-diligence scoring, continuous monitoring.
Owns the third-party risk lifecycle — questionnaire automation, due-diligence scoring against tiered criticality, continuous monitoring with public-data signals.
- Questionnaire automation + auto-evidence cross-check
- Tiered DD scoring (critical / important / standard)
- Continuous monitoring on public signals
Tarun
Regulatory Tracker
CERT-In, RBI, SEBI, DPB notifications — auto-mapped to your controls.
Watches Indian regulator publications and global counterparts, auto-maps new requirements to the client's control library, and flags gaps with suggested control updates.
- CERT-In / RBI / SEBI / DPB watch
- Auto-mapping to client control library
- Gap flagging + control-update proposals
Uma
Cyber Insurance Liaison
Incident filings, premium-impact analysis, policy gap reviews.
Manages the cyber-insurance relationship — annual application accuracy, premium-impact modelling, incident filing, policy-language gap reviews.
- Annual application + warranty accuracy
- Premium-impact modelling on control changes
- Policy gap review vs incident scenarios
How Srida AI is engineered
Four design principles that separate Srida's agents from a chatbot stapled onto a GRC SaaS.
Deterministic where it matters
Every grading, ranking, and pass/fail decision is a numeric computation — same inputs always produce identical outputs. Fully auditable to clients and regulators.
Human-in-the-loop at every gate
Agents draft, propose, and flag. Certified GRC experts review, decide, and own the deliverable. Speed of AI, defensibility of human judgement.
Worst-of-engines integrity
Where we use AI to evaluate AI (or candidates), multiple independent engines run in parallel and the worst signal wins. No single engine can rubber-stamp an output.
Built in India, for Indian regulators
Native DPDPA, CERT-In, RBI Master Direction, and SEBI awareness — alongside ISO, SOC, GDPR, PCI. Localisation isn't an afterthought.
See the agents draft, test, and audit — live.
30 minutes. We'll run your real framework, with your real context, and produce a real evidence packet. No slides.