Use Cases · May 30

Dock + Drata: multi-framework compliance with agent-drafted gap analysis

Drata holds the framework controls and evidence collectors. Dock holds the agent's gap interpretation, remediation queue, and reviewer sign-off, one row per control.

By mei· 3 min read· from trydock.ai

A compliance program running SOC 2, ISO 27001, and HIPAA in parallel does not fail because controls are missing. It fails because the gap between a failing collector and a remediation owner is measured in weeks. Drata and AuditBoard collect the evidence. What is missing is a durable record of what the agent concluded about each control, who reviewed it, and which remediation it triggered.

Architecture

Drata stays the system of record for framework definitions, automated collectors, and policy attestations. AuditBoard stays the system of record for audit fieldwork. Dock is the system of record for what the agent interprets from that data. Each Dock row carries a pointer back to the platform record (drata_control_id, auditboard_issue_id), the agent identity that drafted the gap, the reviewer, the decision, and a timestamp. The agent re-fetches Drata control status via fresh API reads when it needs current state. See the agent audit and compliance pattern for the broader framing.

Surface: gap_analysis table

| drata_control_id | framework | control_summary | agent_finding | severity | remediation_owner | reviewer | status |
|---|---|---|---|---|---|---|---|
| DRC-CC6.1 | SOC 2 | Logical access provisioning | Three terminated users retain Okta groups for prod DB. Offboarding ran; group removal failed. | High | platform-eng | jordan.k | approved |
| DRC-A.8.16 | ISO 27001 | Monitoring activities | Splunk forwarder offline on two staging hosts for 11 days. Outside cert boundary but flagged. | Low | sre | mira.l | accepted-risk |
| DRC-164.312 | HIPAA | Audit controls | PHI logs retained 90 days; policy requires 6 years. Collector green because retention is set, but archive job is failing silently. | High | data-platform | jordan.k | in-remediation |

Workflow

The agent pulls the Drata control list each morning and re-reads any control that flipped or aged past its review window. For each finding it writes a row to gap_analysis with the source drata_control_id, its interpretation, a suggested remediation, and its identity stamp. Any High finding routes through the dangerous operations contract, because filing a gap against a HIPAA control is an external-facing claim the agent cannot make alone. The reviewer approves, rejects, or rewrites. On approval Dock opens an AuditBoard issue carrying the row id. Filing the ticket is a two-key handshake, because once auditors see it the finding is on the record.

Why this matters

Drata and AuditBoard tell you a control is green or red. They do not tell you why the agent reached that conclusion or whether a human agreed. Auditors at certification ask the second question. ISO/IEC 27001 requires auditors to verify that controls operate effectively in practice, not that documentation exists (ISO/IEC 27001 overview). SOC 2 reports under AICPA standards similarly examine operating effectiveness over a period (AICPA SOC offerings).

A Dock row is that operating evidence. It names the agent identity that drafted the finding, the reviewer who approved it, and the AuditBoard ticket that resulted. When the auditor asks how a HIPAA retention gap was caught and closed, the answer is one query.

Compliance work belongs next to security operations in Dock. The same agents that triage alerts draft the gap analyses, and the same reviewers approve both.

Get started

Read Dock for compliance for the full pillar and the schema for gap_analysis, evidence_log, and remediation_queue.

FAQ

Does Dock replace Drata or AuditBoard? No. Drata keeps its framework library and collectors. AuditBoard keeps audit fieldwork. Dock holds the agent's interpretation and reviewer trail.

What if Drata flips a control from red to green after the agent files a gap? The agent re-reads Drata, appends a new row noting the change, and links it to the original. The original row stays. Compliance history is append-only.

Can the agent open AuditBoard issues without a reviewer? No. Filing is a dangerous operation. The reviewer signs the Dock row first; Dock then writes to AuditBoard with the row id embedded.

How does this handle multi-framework controls? One Drata control often maps to SOC 2, ISO 27001, and HIPAA at once. The Dock row carries the framework list, and one approved remediation closes all three pointers.
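The Workflow section and the FAQ answers above describe one procedure: the agent drafts a row stamped with its own identity, a reviewer who is not that agent signs it, only a signed and approved row can open an AuditBoard issue carrying the Dock row id, a later Drata flip appends a linked row instead of editing the original, and one row carries the whole framework list. The Python below is an added illustration of that ledger written for this page; it is not Dock's code and not a Drata or AuditBoard API. The GapLedger and FakeAuditBoard classes, the agent id gap-agent-01, the extra columns agent_identity, ts and supersedes, and the status value collector-flipped are all assumptions constructed here.

```python
"""Added example, not Dock's code: an append-only gap_analysis ledger with the
two-key filing handshake this page describes. Names marked 'assumed' are made up here."""
from __future__ import annotations
from dataclasses import dataclass, replace
from datetime import datetime, timezone
import itertools

@dataclass(frozen=True)
class GapRow:
    # Columns follow the page's table; agent_identity, ts and supersedes are assumed extras.
    row_id: int
    drata_control_id: str
    frameworks: tuple[str, ...]        # one Drata control may map to several frameworks
    agent_finding: str
    severity: str
    remediation_owner: str
    agent_identity: str
    ts: str
    reviewer: str | None = None
    status: str = "drafted"
    auditboard_issue_id: str | None = None
    supersedes: int | None = None      # the row this one was appended after

class FakeAuditBoard:                  # assumed stand-in for the vendor client
    def __init__(self):
        self.issues, self._n = {}, itertools.count(1)

    def open_issue(self, dock_row_id, title):
        issue_id = f"AB-{next(self._n)}"
        self.issues[issue_id] = {"dock_row_id": dock_row_id, "title": title}
        return issue_id

def _now():
    return datetime.now(timezone.utc).isoformat()

class GapLedger:
    """Rows are only ever appended; each change is a new row linked to the old one."""
    def __init__(self):
        self._rows: list[GapRow] = []
        self._ids = itertools.count(1)

    def _append(self, row):
        self._rows.append(row)
        return row

    def get(self, row_id):
        return next(r for r in self._rows if r.row_id == row_id)

    def draft(self, control_id, frameworks, finding, severity, owner, agent):
        """First key: the agent writes its interpretation under its own identity."""
        return self._append(GapRow(next(self._ids), control_id, tuple(frameworks),
                                   finding, severity, owner, agent, _now()))

    def review(self, row_id, reviewer, decision):
        """Second key: a reviewer other than the drafting agent signs a new row."""
        row = self.get(row_id)
        if reviewer == row.agent_identity:
            raise PermissionError("reviewer must differ from the drafting agent")
        return self._append(replace(row, row_id=next(self._ids), reviewer=reviewer,
                                    status=decision, ts=_now(), supersedes=row.row_id))

    def file_issue(self, row_id, auditboard):
        """Dangerous operation: only an approved, signed row may open an AuditBoard
        issue, and the issue carries the Dock row id back to the evidence."""
        row = self.get(row_id)
        if row.reviewer is None or row.status != "approved":
            raise PermissionError("filing needs reviewer approval (two-key handshake)")
        issue_id = auditboard.open_issue(row.row_id, f"{row.drata_control_id}: {row.agent_finding}")
        return self._append(replace(row, row_id=next(self._ids), status="in-remediation",
                                    auditboard_issue_id=issue_id, ts=_now(), supersedes=row.row_id))

    def record_flip(self, row_id, collector_state, agent):
        """Drata flipped after filing: append a linked row; the original stays as written."""
        row = self.get(row_id)
        note = f"Drata collector now {collector_state}; see row {row.row_id}"
        return self._append(replace(row, row_id=next(self._ids), agent_finding=note,
                                    agent_identity=agent, reviewer=None,
                                    status="collector-flipped", ts=_now(), supersedes=row.row_id))

    def history(self, control_id):
        return [r for r in self._rows if r.drata_control_id == control_id]

    def evidence_chain(self, control_id):
        """The auditor's single query: who drafted, who approved, which ticket resulted."""
        rows = self.history(control_id)
        return {"drafted_by": rows[0].agent_identity,
                "approved_by": next((r.reviewer for r in rows if r.status == "approved"), None),
                "auditboard_issue_id": next((r.auditboard_issue_id for r in rows if r.auditboard_issue_id), None),
                "rows": len(rows)}

def demo():
    # Walk one multi-framework HIPAA retention gap through the workflow end to end.
    ledger, ab = GapLedger(), FakeAuditBoard()
    draft = ledger.draft("DRC-164.312", ["HIPAA", "SOC 2", "ISO 27001"],
                         "PHI logs retained 90 days; policy requires 6 years.",
                         "High", "data-platform", agent="gap-agent-01")   # agent id assumed
    signed = ledger.review(draft.row_id, reviewer="jordan.k", decision="approved")
    filed = ledger.file_issue(signed.row_id, ab)
    ledger.record_flip(filed.row_id, "green", agent="gap-agent-01")
    return ledger, ab
```

The design choice worth noting is that review and filing never mutate a row: each step appends a successor row whose supersedes field points back, so the agent's original draft is still readable after the reviewer has signed, the ticket has been filed, and Drata has flipped the collector back to green. evidence_chain is the "one query" the auditor asks for, and the two PermissionError checks are where the two-key handshake is enforced.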
