Madison · Banking, by Lyzr
The procurement & risk desk, built deep into banking.
Agentic third-party risk, vendor-AI governance and tested vendor exits — on-prem, sovereign, examiner-ready. Built for how banks are actually regulated across North America, the EU, the Gulf and India.
Why Madison
Risk is the one line a bank can never cut.
Every dollar a bank spends on third-party and model risk is legally required — board-level, examiner-driven, un-cuttable. Madison is the agentic desk that owns it.
Mandated demand
2023 Interagency, DORA, RBI, SAMA & CBUAE all require it. Regulation is the buyer — demand survives every downturn.
Real agents, not copilots
Bounded-autonomy agents that assess, remediate and act — with a human on every material call. Not a chatbot that summarises.
On-prem & sovereign
Runs inside your walls or in-country. Vendor, contract and model data never leaves. Decisive in the Gulf and India.
One desk, one data spine
Land on third-party risk, expand into AI governance and exit-testing on the same vendor graph — one buyer, one deployment.
What Madison does
Third-party risk & vendor-AI, run by agents.
The work examiners care about most — governing your vendors and the AI they embed — done continuously, safely, and inside your walls.
Third-Party Risk Management
A continuous, agentic vendor-risk loop so a 2-person team governs hundreds of vendors to examiner standard.
| Vendor | Score | Tier | Status |
|---|---|---|---|
| Amazon Web Services | A− · 88 | Critical | Monitored |
| Datadog | B · 74 | High | Watch |
| Finxact · core | C · 61 | Critical | Action |
| Plaid | A · 91 | Medium | Monitored |
Vendor-AI & Model-Risk Governance
Discover, supervise and — when it breaches — stop the AI your vendors embed, with an immutable audit trail. Governing exactly what new model-risk rules left out of scope.
| Model · vendor | Use | Status | Control |
|---|---|---|---|
| Einstein · Salesforce | lead scoring | Monitored | Enabled |
| Score API · FICO | credit decisioning | Drift | Throttled |
| LLM · VendorX | doc summarize | Blocked | Kill-switch ✓ |
Prove you can leave a cloud — before you have to.
Turn untested paper exit clauses into generated, cost-modeled, stress-tested exit & continuity playbooks for critical vendors. A tested exit is the single control examiners cite most — and “untested” doesn't count. It reuses the same vendor graph, so it drops straight in.
- Orderly playbook — generated
- Stressed (insolvency) playbook — stress-tested
- Examiner pack · DORA Art. 28 — ready
The full journey
Every step of source-to-pay, agentic.
Beyond the headline work, Madison runs the whole banking procurement journey — banking-configured by default (sanctions · DORA · KYB · FFIEC). Each step shows what it does and where we're different.
Conversational intake
- Plain-English request → agent classifies category, vendor & budget, and dedupes against 90 days of spend.
- Runs policy + sanctions at the front door.
- Routes by banking DOA tier (e.g. CFO+CPO co-sign).
- Sanctions & policy checked before a buyer ever sees it — Coupa/Ariba intake is a form that routes to a human.
- On-prem, so intake data never leaves the bank.
Sourcing & negotiation
- Auto-shortlist internal + external vendors on a 40-attribute, bank-weighted matrix.
- Parallel negotiation agents, one per vendor.
- Human takeover the moment a thread stalls.
- Autonomous multi-vendor negotiation with a human-in-the-loop — incumbents run RFx workflow, not agents that negotiate.
Contract redline & obligations
- Clause-by-clause agent redline against a bank clause library — DORA Art. 28/30, audit rights, exit.
- Flags missing mandatory clauses.
- Tracks obligations, SLAs & renewals.
- Redlines against regulator-mandated clause sets, on-prem — CLM incumbents (Icertis, Ironclad) are cloud copilots.
KYB & sanctions screening
- UBO trace via Sayari / D&B / court records.
- Continuous OFAC / EU / UN / UK / Canada screening.
- Auto-block on a confirmed hit.
- Continuous re-screening tied to the live vendor graph + auto-block — data vendors sell a feed, not an agent that acts.
Touchless AP & payment integrity
- Agentic 3-way match auto-clears clean invoices.
- Routes exceptions; optimises DPO.
- Blocks payment fraud at the point of pay.
- Sanctions + fraud re-checked at payment, not just at match; on-prem — AP incumbents (AvidXchange, Tipalti) are cloud.
Spend intelligence & forecasting
- Multi-horizon category forecasts with confidence bands.
- One-click-executable savings proposals.
- Budget & DOA aware.
- Proposals are executable — route to sourcing in a click — while analytics incumbents (Sievo, Coupa) only describe spend.
Regulatory intelligence
- Monitors 40+ sources — OCC · Fed · FDIC · EBA · FCA · MAS · RBI.
- Maps a new rule to affected vendors.
- Drafts remediation, routes to Legal + Risk.
- Closes the loop — rule → affected-vendor mapping → remediation task; horizon-scanners (CUBE, Corlytics) only alert.
Policy, DOA & approvals
- Policy engine simulates BLOCK / WARN / ROUTE / ALLOW.
- Enforces banking DOA tiers.
- Visual approval flows + FFIEC-ready audit trail.
- Policy simulation + bank DOA templates as code with an audit trail — incumbents hard-code approval chains, no what-if.
The gap we exploit
What the market ships — vs what Madison does.
The incumbents are workflow and dashboards with AI bolted on. Madison is agentic, on-prem, and closes the loop.
| Capability | The market ships | Madison does |
|---|---|---|
| Vendor risk assessment | Questionnaires + workflow, AI bolted on | Agents that score, monitor & remediate |
| Deployment | Cloud-only SaaS | On-prem / VPC / sovereign — data never leaves |
| Monitoring | Point-in-time score or annual review | Continuous — ratings, news, filings; re-tier on change |
| Vendor exit | A stored contract clause | Generated & stress-tested orderly + stressed playbooks |
| Vendor-AI risk | Attestation dashboards & registries | Runtime supervision + an enforceable kill-switch |
| KYB & sanctions | Point-in-time check, a data feed | Continuous re-screening + auto-block, tied to the graph |
| Evidence for examiners | Manual exam-pack assembly | Immutable decision ledger — the pack writes itself |
Global by design
One platform, tuned to every regulator.
Same desk — the regulation, target segment and deployment adapt to each market.
North America
OCC · Federal Reserve · FDIC — 2023 Interagency Guidance; SR 24-2; SR 26-2 model-risk carve-out.
- Why now
- Exam-driven. The SR 26-2 gen/agentic-AI gap is now the bank's own problem — no rulebook, full liability.
- What's at stake
- Consent orders, MRAs & civil-money penalties — and a $4.91M average third-party breach. · IBM 2025
- Deadline / trigger
- SR 26-2 in force Apr 2026; continuous exam cycles. · Fed SR 26-2
European Union
DORA · EBA · EU AI Act — tested exits, subcontracting RTS, deployer duties.
- Why now
- Register of Information live; first resilience-testing (TLPT) cycle in 2026; 19 critical ICT providers named.
- What's at stake
- EU AI Act fines up to €35M or 7% of global turnover; DORA oversight of critical providers. · EU AI Act · Art. 99
- Deadline / trigger
- DORA live since Jan 2025; first TLPT tests in 2026. · EUR-Lex · DORA
Gulf / GCC
SAMA · CBUAE — outsourcing rules, data localization, 'immediate cessation' of vendor AI.
- Why now
- On-prem / in-country residency is mandated; sovereign-cloud programs make local deployment the default.
- What's at stake
- CBUAE penalties up to AED 1B; the regulator can force termination of a non-compliant vendor. · CBUAE
- Deadline / trigger
- AI guidance issued Feb 2026; data residency required now. · CBUAE rulebook
India
RBI — IT-Outsourcing Directions; draft MRM mandates an AI kill-switch (Jun 2026).
- Why now
- Strongest near-term AI mandate globally; the board is personally accountable for third-party & model risk.
- What's at stake
- RBI monetary penalties + board-level accountability for outsourcing & AI failures. · RBI IT-Outsourcing
- Deadline / trigger
- 10 Apr 2026 compliance cliff; AI kill-switch mandate (Jun 2026). · RBI draft MRM
Security & sovereignty
Enterprise-grade, examiner-ready, in your control.
The reason banks trust an agent with vendor and model risk: it never gives up control.
On-prem / VPC / air-gapped
Deploy inside your infrastructure or in-country. Data residency for DORA, DPDP, SAMA & CBUAE out of the box.
BYOK · SOC 2 · ISO 27001
Bring your own keys; SOC 2 Type II, ISO 27001 & ISO 42001-aligned AI management. Encrypted in transit and at rest.
Immutable decision ledger
Every agent action and human decision is cited, timestamped and tamper-evident — the exam pack writes itself.
Human-in-the-loop & kill-switch
Recommend-then-act policy bands; a tested kill-switch on any model — matching RBI & CBUAE mandates.
Integrates, doesn't rip-and-replace
Sits on top of SAP, ServiceNow, Archer, ratings feeds and your ERP — augmenting, not replacing, the estate.
Sovereign AI, your models
Run open or private models inside your boundary. No vendor lock-in, no data leaving the perimeter.
Be the bank that's un-removable on risk.
See Madison run your vendor risk, govern your vendors' AI, and prove a tested exit — on your own infrastructure. Design-partner slots are open across NA, EU, Gulf & India.
