Intent‑Based AI Routing Engine for Real‑Time Security Questionnaire Collaboration

Security questionnaires, compliance audits, and vendor risk assessments are a persistent pain point for SaaS companies. The traditional workflow—manual triage, static assignment lists, and ad‑hoc email chatter—creates latency, introduces human error, and makes it difficult to scale as the volume of questionnaires grows.

What if every single question could be instantly routed to the exact person (or AI‑assistant) who possesses the required knowledge, while simultaneously surfacing supporting evidence from a live knowledge graph?

Enter the Intent‑Based AI Routing Engine (IBARE), a new architectural pattern that powers real‑time, intent‑driven collaboration inside platforms like Procurize. IBARE blends cutting‑edge natural language understanding, a continuously enriched knowledge graph, and a lightweight micro‑service orchestration layer to deliver:

  • Sub‑second question classification – the system understands the underlying intent of a question (e.g., “encryption at rest”, “incident response flow”, “data residency”) rather than relying on keyword matching alone.
  • Dynamic expert matching – using skill‑profiles, workload metrics, and historical answer quality, IBARE selects the most appropriate SME, AI‑assistant, or hybrid pair.
  • Context‑aware evidence retrieval – the routing decision is enriched with relevant policy excerpts, audit artifacts, and versioned evidence drawn from a federated knowledge graph.
  • Real‑time feedback loop – each answered question feeds back into the model, improving intent detection and expert ranking for future questionnaires.

In the sections below we dissect the architecture, walk through a real‑world use case, explore key implementation details, and quantify the business impact.


1. Why Intent, Not Keywords?

Most existing questionnaire automation tools rely on simple keyword or rule‑based routing:

if "encryption" in question → assign to Security Engineer
if "GDPR" in question → assign to Data Privacy Lead

These approaches break down when questions are phrased ambiguously, contain multiple topics, or use domain‑specific jargon.

Intent detection goes a step further by interpreting what the asker actually needs:

| Example Question | Keyword‑Based Assignment | Intent‑Based Assignment |
|---|---|---|
| “Do you encrypt backups in transit?” | Backup Engineer (keyword: “backup”) | Security Engineer (intent: “data‑in‑transit encryption”) |
| “How do you handle a ransomware incident?” | Incident Response Lead (keyword: “ransomware”) | Incident Response Lead plus Security Engineer (intent: “ransomware response process”) |
| “What contractual clauses cover data residency for EU customers?” | Legal Counsel (keyword: “EU”) | Compliance Lead (intent: “data residency contract clauses”) |

By extracting the semantic intent, the system can route the question to a team member whose expertise aligns with the action or concept rather than merely a surface term.
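The difference can be sketched in a few lines. This is a minimal, hypothetical mapping from intent labels to assignee roles — the labels and role names below are illustrative, not Procurize's actual taxonomy:

```python
# Hypothetical sketch: routing on detected intents instead of surface keywords.
# A multi-topic question can yield several intents, and hence several assignees.

INTENT_TO_ROLES = {
    "data-in-transit-encryption": ["Security Engineer"],
    "ransomware-response-process": ["Incident Response Lead", "Security Engineer"],
    "data-residency-contract-clauses": ["Compliance Lead"],
}

def route_by_intent(detected_intents: list[str]) -> list[str]:
    """Collect every role mapped to any detected intent, preserving order."""
    roles: list[str] = []
    for intent in detected_intents:
        for role in INTENT_TO_ROLES.get(intent, []):
            if role not in roles:
                roles.append(role)
    return roles

print(route_by_intent(["ransomware-response-process"]))
# → ['Incident Response Lead', 'Security Engineer']
```

Because routing keys on the intent rather than a keyword, the ransomware question above lands with both the Incident Response Lead and a Security Engineer, matching the table's intent‑based column.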


2. High‑Level Architecture

Below is a Mermaid diagram that visualizes the primary components and data flow of IBARE.

```mermaid
flowchart TD
    subgraph Frontend
        UI[User Interface] -->|Submit Question| API[REST / GraphQL API]
    end

    subgraph Core
        API --> Intent[Intent Detection Service]
        Intent --> KG[Dynamic Knowledge Graph]
        Intent --> Skills[SME Skill‑Profile Service]
        KG --> Evidence[Evidence Retrieval Service]
        Skills --> Ranking[Expert Ranking Engine]
        Evidence --> Ranking
        Ranking --> Router[Routing Engine]
    end

    subgraph Workers
        Router -->|Assign| SME[Subject‑Matter Expert / AI Assistant]
        SME -->|Answer| Feedback[Feedback Collector]
        Feedback --> KI[Knowledge‑Graph Ingestion]
        Feedback --> Model[Model Retraining Loop]
    end

    classDef external fill:#f9f9f9,stroke:#333,stroke-width:1px;
    class UI,API,SME external;
```

Key components

| Component | Responsibility |
|---|---|
| Intent Detection Service | Converts raw question text into a multi‑label intent vector using a fine‑tuned transformer (e.g., RoBERTa‑large). |
| Dynamic Knowledge Graph (KG) | Stores entities such as policies, evidence, controls, and their relationships. Continuously enriched from answered questions. |
| SME Skill‑Profile Service | Maintains a profile for each human expert and AI‑assistant, including domain expertise, certifications, recent workload, and answer quality scores. |
| Evidence Retrieval Service | Queries the KG for the most relevant documents (policy clauses, audit logs, versioned artifacts) based on intent. |
| Expert Ranking Engine | Combines intent similarity, expert skill match, availability, and historical latency to produce a ranked list of candidates. |
| Routing Engine | Selects the top candidate(s), creates a task in the collaboration hub, and notifies the assignee(s). |
| Feedback Collector | Captures the final answer, associated evidence, and a satisfaction rating. |
| Knowledge‑Graph Ingestion | Incorporates new evidence and relationship updates back into the KG, closing the loop. |
| Model Retraining Loop | Periodically retrains the intent model using newly labeled data to improve accuracy over time. |

3. Detailed Walkthrough of a Real‑World Scenario

Scenario: A sales engineer receives a request from a prospective enterprise customer:

“Can you provide details on how you isolate customer data in a multi‑tenant environment and what encryption mechanisms you use for data at rest?”

Step 1 – Submission

The engineer pastes the question into the Procurize dashboard. The UI sends a POST request to the API with the raw text.

Step 2 – Intent Extraction

The Intent Detection Service passes the text through a fine‑tuned transformer that outputs a probability distribution over a taxonomy of 120 intents. For this question the top three intents are:

  1. Tenant Isolation – 0.71
  2. Encryption‑at‑Rest – 0.65
  3. Data Residency – 0.22

These intents are stored as a multi‑label vector attached to the question record.
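Mechanically, multi‑label intent extraction applies an independent sigmoid to each label's logit (rather than a softmax across labels, since several intents can hold at once). The sketch below is illustrative: the logit values and the 0.5 keep‑threshold are assumptions chosen so the probabilities roughly match the walkthrough, not the production model's actual outputs.

```python
import math

def sigmoid(x: float) -> float:
    return 1.0 / (1.0 + math.exp(-x))

def extract_intents(logits: dict[str, float], threshold: float = 0.5) -> list[tuple[str, float]]:
    """Independent sigmoid per label (multi-label, not softmax);
    keep labels whose probability clears the threshold, highest first."""
    scored = {label: round(sigmoid(z), 2) for label, z in logits.items()}
    kept = [(label, p) for label, p in scored.items() if p >= threshold]
    return sorted(kept, key=lambda pair: pair[1], reverse=True)

# Toy logits chosen to reproduce the walkthrough's probabilities.
logits = {"tenant-isolation": 0.9, "encryption-at-rest": 0.62, "data-residency": -1.27}
print(extract_intents(logits))
# → [('tenant-isolation', 0.71), ('encryption-at-rest', 0.65)]
```

Note that with this threshold the low‑confidence “data‑residency” label (0.22) is dropped from routing, though it can still be stored on the question record for later analysis.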

Step 3 – Knowledge Graph Query

The KG receives the intent vector and executes a semantic similarity search (using vector embeddings of policy clauses). It returns:

| Document | Relevance Score |
|---|---|
| “SOC 2 – System‑Level Control 5.3: Tenant Isolation” | 0.84 |
| “ISO 27001 Annex A.10: Cryptographic Controls” | 0.78 |
| “Internal Whitepaper: Multi‑Tenant Architecture v2.4” | 0.66 |

The most relevant artifacts are bundled into an evidence package attached to the question record.
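At its core, the semantic similarity search ranks stored artifacts by cosine similarity between the question's intent embedding and each document's embedding. The sketch below uses toy 3‑dimensional vectors and made‑up scores purely to show the mechanics; the production KG (Neo4j vector indexes, see section 4.2) operates over much larger embeddings.

```python
import math

def cosine(a: list[float], b: list[float]) -> float:
    """Cosine similarity: dot product over the product of vector norms."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return dot / (na * nb)

# Toy document embeddings (illustrative values, not real model output).
documents = {
    "SOC 2 Control 5.3: Tenant Isolation": [0.9, 0.3, 0.1],
    "ISO 27001 Annex A.10: Cryptographic Controls": [0.2, 0.9, 0.2],
    "Internal Whitepaper: Multi-Tenant Architecture v2.4": [0.7, 0.1, 0.6],
}

query = [0.8, 0.5, 0.2]  # embedding of the combined detected intents

ranked = sorted(
    ((doc, round(cosine(query, vec), 2)) for doc, vec in documents.items()),
    key=lambda pair: pair[1],
    reverse=True,
)
for doc, score in ranked:
    print(f"{score:.2f}  {doc}")
```

The top‑scoring artifacts become the evidence package handed to the assignee.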

Step 4 – Skill‑Profile Matching

The Skills Service looks up all experts tagged with Cloud Architecture, Security Engineering, and Compliance. Each expert’s skill embedding is compared against the intent vector. Simultaneously, the service factors in:

  • Current workload (pending tasks, queue length)
  • Answer quality score (averaged from past questionnaire responses)
  • Time‑zone proximity (to reduce latency)

The top‑ranked candidate is Alex Patel (Senior Cloud Security Engineer), with a composite score of 0.92. An AI‑assistant specialized in cryptographic policy (named CryptoBot) is also suggested with a score of 0.87.

Step 5 – Routing & Notification

The Routing Engine creates a collaboration task that includes:

  • The original question
  • Detected intents
  • Evidence package (download links)
  • Suggested AI‑assistant (optional)

Alex receives a push notification in Slack and the Procurize UI, while CryptoBot is instantiated as a background micro‑service ready to augment the answer.
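A collaboration task of this shape can be modeled as a small record. The field names below are assumptions for illustration — the actual Procurize task schema is not public:

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical task record emitted by the Routing Engine in Step 5.
@dataclass
class RoutingTask:
    question: str
    intents: list[str]
    evidence_links: list[str]          # links into the evidence package
    assignee: str
    ai_assistant: Optional[str] = None  # optional hybrid human/AI pairing
    notifications: list[str] = field(default_factory=lambda: ["slack", "in-app"])

task = RoutingTask(
    question="How do you isolate customer data in a multi-tenant environment?",
    intents=["tenant-isolation", "encryption-at-rest"],
    evidence_links=["kg://soc2/control-5.3", "kg://iso27001/annex-a10"],
    assignee="Alex Patel",
    ai_assistant="CryptoBot",
)
print(task.assignee, task.ai_assistant)
# → Alex Patel CryptoBot
```

Keeping the task self‑describing (question, intents, and evidence in one record) is what lets the assignee start answering without hunting for context.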

Step 6 – Answer Composition

Alex reviews the evidence, adds additional context about recent platform upgrades, and invokes CryptoBot to auto‑generate a concise paragraph describing the encryption algorithm (AES‑256‑GCM). The merged answer is edited, approved, and submitted.

Step 7 – Feedback Loop

The customer marks the answer as “fully satisfactory”. The Feedback Collector records:

  • Answer text
  • Linked evidence IDs
  • Satisfaction rating (5/5)

The Knowledge‑Graph Ingestion service adds a new node “Answer‑2025‑10‑21‑001” linked to the original question, the evidence, and the intent labels. This node becomes part of future similarity searches.

Step 8 – Model Update

The newly labeled data (question + confirmed intents + answer) is added to the training pipeline. After accumulating a batch of 1,000 such interactions, the intent model is retrained, sharpening its ability to detect nuanced intents like “tenant‑level key management”.
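The batching rule is simple to sketch: queue each confirmed (question, intents) pair and trigger retraining once the batch fills. The 1,000‑example trigger comes from the text; everything else below is illustrative.

```python
# Toy sketch of the Step 8 batching rule. In production the drained batch
# would be handed to a training pipeline rather than discarded.
class RetrainingBuffer:
    def __init__(self, batch_size: int = 1000):
        self.batch_size = batch_size
        self.examples: list[tuple[str, list[str]]] = []

    def add(self, question: str, confirmed_intents: list[str]) -> bool:
        """Queue one labeled example; return True when retraining should fire."""
        self.examples.append((question, confirmed_intents))
        if len(self.examples) >= self.batch_size:
            self.examples.clear()  # batch handed off to the training pipeline
            return True
        return False

buf = RetrainingBuffer(batch_size=3)  # tiny batch for demonstration
results = [buf.add(f"q{i}", ["tenant-isolation"]) for i in range(3)]
print(results)  # → [False, False, True]
```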


4. Core Technical Building Blocks

4.1 Intent Detection Model

  • Architecture: RoBERTa‑large fine‑tuned on a proprietary dataset of 50k annotated questionnaire sentences.
  • Loss Function: Binary cross‑entropy for multi‑label classification.
  • Training Augmentation: Back‑translation for multilingual robustness (English, German, Japanese, Spanish).
  • Performance: Macro‑F1 = 0.91 on a held‑out validation set; average latency ≈ 180 ms per request.

4.2 Knowledge Graph Platform

  • Engine: Neo4j 5.x with built‑in vector similarity indexes (via the Neo4j Graph Data Science library).
  • Schema Highlights:
    • Entity Types: Policy, Control, Evidence, Question, Answer, Expert.
    • Relationships: VALIDATES, EVIDENCES, AUTHORED_BY, RELATED_TO.
  • Versioning: Every artifact is stored with a version property and a valid_from timestamp, enabling audit‑ready time travel.
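The “time travel” this enables amounts to selecting, for any audit date, the latest artifact version whose `valid_from` precedes that date. A minimal sketch, with made‑up versions and dates:

```python
from datetime import datetime

# Illustrative versioned artifacts, mirroring the version / valid_from schema.
versions = [
    {"version": "2.2", "valid_from": datetime(2024, 1, 10)},
    {"version": "2.3", "valid_from": datetime(2024, 9, 1)},
    {"version": "2.4", "valid_from": datetime(2025, 3, 15)},
]

def version_at(versions: list[dict], when: datetime):
    """Latest version whose valid_from is on or before `when`, else None."""
    in_force = [v for v in versions if v["valid_from"] <= when]
    return max(in_force, key=lambda v: v["valid_from"]) if in_force else None

print(version_at(versions, datetime(2024, 12, 1))["version"])  # → 2.3
```

In the KG itself the same filter would run inside the graph query, so an auditor sees exactly the policy text that was in force on the date in question.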

4.3 Skill‑Profile Service

  • Data Sources: HR directory (skills, certifications), internal ticketing system (task completion times), and a quality score derived from post‑answer surveys.
  • Embedding Generation: FastText embeddings of skill phrases, concatenated with a dense workload vector.
  • Ranking Formula:
score = α * intent_similarity
      + β * expertise_match
      + γ * availability
      + δ * historical_quality

where α=0.4, β=0.35, γ=0.15, δ=0.10 (tuned via Bayesian optimization).
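The formula transcribes directly into code with the published weights. The candidate feature values below are invented for illustration (each assumed normalized to [0, 1] before weighting):

```python
# Weighted composite score from section 4.3, using the tuned weights.
WEIGHTS = {
    "intent_similarity": 0.40,   # α
    "expertise_match": 0.35,     # β
    "availability": 0.15,        # γ
    "historical_quality": 0.10,  # δ
}

def composite_score(features: dict[str, float]) -> float:
    """Weighted sum of normalized candidate features, rounded to 2 places."""
    return round(sum(WEIGHTS[name] * features[name] for name in WEIGHTS), 2)

# Hypothetical feature values for one candidate.
candidate = {"intent_similarity": 0.95, "expertise_match": 0.93,
             "availability": 0.85, "historical_quality": 0.90}
print(composite_score(candidate))  # → 0.92
```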

4.4 Orchestration & Micro‑Services

All services are containerized (Docker) and coordinated through Kubernetes with Istio service mesh for observability. Asynchronous communication uses NATS JetStream for low‑latency event streaming.

4.5 Security & Privacy Considerations

  • Zero‑Knowledge Proofs (ZKP): For highly sensitive evidence (e.g., internal penetration‑test reports), the KG stores only ZKP commitments; the actual file remains encrypted in an external vault (with keys managed via AWS KMS) and is decrypted on‑demand for the assigned expert.
  • Differential Privacy: The intent model training pipeline adds calibrated Laplace noise to aggregated gradient updates to protect any individual questionnaire’s content.
  • Audit Trail: Every routing decision, evidence lookup, and answer edit is logged in an immutable append‑only ledger (Hyperledger Fabric), satisfying SOC 2 traceability requirements.
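The differential‑privacy step amounts to adding calibrated Laplace noise to an aggregated update before it leaves the training worker. This is a hedged sketch of that calibration; the sensitivity and epsilon values are assumptions for illustration, not the pipeline's actual parameters:

```python
import math
import random

def laplace_noise(scale: float) -> float:
    """Sample Laplace(0, scale) via inverse-CDF of a uniform draw."""
    u = random.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1 - 2 * abs(u))

def privatize(aggregate: list[float], sensitivity: float = 1.0,
              epsilon: float = 0.5) -> list[float]:
    """Add Laplace(sensitivity / epsilon) noise to each coordinate.
    Smaller epsilon = stronger privacy = larger noise scale."""
    scale = sensitivity / epsilon
    return [g + laplace_noise(scale) for g in aggregate]

random.seed(0)  # deterministic for the demo
noisy = privatize([0.12, -0.07, 0.31])
print(len(noisy))  # same dimensionality as the input, perturbed values
```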

5. Measuring Business Impact

| Metric | Baseline (Manual) | After IBARE Deployment |
|---|---|---|
| Average questionnaire turnaround (days) | 12 | 3.4 (‑71.7 %) |
| Average time to first assignment (hours) | 6.5 | 0.2 (‑96.9 %) |
| Answer accuracy (post‑review revisions) | 18 % of answers need revision | 4 % |
| SME satisfaction (survey score 1‑5) | 3.2 | 4.6 |
| Compliance audit findings related to questionnaire handling | 7 per year | 1 per year |

A pilot with three enterprise SaaS customers over six months showed a net ROI of 4.3×, primarily driven by shortened sales cycles and reduced legal overhead.


6. Implementation Checklist for Teams

  1. Define Intent Taxonomy – Collaborate with security, legal, and product teams to enumerate high‑level intents (≈ 100–150).
  2. Curate Training Data – Annotate at least 10 k historical questionnaire sentences with intents.
  3. Build Skill Profiles – Pull data from HR, Jira, and internal surveys; normalize skill descriptors.
  4. Deploy Knowledge Graph – Ingest existing policy documents, evidence artifacts, and version history.
  5. Integrate with Collaboration Hub – Connect the routing engine to Slack, Teams, or a custom UI.
  6. Establish Feedback Loop – Capture satisfaction ratings and add them to the retraining pipeline.
  7. Monitor KPIs – Set up Grafana dashboards for latency, routing success rate, and model drift.

7. Future Directions

7.1 Multi‑Modal Intent Detection

Incorporate document images (e.g., scanned contracts) and audio clips (voice‑recorded briefings) using CLIP‑style multimodal models, expanding routing capability beyond plain text.

7.2 Federated Knowledge Graphs

Enable cross‑organization graph federation where partner companies can share anonymized policy snippets, improving intent coverage without exposing proprietary data.

7.3 Auto‑Generated Expert Profiles

Leverage large‑language models (LLMs) to synthesize a draft skill profile for new hires based on résumé parsing, reducing onboarding friction.


8. Conclusion

The Intent‑Based AI Routing Engine reimagines how security questionnaire workflows are orchestrated. By interpreting the true intent behind each question, dynamically matching it to the right human or AI expert, and grounding answers in a living knowledge graph, organizations can:

  • Accelerate response times from weeks to hours,
  • Raise answer quality through context‑aware evidence,
  • Scale collaboration across distributed teams, and
  • Maintain auditable, compliant processes that satisfy regulators and customers alike.

For SaaS firms looking to future‑proof their vendor risk management, IBARE offers a concrete, extensible blueprint—one that can be incrementally adopted and continuously refined as the compliance landscape evolves.
