Vanta AI Customer Research: How the Compliance-Automation Leader Decides What to Build

TL;DR#

Vanta, the compliance-automation leader valued at $4.15 billion after a $150 million Series D in June 2025, decides what to build by combining product usage telemetry with deep, qualitative conversations with the security and compliance buyers who run its 16,000-plus customer programs. Vanta aggregates platform usage data through tooling like Polytomic, routes pain points through Customer Success Managers back to its Product team, and has stood up a dedicated Research Panel and Vanta Community to pull executives, security engineers, IT, and compliance leads into its design process. This is harder than typical SaaS discovery because Vanta's users are skeptical, time-poor practitioners whose "why" is buried in audit anxiety, vendor risk, and framework nuance — context a static survey flattens. The same playbook applies to any horizontal SaaS team: behavioral data tells you what happened, but only conversation tells you why. AI customer interviews close that gap by running hundreds of follow-up-driven conversations at once, capturing the reasoning behind a churn signal or feature request that a form never would.

How Vanta Decides What to Build#

Vanta decides what to build by triangulating quantitative usage signals against qualitative practitioner conversations, then routing both into a Product team that treats customer centricity as a core operating principle. According to Vanta's own account of its discovery stack, the company uses Polytomic to aggregate usage trends and surface customer pain points, with Customer Success Managers then investigating those pain points directly with users and reporting findings back to Product. That loop — data flags the anomaly, a human conversation explains it — is the backbone of how a compliance-automation company learns what matters to its market.

The challenge is that Vanta does not sell to casual users. Its customers are CISOs, security engineers, IT administrators, and GRC (governance, risk, and compliance) leads who are accountable for passing SOC 2, ISO 27001, HIPAA, and GDPR audits across more than 35 frameworks Vanta supports. These buyers are precise, busy, and allergic to vendor fluff. Getting an honest "here's what actually slows my audit down" out of them requires more than an in-app NPS prompt — it requires a real conversation that follows the thread.

That is why the patterns Vanta uses map so cleanly onto the broader question of how modern SaaS teams run customer discovery. The same tension shows up at every company we have profiled, from how Notion decides what to build to how Retool's product team picks its roadmap: the data tells you something changed, and only a conversation tells you why.

The Compliance-Automation Context: Why Customer Research Is Harder Here#

Customer research in compliance automation is harder than in most SaaS categories because the buyer's real needs are emotional, regulatory, and deeply contextual at the same time. A security engineer adopting Vanta is not "trying a tool" — they are betting their audit timeline, and sometimes their job, on whether evidence collection actually works. Vanta automates up to 90% of the evidence needed to prove compliance, which means the remaining 10% — the messy, manual, anxiety-inducing edge cases — is exactly where the highest-value product insight lives. That 10% rarely fits inside a dropdown.

Three things make compliance-automation discovery uniquely difficult:

• The buyer is skeptical by trade. Security and GRC professionals are trained to distrust unverified claims. They answer in caveats, exceptions, and "it depends on the auditor" — not clean five-point scores.
• The value is in the edge cases. Frameworks are standardized, but every customer's tech stack, cloud configuration, and HR system differs. The product decisions that matter most live in the variation between customers, not the average.
• The decision-makers are time-poor. A CISO will not sit for a 45-minute moderated interview, but will give you three sharp minutes if you ask the right follow-up at the right moment.

This is the same dynamic behind the 2026 state of customer research: the survey layer is collapsing precisely because it cannot handle uncertainty, and uncertainty is where compliance buyers live.

Vanta's Actual Research Practices: What's Documented#

Vanta's documented research practices fall into three buckets — usage telemetry, CSM-mediated feedback, and direct practitioner panels. Each captures a different layer of the truth, and together they form a model worth studying.

Vanta has publicly described building a customer-centric Community and Research Panel to "gain deeper understanding and insights of the pain points in the security and compliance space," inviting people across executive leadership, engineering, IT, security, and compliance into the design process. That is an explicit acknowledgment that usage data alone is not enough — you have to talk to the humans.

The structural problem is scale. A Research Panel and a network of CSMs can run, optimistically, dozens of meaningful conversations a quarter. Vanta grew from 7,000 customers in FY24 to over 16,000 by April 2026. The depth that worked at 7,000 customers does not automatically scale to 16,000 — and that gap is where AI customer interviews change the math.

Where AI Customer Interviews Fit#

AI customer interviews fit precisely in the gap between Vanta's usage telemetry and its hand-run CSM conversations — they deliver the depth of a moderated interview at the scale of a survey. Instead of a CSM manually following up on each Polytomic-flagged pain point, an AI interviewer can reach every flagged account, ask the open-ended "what made this hard?" question, and probe the answer in real time with relevant follow-ups.

This matters because the alternative — the static survey — fails for the exact reasons compliance buyers are hard to research. A survey forces a CISO to translate a nuanced audit frustration into a 1-to-5 score. As we have argued in the case that AI-first research cannot start with a web form, the moment you flatten a buyer into fixed fields, you lose the reasoning that makes the data actionable. The comparison between AI interviews and surveys comes down to one thing: surveys capture answers, conversations capture context.

For a compliance-automation company, an AI interviewer agent could run a continuous study like this:

• Trigger on a usage signal. A customer's evidence-collection completion rate drops. Instead of waiting for a CSM to notice, an AI interview launches automatically.
• Ask the open question. "Walk me through what slowed your last evidence run." No fixed options.
• Follow up on the vague answer. When the buyer says "the integration was flaky," the AI probes: which integration, what happened, what did you do instead.
• Synthesize across hundreds of conversations. Patterns the average usage chart hides — like a specific HR-system integration breaking for mid-market customers — surface in the automatic transcript analysis.

This is how you turn the "why" behind a churn risk into a roadmap input — because churn is a lagging indicator you should stop treating as a surprise, and the conversational signal is what gives you the lead time.

A Practical Framework: Conversational Discovery for Compliance Buyers#

The practical framework for researching compliance buyers conversationally has four stages, each replacing a slow manual step with a scalable AI-moderated one. This is the model Perspective AI's research teams use, and it maps directly onto Vanta's documented loop.

1. Detect. Use usage telemetry (the Polytomic-style layer) to flag where customers stall — incomplete audits, abandoned integrations, slow evidence runs.
2. Converse. Trigger an AI interview at the moment of friction rather than batching feedback into a quarterly survey. A concierge-style intake agent can also replace the static feedback form on the Trust Center or in-product.
3. Probe. Let the AI follow up on every vague answer until the real constraint is named. This is the step a survey physically cannot do and a CSM can only do for a handful of accounts.
4. Synthesize. Roll hundreds of transcripts into themes, ranked by frequency and revenue exposure, so Product can prioritize with evidence instead of anecdote.

The teams getting this right treat research as continuous discovery rather than a quarterly event. For prioritization specifically, the transcripts feed directly into a feature-prioritization framework built on AI customer research, so the loudest customer doesn't automatically win the roadmap.

It is worth noting that Vanta itself is leaning into agentic AI — its Agentic Trust Platform, announced in November 2025, and a Vanta AI Agent that the company says saves customers an average of four hours per week. A company that ships AI agents to automate its customers' compliance work is a natural fit to apply AI agents to understand those customers in the first place.

How Vanta's Model Compares to Other SaaS Leaders#

Vanta's research model is more telemetry-anchored than most consumer-facing SaaS leaders, because its buyers act on data rather than vibes. Where a design tool might lean heavily on community sentiment, Vanta's loop starts with hard usage signals and then layers conversation on top — a sequencing that suits a skeptical, technical audience. You can see the contrast across the companies we have profiled: the way GitLab listens to 30 million users, how Okta's identity team runs conversational discovery, and how Linear builds its roadmap from customer feedback each balance the same two ingredients differently.

What unites all of them — and what every horizontal SaaS team can copy — is that scaling qualitative depth is the actual bottleneck. Behavioral analytics scaled years ago; conversation did not, until AI customer interviews made it possible to run hundreds at once. The practical starting point is comparing the modern AI-first approach against legacy enterprise survey platforms and pricing a continuous program against the panels and agencies it replaces — a calculation we broke down in the research budget report.

Frequently Asked Questions#

How does Vanta do customer research?#

Vanta does customer research by combining product usage telemetry with qualitative conversation. The company aggregates usage trends through tooling like Polytomic to surface pain points, has Customer Success Managers investigate those points directly with users, and runs a dedicated Research Panel and Vanta Community that pull security, IT, and compliance professionals into its design process. This blend of data plus direct practitioner input drives its product roadmap.

What are AI customer interviews?#

AI customer interviews are research conversations conducted by an AI interviewer that asks open-ended questions, listens to free-text or voice responses, and follows up in real time to probe the reasoning behind an answer. Unlike surveys, which force respondents into fixed fields, AI interviews capture context, uncertainty, and the "why" behind behavior — and they run hundreds of conversations simultaneously, giving qualitative depth at survey-like scale.

Why is customer research harder for compliance-automation companies?#

Customer research is harder for compliance-automation companies because their buyers are skeptical, time-poor security and GRC professionals whose real needs live in regulatory edge cases. Standardized frameworks like SOC 2 and ISO 27001 look uniform, but every customer's tech stack differs, so the highest-value insights hide in the variation between accounts. That nuance is exactly what a static survey flattens and a conversation preserves.

How large is Vanta and how fast is it growing?#

Vanta is a compliance-automation leader valued at $4.15 billion following a $150 million Series D in June 2025, backed by investors including Wellington Management, Sequoia Capital, and CrowdStrike's venture arm. Its customer base grew from 7,000 in FY24 to over 16,000 companies by April 2026, including Atlassian, Ramp, and Duolingo, and its platform supports more than 35 security and privacy frameworks.

Can AI customer interviews replace customer success calls?#

AI customer interviews complement rather than fully replace customer success calls, but they remove the scale bottleneck. CSMs can run deep conversations only with the accounts they personally touch; an AI interviewer can reach every account flagged by usage data, probe each one, and synthesize patterns across all of them. This frees CSMs to focus on high-stakes relationships while research coverage expands to the entire customer base.

Conclusion#

Vanta's discovery model is a clear template for any horizontal SaaS company: start with usage data to find where customers struggle, then use conversation to understand why — and route both into a Product team that treats customer centricity as non-negotiable. The constraint has never been the data; it has been scaling the qualitative depth that turns a usage anomaly into a confident roadmap decision. For a company that has grown to 16,000-plus skeptical, technical buyers, the handful of conversations a CSM network can run no longer covers the surface area.

That is the gap AI customer interviews close. By running hundreds of follow-up-driven conversations at once and synthesizing them automatically, conversational research delivers interview-grade depth at survey-grade scale — exactly what a compliance-automation leader needs to keep deciding what to build. If your team is ready to capture the "why" behind your own usage signals, you can start a conversational research study with Perspective AI and see what your customers tell you when you actually let them talk.