July 10, 2026 · 8 min read

Your deal is stuck on the AI section. Here are your five options, honestly compared

An enterprise prospect sent the security questionnaire, and this year it has an AI section: twenty-ish questions about agent audit trails, data boundaries, tenant isolation, and prompt-injection defenses that your SOC 2 does not answer. Someone has to write those answers. You have five realistic options. We sell one of them, so read the other four first and discount our take accordingly.

Short version: automation tools win when you already have an answer bank. Consultants win when compliance is a program, not a deal blocker. For a first stalled deal, the choice is between doing it yourself properly and paying someone who lives in this to do it for you in a week.

OptionCostSpeedStrongest atWeakest at
DIY in-houseYour time (typically 1–2 weeks of a founder/eng lead)6–8 weeks when done mid-review; days if pre-writtenAnswers trace to your real stack; you learn your own gapsNobody has time mid-deal; first draft misses what reviewers actually want
ChatGPT / cloud LLM~$0HoursFast first draft of policy-style proseDescribes controls you don't have; caught overstatement = longest stall; your architecture docs leave your boundary
GRC consultant$5k–$50k+ per engagement2–6 weeksDeep compliance expertise, defensible for audits beyond one dealPrice and lead time absurd for one stalled deal; often generic on agent-runtime specifics
Questionnaire automation (Vanta/Conveyor/Loopio class)$7.5k–$15k+/yr platform feesMinutes per questionnaire once your answer bank existsGreat at scale: reusing approved answers across dozens of questionnairesThe AI section has no answer bank to reuse yet; drafts still need an expert human pass
Done-for-you kit (this is what we sell)$490 fixed7 days from a 30-minute intakeWritten from your actual stack by someone who lives in agent security; honest gaps get remediation linesPer-product engagement, not a platform; you still own keeping answers current

Option 1: do it yourself

The right answer if you have the time. Every claim traces to your real stack, and the exercise forces you to discover your own gaps before the reviewer does. The catch is that the questionnaire always lands mid-deal, when nobody has two free weeks. Vendors who answer ad hoc report six to eight weeks of review back-and-forth; vendors who pre-wrote the section report days. If you go this route, work from the free 20-question reference and write answers that name mechanisms, not policies. Reviewers accept honest gaps with remediation dates. They do not accept discovering an overstatement later.

Option 2: paste it into ChatGPT

Cheapest and fastest, and the one that backfires most expensively. Generated answers read fluent and describe textbook controls, which is exactly the problem: reviewers read dozens of packs and have learned to spot policy prose describing controls nobody built. One caught overstatement costs more weeks than an honest gap. The quieter problem: pasting your architecture docs into a cloud LLM to prove your data never leaves your boundary is a contradiction a security reviewer will notice. If you use an LLM, use it for structure, and have the person who built the system rewrite every claim.

Option 3: hire a GRC consultant

The right answer when compliance is a program: you are heading into SOC 2 Type II, ISO 42001, multiple regulated customers. Consultants bring defensibility that outlives one deal. For a single stalled deal the math rarely works: four-to-five-figure engagements, two to six weeks of lead time, and agent-runtime specifics (tool-call enforcement, tamper-evident action logs, replayability) are often outside their playbook because the category is new.

Option 4: questionnaire automation platforms

Tools in the Vanta, Drata, Conveyor, Loopio, Responsive class are genuinely good at what they do: keep an approved answer bank and reuse it across the forty questionnaires you will get this year. If you face that volume, buy one. Their limit on the AI section is structural: the section is new, so your answer bank is empty, and the AI drafting features generate from nothing, which reintroduces the ChatGPT problem with better formatting. Automation is where these answers should live after they exist. It is not what writes the first honest version.

Option 5: a done-for-you pack (ours)

This is the AI Security Review Kit: a 30-minute intake about your actual stack, and in 7 days you get the AI section written: the 20 standard questions and the AI-CAIQ set, plus the artifacts reviewers ask for next (model inventory card, data-flow one-pager, subprocessor list, evidence checklist). Gaps are stated honestly with remediation lines, because that is what reviewers actually accept. $490 fixed, money-back. The honest limits: it is per-product, not a platform, and keeping the answers current as your stack changes stays your job.

How to choose in one minute

FAQ

How much does a GRC consultant charge to answer a security questionnaire?

Boutique consultants typically quote four to five figures per engagement and take two to six weeks. Big-4-grade AI assurance work runs far higher. For a single stalled deal, most startups find that hard to justify.

Can questionnaire automation tools (Vanta, Conveyor, Loopio class) answer the AI section?

They excel at reusing answers you already have. The AI section is usually the section you have no answer bank for yet, so the tools draft from nothing and the output describes controls you may not have. You still need a human pass that traces every claim to your real stack.

Is it safe to answer a security questionnaire with ChatGPT?

Two risks. Reviewers have learned to spot generated policy prose describing controls nobody built, and a caught overstatement stalls a review worse than an honest gap. And pasting your architecture docs into a cloud LLM is itself the data-boundary behavior the questionnaire is probing.

How long does the AI section take to answer in-house?

Vendors doing it ad hoc mid-review report six to eight weeks of back-and-forth. Doing it once, properly, before the questionnaire arrives compresses future reviews to days.

What does a done-for-you AI-section pack include?

Your answers to the 20 standard questions plus the AI-CAIQ set, written from your actual stack after an intake, plus the artifacts reviewers ask for next: model inventory card, data-flow one-pager, subprocessor list, and an evidence checklist with honest remediation lines for gaps.

Costs and timelines above are the ranges practitioners report publicly in 2026; get current quotes for your case. We sell option 5, so we said so at the top and priced the comparison honestly.