Security questionnaire drafter
Turn an inbound vendor security questionnaire into source-backed draft answers, with evidence links and a review queue for anything risky or stale.
Build me an agent workflow that drafts answers to inbound vendor security questionnaires (SOC 2, ISO 27001, CAIQ, SIG, and custom vendor questionnaires). I run this on demand when a prospect or customer sends us one.
Inputs the agent should accept on every run:
1. The questionnaire itself, as an attached spreadsheet (xlsx/csv), PDF, Word doc, or pasted text. The agent must parse it into a list of questions with any per-question context (section, expected answer type, free text vs yes/no, evidence requested).
2. Optional extra context: uploaded policy files, pasted notes from the security team, and a short brief like "this is for an enterprise prospect, lean conservative" or "no SSO yet, say roadmap Q3".
For each question, the agent should try knowledge-base sources first, in this order, because those have the freshest evidence:
- Notion: search pages and read their full content as markdown to pull policy language, control descriptions, and prior answers.
- Google Drive: search files (including Docs, Sheets, and PDFs) and download or export their content. Treat folders the user scopes us to (e.g. "GRC/SOC 2 evidence") as authoritative.
- Microsoft SharePoint: search drive items across the configured site, download file content for matches.
- Box: search content across the user's files and download matching evidence.
- Dropbox: search files by name and content, download matching files.
If nothing relevant comes back from the connected knowledge bases, fall back to the uploaded materials and pasted notes provided on this run. If still nothing, mark the question as needing human input rather than guessing.
For every question produce:
- A concise draft answer in the style and length the questionnaire expects (short yes/no, paragraph, control mapping, etc.). Plain English, no marketing fluff, no hedging beyond what the source supports.
- Source citations: for each fact in the answer, the document name, the location (page or section), the system it came from, and a clickable link back to that file or page.
- Evidence pointers: when the questionnaire asks for an attachment (policy, audit report, pen test summary), list the specific evidence file from the knowledge base the reviewer should attach, with its link.
- A confidence tag (high / medium / low) and a review reason if not high.
Build a review queue at the end that surfaces, separately:
- Exceptions: questions where the truthful answer is "no" or "partial" against a control we do not fully meet. These need a security owner to phrase the response.
- Stale evidence: any source document older than 12 months (configurable), or where the document owner is no longer at the company if that signal is available.
- Conflicting sources: when two knowledge bases give different answers for the same control, surface both with their source links and ask the reviewer to pick.
- Unanswered: questions with no usable source in any system.
Output: return the drafted questionnaire in the same shape as the input (e.g. a filled spreadsheet if the input was a spreadsheet, an annotated PDF or a Word doc otherwise), plus a short summary message that lists counts by status (drafted high-confidence, drafted needs review, exceptions, unanswered) and links to the review queue.
Trigger: run on demand. I will hand the agent a questionnaire each time. No schedule.
Tone for answers: factual, specific, no marketing language. Never invent a control or certification we do not have evidence for. When in doubt, route to the review queue.
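The per-question triage described above (knowledge bases in order, fallback to uploads, confidence tags, and the four review-queue buckets) as an added Python example. This is illustration code, not part of this page and not Geni's own implementation: the `Evidence`/`Question`/`Draft` dataclasses, the control keys such as `access.sso`, the system labels, the example.invalid links, and the sample index are all constructed here so the logic runs offline.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Search order from the brief: connected knowledge bases first, run-specific uploads last.
# The system labels are assumed names for this example.
SOURCE_ORDER = ["notion", "gdrive", "sharepoint", "box", "dropbox", "upload"]
RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Evidence:
    system: str        # knowledge base the document came from, or "upload"
    doc: str           # document name
    location: str      # page or section
    link: str          # clickable link back to the file or page
    answer: str        # normalized answer for the control: "yes", "no" or "partial"
    updated: date      # last-modified date of the document
    owner_active: bool = True  # False when the owner has left the company, if known


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    control: str       # control key the question maps to (assumed scheme, e.g. "access.sso")


@dataclass
class Draft:
    qid: str
    answer: Optional[str]                 # None when no usable source exists
    citations: list = field(default_factory=list)
    confidence: str = "high"
    reasons: list = field(default_factory=list)  # "<bucket>: detail", one per review reason

    def downgrade(self, level):
        """Lower confidence to `level` unless it is already lower."""
        if RANK[level] > RANK[self.confidence]:
            self.confidence = level


def is_stale(ev, today, max_age_days):
    """Stale = older than the configurable threshold, or the document owner is gone."""
    return (today - ev.updated).days > max_age_days or not ev.owner_active


def draft_question(q, index, today, max_age_days=365):
    """Pick evidence in source order, then attach every review reason that applies."""
    all_hits = index.get(q.control, [])
    kb_hits = [e for e in all_hits if e.system != "upload"]
    hits = kb_hits or [e for e in all_hits if e.system == "upload"]  # fallback to uploads
    if not hits:
        return Draft(q.qid, None, [], "low", ["unanswered: no usable source in any system"])
    hits = sorted(hits, key=lambda e: SOURCE_ORDER.index(e.system))
    primary = hits[0]  # highest-ranked system supplies the answer; all hits are cited
    d = Draft(q.qid, primary.answer,
              [f"{e.system}: {e.doc}, {e.location} <{e.link}>" for e in hits])
    if len({e.answer for e in hits}) > 1:  # different systems disagree on the control
        d.reasons.append("conflict: " + "; ".join(f"{e.system} says {e.answer!r}" for e in hits))
        d.downgrade("low")
    if primary.answer in ("no", "partial"):  # truthful answer against an unmet control
        d.reasons.append(f"exception: control not fully met ({primary.answer})")
        d.downgrade("medium")
    stale = [e for e in hits if is_stale(e, today, max_age_days)]
    if stale:
        d.reasons.append("stale: " + ", ".join(f"{e.doc} ({e.updated.isoformat()})" for e in stale))
        d.downgrade("medium")
    return d


def build_review_queue(drafts):
    """Bucket drafts by the queue categories in the brief; one draft can land in several."""
    queue = {"exceptions": [], "stale": [], "conflicts": [], "unanswered": []}
    bucket = {"exception": "exceptions", "stale": "stale", "conflict": "conflicts",
              "unanswered": "unanswered"}
    for d in drafts:
        for r in d.reasons:
            queue[bucket[r.split(":", 1)[0]]].append(d.qid)
    return queue


def summary_counts(drafts):
    """Status counts for the summary message; an exception is counted once, not as needs-review."""
    counts = {"drafted_high": 0, "drafted_needs_review": 0, "exceptions": 0, "unanswered": 0}
    for d in drafts:
        if d.answer is None:
            counts["unanswered"] += 1
        elif any(r.startswith("exception:") for r in d.reasons):
            counts["exceptions"] += 1
        elif d.confidence == "high":
            counts["drafted_high"] += 1
        else:
            counts["drafted_needs_review"] += 1
    return counts


TODAY = date(2025, 6, 1)  # constructed run date

# Constructed sample index (control key -> evidence found); none of these documents are real.
SAMPLE_INDEX = {
    "access.mfa": [Evidence("notion", "Access Control Policy", "section 4.2",
                            "https://example.invalid/notion/acp", "yes", date(2025, 2, 1))],
    "access.sso": [Evidence("gdrive", "SOC 2 Type II Report", "CC6.1",
                            "https://example.invalid/gdrive/soc2", "yes", date(2023, 6, 1)),
                   Evidence("notion", "IAM Roadmap", "SSO",
                            "https://example.invalid/notion/iam", "partial", date(2025, 1, 10))],
    "data.encryption_at_rest": [Evidence("gdrive", "Encryption Standard", "p. 3",
                                         "https://example.invalid/gdrive/enc", "yes", date(2023, 5, 1))],
    "bcp.tested": [Evidence("upload", "security-team-notes.txt", "BCP",
                            "upload://security-team-notes.txt", "yes", date(2025, 4, 20))],
}
SAMPLE_QUESTIONS = [
    Question("Q1", "Is MFA enforced for all employee accounts?", "access.mfa"),
    Question("Q2", "Do you support SAML SSO for customer logins?", "access.sso"),
    Question("Q3", "Is customer data encrypted at rest?", "data.encryption_at_rest"),
    Question("Q4", "Was the business continuity plan tested in the last year?", "bcp.tested"),
    Question("Q5", "Date of your most recent third-party penetration test?", "vuln.pentest"),
]


def run(questions=SAMPLE_QUESTIONS, index=SAMPLE_INDEX, today=TODAY, max_age_days=365):
    drafts = [draft_question(q, index, today, max_age_days) for q in questions]
    return drafts, build_review_queue(drafts), summary_counts(drafts)
```

On the sample run, Q2 shows the point of surfacing conflicts rather than merging them: Notion's recent "partial" wins on source order, but the older SOC 2 report says "yes", so the draft lands in the exceptions, stale, and conflicts buckets at low confidence for a security owner to phrase. Q4 is answered from the uploaded notes only because no knowledge base had the control, and Q5 is marked unanswered rather than guessed.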
Additional information
What does this prompt do?
- Reads the questionnaire you attach or paste, whether it is a spreadsheet, PDF, Word doc, or plain text.
- Searches your connected knowledge bases in Box, Dropbox, Google Drive, Notion, and SharePoint for the freshest policy and control evidence to back each answer.
- Drafts concise, plain-English answers and lists the exact source documents and page references it used.
- Flags exceptions, stale evidence, and anything that needs a security or legal reviewer before you send the questionnaire back.
What do I need to use this?
- A security questionnaire to respond to (spreadsheet, PDF, Word doc, or text you can paste in).
- A login to at least one knowledge base where your policies and audit evidence live: Box, Dropbox, Google Drive, Notion, or Microsoft SharePoint.
- Optional: extra uploaded files or pasted notes for anything not yet in your knowledge base.
How can I customize it?
- Pick which knowledge bases the drafter searches first, for example Notion for policies and Google Drive for SOC 2 evidence.
- Tell it which folders, sites, or workspaces to scope to, so it never pulls answers from old drafts or personal files.
- Set what counts as stale, for example flag any evidence older than 12 months or any control owned by a person who has left the company.
- Choose the output format you want, such as a filled-in spreadsheet, a Notion page, or a Word doc with answers and source links inline.
Frequently asked questions
Do I need every knowledge base connected?
No. One connected knowledge base where your policies and audit evidence live is enough (Box, Dropbox, Google Drive, Notion, or Microsoft SharePoint). Anything not yet in a knowledge base can be uploaded or pasted in on the run that needs it.
Will it send the questionnaire back to the customer automatically?
No. It returns the drafted questionnaire and a summary to you. A security or legal reviewer works through the review queue, and you send the questionnaire back.
How does it handle questions it is not sure about?
It does not guess. A question with no usable source in any system is marked unanswered, and a draft the sources only partly support gets a medium or low confidence tag with a review reason and is routed to the review queue.
Can it cite the exact source for each answer?
Yes. Each fact in a draft answer carries the document name, the page or section, the system it came from, and a link back to that file or page.
What formats of questionnaire does it accept?
Spreadsheets (xlsx or csv), PDFs, Word documents, or plain text you paste in.
Stop rewriting the same SOC 2 answers from scratch.
Connect your knowledge bases once, and Geni drafts source-backed questionnaire answers the next time a prospect sends one over.