Compliance is a reading job. A regulation lands, an agent parses it, a human decides whether the existing control covers it. The product most compliance teams need is not a smarter assistant. It is a workspace where the agent's reading, the evidence it pulled, and the reviewer's sign-off sit on the same row, queryable later when an auditor asks why a decision was made. Dock for Compliance is that workspace. It does not replace your GRC platform. It records the interpretation your platform was never built to store.
ServiceNow GRC, Vanta, Drata, OneTrust, and AuditBoard stay the system of record for the raw compliance data: control catalog, evidence runs, policy library, audit findings. Dock is the system of record for what the agent interprets from that data. The prioritized list of controls that need attention. The reading of a new rule against your existing posture. The reviewer's sign-off on a remediation plan. The audit log of who decided what and when. Each Dock row carries a pointer back to the platform record, servicenow_record_id or vanta_control_id, alongside agent identity, decision, reviewer, and timestamp. The agent re-fetches platform data via fresh API reads when it needs current state. Dock holds the persistent interpretive layer that survives across sessions, auditors, and staff turnover.
One Dock surface: the control review queue
| row_id | vanta_control_id | rule_or_finding | agent_reading | risk_tier | reviewer | decision | decided_at |
|---|---|---|---|---|---|---|---|
| ctl-2841 | VNT-AC-07 | SEC cyber disclosure rule, 4-day window | Existing IR runbook covers detection but not Form 8-K trigger language | High | priya.s | Approved, route to legal | 2026-05-22 14:11 |
| ctl-2842 | VNT-CC-12 | Vendor SOC 2 expired May 18 | Vendor still active in 3 prod integrations, requires bridge letter or pause | Medium | priya.s | Pending vendor response | 2026-05-23 09:40 |
| ctl-2843 | SN-GRC-PCI-3.4 | New encryption-at-rest finding | Database covered under existing key rotation policy, finding looks like scan false positive | Low | marcus.t | Closed as duplicate | 2026-05-24 16:02 |
The agent populated agent_reading and risk_tier. A human moved decision from pending to approved. The pointer column lets the next agent or auditor walk back to the underlying control without trusting Dock to mirror it.
One workflow: SOC 2 evidence gap
The agent runs the morning sweep. Vanta reports a failing control: CC6.1, access reviews are 11 days overdue for engineering. The agent reads the control, pulls prior reviews from Vanta, and notes the previous owner left on 2026-04-15. It writes a row: pointer VNT-CC6.1, reading "no current owner, suggest reassign to acting eng manager," risk tier High, decision pending. The reviewer opens the row, sees the agent identity, the source records, and the proposed remediation. She approves, the agent files a remediation ticket in ServiceNow with her sign-off attached, and the row freezes with decided_at stamped. When the SOC 2 auditor asks in November why CC6.1 lapsed and how it closed, the row answers without anyone reconstructing the chain from memory.
Why it matters
Compliance fails in the gaps between platforms. Vanta knows the control failed. ServiceNow knows a ticket exists. Slack knows two people argued about it. No system knows what the agent read, what the reviewer decided, and why. When the auditor arrives, somebody opens a screenshot folder. Dock closes the gap by making the interpretation a first-class record, with the same auditability the underlying evidence has.
The NIST AI Risk Management Framework and NIST SP 800-53 Rev. 5 treat traceability of AI-assisted decisions as a control requirement. PCAOB inspection findings cite weaknesses in how firms document the basis for judgment. An agent that writes its reasoning to a reviewable row, signed by a named human, addresses both pressures at the architectural level.
Sign up for Dock and give your compliance agent a workspace where every reading is recorded and every decision is a row an auditor can read.
FAQ
Does Dock replace Vanta, Drata, or ServiceNow GRC? No. Those platforms remain the source of truth for control state, evidence, and policy. Dock stores the agent's interpretation and the human's decision on top, linked by pointer. See Dock for Legal for the parallel pattern in contract review.
How does Dock prove a human, not the agent, approved a remediation? Every decision row carries the reviewer's agent identity or human user ID, plus a server-side timestamp. The two-key handshake pattern guards irreversible actions like closing a finding or filing with a regulator.
Can the agent close a finding on its own? Only for actions classified as reversible. Anything that touches an external system of record or notifies a regulator falls under the dangerous-ops contract, which requires explicit human sign-off recorded on the row.
What does an auditor see? A queryable log of every agent reading, source records, reviewer, decision, and timestamp. See agent audit and compliance and the parallel workflow in Dock for Accounting.
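The row lifecycle described in the workflow and FAQ above, sketched as an added example; this is not Dock's code or API. The class, method, and action names, the in-memory store, and the set of human user IDs are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumption: illustrative names for actions that need human sign-off.
DANGEROUS_OPS = {"close_finding", "file_with_regulator", "file_external_ticket"}

@dataclass
class Row:
    row_id: str
    pointer: str            # platform record id; the platform stays source of truth
    agent_id: str
    agent_reading: str
    risk_tier: str
    action: str
    decision: str = "pending"
    reviewer: Optional[str] = None
    decided_at: Optional[datetime] = None

class ReviewQueue:
    def __init__(self, human_ids):
        self.human_ids = set(human_ids)   # hypothetical directory of human users
        self.rows = {}

    def propose(self, row_id, pointer, agent_id, reading, risk_tier, action):
        """Agent writes its reading; the decision always starts as pending."""
        if row_id in self.rows:
            raise ValueError("row already exists")
        self.rows[row_id] = Row(row_id, pointer, agent_id, reading, risk_tier, action)
        return self.rows[row_id]

    def decide(self, row_id, actor_id, decision):
        row = self.rows[row_id]
        if row.decided_at is not None:
            raise PermissionError("row is frozen")
        if row.action in DANGEROUS_OPS and actor_id not in self.human_ids:
            raise PermissionError("action requires human sign-off")
        row.decision, row.reviewer = decision, actor_id
        row.decided_at = datetime.now(timezone.utc)  # stamped here, not by the caller
        return row

if __name__ == "__main__":
    q = ReviewQueue(human_ids={"priya.s"})           # constructed sample data
    q.propose("ctl-demo-1", "VNT-CC6.1", "agent-1",
              "no current owner, suggest reassign to acting eng manager",
              "High", "file_external_ticket")
    print(q.decide("ctl-demo-1", "priya.s", "approved"))
```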