Quarterly access reviews fail when the spreadsheet is the deliverable. In Dock, the agent assembles a per-user packet from Okta entitlements, ServiceNow ticket history, and Vanta evidence, then routes it to the named manager for attestation. The row is the review. The manager's signature is logged. The packet links back to the source records in each platform. Vanta auditors see who attested what, when, and against which evidence. See Dock for SecOps for the wider rail.
Okta, ServiceNow, and Vanta stay the system of record for the raw data. Dock is the system of record for what the agent interprets. Each Dock row carries a pointer back to the platform record, agent identity, decision, reviewer, and timestamp. The agent re-fetches platform data via fresh API reads when it needs current state.
The access review surface
| user | app | role | last login | risky activity | agent draft | reviewer | decision |
|---|---|---|---|---|---|---|---|
| p.singh@co | Salesforce | Admin | 2 days ago | bulk export 14k rows on 5/12 | downgrade to Standard | r.alvarez@co | revoke admin (signed 5/29) |
| j.tan@co | AWS prod | PowerUser | 41 days ago | none | revoke (inactive) | k.osei@co | revoke (signed 5/29) |
| m.diaz@co | GitHub org | Owner | 3 hours ago | normal | keep | r.alvarez@co | keep (signed 5/29) |
Each row points to the Okta user ID, the ServiceNow access-request ticket that granted the entitlement, and the Vanta control mapping. The decision column is signed by a named human; the agent never closes its own draft.
Worked workflow
The agent (reviewer.secops) runs on the first business day of the quarter. It pulls every privileged entitlement from Okta, joins it to ServiceNow grant tickets, pulls 90-day activity from CloudTrail and Salesforce login history, and writes one row per (user, app, role). The draft column proposes keep, downgrade, or revoke based on activity thresholds and least-privilege rules. The agent then routes each row to the entitlement's listed manager in Okta. The manager opens the row, sees the packet, and either accepts the draft or overrides it. Both paths produce a signed attestation under the manager's name. Revocations are queued for the on-call engineer under the dangerous-ops contract. At quarter-end, Dock exports the signed table directly into the Vanta evidence locker.
Why it matters
Auditors do not want a spreadsheet. They want named human attestation tied to source evidence. NIST 800-53r5 control AC-2 requires account review at an organization-defined frequency; SOC 2 common criterion CC6 in the AICPA Trust Services Criteria requires logical access controls with documented authorization. Dock satisfies both by recording the reviewer, the timestamp, the evidence URLs, and the agent's draft on the same row. The agent does the assembly work; the human does the attesting. See Dock for compliance and agent audit and compliance for the audit trail mechanics, and agent identity lifecycle for how reviewer.secops itself gets reviewed. Joiner-mover-leaver tie-ins live in Dock for people ops.
Start your next quarterly review in Dock.
FAQ
Does the agent revoke access on its own?
No. The agent drafts the recommendation. A named manager signs the decision. Revocation execution is a separate queued step under a dangerous-ops contract.
What if Okta and ServiceNow disagree about who owns the entitlement?
The agent flags the row as owner_conflict and routes it to the security-ops queue rather than the manager. The conflict itself becomes the audit artifact.
How does this satisfy SOC 2 CC6?
Each row carries the reviewer's identity, the timestamp, a link to the Vanta control, and links to the Okta and ServiceNow source records. That bundle is the evidence auditors ask for.
Can the agent read Salesforce or AWS activity without standing credentials?
Yes. reviewer.secops holds its own OAuth tokens, scoped to read entitlements and activity logs. The Dock row records which token was used on each fetch.
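The draft, route and attest steps of the worked workflow above, together with the owner_conflict handling from the FAQ, as an added illustration that is not Dock's own code. The 30-day inactivity threshold, the Admin-to-Standard downgrade, and the Okta IDs, ticket numbers and third sample row are my assumptions; the page only says thresholds and least-privilege rules exist.

```python
from collections import namedtuple

AGENT_ID = "reviewer.secops"
INACTIVE_DAYS = 30                # assumed inactivity threshold (not on the page)
SECOPS_QUEUE = "security-ops"

# One privileged entitlement as the agent sees it after joining Okta (user,
# manager), ServiceNow (grant ticket, ticket owner) and 90-day activity.
Entitlement = namedtuple("Entitlement", "user app role days_since_login "
                         "risky_activity okta_manager snow_owner okta_id snow_ticket")

def draft_decision(e: Entitlement) -> str:
    """Agent proposal: revoke if inactive, downgrade if risky, else keep.
    The downgrade ladder (Admin -> Standard) is an assumption, not Dock's rule."""
    if e.days_since_login > INACTIVE_DAYS:
        return "revoke (inactive)"
    if e.risky_activity not in ("none", "normal"):
        return "downgrade to Standard" if e.role == "Admin" else "revoke"
    return "keep"

def build_row(e: Entitlement) -> dict:
    """One row per (user, app, role) carrying pointers to the source records.
    If Okta and ServiceNow disagree on the owner, bypass the manager."""
    conflict = e.okta_manager != e.snow_owner
    return {"user": e.user, "app": e.app, "role": e.role,
            "okta_id": e.okta_id, "snow_ticket": e.snow_ticket,
            "agent": AGENT_ID, "draft": draft_decision(e),
            "route_to": SECOPS_QUEUE if conflict else e.okta_manager,
            "flag": "owner_conflict" if conflict else "",
            "decision": None, "reviewer": None, "signed": None}

def attest(row: dict, reviewer: str, decision: str, signed_on: str) -> dict:
    """Only the routed human signs; the agent can never close its own draft."""
    if reviewer == AGENT_ID or reviewer != row["route_to"]:
        raise PermissionError(f"{reviewer} may not sign the row for {row['user']}")
    row.update(decision=decision, reviewer=reviewer, signed=signed_on)
    return row

# Constructed sample: first two mirror the table above; the third is altered so
# that Okta and ServiceNow name different owners.
SAMPLE = [
    Entitlement("p.singh@co", "Salesforce", "Admin", 2, "bulk export 14k rows",
                "r.alvarez@co", "r.alvarez@co", "00u-singh", "RITM0001"),
    Entitlement("j.tan@co", "AWS prod", "PowerUser", 41, "none",
                "k.osei@co", "k.osei@co", "00u-tan", "RITM0002"),
    Entitlement("m.diaz@co", "GitHub org", "Owner", 0, "normal",
                "r.alvarez@co", "j.lee@co", "00u-diaz", "RITM0003"),
]
ROWS = {r["user"]: r for r in (build_row(e) for e in SAMPLE)}
```

The conflict row can only be closed from the security-ops queue, so a manager or the agent calling attest on it raises rather than producing a signature.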