What you need to know: Suffolk is a national construction company running 100+ software pilots a year across 150+ worksites with 5,000+ active suppliers and no dedicated procurement team. Using Levelpath, the Office of the CIO deployed AI Agents to manage supplier risk at scale, scoring security responses against government compliance standards, surfacing contract exposure, and flagging risk before suppliers are ever onboarded. The result: a 50%+ reduction in contract review cycle times and a risk program that runs without headcount.
The Risk Problem Construction Companies Do Not Talk About
Construction margins have stayed roughly flat for decades as productivity gains slow. The companies breaking out are the ones leaning hardest into technology: piloting new software, deploying drones for site surveys, using robotics to accelerate the build.
The side effect of that appetite for innovation is supplier volume. More pilots mean more contracts, which leads to more risk sitting in documents that no one has fully read. Security terms that made sense two years ago may no longer meet compliance standards. Auto-renewal clauses quietly extend relationships that the team no longer wishes to continue. Data access provisions that predate an AI integration create exposure nobody anticipated.
For most organizations, this risk stays invisible until something goes wrong. The contracts are hosted in SharePoint, the reviews happen over email, and the knowledge lives only with whoever was in the room when the deal was signed.
Meet Suffolk
Suffolk is one of the nation's largest construction companies, headquartered in Boston and operating across the United States and US Territories. Their structure is intentionally decentralized. Until recently, they had no formalized technology procurement team at all. Supplier risk management responsibility sat with the Office of the CIO.
The Challenge: Email Threads and SharePoint Archives
When Meg Kociemba joined Suffolk as Senior Director in the Office of the CIO, contract risk management was scattered, inconsistent, and non-auditable.
Their contracts lived only in SharePoint. If someone needed to know what the organization's exposure was in a specific area, there was no fast way to find out. Searches were limited to metadata filters, and reading the actual document was the only way to understand what was in it. For a team managing so many suppliers and running new software evaluations every year, that model does not scale.
Additionally, the intake process happened entirely over email. When someone in an innovation role came forward with a new technology they wanted to pilot, they learned the approval process through trial and error. There was no consistent methodology for security reviews. Requests were difficult to track, with no visibility into how many were in flight, how long they were taking, or whether there was overlap. Reviewing the actual contract terms happened at the end of the process, if it happened at all.
"What we were finding when I came on board is that our insight into the contracts was a bit challenging," said Meg. "We didn't have a front door that we could easily query against and pull those terms out."
The Turning Point: AI Agents Handle the Work
Suffolk implemented Levelpath to give their team the infrastructure a procurement function would normally provide, without building a procurement function to run it.
The first shift was visibility. AI Agents now search across all contracts instantly, surfacing risk language and obligations without manual review. When a new supplier comes in, the workflow is structured and visible. Team members can see exactly where a request sits in the process. The institutional knowledge that used to live in email threads is documented, searchable, and accessible to the whole team.
The second shift was how risk gets evaluated. Suffolk built a custom AI Agent grounded in the CMMC framework, a government cybersecurity standard, to score supplier security responses automatically. The AI Agent was live in under 20 minutes.
The AI Agent compares each supplier’s answers against the standard and surfaces whether they meet Suffolk's requirements, flagging anything that needs a closer look or a mitigation plan.
"What we did to build this AI Agent is we pulled down the government handbook and said: based on our suppliers' responses, can you score their information security responses against the CMMC guidelines and give us advice on whether it's going to meet our requirements?" said Meg.
"It was less than 20 minutes. It's kind of shocking how little time it took." – Meg Kociemba, Senior Director, Office of the CIO, Suffolk
Proactively Act on Identified Risk
One of Meg's favorite capabilities is what happens after risk is identified. Levelpath automatically creates follow-up tasks that are scored low, medium, or high, with scheduled actions, due dates, and ownership assigned to a team member.
"If we're identifying the risks but we're not making them documented and accountable, why are we doing it?" asked Meg. For a team running 100+ pilots a year in a decentralized environment, that accountability layer is what keeps things from falling through the cracks. Suffolk logs a risk task at contract close and a 30-day follow-up timer is set automatically.
The Contract Discovery Agent adds another layer. Suffolk loads their gold standard MSA into the tool, and the AI Agent compares each incoming agreement against it, identifying deviating clauses, risky terms, and the points worth negotiating. When a supplier recently failed to deliver an SSO implementation they had contractually committed to, Meg turned to the Contract Discovery Agent to understand the exposure and draft a response. The AI Agent surfaced the breach, drafted a professional email to the supplier, and produced a formal breach letter on request.
"It took all the emotion out of it for me," she said. "And I was really impressed at how it drafted the breach letter."
Why AI Agents Matter for Supplier Risk
AI Agents matter for supplier risk because they allow organizations to move faster while still limiting their exposure to risk. Most organizations treat supplier risk as a legal problem, something to manage after contracts are signed. With AI Agents, Suffolk is treating it as an operational capability, one that runs continuously and surfaces what matters before it becomes an issue.
When AI Agents handle the compliance scoring, clause comparison, and follow-up tracking, the team's expertise can go toward decisions rather than document review. The people who understand the business, who know why TLS 1.2 matters for a particular integration or what an insurance gap means on a construction site, can spend their time on the calls and negotiations that require judgment. Not reading PDF attachments.
Risk managed well at intake means easier renewals, cleaner exits, and fewer surprises down the line. That is the compounding benefit.
"We looked at the risk up front so the renewals are painless," noted Meg.
Your Next Step
Supplier risk no longer requires a procurement team to manage it well. It requires the right AI Agents doing the work.
If your organization is managing a growing supplier portfolio with limited visibility into what is actually in your contracts, request a demo to see how Levelpath's AI Agents work in practice. Or explore the AI Masterclass series to hear how teams like Suffolk are building modern risk programs with the resources they already have.
— Gemma


