Drata watches the controls. AuditBoard runs the audit. Neither holds what an agent decided when it stitched evidence into an attestation packet. The agent reads a Drata control, picks a sample, drafts the assertion, a human signs. That decision needs its own row, with a pointer back to the Drata control and the AuditBoard request. See Dock for security operations for the broader pattern. Compliance overlap is in Dock for compliance.
Drata and AuditBoard stay the system of record for the raw data. Dock is the system of record for what the AGENT INTERPRETS. Each Dock row carries a pointer back to the platform record, agent identity, decision, reviewer, and timestamp. The agent re-fetches platform data via fresh API reads when it needs current state.
The Dock table: attestation_packet
| control_id | drata_ctrl | framework | agent_assertion | evidence_sample | reviewer | status | timestamp |
|---|---|---|---|---|---|---|---|
| AP-2041 | DRT-CC6.1 | SOC 2 | "Access reviews completed Q1 for all prod systems; 2 exceptions remediated within SLA" | drata://evidence/cc6-1-q1-2026 | wren@co | signed | 2026-05-28T14:02Z |
| AP-2042 | DRT-A.8.2 | ISO 27001 | "Privileged access logged via Okta; no anomalies flagged by SIEM in audit window" | drata://evidence/a8-2-q1-2026 | wren@co | signed | 2026-05-28T15:11Z |
| AP-2043 | DRT-164.308 | HIPAA | "Workforce training 100 percent complete; one contractor pending, due 06-15" | drata://evidence/164-308-2026 | rhea@co | pending | 2026-05-29T09:40Z |
The drata_ctrl column is the pointer back. The agent never caches the evidence body. When the auditor opens row AP-2041, the agent re-fetches the current Drata evidence so the assertion always reflects today's state.
One workflow: drafting the SOC 2 packet
The agent pulls the AuditBoard request list. For each control, it queries Drata for the active evidence artifact, samples per the audit plan, and drafts an assertion paragraph in the row. It assigns a reviewer by control family. Wren reviews access. Rhea reviews workforce and training. The reviewer reads the assertion, opens linked Drata evidence in a new tab, and signs in Dock. Sign-off flips status and emits a webhook that updates the AuditBoard request as ready for fieldwork. The agent ran read-only against Drata and write-only against its own row. See the dangerous ops contract for why write scope stays narrow.
Why this matters
Drata and AuditBoard answer "what is the state of the control today." Neither answers "which agent drafted this assertion, against which sample, reviewed by whom." Without that row, the auditor reconstructs the chain from chat logs. With it, the packet is queryable. Filter by reviewer, framework, agent identity (see agent identity), or status. Hand the table to the auditor as working paper. Agent audit and compliance covers the deeper rationale.
Drata describes its product as automating "control monitoring, evidence collection, and mapping to reduce prep time, ensure multi-framework readiness" (Drata). That keeps your control state current. AICPA SSAE 18, which governs SOC 2 attestation, requires the practitioner to obtain sufficient appropriate evidence and document the basis for the opinion (AICPA-CIMA). The Dock row is where the agent's basis lives, separate from Drata's evidence and separate from the auditor's report.
Start a Dock workspace for your next attestation cycle.
FAQ
Does Dock replace Drata or AuditBoard? No. Drata stays the control monitor. AuditBoard stays the audit workflow. Dock holds the agent's drafted assertions and the reviewer sign-off, with pointers back to both.
What if Drata evidence changes after sign-off? The pointer resolves to whatever Drata serves today. The agent re-fetches on read. If the underlying evidence shifted after sign-off, the row's timestamp shows when the reviewer approved against the state at that moment, and the agent flags drift on the next pull.
Can the agent sign off on its own assertions? No. The reviewer column requires a human identity. The agent drafts, a human signs. The status field cannot flip to signed without a reviewer credential.
How does this work across frameworks like SOC 2 and ISO 27001? One row per control assertion. The framework column tags scope. The same Drata control often maps to multiple frameworks, so the agent drafts one assertion per framework even when the underlying evidence overlaps.
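The sign-off and drift rules from the FAQ answers above (a human credential is required, the drafting agent cannot sign, and the pointer is re-fetched on read), as an added Python sketch that is not Dock's own code. The in-memory DRATA_EVIDENCE store standing in for a Drata API read, the agent_identity and signed_digest fields beyond the table's columns, and the credential_kind argument are assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed stand-in for a fresh Drata evidence read: pointer -> body served right now.
DRATA_EVIDENCE: Dict[str, bytes] = {
    "drata://evidence/cc6-1-q1-2026": b"Q1 access review: 2 exceptions, remediated within SLA",
}

@dataclass
class AttestationRow:
    control_id: str
    drata_ctrl: str
    agent_assertion: str
    evidence_sample: str                  # pointer back to Drata; the body is never cached here
    agent_identity: str                   # assumed field: which agent drafted the assertion
    reviewer: Optional[str] = None
    status: str = "pending"
    timestamp: Optional[str] = None
    signed_digest: Optional[str] = None   # assumed field: hash of the evidence at sign time

def fetch_evidence(pointer: str, store: Dict[str, bytes] = DRATA_EVIDENCE) -> bytes:
    return store[pointer]                 # every access is a fresh read of the platform record

def sign_rejection(row: AttestationRow, reviewer: str, credential_kind: str) -> Optional[str]:
    """Return the reason a sign-off is refused, or None when it may proceed."""
    if credential_kind != "human":
        return "status cannot flip to signed without a human reviewer credential"
    if reviewer == row.agent_identity:
        return "the drafting agent cannot sign its own assertion"
    return None

def sign(row: AttestationRow, reviewer: str, credential_kind: str, store=DRATA_EVIDENCE) -> AttestationRow:
    """Flip status to signed, recording reviewer, time, and a digest of the evidence as served then."""
    reason = sign_rejection(row, reviewer, credential_kind)
    if reason:
        raise PermissionError(reason)
    row.reviewer = reviewer
    row.status = "signed"
    row.timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%MZ")
    row.signed_digest = hashlib.sha256(fetch_evidence(row.evidence_sample, store)).hexdigest()
    return row

def evidence_drifted(row: AttestationRow, store=DRATA_EVIDENCE) -> bool:
    """Re-fetch on read; True when Drata now serves a different body than the reviewer signed against."""
    if row.status != "signed":
        return False
    current = hashlib.sha256(fetch_evidence(row.evidence_sample, store)).hexdigest()
    return current != row.signed_digest
```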