IT Compliance Workflow
IT Compliance brings the Governance, Risk, and Compliance (GRC) discipline into Agentforce IT Service. Learn how the five major workflows connect from external regulations through risk management, audits, and remediation.
| Required Editions |
|---|
| Available in: Lightning Experience |
| Available in: Enterprise, Performance, and Unlimited Editions with Agentforce IT Service. |
Governance, Risk, and Compliance (GRC) is the discipline of aligning your organization's operations with external regulations and internal expectations. IT Compliance applies this discipline to your IT estate, giving compliance teams, IT operations, and employees a single workspace to follow regulations, enforce policies, manage risk, and prove that controls are working.
Five workflows make up the IT Compliance lifecycle. Each can run independently, but they become powerful when they connect: a regulation drives a policy, a policy is enforced by a control, a control reduces a risk, an audit collects evidence that the control worked, and a failed control triggers remediation.
| workflow | what happens | key records |
|---|---|---|
| Regulation to Policy | Capture external regulations, translate them into internal policies, map regulation clauses to policy clauses, and publish policies for employee acknowledgment. | Regulatory Authority, Regulation, Regulation Clause, Compliance Policy, Policy Clause |
| Risk Management | Register compliance risks, evaluate them through stakeholder surveys, calculate inherent and residual risk scores, and build treatment plans when residual risk is too high. | Compliance Risk, Risk Evaluation, Risk Scenario, Risk Scope |
| Controls and Testing | Define safeguards that enforce policies, group them into compliance procedures, and validate their effectiveness through periodic compliance tests. | Compliance Procedure, Compliance Control, Compliance Test, Test Execution |
| Audits and Evidence | Plan audit cycles, request evidence from fulfillers, review and verify submitted artifacts, and lock accepted evidence for external auditor review. | Compliance Audit, Evidence Request, Evidence Artifact |
| Issues and Remediation | Capture compliance findings from failed controls or rejected evidence, build remediation action plans from templates, and validate fixes with evidence. | Compliance Finding, Compliance Issue, Action Plan Template |
From Regulation to Policy
Compliance starts with the rules your organization has to follow. Regulators issue regulations, your organization translates them into internal policies, and those policies flow out to employees.
| step | what happens |
|---|---|
| Track the regulatory landscape | Compliance admins capture regulations from authorities such as the SEC, FINRA, or ISO. As regulators publish amendments, your team ingests the updates and stages new versions for review. |
| Author and review policies | Compliance authors draft internal policies that respond to those regulations. Drafting can happen directly in Microsoft Word using the Salesforce Compliance Connector, with bidirectional sync so changes stay in step. Einstein AI can help draft and summarize policy content, and AI-assisted clause extraction can pull structured clauses out of uploaded policy documents. |
| Map policies to regulations | As policies move through review, your team maps each internal clause back to the regulation clause it addresses. This mapping is the foundation of the audit trail and lets you prove which regulations your policies cover. |
| Publish and acknowledge | Approved policies are published to the Employee Portal, where targeted campaigns route them to the right audience. Employees read and acknowledge each policy, and the system tracks acknowledgments for reporting and audit. |
Risk Management
Risk management is where your organization decides what could go wrong and how much protection it needs.
| step | what happens |
|---|---|
| Capture risks | Compliance teams register risks from a curated scenario library or log them manually. Background agents can flag new risks automatically when they detect changes in your IT environment or controls that fail. |
| Evaluate risks | Compliance managers send structured surveys to IT and business stakeholders to gather feedback on how likely a risk is to materialize and how bad the impact would be. |
| Score risks | The Business Rules Engine calculates the inherent risk score (the severity before any controls are taken into account) and the residual risk score (the severity that remains after your existing controls are applied). AI-generated summaries help reviewers see the narrative drivers behind a score. |
| Treat risks | If the residual score is too high, your team builds a treatment plan with action items. Treatment work can hand off into standard IT Service Management Change Requests or Problem records, so remediation runs on the same operational rails your IT team already uses. |
| Monitor continuously | Real-time dashboards, risk heat maps, and background monitoring agents keep your team informed as the risk posture shifts. |
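To make the inherent-versus-residual distinction concrete, here is an added illustration of the scoring step; it is example code written for this page, not the Business Rules Engine's actual formula or any Agentforce IT Service API. It assumes a simple model (likelihood and impact rated 1 to 5 by each surveyed stakeholder, inherent score as mean likelihood times mean impact, each passing control removing a fixed share of the risk, and a hypothetical risk-appetite threshold of 6), and it shows why a failed control test pushes residual risk back up and into the treatment workflow. The survey responses and controls are constructed sample data.

```python
from dataclasses import dataclass, field
from statistics import mean

# Illustrative scoring model (assumption): ratings are 1..5, inherent = mean
# likelihood x mean impact (range 1..25), and each control that passed its last
# test removes its "effectiveness" share of what remains.


@dataclass
class SurveyResponse:
    stakeholder: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)


@dataclass
class Control:
    name: str
    effectiveness: float        # fraction of the risk this control removes, 0.0..1.0
    last_test_passed: bool = True  # a control whose last test failed provides no reduction


@dataclass
class RiskAssessment:
    inherent: float
    residual: float
    needs_treatment: bool
    drivers: list = field(default_factory=list)  # failed controls that raised the residual score


def inherent_score(responses):
    """Severity before any control is considered."""
    if not responses:
        raise ValueError("at least one survey response is required")
    for r in responses:
        if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
            raise ValueError(f"{r.stakeholder}: ratings must be 1..5")
    return mean(r.likelihood for r in responses) * mean(r.impact for r in responses)


def residual_score(inherent, controls):
    """Severity left after the controls that actually work are applied."""
    remaining = 1.0
    for c in controls:
        if not 0.0 <= c.effectiveness <= 1.0:
            raise ValueError(f"{c.name}: effectiveness must be 0..1")
        if c.last_test_passed:
            remaining *= 1.0 - c.effectiveness
    return inherent * remaining


def assess_risk(responses, controls, appetite=6.0):
    """Score a risk and decide whether it needs a treatment plan (hypothetical threshold)."""
    inherent = inherent_score(responses)
    residual = residual_score(inherent, controls)
    drivers = [c.name for c in controls if not c.last_test_passed]
    return RiskAssessment(round(inherent, 2), round(residual, 2), residual > appetite, drivers)


if __name__ == "__main__":
    # Constructed sample survey: three stakeholders rate "unauthorized access to customer data".
    responses = [
        SurveyResponse("it-ops", likelihood=4, impact=5),
        SurveyResponse("app-owner", likelihood=4, impact=4),
        SurveyResponse("security", likelihood=4, impact=3),
    ]
    controls = [Control("MFA on admin accounts", 0.5), Control("Quarterly access review", 0.5)]
    print(assess_risk(responses, controls))
    controls[1].last_test_passed = False  # the access review failed its compliance test
    print(assess_risk(responses, controls))
```

With both controls passing, the residual score is 4.0 and stays under the appetite; once the access review fails its test, the residual score doubles to 8.0 and the assessment names that control as the driver, which is the hand-off point into a treatment plan.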
Controls and Testing
Controls are the practical safeguards that turn a policy on paper into something measurable.
| step | what happens |
|---|---|
| Define controls | Controls describe what your organization does to satisfy a regulation or enforce a policy. Each control is grouped under a compliance procedure that reflects a real workflow. |
| Test controls | Compliance tests validate that a control behaves as expected. When a test runs, the result is recorded as a test execution. |
| Detect failures | When a test fails or a background agent detects drift, the failure can feed straight into the risk and remediation workflows. |
Audits and Evidence Collection
Audits are where the system proves to internal stakeholders and external auditors that the compliance program is working.
| step | what happens |
|---|---|
| Plan the audit | An audit program manager creates an audit cycle that defines the observation and execution windows for a specific compliance review, such as a quarterly SOC 2 assessment. |
| Request evidence | Within the audit, the manager creates evidence requests that map to the controls or policies being reviewed. Each request is assigned to a fulfiller with a due date. |
| Fulfill and submit | Fulfillers open the Evidence Hub, gather the proof, and submit evidence artifacts that include the relevant files and metadata. |
| Review and lock | Compliance reviewers preview the files, verify that the evidence meets the request, and accept or reject the artifact. Accepted artifacts lock immediately, preserving an unaltered chain of custody for external auditors. |
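The "lock on accept" step is what makes the chain of custody defensible, so here is an added example of how such a lock can be modelled; it is illustrative code written for this page, not Agentforce IT Service's implementation. It assumes a single artifact record that hashes its file bytes with SHA-256 on submission, refuses any change once a reviewer accepts it, keeps a custody log, and can later re-verify that the stored bytes still match the digest recorded at acceptance. The request IDs, filenames and file contents are constructed sample data, and the finding returned on rejection is a hypothetical stand-in for the compliance finding the workflow would create.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


class EvidenceLockedError(Exception):
    """Raised when someone tries to alter an artifact after it has been accepted."""


@dataclass
class EvidenceArtifact:
    request_id: str      # evidence request this artifact answers (constructed IDs below)
    filename: str
    content: bytes
    submitted_by: str
    digest: str = field(init=False)
    status: str = "Submitted"  # Submitted -> Accepted | Rejected
    custody: list = field(default_factory=list)  # (timestamp, event, actor, digest)

    def __post_init__(self):
        self.digest = hashlib.sha256(self.content).hexdigest()
        self._log("submitted", self.submitted_by)

    def _log(self, event, actor):
        self.custody.append((datetime.now(timezone.utc).isoformat(), event, actor, self.digest))

    def replace_content(self, content, actor):
        """Fulfillers may fix a submission until a reviewer accepts it; afterwards it is immutable."""
        if self.status == "Accepted":
            raise EvidenceLockedError(f"{self.filename} is locked; submit a new artifact instead")
        self.content = content
        self.digest = hashlib.sha256(content).hexdigest()
        self._log("replaced", actor)

    def accept(self, reviewer):
        """Lock the artifact. The reviewer must not be the person who submitted it."""
        if reviewer == self.submitted_by:
            raise ValueError("reviewer must differ from submitter")
        self.status = "Accepted"
        self._log("accepted", reviewer)

    def reject(self, reviewer, reason):
        """Reject the artifact and return a hypothetical finding for the remediation workflow."""
        self.status = "Rejected"
        self._log(f"rejected: {reason}", reviewer)
        return {"request_id": self.request_id, "artifact": self.filename, "reason": reason}

    def verify(self):
        """Recompute the hash of the stored bytes and compare it with the digest logged at acceptance."""
        accepted = [d for (_, ev, _, d) in self.custody if ev == "accepted"]
        if not accepted:
            return False
        return hashlib.sha256(self.content).hexdigest() == accepted[-1]


if __name__ == "__main__":
    # Constructed sample: an MFA enrollment export submitted against evidence request ER-001.
    art = EvidenceArtifact("ER-001", "mfa-enrollment.csv", b"user,mfa\nalice,yes\nbob,yes\n", "fulfiller")
    art.accept("reviewer")
    print(art.status, art.verify())
    try:
        art.replace_content(b"user,mfa\nalice,yes\nbob,no\n", "fulfiller")
    except EvidenceLockedError as e:
        print("blocked:", e)
```

The verification step matters for the external auditor: because the digest is written into the custody log at the moment of acceptance, any later change to the stored bytes, even one that bypasses the application and edits storage directly, makes `verify()` return False.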
Issues and Remediation
When something fails or is rejected, the compliance program needs to fix it and prove it stays fixed.
| step | what happens |
|---|---|
| Capture findings | Failed controls, rejected evidence, audit observations, and risk-driven gaps are all captured as compliance findings. |
| Plan remediation | Each finding gets a remediation action plan, often built from out-of-the-box action plan templates that standardize how your team responds. |
| Execute and validate | Remediation tasks are assigned to the right owners. As owners complete the work, they upload evidence that the gap has been closed. Validated remediation records the resolution and keeps the audit trail intact. |
Business Operations Processes
Business operations processes represent the real workflows your organization runs, such as Customer Data Processing or Employee Onboarding. They sit at the intersection of regulations, policies, and controls.
| step | what happens |
|---|---|
| Link processes to compliance records | Each business operations process connects to the regulation clause versions that apply, the compliance policy clause versions that govern it, and the compliance control versions that protect it. |
| Assign functional and technical owners | Business operations processes have designated owners who are responsible for ensuring that the process operates within its compliance obligations. |
| Assess risk by process | Compliance risks link to the business operations processes they threaten, so your team can evaluate which processes are most exposed and prioritize treatment. |
How IT Compliance Integrates with IT Service Management
IT Compliance is built into Agentforce IT Service, so the compliance program runs alongside your incident, problem, change, and asset workflows instead of in a separate tool.
| integration point | what happens |
|---|---|
| Changes are compliance-aware | Change requests can be reviewed for compliance impact before they're approved, and remediation work raised by IT Compliance can be executed as standard change requests. |
| Incidents and problems can trigger risk reviews | When an incident or problem surfaces a recurring weakness, your team can register it as a compliance risk and assess it using the same survey and scoring tools. |
| Assets carry compliance context | The Asset records that IT operations already maintain link to the regulations, policies, and controls that apply to them, so asset owners can see their compliance obligations without leaving the asset record. |