From 57 Conversations to Product: What We Learned

Rusha
Founder, Garnet AI
February 1, 2026

Building on Conversations, Not Assumptions

Before we wrote a single line of production code, we had 57 discovery conversations with security leaders, GRC professionals, procurement teams, and legal ops across the EU.

Here's what we learned.

Pattern 1: Everyone Knows It's Broken

Not a single person we spoke to described their vendor assessment process as "efficient" or "working well." The words we heard most:

  • "Tedious"
  • "Inconsistent"
  • "Bottleneck"
  • "Manual nightmare"

The pain is universal. From 50-person startups to 10,000-employee enterprises, the process is fundamentally the same: download documents, read them manually, write up findings.

Pattern 2: The Problem Isn't Discovery — It's Verification

Many teams have vendor risk management platforms (OneTrust, ServiceNow, Prevalent). These tools are great at tracking which vendors need assessment and managing workflows.

But when it comes to actually reading and verifying the compliance documents? Every platform sends the analyst back to PDFs and manual review.

The gap isn't workflow management — it's document intelligence.

Pattern 3: GDPR Is a Hard Constraint, Not a Preference

Every European security leader we spoke to had the same non-negotiable: vendor data cannot leave the EU.

This isn't a preference — it's a compliance requirement. Any AI solution that sends documents to US-hosted APIs is a non-starter. This informed our decision to build everything on EU-sovereign infrastructure.

Pattern 4: Trust Requires Transparency

Security professionals don't trust black boxes. When we asked what they'd need from an AI-powered verification tool, the top answers were:

  • Document citations: "Show me exactly where in the document you found this"
  • Confidence scoring: "Don't just say pass/fail — tell me how confident you are"
  • Audit trail: "I need to explain this to regulators"
  • Human override: "I want AI to flag, not decide"

Every one of these is now a core feature of Garnet AI.

Pattern 5: Time Savings Must Be Dramatic

Incremental improvements don't change behavior. If we saved 20% of time, teams would keep doing things the old way. The threshold for adoption is 90%+ time reduction — turning days into minutes.

That's our north star metric: from 40 hours per vendor to under 4 hours, with 90% of the work automated.

What This Means for Our Product

These conversations didn't just validate the problem — they shaped every product decision:

  • EU-sovereign infrastructure (Pattern 3)
  • Document-level citations (Pattern 4)
  • Confidence scoring (Pattern 4)
  • 90% automation target (Pattern 5)
  • GRC integration, not replacement (Pattern 2)

We're now onboarding alpha users and iterating based on real usage. If you're dealing with the same challenges, we'd love to talk.
