A New Claude Cowork Plugin to Govern Your Software Vendors — 17,000 Lines of Code, 15 Regulatory Frameworks, Zero ExcusesNew Post

There’s an asymmetry in the relationship between organizations and their software vendors that I find genuinely fascinating. The company spends weeks picking an ERP — committees, demos, decision matrices with arbitrary weights someone invented on a Tuesday, reference checks that never actually happen — signs a contract that nobody on the business side has read cover to cover, and then spends the next five years managing that relationship with a spreadsheet, three forwarded emails, and the institutional memory of someone who “left the company two years ago but I think she knew where the documentation was.” It’s the corporate equivalent of inspecting every component of a car before buying it and then never getting it serviced again.

And I’m not talking about scrappy startups with no budget. I’m talking about organizations with procurement departments, program management offices, certified ITIL frameworks, and 200-page security policies that nobody has read — including the CISO, who has too many open incidents to read his own documentation. The problem isn’t resources. It’s design. Nobody has built an operating system for ongoing software vendor management because, until now, building one was impractical: too many fronts, too many regulations, too many edge cases, and a cost-benefit ratio that only worked for consulting firms charging more to manage the vendor relationship than the vendor itself cost.

That’s changed. And what follows is the proof.

I’ve published a plugin for Claude Cowork — Anthropic’s desktop AI agent for Mac and Windows — called it-vendor-provision. It codifies the entire lifecycle of an IT software vendor relationship, from the moment someone says "we need this tool" to the moment, years later, someone says "we need to get off this tool." Eight specialized skills. Eleven executable slash commands. Twelve configurable connectors for whatever tools your organization runs. Seventy-one files totaling over 17,000 lines of codified trade knowledge. Fifteen regulatory checklists spanning four jurisdictions: EU (GDPR, NIS2, AI Act, DORA, ENS), UK (UK GDPR/DPA 2018, FCA SS2/21), US (HIPAA, CCPA/CPRA, NIST CSF, SOC 2), and Global (PCI DSS, ISO 27001/20000/22301). A 17-question screening engine that automatically detects which regulations apply to each vendor based on sector, jurisdiction, and data type. Vendor communication templates. Incident response protocols. KPI frameworks. Audit evidence maps. Segmentation models. Shadow IT governance. SaaS spend control with a FinOps lens. And executive reporting for both the C-suite and the board.

Why publish it open? Because I’ve spent twenty years saying that IT vendor management in most organizations is a structural disaster, and it’s time to back that up with something more than opinions. This isn’t a whitepaper. It isn’t a 40-slide deck with pretty diagrams and zero code. It’s a working, executable operating system — validated against fifteen regulatory frameworks across four jurisdictions — that anyone can install in Claude Cowork, inspect, and judge. When someone wants to know whether I actually know what I’m talking about when it comes to vendor governance, the answer isn’t a résumé. It’s a repository with 71 files you can read, run, and verify. Source code doesn’t lie. Corporate PDFs always do.

The repo is public: github.com/ricardodevis/it-vendor-provision. Apache 2.0 license. Clone it, fork it, ship it. If you’re a CIO, CISO, CPO, or Head of Procurement, what you’re looking at is a vendor governance operating system you can install in Claude Cowork this afternoon. If you’re a consultant, you have the foundation to build a practice on. If you’re a vendor, you have the mirror your customers are about to hold up to you — and you’d better hope what it reflects is presentable.

Managing software vendors isn’t one problem. It’s twelve problems wearing a trenchcoat, each with its own complexity, its own regulation, its own calendar, and its own ability to generate a crisis at 5 PM on a Friday.

Initial assessment. Does this vendor meet baseline security requirements? Are their certifications real or decorative PDFs? Does their licensing model have traps? Does their SLA mean anything, or is it the same boilerplate everyone copies from the same template? The Cowork plugin evaluates across six dimensions — technical, security, compliance, financial, support, and stability — with configurable weights and a segmentation system that classifies vendors as strategic, tactical, commodity, or bottleneck. It’s not a questionnaire. It’s an analysis framework with the questions a good CIO would ask already baked in — the ones nobody actually asks because there’s no time, because “we’ll look at that later,” because the vendor’s sales rep is in a hurry and the project was supposed to start yesterday.

Contracts. Block-by-block review: scope, SLA, DPA, intellectual property, pricing, term and exit, liability, governance. Automated red flags. Redline recommendations. DPA verification against GDPR Article 28 — not against what someone thinks Article 28 says, but against what it actually says, which tend to be very different things. I’ve lost count of how many signed contracts I’ve seen with nonexistent exit clauses, SLAs with no real penalties, and DPAs that don’t mention sub-processor arrangements. Which is to say: all of them.

Licensing. Eight licensing models codified, four-phase audit framework, shelfware detection, SaaS spend governance with a FinOps perspective. Thirty percent of the average organization’s software license spend is pure waste — licenses nobody uses, subscriptions that auto-renewed because nobody set an alert, pricing tiers that kicked in without procurement noticing. That’s not my number. That’s Gartner, Flexera, and the common sense of anyone who’s ever audited a software portfolio.

Shadow IT. Those 47 SaaS tools someone in marketing signed up for with the corporate card — no IT review, no security assessment, no DPA, nobody even knowing they exist until they show up on the invoice. Or worse, until they show up in the breach disclosure. The Cowork plugin includes a full shadow IT governance skill: discovery, risk assessment, and remediation.

Multi-jurisdiction compliance. A vendor serving a Spanish financial firm (DORA + ENS) is not the same as one serving a US hospital (HIPAA), or a UK fintech (FCA SS2/21 + UK GDPR), or one processing payments anywhere in the world (PCI DSS). And when a vendor operates across multiple jurisdictions simultaneously — which is the default for any serious SaaS company — the regulations don’t add up. They multiply. A US-based vendor with a UK subsidiary serving a Spanish financial services client can face eight regulations at the same time. The plugin ships with fifteen jurisdiction-specific checklists: EU (GDPR, NIS2, AI Act, DORA, ENS), UK (UK GDPR/DPA 2018, FCA SS2/21), US (HIPAA, CCPA/CPRA, NIST CSF/CMMC, SOC 2), and Global (PCI DSS, ISO 27001/20000/22301). Plus a seventeen-question screening engine that automatically determines which frameworks apply to each specific vendor. Plus a data classification matrix that aligns information sensitivity with vendor capabilities — because not every vendor should be touching every class of data, and not every data class requires the same level of protection, but without an explicit matrix those decisions get made by inertia or by panic, which are the two worst ways to make decisions.

Contract lifecycle. Renewal alerts at 120 days out. Amendment tracking. Incident protocols with response times and escalation paths. Communication templates for SLA breaches, GDPR requests, and quarterly review agendas. All the stuff nobody prepares until they need it, at which point they improvise with results ranging from comedic to litigable.

Reporting. Executive dashboard for the leadership team. KPI framework with thresholds and trend analysis. Active risk register. And a board-level reporting template — because board members don’t want to know how many tickets were opened last month. They want to know whether technology dependency risk is under control, whether spend is growing faster than value, and whether someone is making sure a critical vendor doesn’t become a single point of failure.

Audit readiness. An evidence map that cross-references every control across ISO 27001, SOC 2, HIPAA, NIS2, GDPR, FCA, UK ICO, DORA, ISO 20000, and ISO 22301 with the corresponding evidence source in your vendor portfolio. So that when the external auditor asks for “evidence of critical vendor management,” the answer isn’t a three-week scramble. It’s a Claude Cowork slash command: /audit-prep.

Exit. Because every contract should be signed with an exit plan, and none of them are. The plugin structures the entire exit execution: data migration, portability verification, communications, contract closure, and evidence preservation.

Requirement: Claude Cowork — Anthropic’s desktop AI agent for Mac and Windows. It does not run in the browser version. The local sandbox is a security design decision, not a limitation.

Double-click it-vendor-provision.plugin and Cowork handles the rest.

The Releases page has the it-vendor-provision-v0.6.0.plugin file ready to install. Download, double-click, done.

All slash commands are available immediately in Claude Cowork: /vendor-assess, /contract-review, /rfp-generate, /license-audit, /vendor-review, /vendor-dashboard, /vendor-incident, /vendor-onboarding, /shadow-audit, /audit-prep, /vendor-exit. Each one launches a guided workflow that requests the necessary information, references the relevant knowledge base, and produces structured output.

The connectors — twelve integrations with your organization’s tools — are configured by replacing generic ~~ references with your actual tools. The CONNECTORS.md file in the repo documents each connector, its function, and examples of compatible tools. For instance: ~~document repository could be iManage, SharePoint, or Google Drive; ~~asset management tool could be ServiceNow CMDB, Snow, or Flexera; ~~finance tool could be SAP, NetSuite, or Coupa. Configuration is conversational — tell Cowork what tools you use and the agent adapts the references automatically.

The plugin contains codified trade knowledge: frameworks, checklists, protocols, evaluation criteria, templates, workflows. You can read every line, understand every design decision, and learn why the checklists ask what they ask and not something else. That’s deliberate. An opaque system proves nothing — it proves someone has something to hide. Publishing the code is publishing the reasoning.

But generic reasoning doesn’t solve specific problems. What weight should each evaluation dimension carry for your industry? What SLA thresholds are reasonable for your context? Which regulatory frameworks apply to your situation and which don’t? How does this connect to your CMDB, your document management system, your GRC platform? What happens when a vendor is simultaneously strategic and high-risk — the most common situation and the one that’s worst managed? How does this integrate with your existing IT governance model without looking like another layer of pointless bureaucracy?

Those decisions require understanding the business, the regulations, the tooling, and the exact point where all three intersect. The plugin proves I know how to build the instrument. Making it play in your organization requires someone to tune it for your context.

Software supply chains have become the preferred attack vector — SolarWinds wasn’t an accident; it was the logical outcome of an ecosystem where nobody scrutinized their vendors with the attention they deserved. NIS2 has elevated CIO and CISO accountability for third-party dependencies to a level many still haven’t internalized. DORA does the same for financial services. In the UK, the FCA requires regulated firms to manage the operational risk of their technology vendors as if it were their own. In the US, HIPAA turns every vendor with access to health data into a link in the compliance chain, CCPA/CPRA does the same for California consumer data, and NIST CSF has become the de facto standard for any organization that wants to demonstrate cybersecurity maturity. And the EU AI Act adds yet another layer for any vendor offering artificial intelligence capabilities.

Vendor management hasn’t just gone from optional to important. It’s gone from an administrative headache to a legal obligation with material consequences for noncompliance. And most organizations are trying to meet that obligation with last century’s tools: spreadsheets, email threads, quarterly meetings where nobody brings data and everybody brings opinions.

This is a serious attempt — 17,000 lines of serious attempt, four jurisdictions, fifteen regulatory frameworks — to change that dynamic. To codify what works. To put it in the hands of the people who need it. To turn the conversation about vendor governance from an abstraction into a Claude Cowork slash command that a professional can execute this afternoon.

The repo is open. The code is yours. What you do with it is your call.

Ricardo Devis — Bilbao.AI — LinkedIn

Plugin v0.6.0 available at github.com/ricardodevis/it-vendor-provision. Direct download: Release v0.6.0. Apache 2.0 License. Related articles: “Claude Cowork: Setup and Customization Guide” and “C-Level Vibe Working” (Devis AI Report, February 2026).