Skip to content

Madison · Banking, by Lyzr

The procurement & risk desk, built deep into banking.

Agentic third-party risk, vendor-AI governance and tested vendor exits — on-prem, sovereign, examiner-ready. Built for how banks are actually regulated across North America, the EU, the Gulf and India.

🌎 North America🇪🇺 European Union🕌 Gulf / GCC🇮🇳 India
Madison — Risk cockpitLive · on-prem
Third-party risk
318 vendors governed · 2 FTEs
A−
Vendor-AI kill-switch
Armed · SR 26-2 · RBI
Armed
Exit test · AWS us-east-1
Orderly + stressed · T+41d / $2.3M
✓ Passed
On-premSOC 2 Type IIAudit ledgerBYOK
Built to the standards banks are examined against
SOC 2 Type IIISO 27001ISO 42001 · AIGDPRHIPAAPCI-DSSDORA-ready · EUFFIEC-aligned · USRBI IT-Outsourcing · IndiaSAMA · CBUAE · GulfDPDP · IndiaOn-prem · BYOK

Why Madison

Risk is the one line a bank can never cut.

Every dollar a bank spends on third-party and model risk is legally required — board-level, examiner-driven, un-cuttable. Madison is the agentic desk that owns it.

Mandated demand

2023 Interagency, DORA, RBI, SAMA & CBUAE all require it. Regulation is the buyer — demand survives every downturn.

Real agents, not copilots

Bounded-autonomy agents that assess, remediate and act — with a human on every material call. Not a chatbot that summarises.

On-prem & sovereign

Runs inside your walls or in-country. Vendor, contract and model data never leaves. Decisive in the Gulf and India.

One desk, one data spine

Land on third-party risk, expand into AI governance and exit-testing on the same vendor graph — one buyer, one deployment.

What Madison does

Third-party risk & vendor-AI, run by agents.

The work examiners care about most — governing your vendors and the AI they embed — done continuously, safely, and inside your walls.

Third-Party Risk Management

A continuous, agentic vendor-risk loop so a 2-person team governs hundreds of vendors to examiner standard.

73%
run vendor risk with ≤2 FTEs vs 300+ vendors
Ncontracts 2025
$4.91M
avg third-party breach · 267 days to contain
IBM 2025
weeks → hours
onboarding & due diligence, agent-run (illustrative)
Deutsche Bank, Dec 2025
The market ships
Madison does
Questionnaires & workflow, AI bolted on
Agents that score, monitor & remediate
Fixed scoring (BitSight / EcoVadis)
Configurable scorecard the business owns
Cloud-only SaaS
On-prem / sovereign — data never leaves
Manual exam-pack assembly
Immutable ledger — the pack writes itself
madison · risk-intelligence
Third-party risk radar318 vendors · continuous
VendorScoreTierStatus
Amazon Web ServicesA− · 88CriticalMonitored
DatadogB · 74HighWatch
Finxact · coreC · 61CriticalAction
PlaidA · 91MediumMonitored
12
new signals today
4
reviews due
1
open exception

Vendor-AI & Model-Risk Governance

Discover, supervise and — when it breaches — stop the AI your vendors embed, with an immutable audit trail. Governing exactly what new model-risk rules left out of scope.

~3 in 4
banks least-prepared on an AI kill-switch / failure reporting
Wolters Kluwer / Am. Banker
SR 26-2
rewrote model risk (Apr 2026) — but excludes gen/agentic AI
Federal Reserve
kill-switch
mandated on every AI model (India, Jun 2026)
RBI draft MRM
The market ships
Madison does
Attestation dashboards & registries
Runtime supervision of vendor-embedded AI
Kill-switch "planned" or scoped to their own AI
An enforceable, tested kill-switch
Maps to old SR 11-7
Mapped to SR 26-2, EU AI Act, RBI, CBUAE
SaaS security, not bank-grade model risk
MRM-grade + agentic + on-prem, one stack
madison · vendor-ai governance
Vendor-embedded AI · 24 modelsSR 26-2 · EU AI Act · RBI
Model · vendorUseStatusControl
Einstein · Salesforcelead scoringMonitoredEnabled
Score API · FICOcredit decisioningDriftThrottled
LLM · VendorXdoc summarizeBlockedKill-switch ✓
Armed
kill-switch
3
drift alerts
100%
actions logged
Operational resilience

Prove you can leave a cloud — before you have to.

Turn untested paper exit clauses into generated, cost-modeled, stress-tested exit & continuity playbooks for critical vendors. A tested exit is the single control examiners cite most — and “untested” doesn't count. It reuses the same vendor graph, so it drops straight in.

$5.4BFortune-500 cost of the CrowdStrike outage · Parametrix
19EU critical ICT providers named — AWS, Azure, Google · ESAs, Nov 2025
DORA Art. 28mandates a tested exit · EUR-Lex
Test an exit
madison · exit & continuityPassed
Exit test · AWS us-east-1
$2.3M
migration cost
T+41d
recovery time
2
viable alternates
82%
continuity conf.
  • Orderly playbook — generated
  • Stressed (insolvency) playbook — stress-tested
  • Examiner pack · DORA Art. 28 — ready

The full journey

Every step of source-to-pay, agentic.

Beyond the headline work, Madison runs the whole banking procurement journey — banking-configured by default (sanctions · DORA · KYB · FFIEC). Each step shows what it does and where we're different.

01Source-to-contract

Conversational intake

Capabilities
  • Plain-English request → agent classifies category, vendor & budget, and dedupes against 90 days of spend.
  • Runs policy + sanctions at the front door.
  • Routes by banking DOA tier (e.g. CFO+CPO co-sign).
How we're different
  • Sanctions & policy checked before a buyer ever sees it — Coupa/Ariba intake is a form that routes to a human.
  • On-prem, so intake data never leaves the bank.
02Source-to-contract

Sourcing & negotiation

Capabilities
  • Auto-shortlist internal + external vendors on a 40-attribute, bank-weighted matrix.
  • Parallel negotiation agents, one per vendor.
  • Human takeover the moment a thread stalls.
How we're different
  • Autonomous multi-vendor negotiation with a human-in-the-loop — incumbents run RFx workflow, not agents that negotiate.
03Source-to-contract

Contract redline & obligations

Capabilities
  • Clause-by-clause agent redline against a bank clause library — DORA Art. 28/30, audit rights, exit.
  • Flags missing mandatory clauses.
  • Tracks obligations, SLAs & renewals.
How we're different
  • Redlines against regulator-mandated clause sets, on-prem — CLM incumbents (Icertis, Ironclad) are cloud copilots.
04Govern & comply

KYB & sanctions screening

Capabilities
  • UBO trace via Sayari / D&B / court records.
  • Continuous OFAC / EU / UN / UK / Canada screening.
  • Auto-block on a confirmed hit.
How we're different
  • Continuous re-screening tied to the live vendor graph + auto-block — data vendors sell a feed, not an agent that acts.
05Procure-to-pay

Touchless AP & payment integrity

Capabilities
  • Agentic 3-way match auto-clears clean invoices.
  • Routes exceptions; optimises DPO.
  • Blocks payment fraud at the point of pay.
How we're different
  • Sanctions + fraud re-checked at payment, not just at match; on-prem — AP incumbents (AvidXchange, Tipalti) are cloud.
06Procure-to-pay

Spend intelligence & forecasting

Capabilities
  • Multi-horizon category forecasts with confidence bands.
  • One-click-executable savings proposals.
  • Budget & DOA aware.
How we're different
  • Proposals are executable — route to sourcing in a click — while analytics incumbents (Sievo, Coupa) only describe spend.
07Govern & comply

Regulatory intelligence

Capabilities
  • Monitors 40+ sources — OCC · Fed · FDIC · EBA · FCA · MAS · RBI.
  • Maps a new rule to affected vendors.
  • Drafts remediation, routes to Legal + Risk.
How we're different
  • Closes the loop — rule → affected-vendor mapping → remediation task; horizon-scanners (CUBE, Corlytics) only alert.
08Govern & comply

Policy, DOA & approvals

Capabilities
  • Policy engine simulates BLOCK / WARN / ROUTE / ALLOW.
  • Enforces banking DOA tiers.
  • Visual approval flows + FFIEC-ready audit trail.
How we're different
  • Policy simulation + bank DOA templates as code with an audit trail — incumbents hard-code approval chains, no what-if.

The gap we exploit

What the market ships — vs what Madison does.

The incumbents are workflow and dashboards with AI bolted on. Madison is agentic, on-prem, and closes the loop.

CapabilityThe market shipsMadison does
Vendor risk assessmentQuestionnaires + workflow, AI bolted onAgents that score, monitor & remediate
DeploymentCloud-only SaaSOn-prem / VPC / sovereign — data never leaves
MonitoringPoint-in-time score or annual reviewContinuous — ratings, news, filings; re-tier on change
Vendor exitA stored contract clauseGenerated & stress-tested orderly + stressed playbooks
Vendor-AI riskAttestation dashboards & registriesRuntime supervision + an enforceable kill-switch
KYB & sanctionsPoint-in-time check, a data feedContinuous re-screening + auto-block, tied to the graph
Evidence for examinersManual exam-pack assemblyImmutable decision ledger — the pack writes itself

Global by design

One platform, tuned to every regulator.

Same desk — the regulation, target segment and deployment adapt to each market.

North America

OCC · Federal Reserve · FDIC — 2023 Interagency Guidance; SR 24-2; SR 26-2 model-risk carve-out.

Why now
Exam-driven. The SR 26-2 gen/agentic-AI gap is now the bank's own problem — no rulebook, full liability.
What's at stake
Consent orders, MRAs & civil-money penalties — and a $4.91M average third-party breach. · IBM 2025
Deadline / trigger
SR 26-2 in force Apr 2026; continuous exam cycles. · Fed SR 26-2

European Union

DORA · EBA · EU AI Act — tested exits, subcontracting RTS, deployer duties.

Why now
Register of Information live; first resilience-testing (TLPT) cycle in 2026; 19 critical ICT providers named.
What's at stake
EU AI Act fines up to €35M or 7% of global turnover; DORA oversight of critical providers. · EU AI Act · Art. 99
Deadline / trigger
DORA live since Jan 2025; first TLPT tests in 2026. · EUR-Lex · DORA

Gulf / GCC

SAMA · CBUAE — outsourcing rules, data localization, 'immediate cessation' of vendor AI.

Why now
On-prem / in-country residency is mandated; sovereign-cloud programs make local deployment the default.
What's at stake
CBUAE penalties up to AED 1B; the regulator can force termination of a non-compliant vendor. · CBUAE
Deadline / trigger
AI guidance issued Feb 2026; data residency required now. · CBUAE rulebook

India

RBI — IT-Outsourcing Directions; draft MRM mandates an AI kill-switch (Jun 2026).

Why now
Strongest near-term AI mandate globally; the board is personally accountable for third-party & model risk.
What's at stake
RBI monetary penalties + board-level accountability for outsourcing & AI failures. · RBI IT-Outsourcing
Deadline / trigger
10 Apr 2026 compliance cliff; AI kill-switch mandate (Jun 2026). · RBI draft MRM

Security & sovereignty

Enterprise-grade, examiner-ready, in your control.

The reason banks trust an agent with vendor and model risk: it never gives up control.

On-prem / VPC / air-gapped

Deploy inside your infrastructure or in-country. Data residency for DORA, DPDP, SAMA & CBUAE out of the box.

BYOK · SOC 2 · ISO 27001

Bring your own keys; SOC 2 Type II, ISO 27001 & ISO 42001-aligned AI management. Encrypted in transit and at rest.

Immutable decision ledger

Every agent action and human decision is cited, timestamped and tamper-evident — the exam pack writes itself.

Human-in-the-loop & kill-switch

Recommend-then-act policy bands; a tested kill-switch on any model — matching RBI & CBUAE mandates.

Integrates, doesn't rip-and-replace

Sits on top of SAP, ServiceNow, Archer, ratings feeds and your ERP — augmenting, not replacing, the estate.

Sovereign AI, your models

Run open or private models inside your boundary. No vendor lock-in, no data leaving the perimeter.

73%
of banks run vendor risk with ≤2 FTEs vs 300+ vendors
Ncontracts 2025
267d
to contain a third-party breach · $4.91M average
IBM 2025
14%
of firms trust their questionnaires reflect real risk
RiskRecon / Cyentia
~3 in 4
banks unprepared on an AI kill-switch / failure reporting
Wolters Kluwer / Am. Banker

Be the bank that's un-removable on risk.

See Madison run your vendor risk, govern your vendors' AI, and prove a tested exit — on your own infrastructure. Design-partner slots are open across NA, EU, Gulf & India.