The compliance paperwork, handed to AI agents that finish the job and show their work.
There is a genre of corporate work that everyone agrees is important, nobody enjoys, and most people are quietly bad at. It is called governance, risk, and compliance - GRC to its friends, of which it has few - and it consists largely of proving, on demand, that your company is doing the things it already said it does.
You take a screenshot. You put it in a folder. You answer a 300-question security questionnaire that is 90% identical to the one you answered last quarter. You test a control, write down that you tested it, and then remember, in eleven months, that you have to test it again. It is honest work. It is also, structurally, the kind of work a sufficiently careful machine could do - which is the entire premise of Zania.
Zania is a Palo Alto company, founded in 2023, that builds autonomous AI agents for security, risk, and compliance. The distinction the company is fond of drawing - and it is a genuinely useful one - is between software that organizes your work and software that does it. Most compliance tools are the first kind. They give you a dashboard, a checklist, a tidy place to store the evidence you gathered by hand. Zania's pitch is that the gathering itself, the testing, the answering, the flagging of gaps, can be handed to what it calls "AI teammates" that run a task from start to finish and then move on to the next one.
The founder is Shruti Gupta, and her resume is the argument. Before Zania she was a Chief Information Security Officer at Airbnb, Instacart, and Brex, and led AI work at Microsoft. This matters because GRC is a market where credibility is the product. It is very easy to build a compliance tool that a compliance professional would never trust, and Gupta has spent enough time on the buyer's side of that table to know exactly which promises make a CISO roll their eyes. "Transforming it from tools that merely organize work into true AI teammates," she has said, "that execute highly complex and critical tasks from start to finish." It is a mission statement that sounds modest and is, in fact, enormous.
Here is roughly what that looks like in practice. Zania's agents do third-party risk management - the grind of vetting every vendor you hand data to, tiering them by risk, collecting their evidence, checking it, and then, crucially, continuing to watch them, because a vendor that was fine in January can be breached in March. They do controls testing, around the clock, checking whether the safeguards you claim to have are both well-designed and actually operating. They do continuous compliance, quietly gathering evidence and surfacing gaps against whatever framework you point them at. They answer security questionnaires in your own voice, backed by real evidence. And there is an "Ask Zania" chat interface, because at some point every enterprise product acquires a chat interface.
The frameworks are the alphabet soup of modern regulation: SOC 2, ISO 27001, HIPAA, GDPR, PCI DSS, the newer ISO 42001 for AI management systems, NIST CSF. If you have ever been in a room where people argued about whether a control satisfies SOC 2's CC6.1, you understand both why this work is tedious and why getting it wrong is expensive.
Zania puts numbers on the value it claims to deliver, and the numbers are the kind that make a slide deck sing: work delivered up to 30 times faster, at 90% lower cost, with 94%-plus accuracy. The most interesting figure, though, is a small one - a claimed hallucination rate below 0.01%. That is an oddly specific number for an AI startup to volunteer, and it is aimed squarely at the one audience that will not be charmed by speed: auditors, who want receipts, and who are professionally allergic to a system that occasionally invents things. Zania's answer is explainability. Every agent action is meant to be traceable, which is less a feature than a survival requirement in a business where "the AI said so" is not an acceptable answer.
The trust story extends to the boring-but-load-bearing details. Zania is SOC 2 Type 2 compliant - it would be awkward if the compliance company were not - runs on private models, and says it does not train on customer data. For a Fortune 500 security team, those three facts are frequently the entire evaluation. You can have the cleverest agents in the world; if the answer to "does our data train your model" is anything but a flat no, the conversation ends.
That conversation appears to be going well. In September 2025 Zania raised an oversubscribed $18 million Series A led by NEA, bringing its total funding to roughly $20 million. The round is a small tell about where the smart money thinks enterprise AI is going. Among the investors is the Anthology Fund, backed by Anthropic and Menlo Ventures - so a leading AI lab is helping to fund the automation of compliance paperwork, which is either the least glamorous or the most quietly sensible use of frontier models, depending on your mood. Palm Drive Capital joined, along with an angel syndicate of executives from Amazon, Airbnb, PayPal, ByteDance, Reddit, Roblox, and PwC.
Some of those names double as customers, which is the pattern you want to see. Zania cites Plaid, Roblox, Reddit, PayPal, Stanford University, and Amplitude among its users, alongside audit and advisory firms - Grant Thornton, Armanino, BDO, Baker Tilly, HCLTech - who use it to move faster through the engagements they bill for. When the auditors themselves adopt your tool, it is a decent sign the tool survives contact with auditors.
The market Zania is walking into is not empty. Vanta and Drata built large businesses helping companies get compliant; Secureframe, OneTrust, AuditBoard, and Cypago all occupy adjacent ground. What Zania is betting is that this incumbency was built for an era of organizing, and that the next era is about executing - agents that don't just track the work but complete it. It is a real bet, not a sure thing, and the honest version of the pitch admits as much. The company plans to use its new money to triple its engineering and go-to-market teams and to invest in proprietary models for the multi-step reasoning that GRC actually requires.
The timing of all this is not an accident. Two things had to happen before autonomous compliance was even plausible: models had to get good enough at multi-step reasoning to be trusted with consequential work, and enterprises had to get comfortable pointing those models at their most sensitive systems. Both shifted in 2024, which is roughly when Zania's agents launched and its revenue, by the company's account, started climbing. A company founded in 2023 that shipped in late 2024 and raised a Series A in 2025 is moving at the pace of a market that just opened, not one it is trying to pry open.
There is a cultural point worth making here, because it shapes what Zania is and isn't trying to be. Founder-led companies tend to inherit the founder's instincts, and Gupta's instinct is a CISO's: assume the worst, prove everything, trust nothing you can't verify. That is why the product leads with private models, data isolation, and audit trails rather than with the flashier demos an AI startup might reach for first. In a category where the buyer is professionally paranoid, that ordering of priorities is itself a form of marketing - and a more honest one than most.
It is also worth being clear-eyed about what "autonomous" means and does not mean. Zania is not proposing that the compliance function evaporate; it is proposing that the humans move up the stack. Someone still has to decide the company's risk appetite, interpret an ambiguous regulation, and own the signature at the bottom of the audit. What the agents remove is the mechanical layer beneath those judgments - the fetching, collating, cross-referencing, and re-answering that consumes the hours but rarely the intellect. If that sounds modest, consider that most compliance teams spend the overwhelming majority of their time on exactly that layer, and the scarcest resource in security is a senior person's attention.
What can you do with Zania, if you are the person losing your weeks to this? Roughly: stop doing evidence collection by hand, stop rewriting the same questionnaire, stop remembering to test the control, and stop treating vendor risk as an annual scramble instead of a continuous state. The promise is your team's judgment applied to the decisions, and the agents applied to everything leading up to them. Whether it fully delivers is the sort of thing that gets settled one audit at a time - which, conveniently, is exactly the timescale on which Zania's agents are designed to work.
"True AI teammates that execute highly complex and critical tasks from start to finish." Shruti Gupta • Founder & CEO, Zania
Vendor reviews with tiering, evidence collection, validation, and continuous monitoring - not a once-a-year scramble.
Internal risk assessments combining qualitative and quantitative evaluation.
24/7 automated testing of control design and operating effectiveness.
Autonomous evidence collection and gap identification against any framework.
AI-drafted answers to vendor and customer assessments, in your voice, backed by evidence.
A chat interface to surface issues and trigger actions, plus policies that auto-update with regulations and your stack.
Former CISO Shruti Gupta starts Zania in Palo Alto to build AI agents for security, risk, and compliance.
Zania ships autonomous agents for third-party risk, controls testing, and continuous compliance, kicking off rapid customer growth.
NEA leads an oversubscribed round with the Anthology Fund and Palm Drive Capital, bringing total funding to about $20M.
Zania builds autonomous AI agents that perform governance, risk, and compliance (GRC) work - third-party risk reviews, controls testing, evidence collection, security questionnaires, and continuous compliance - across frameworks like SOC 2, ISO 27001, and HIPAA.
Zania was founded in 2023 by Shruti Gupta, a former CISO at Airbnb, Instacart, and Brex who also led AI work at Microsoft.
Zania raised an $18M Series A led by NEA in 2025, bringing total funding to roughly $20M. Investors include the Anthology Fund (backed by Anthropic and Menlo Ventures) and Palm Drive Capital.
SOC 2, ISO 27001, HIPAA, GDPR, PCI DSS, ISO 42001, and NIST CSF, among others - and it can work against custom frameworks.
Zania is SOC 2 Type 2 compliant, uses private models, and does not train on customer data. It emphasizes full explainability of every agent action, which is designed to satisfy auditors.