A SOC 2 readiness packet is a chain of claims about controls. Vanta, Drata, and AuditBoard already collect the raw evidence. The missing layer is the agent that reads the evidence and drafts the narrative, plus the reviewer who signs it. Dock holds that layer, with attribution, so auditors can trace every line back to a named agent, a named reviewer, and a timestamp.
The architecture
Vanta, Drata, and AuditBoard stay the system of record for the raw control evidence: access reviews, vulnerability scans, policy acknowledgments, vendor risk forms. Dock is the system of record for what the agent interprets from that evidence. Each Dock row carries a pointer back to the platform record (vanta_control_id, drata_test_id, auditboard_workpaper_id), the agent identity that drafted the interpretation, the human reviewer who approved it, and a timestamp. When the agent needs current control state, it re-fetches from Vanta or Drata via fresh API reads. Dock never caches evidence. Dock holds the reading of the evidence.
The Dock surface
A single table, soc2_readiness_packet, holds one row per Trust Services Criterion.
| tsc | vanta_control_id | drata_test_id | evidence_status | agent_narrative | drafted_by | reviewed_by | reviewed_at |
|---|---|---|---|---|---|---|---|
| CC6.1 logical access | vanta_ctrl_8821 | drata_test_4410 | 142 of 142 access reviews complete | "Production gated by SSO with MFA. Q1 reviews complete, three offboarding gaps closed within SLA." | agent:sentinel | govind@dock | 2026-05-22T14:11Z |
| CC7.2 monitoring | vanta_ctrl_8907 | drata_test_4502 | 91 alerts triaged, 0 open critical | "Datadog and CrowdStrike alerts route to on-call; mean time to acknowledge 4.2 minutes." | agent:sentinel | sarah@dock | 2026-05-23T09:42Z |
| CC8.1 change management | vanta_ctrl_9015 | drata_test_4611 | 387 of 389 PRs with approvals | "All production changes require two reviewers. Two emergency hotfixes documented per change policy 4.2." | agent:sentinel | govind@dock | 2026-05-24T16:30Z |
The workflow
The compliance agent runs nightly. It pulls fresh evidence state from Vanta, Drata, and AuditBoard, compares against the Trust Services Criteria mapping, and drafts a one-paragraph narrative per control. Each draft writes to a Dock row with drafted_by = agent:sentinel and evidence_status = <fresh fetch>. The compliance lead opens the table in the morning, reads the narratives next to the linked evidence, and clicks approve. Approval flips reviewed_by to the human and stamps reviewed_at. The auditor then receives a read-only Dock view with every pointer and attribution intact. Per the dangerous-ops contract, the agent cannot submit the packet; submission is gated by a two-key handshake between the compliance lead and the CISO.
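The approval step and the two-key submission gate described above, as an added Python example; it is not Dock's code or API. The function names, the `agent:` prefix check, and the `lead@example` / `ciso@example` identities are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class PacketRow:  # mirrors the soc2_readiness_packet columns
    tsc: str
    vanta_control_id: str
    drata_test_id: str
    evidence_status: str
    agent_narrative: str
    drafted_by: str
    reviewed_by: Optional[str] = None
    reviewed_at: Optional[str] = None

def is_agent(identity: str) -> bool:
    # Assumption: agent identities use the "agent:" prefix shown in the table.
    return identity.startswith("agent:")

def approve(row: PacketRow, reviewer: str, now: Optional[datetime] = None) -> PacketRow:
    """Human approval: flips reviewed_by and stamps reviewed_at."""
    if is_agent(reviewer):
        raise PermissionError("an agent cannot review a narrative")
    if not (row.vanta_control_id or row.drata_test_id):
        raise ValueError("no pointer back to platform evidence")
    row.reviewed_by = reviewer
    row.reviewed_at = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%MZ")
    return row

def submission_blockers(rows, keys, compliance_lead, ciso):
    """Two-key gate: reasons submission must be refused (empty list = allowed)."""
    blockers = [f"{r.tsc}: not reviewed by a human" for r in rows
                if not r.reviewed_by or is_agent(r.reviewed_by) or not r.reviewed_at]
    if any(is_agent(k) for k in keys):
        blockers.append("agent identity presented as a key")
    if compliance_lead == ciso or set(keys) != {compliance_lead, ciso}:
        blockers.append("need keys from both the compliance lead and the CISO")
    return blockers

# Constructed sample rows, based on the table above (narratives shortened).
ROWS = [
    PacketRow("CC6.1", "vanta_ctrl_8821", "drata_test_4410",
              "142 of 142 access reviews complete", "Production gated by SSO with MFA.", "agent:sentinel"),
    PacketRow("CC7.2", "vanta_ctrl_8907", "drata_test_4502",
              "91 alerts triaged, 0 open critical", "Alerts route to on-call.", "agent:sentinel"),
]

if __name__ == "__main__":
    print(submission_blockers(ROWS, ["lead@example", "agent:sentinel"], "lead@example", "ciso@example"))
```

Returning the list of blockers rather than a bare boolean lets the refusal reason be logged alongside the attempted submission.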
Why this matters
The SOC 2 framework, governed by AICPA SSAE 18 attestation standards (AICPA), requires evidence of operating effectiveness across the five Trust Services Criteria. Auditors do not just want evidence. They want to know who read it and what they concluded.
When the agent's narrative lives next to the human reviewer's signature, the readiness packet becomes a chain of attributed claims, not a pile of screenshots. The same pattern that powers agent audit and compliance, and Dock for IT operations, applies here: identity, decision, reviewer, timestamp. Without that, agent-drafted narratives are unsigned hearsay.
The deeper shift is that compliance becomes a continuous artifact. The packet exists year-round, not just in the four weeks before fieldwork.
FAQ
Q: Does Dock replace Vanta or Drata? A: No. Vanta and Drata remain the source of truth for raw evidence. Dock holds the agent's interpretation and the human review on top.
Q: How does the auditor verify the agent did not fabricate a narrative? A: Every Dock row points to the underlying Vanta or Drata record. The auditor opens the pointer and re-reads the evidence directly.
Q: What if an agent's identity is revoked mid-audit? A: Past rows stay attributed to the agent that drafted them. The agent identity lifecycle is append-only, so revocation does not retroactively unsign work.
Q: Can the agent submit the final packet to the auditor? A: No. Submission is a dangerous operation gated by two human key-holders. The agent drafts; humans send.