15 Research Lab -Adversarial Safety Evaluation of Frontier AI Systems

John Kearney

SOC 2 Compliance for AI Agents

March 5, 202615 Research Lab

complianceagent-safetymethodology

SOC 2 audits evaluate whether an organization's controls meet the trust service criteria defined by the AICPA. AI agent deployments introduce new control considerations that auditors are increasingly asking about.

Relevant Trust Service Criteria

CC6: Logical and Physical Access Controls. For AI agents, this means: who can configure agent behavior (system prompts, tool access, policies)? Who can access agent logs? How are API keys for tool access managed? Role-based access to agent configuration must be enforced and logged.

Agents themselves are access subjects. An AI agent with database access is equivalent to a service account. It needs the same controls: least privilege, credential rotation, access logging.

CC7: System Operations. This covers monitoring and incident management. For agents: behavioral monitoring must be active, alerts must be investigated, and incidents must have defined response procedures. If your agent's monitoring detects an anomaly and no one responds, that is a control failure.

CC8: Change Management. Changes to agent behavior (system prompt updates, tool access changes, policy modifications) must follow change management procedures. Version control, review, testing, and approval before deployment.

CC9: Risk Mitigation. Risk assessment must cover agent-specific threats: prompt injection, tool misuse, data exfiltration, privilege escalation. Mitigations must be documented and tested.

Agent-Specific Control Requirements

Tool access as access control. SOC 2 requires that logical access to information and systems is restricted to authorized individuals. For agents, "individuals" includes agent instances. Document which agents have access to which tools, enforce it through policy, and log every tool call.

Agent credentials. API keys and tokens used by agents for tool access are credentials subject to the same controls as human credentials: rotation schedules, secure storage, monitoring for unauthorized use.

Configuration as code. Agent behavior is determined by its configuration: system prompt, tool definitions, policy rules. Treat configuration changes the same as code changes: version controlled, reviewed, tested, and approved.

Audit logging. Every agent action must produce an audit record. SOC 2 auditors will ask for evidence that logging is complete, tamper-resistant, and retained for the audit period (typically one year).

Evidence Collection

Auditors need evidence, not assertions. For agent deployments, prepare:

Access control matrices showing which roles can configure which agents
Policy engine rules and change history
Audit trail exports showing tool calls, policy decisions, and approvals
Monitoring configuration and alert response records
Incident reports and response documentation
Red team test results showing control effectiveness

Hash-chained receipts from Authensor provide tamper-evident audit evidence that satisfies both the completeness and integrity requirements SOC 2 auditors expect.

Practical Approach

Start with a gap analysis: compare your current agent controls against the trust service criteria. Identify gaps. Prioritize by severity and likelihood of audit finding. Implement controls. Test them. Document everything.

SOC 2 compliance for AI agents is not fundamentally different from SOC 2 for any other system. The same principles apply. The specific controls are new.