The questionnaire is becoming an org chart.
Traditional vendor review asks about encryption, subprocessors, retention, incident response, and access control. Those questions still matter. But when the reviewed system contains agents that can act, reviewers ask a second class of questions: who is responsible for this worker?
The answer cannot be a model name or an integration diagram. It has to be a personnel record with a manager, a role, approved systems, runtime constraints, and an exit process.
Four answers unblock most reviews.
First, show the agent roster. Procurement wants to see which digital employees exist, what function they perform, and who can approve changes to their job.
Second, show credential custody. Shared API keys and unmanaged service accounts make the agent look like a control gap. Per-agent credentials scoped by connector and action make it reviewable.
Third, show approval evidence. A Slack thumbs-up is not enough for high-risk writes. Reviewers need to know where the action paused, which manager approved it, and what policy was evaluated.
Fourth, show termination. The clean exit proves that the organization can remove the agent without hunting through prompts, keys, workflows, and tickets.
The trust packet should explain lifecycle control, not just platform security.
ARX packages the operating evidence.
ARX turns a review from a static questionnaire into an evidence packet: roster, credential map, approval policy, audit trail, evaluation posture, and termination attestation. The goal is to make the first governed cohort legible to security, legal, finance, HR, and the business owner.