You are here:
Create and Link Evidence Artifacts for IT Compliance
Respond to evidence requests by creating a new artifact and uploading files, or by linking an existing artifact that already satisfies the request. If the same evidence artifact applies to multiple requests, link the existing file instead of creating duplicates.
Required Editions
| Available in: Lightning Experience |
| Available in: Enterprise, Performance, and Unlimited Editions with Agentforce IT Service. |
| User Permissions Needed | |
|---|---|
| To create and submit evidence artifacts: | IT Compliance Fulfiller permission set OR IT Compliance Submitter permission set (for employee portal) |
Evidence artifacts are the files, screenshots, reports, and other materials that prove compliance with a control or requirement. Each artifact is linked to one or more evidence requests and moves through a status lifecycle from Draft to Submitted to Verified. Once an artifact is verified and accepted, it locks permanently and becomes part of the official audit record.
Create a New Artifact and Upload Files
Create a new artifact when the evidence doesn't already exist in the system. Upload the files, add context in the artifact text field if needed, and submit the artifact for review.
- From the Evidence Hub app, open the evidence request the artifact belongs to.
- Go to the Artifacts tab on the request and click Create New Artifact.
-
In the Create New Evidence Artifact dialog, fill in the artifact
details:
- Artifact Name. A short, descriptive name that tells the reviewer what the artifact is proving, like HRIS (Workday) Employee Termination Log (Last 30 Days).
- Description. A brief summary of the evidence and how it satisfies the request.
- Classification. The sensitivity level of the artifact, such as Internal, Confidential, or Restricted. The classification helps reviewers handle the artifact appropriately and is shown on the artifact list view.
- Collection Method. How the evidence was gathered. Set this to Manual Upload when you're attaching files yourself.
- Status. Leave as Draft while you're still preparing the artifact. Move it to Submitted when the evidence is ready for the compliance team to verify.
- Valid Till Date. Optional. The date the evidence expires, if it has a limited shelf life (for example, a quarterly access review).
- External Link. Optional. A URL that points to the source system or external document that backs up the artifact.
- Artifact Text. Optional. Free-form text content for evidence that doesn't have a file, like a written attestation.
-
Click Save.
The artifact is created with an auto-generated number (for example, ART-000000005) and is shown on the request's Artifacts tab.
- Open the artifact you just created and go to the Files tab.
-
Add the supporting files.
- Click Add Files.
-
In the Select Files dialog, choose how to attach the file:
- To upload a new file, select Upload File and choose the file from your computer.
- To attach a file that already exists in your workspace, select a source on the left (Owned by Me, Shared with Me, Recent, Following, Libraries, or Related Files) and pick the file from the list.
- To attach a file from an external source like Google Drive, OneDrive, or SharePoint, select the source from the list. External sources appear here only when your org is connected through Files Connect and you have access to the source.
-
Click Add.
The files are attached to the artifact and listed on the Files tab.
Jordan Chen, a cloud infrastructure engineer at Cumulus Bank, receives an evidence request asking for an S3 bucket encryption configuration export. He logs into AWS, exports the bucket configuration as a CSV file, and opens the Evidence Hub app. Jordan navigates to the evidence request and selects New on the Artifacts tab. He fills in the following fields:
- Artifact Name: AWS S3 Encryption Config Export - 2026-05-12
- Classification: Confidential
- Artifact Text: (left blank, since the CSV file contains all required data)
Jordan saves the artifact, goes to the Files tab, and uploads the CSV export. He previews the file to confirm it includes the bucket name, region, encryption status, and KMS key ID columns specified in the request instructions. Once he's satisfied the artifact is complete, Jordan changes the status from Draft to Submitted. Rachel Anderson, the compliance reviewer, receives a notification and opens the artifact to begin her review.
Link an Existing Artifact to a Request
If an artifact you've already created satisfies a new evidence request, link the existing artifact to the new request instead of uploading the same files again.
This workflow is useful when the same piece of evidence applies to multiple audit controls or frameworks. For example, a quarterly user access review report might satisfy requests in both a compliance audit review and an internal governance audit. Create the artifact once and link it to both requests.
- From the Evidence Hub app, open the evidence request you want to add the artifact to.
- Go to the Artifacts tab and click Add Existing Artifact.
- Find the artifact you want to link and select it.
-
Confirm to add the artifact to the request.
The artifact appears on the request's Artifacts tab alongside any artifacts created directly on the request.
To remove a linked artifact later, for example, if you decide it isn't relevant to this request after all—open the request's Artifacts tab and remove the artifact from the list. The artifact record itself, and any other requests it's linked to, are unaffected.
Jordan Chen previously created an artifact called Q3 2026 AWS IAM User Access Review Report for a compliance audit review. That artifact was verified and accepted two weeks ago.
Now, Rachel Anderson is running an internal governance audit and creates a new evidence request that also requires the Q3 access review report. Instead of asking Jordan to upload the same report again, Rachel opens the new evidence request, selects Link Existing Artifact on the Artifacts tab, searches for the Q3 2026 IAM report, and links it to the new request.
The artifact appears immediately with status Verified - Accepted, and Rachel doesn't need to reverify it. The artifact is now linked to both the compliance audit review and the internal governance audit, and any future viewer of either audit can see the same verified evidence.
