How does Dock handle compliance policy review and updates?
Dock runs a structured workflow on top of OneTrust and Drata. An agent reads current policy text and control mappings from those platforms, compares them against a tracked source of regulation drift, and drafts a redline. The draft lands as a row in a Dock policy review table with a named owner. The owner reads the interpretation, approves or edits, and Dock writes the approved version back to OneTrust as a new policy revision. Nothing publishes without the named approver.
What sits where
OneTrust and Drata stay the system of record for the raw data: live policy text, control evidence, audit findings, framework mappings. Dock is the system of record for what the agent interprets from that data. Each row in the Dock policy review table carries a pointer back to the source record (onetrust_policy_id or drata_control_id), the agent identity that drafted the change, the named reviewer, the decision, and the timestamp. When the agent needs current state, it re-fetches from OneTrust and Drata through fresh API reads rather than trusting any cached interpretation. The interpretation layer is auditable on its own terms. See the broader compliance pillar for the full pattern.
The Dock surface: policy review table
| onetrust_policy_id | policy | drift_source | agent_draft_summary | reviewer | status | decided_at |
|---|---|---|---|---|---|---|
| ot_pol_4471 | Data Retention Policy | NIST 800-53r5 SI-12 update | Add 90-day log retention floor; clarify customer-data tier | priya.s@acme.com | approved | 2026-05-28T14:11Z |
| ot_pol_4623 | Vendor Risk Policy | EU AI Act Article 28 | Add model-provider sub-processor disclosure clause | jordan.k@acme.com | changes_requested | 2026-05-29T09:22Z |
| ot_pol_4488 | Incident Response Policy | SEC cyber disclosure rule | Tighten 4-day materiality assessment window | priya.s@acme.com | pending | 2026-05-30T08:40Z |
The worked workflow
The agent runs nightly. It pulls the active policy text from OneTrust, pulls the linked control set from Drata, and reads the regulation drift feed the compliance team maintains. For each policy with drift, the agent drafts a redline and writes a row to the Dock policy review table with status: pending, the diff, and the citation chain. The named policy owner opens the row, reads the agent's reasoning, and clicks approve, request changes, or reject. On approve, Dock posts the new version to OneTrust as a draft revision and pings Drata to re-link affected controls. The publish step in OneTrust still requires the human policy owner inside OneTrust. That is the two-key handshake we require on irreversible writes.
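The gate logic in that workflow, as an added example in Python that is not Dock's, OneTrust's or Drata's code: a row model for the policy review table, the nightly drafting pass including the conflict rule from the FAQ (mapping mismatch between OneTrust and Drata means flag, do not draft), the reviewer-only decision step with inline edits, and a write-back that can only produce an unpublished draft revision. The sample OneTrust and Drata state, the drift feed, the approver map and every function and field name are constructed assumptions for illustration; no platform API is called.

```python
"""Added example, not Dock/OneTrust/Drata code: in-memory model of a Dock policy
review row and the two-key gate. All names and sample data are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample state standing in for fresh API reads of the two systems
# of record. Control mappings are compared set-wise across the two platforms.
ONETRUST = {
    "ot_pol_4471": {"policy": "Data Retention Policy", "controls": {"SI-12"},
                    "text": "Logs are retained for 30 days."},
    "ot_pol_4623": {"policy": "Vendor Risk Policy", "controls": {"SR-6"},
                    "text": "Vendors are assessed annually."},
}
DRATA = {"ot_pol_4471": {"SI-12"}, "ot_pol_4623": {"SR-6", "SR-8"}}  # second mapping drifted
DRIFT_FEED = {  # constructed: policy id -> (drift source, proposed redline text)
    "ot_pol_4471": ("NIST 800-53r5 SI-12 update", "Logs are retained for at least 90 days."),
    "ot_pol_4623": ("EU AI Act Article 28", "Model providers are disclosed as sub-processors."),
}
APPROVERS = {"ot_pol_4471": "priya.s@acme.com", "ot_pol_4623": "jordan.k@acme.com"}


@dataclass
class ReviewRow:
    onetrust_policy_id: str        # pointer back to the source record
    policy: str
    drift_source: str
    agent_draft: Optional[str]     # proposed policy text; None when nothing was drafted
    agent_id: str                  # identity that produced the draft
    reviewer: str                  # named human owner for this policy
    status: str                    # pending | conflict | approved | changes_requested | rejected
    decided_by: Optional[str] = None
    decided_at: Optional[str] = None
    note: str = ""


def draft_rows(agent_id: str) -> List[ReviewRow]:
    """Nightly pass: one row per policy with drift. If OneTrust and Drata disagree
    on the control mapping, the row is flagged as a conflict and no draft is made."""
    rows = []
    for pid, (source, redline) in DRIFT_FEED.items():
        pol = ONETRUST[pid]
        base = dict(onetrust_policy_id=pid, policy=pol["policy"], drift_source=source,
                    agent_id=agent_id, reviewer=APPROVERS[pid])
        drata_controls = DRATA.get(pid, set())
        if pol["controls"] != drata_controls:
            rows.append(ReviewRow(agent_draft=None, status="conflict",
                                  note=f"mapping mismatch: onetrust={sorted(pol['controls'])} "
                                       f"drata={sorted(drata_controls)}", **base))
        else:
            rows.append(ReviewRow(agent_draft=redline, status="pending", **base))
    return rows


def decide(row: ReviewRow, actor: str, decision: str,
           edited_draft: Optional[str] = None) -> ReviewRow:
    """Human key: only the named reviewer may decide, and only on a pending row.
    The drafting agent can never be the approver of its own row."""
    if decision not in ("approved", "changes_requested", "rejected"):
        raise ValueError(f"unknown decision {decision!r}")
    if row.status != "pending":
        raise PermissionError(f"row {row.onetrust_policy_id} is {row.status}, not pending")
    if actor != row.reviewer or actor == row.agent_id:
        raise PermissionError(f"{actor} is not the named reviewer for {row.onetrust_policy_id}")
    if edited_draft is not None:            # inline edit stays on the same row, attributed
        row.agent_draft = edited_draft
        row.note = f"draft edited by {actor}"
    row.status, row.decided_by = decision, actor
    row.decided_at = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return row


def write_back(row: ReviewRow, onetrust_revisions: dict) -> dict:
    """Dock's key: push an approved row to OneTrust as an UNPUBLISHED draft revision.
    Publishing happens inside OneTrust by the policy owner, so published is never
    set here. The sink dict stands in for the OneTrust revision store."""
    if row.status != "approved" or row.decided_by != row.reviewer:
        raise PermissionError(f"refusing write-back: row {row.onetrust_policy_id} is {row.status}")
    revision = {"text": row.agent_draft, "published": False, "drafted_by": row.agent_id,
                "approved_by": row.decided_by, "approved_at": row.decided_at,
                "drift_source": row.drift_source}
    onetrust_revisions.setdefault(row.onetrust_policy_id, []).append(revision)
    return revision


if __name__ == "__main__":
    rows = {r.onetrust_policy_id: r for r in draft_rows("agent:policy-drift")}
    print(rows["ot_pol_4623"].status, "-", rows["ot_pol_4623"].note)
    decide(rows["ot_pol_4471"], "priya.s@acme.com", "approved")
    sink = {}
    print(write_back(rows["ot_pol_4471"], sink))
```

The point of the structure is that there is no code path from a row to OneTrust except through decide, and decide only accepts the named reviewer on a pending row; write_back re-checks both status and decided_by so a row edited directly in the table still cannot reach the platform, and it never sets published, which keeps the second key inside OneTrust.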
Why this matters
Regulation drift is constant and policy decay is silent. Most teams notice a stale policy only when an auditor flags it. An agent that reads continuously closes that gap, but only if its interpretations are reviewable and the publish gate stays human. Dock holds the interpretation layer so reviewers see the agent's draft, citation chain, and prior approvals in one row, not buried in a chat log.
The separation also satisfies the auditor. OneTrust shows the published policy and its revision history. Drata shows the control evidence. Dock shows who interpreted what, when, and on whose authority. The three logs reconcile cleanly. We cover that reconciliation pattern in the agent audit and compliance post.
Policy drafting is also a dangerous operation under our contract: wrong language in a published policy creates legal exposure. The named-approver gate is non-negotiable, the same way it is for legal review work.
Next step
Set up a Dock policy review table pointed at your OneTrust tenant and your Drata workspace, name the approvers per policy family, and let the agent draft against your live regulation drift feed.
FAQ
Does the agent ever publish to OneTrust without a human? No. Dock writes a draft revision. The publish click happens inside OneTrust by the named policy owner. The audit log shows both signatures.
What if OneTrust and Drata disagree on a control mapping? The agent flags the conflict on the Dock row and does not draft. The reviewer resolves the mapping in the source platform, then re-runs the agent.
Which regulations does the drift feed cover? Whatever the compliance team subscribes to. Common picks are NIST SP 800-53 Rev 5, the EU AI Act, SEC cyber rules, and sector frameworks like HIPAA or PCI. Policy drafting follows the IAPP consumer privacy notice template structure for privacy-adjacent policies.
Can reviewers edit the agent's draft inline? Yes. Edits write back to the same Dock row with reviewer attribution, then post to OneTrust as the approved revision.