Agent-collected control evidence through ServiceNow GRC without losing the reviewer trail
A compliance agent reads ServiceNow GRC control records, gathers evidence from Vanta, drafts a sign-off note, and routes it to a reviewer. ServiceNow stays the control system of record. Dock stores the interpretation, the linked evidence, the reviewer decision, and the timestamp. The auditor sees one row per control test with agent identity and human approver attached.
The split
ServiceNow GRC and Vanta stay the system of record for raw data: control definitions, test results, evidence artifacts. Dock is the system of record for what the agent interprets from that data. Each Dock row points back to the platform record (servicenow_control_id, vanta_test_id) with agent identity, proposed decision, reviewer, and timestamp. The agent re-fetches control state via fresh API reads. The row is the interpretive layer, not a cached copy.
The Dock surface
A single control-evidence-log table holds one row per control test cycle.
| servicenow_control_id | framework | agent | agent_finding | evidence_links | reviewer | decision | decided_at |
|---|---|---|---|---|---|---|---|
| CTRL-AC-02 | SOC 2 CC6.1 | claude-grc-v3 | "14 prod IAM roles reviewed in 90d. 2 stale flagged in Vanta VT-9921. Mitigation INC0042118 open." | vanta://VT-9921, snow://INC0042118 | priya@ | approve_with_note | 2026-05-28T14:22Z |
| CTRL-CM-03 | ISO 27001 A.12.1 | claude-grc-v3 | "CAB minutes present for 12 of 12 prod changes this quarter. No unauthorized changes." | snow://CHG0034221 | priya@ | approve | 2026-05-28T15:01Z |
| CTRL-IR-04 | SOC 2 CC7.3 | claude-grc-v3 | "Tabletop ran 2026-04-12. Gap: EU on-call rotation undocumented." | snow://KB0010441 | mark@ | reject_needs_rework | 2026-05-29T09:14Z |
The row is the evidence packet. The auditor reads it left to right and sees agent identity, finding, source links, and the human who signed.
The workflow
The agent pulls open control tests from ServiceNow GRC each Monday. For CTRL-AC-02, it queries Vanta for the latest IAM access review, reads failing assertions, checks ServiceNow for open remediation tickets, and writes the synthesis into a new Dock row with decision_proposed = approve_with_note. The row routes to Priya, who reads the finding, opens the linked Vanta test to spot-check, then approves. Dock writes the approval back to ServiceNow as an evidence attachment with Priya's name and the agent identity stamped on the metadata. If Priya rejects, the row stays open and the agent gets a follow-up task. No evidence reaches the auditor without a named human signature. This is the dangerous-ops contract applied to attestation: the agent drafts, the human signs, and irreversible publish actions go through a two-key handshake.
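As an added example, not Dock's code and not the ServiceNow or Vanta APIs, here is an in-memory Python model of the row schema and the workflow above: the agent drafts a row from constructed stand-ins for fresh ServiceNow GRC and Vanta reads, a named human reviews it, and the write-back to ServiceNow is refused unless both the agent identity and the human decision are on the row. The class and function names, the Vanta id VT-9930 and the failing role names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

AGENT_ID = "claude-grc-v3"
DECISIONS = {"approve", "approve_with_note", "reject_needs_rework"}

# Constructed stand-ins for fresh ServiceNow GRC / Vanta API reads (not vendor data).
SERVICENOW_CONTROLS = {
    "CTRL-AC-02": {"framework": "SOC 2 CC6.1", "remediation_open": ["INC0042118"]},
    "CTRL-CM-03": {"framework": "ISO 27001 A.12.1", "remediation_open": []},
}
VANTA_TESTS = {
    "CTRL-AC-02": {"test_id": "VT-9921", "failing": ["iam-role/legacy-deploy", "iam-role/old-etl"]},
    "CTRL-CM-03": {"test_id": "VT-9930", "failing": []},  # VT-9930 is a made-up id
}


@dataclass
class EvidenceRow:
    """One control-evidence-log row: the interpretive layer, not a cached copy."""
    servicenow_control_id: str
    framework: str
    agent: str
    agent_finding: str
    evidence_links: list
    decision_proposed: str
    reviewer: Optional[str] = None   # set only by a human review
    decision: Optional[str] = None
    decided_at: Optional[str] = None


class WriteBackBlocked(Exception):
    """Raised when evidence would reach ServiceNow without a named human decision."""


def draft_row(control_id: str) -> EvidenceRow:
    """Agent step: re-read platform state and synthesise a finding plus a proposed decision."""
    ctrl = SERVICENOW_CONTROLS[control_id]
    test = VANTA_TESTS[control_id]
    links = [f"vanta://{test['test_id']}"] + [f"snow://{t}" for t in ctrl["remediation_open"]]
    n_fail = len(test["failing"])
    if n_fail == 0:
        proposed, finding = "approve", f"No failing assertions in Vanta {test['test_id']}."
    elif ctrl["remediation_open"]:
        proposed = "approve_with_note"
        finding = (f"{n_fail} failing assertions in Vanta {test['test_id']}. "
                   f"Mitigation {', '.join(ctrl['remediation_open'])} open.")
    else:
        proposed = "reject_needs_rework"
        finding = f"{n_fail} failing assertions in Vanta {test['test_id']}, no open remediation."
    return EvidenceRow(control_id, ctrl["framework"], AGENT_ID, finding, links, proposed)


class Dock:
    """In-memory model of the log, the agent follow-up queue and the write-back gate."""

    def __init__(self) -> None:
        self.log: list[EvidenceRow] = []
        self.follow_ups: list[dict] = []
        self.servicenow_attachments: list[dict] = []

    def submit(self, row: EvidenceRow) -> EvidenceRow:
        self.log.append(row)
        return row

    def review(self, row: EvidenceRow, reviewer: str, decision: str,
               now: Optional[datetime] = None) -> EvidenceRow:
        """Human step, the second key: a named person distinct from the drafting agent."""
        if not reviewer or reviewer == row.agent:
            raise ValueError("reviewer must be a named human distinct from the drafting agent")
        if decision not in DECISIONS:
            raise ValueError(f"unknown decision {decision!r}")
        if row.decision is not None:
            raise ValueError("row already decided; open a new row for the next test cycle")
        stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%MZ")
        row.reviewer, row.decision, row.decided_at = reviewer, decision, stamp
        if decision.startswith("approve"):
            self.write_back(row)
        else:
            # A rejected row stays open in the log and the agent gets a follow-up task.
            self.follow_ups.append({"control": row.servicenow_control_id,
                                    "assignee": row.agent, "reason": decision})
        return row

    def write_back(self, row: EvidenceRow) -> dict:
        """Irreversible publish: only with agent identity AND a human approval on the row."""
        approved = row.decision in ("approve", "approve_with_note")
        if not (approved and row.reviewer and row.decided_at):
            raise WriteBackBlocked(f"{row.servicenow_control_id}: no approved human decision")
        attachment = {
            "control": row.servicenow_control_id,
            "evidence": row.agent_finding,
            "links": list(row.evidence_links),
            "metadata": {"drafted_by": row.agent, "signed_by": row.reviewer,
                         "signed_at": row.decided_at},
        }
        self.servicenow_attachments.append(attachment)
        return attachment


def run_cycle(reviews: dict) -> Dock:
    """One Monday cycle: draft every open control, then apply the given human reviews."""
    dock = Dock()
    fixed_now = datetime(2026, 5, 28, 14, 22, tzinfo=timezone.utc)  # deterministic stamp
    for control_id in SERVICENOW_CONTROLS:
        row = dock.submit(draft_row(control_id))
        reviewer, decision = reviews[control_id]
        dock.review(row, reviewer, decision, now=fixed_now)
    return dock
```

The gate lives in `write_back`, not in the reviewer UI: any code path that tries to attach evidence to ServiceNow hits the same check, so a row with only the agent's proposed decision can never be published, and the attachment metadata carries both names and the timestamp the auditor will look for.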
Why it matters
Auditors care about attribution. SOC 2 trust services criteria require evidence of who tested each control and when (AICPA, SOC for Service Organizations). When an agent collects evidence, the trail has to name the agent, name the reviewer, and link to the platform record. ServiceNow IRM already "automatically creates issues and assigns tickets based on various risk and audit findings" (ServiceNow IRM). Dock adds the reviewer log.
Without this split, findings get pasted into Slack and lost, or written back to ServiceNow with no human in the loop. Neither passes an audit. The Dock row is the missing artifact: human judgment, attributed and timestamped.
The pattern carries to IT operations. Compliance is the strict version. See the compliance pillar and agent audit guide for the evidence schema.
One step
Run a single SOC 2 control through Dock this quarter. Pick one, route the agent finding through a Dock row, capture the reviewer signature, and show the row to your auditor in the next walkthrough.
FAQ
Does Dock replace ServiceNow GRC? No. ServiceNow remains the control system of record. Dock holds the agent interpretation and reviewer log.
What if the agent finding is wrong? The reviewer rejects the row. The agent gets a follow-up task. No evidence reaches ServiceNow without an approved Dock row.
How does the auditor see this? The auditor reads the Dock control-evidence-log filtered to their scope. Each row links to ServiceNow and Vanta sources and names the reviewer.
Why not write findings straight into ServiceNow? ServiceNow does not distinguish agent-drafted from human-collected evidence. Dock captures that distinction before evidence enters the control record.