---
title: "Dock for Compliance: a workspace where every regulatory check, the agent's reading of it, and the human sign-off all live together"
excerpt: "Compliance teams already use AI to read regulations, flag risk, and prepare audit packets. The breakdown is everywhere the agent's interpretive work goes. Dock is the substrate where that work persists, attributed and reviewable, while ServiceNow and Vanta stay the source of truth."
author: mei
category: Use Cases
date: "2026-05-30"
---

Compliance is a reading job. A regulation lands, an agent parses it, a human decides whether the existing control covers it. The product most compliance teams need is not a smarter assistant. It is a workspace where the agent's reading, the evidence it pulled, and the reviewer's sign-off sit on the same row, queryable later when an auditor asks why a decision was made. Dock for Compliance is that workspace. It does not replace your GRC platform. It records the interpretation your platform was never built to store.

ServiceNow GRC, Vanta, Drata, OneTrust, and AuditBoard stay the system of record for the raw compliance data: control catalog, evidence runs, policy library, audit findings. Dock is the system of record for what the agent interprets from that data. The prioritized list of controls that need attention. The reading of a new rule against your existing posture. The reviewer's sign-off on a remediation plan. The audit log of who decided what and when. Each Dock row carries a pointer back to the platform record, `servicenow_record_id` or `vanta_control_id`, alongside agent identity, decision, reviewer, and timestamp. The agent re-fetches platform data via fresh API reads when it needs current state. Dock holds the persistent interpretive layer that survives across sessions, auditors, and staff turnover.

## One Dock surface: the control review queue

| row_id | vanta_control_id | rule_or_finding | agent_reading | risk_tier | reviewer | decision | decided_at |
|---|---|---|---|---|---|---|---|
| ctl-2841 | VNT-AC-07 | SEC cyber disclosure rule, 4-day window | Existing IR runbook covers detection but not Form 8-K trigger language | High | priya.s | Approved, route to legal | 2026-05-22 14:11 |
| ctl-2842 | VNT-CC-12 | Vendor SOC 2 expired May 18 | Vendor still active in 3 prod integrations, requires bridge letter or pause | Medium | priya.s | Pending vendor response | 2026-05-23 09:40 |
| ctl-2843 | SN-GRC-PCI-3.4 | New encryption-at-rest finding | Database covered under existing key rotation policy, finding looks like scan false positive | Low | marcus.t | Closed as duplicate | 2026-05-24 16:02 |

The agent populated `agent_reading` and `risk_tier`. A human moved `decision` from pending to approved. The pointer column lets the next agent or auditor walk back to the underlying control without trusting Dock to mirror it.

## One workflow: SOC 2 evidence gap

The agent runs the morning sweep. Vanta reports a failing control: CC6.1, access reviews are 11 days overdue for engineering. The agent reads the control, pulls prior reviews from Vanta, and notes the previous owner left on 2026-04-15. It writes a row: pointer `VNT-CC6.1`, reading "no current owner, suggest reassign to acting eng manager," risk tier High, decision pending. The reviewer opens the row, sees the agent identity, the source records, and the proposed remediation. She approves, the agent files a remediation ticket in ServiceNow with her sign-off attached, and the row freezes with `decided_at` stamped. When the SOC 2 auditor asks in November why CC6.1 lapsed and how it closed, the row answers without anyone reconstructing the chain from memory.

## Why it matters

Compliance fails in the gaps between platforms. Vanta knows the control failed. ServiceNow knows a ticket exists. Slack knows two people argued about it. No system knows what the agent read, what the reviewer decided, and why. When the auditor arrives, somebody opens a screenshot folder. Dock closes the gap by making the interpretation a first-class record, with the same auditability the underlying evidence has.

The NIST [AI Risk Management Framework](https://www.nist.gov/itl/ai-risk-management-framework) and [NIST SP 800-53 Rev. 5](https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final) treat traceability of AI-assisted decisions as a control requirement. PCAOB [inspection findings](https://pcaobus.org/oversight/inspections) cite weaknesses in how firms document the basis for judgment. An agent that writes its reasoning to a reviewable row, signed by a named human, addresses both pressures at the architectural level.

[Sign up for Dock](/signup) and give your compliance agent a workspace where every reading is recorded and every decision is a row an auditor can read.

## FAQ

**Does Dock replace Vanta, Drata, or ServiceNow GRC?**
No. Those platforms remain the source of truth for control state, evidence, and policy. Dock stores the agent's interpretation and the human's decision on top, linked by pointer. See [Dock for Legal](/blog/dock-for-legal) for the parallel pattern in contract review.

**How does Dock prove a human, not the agent, approved a remediation?**
Every decision row carries the reviewer's [agent identity](/blog/agent-identity) or human user ID, plus a server-side timestamp. The [two-key handshake](/blog/two-key-handshakes-irreversible) pattern guards irreversible actions like closing a finding or filing with a regulator.

**Can the agent close a finding on its own?**
Only for actions classified as reversible. Anything that touches an external system of record or notifies a regulator falls under the [dangerous-ops contract](/blog/dangerous-ops-contract), which requires explicit human sign-off recorded on the row.

**What does an auditor see?**
A queryable log of every agent reading, source records, reviewer, decision, and timestamp. See [agent audit and compliance](/blog/agent-audit-and-compliance) and the parallel workflow in [Dock for Accounting](/blog/dock-for-accounting).
