How SOC 2 Compliance Works for AI Agents That Take Action
SOC 2 compliance for AI agents means proving the controls around the agent, not certifying the model: least-privilege access, complete and tamper-resistant audit logs, monitoring, and approved changes. An AI agent is not SOC 2 compliant by default. You make it compliant by scoping what it can touch, logging every action it takes, and requiring human approval on sensitive operations.
Quick answer
SOC 2 compliance for AI agents means proving the controls around the agent, not certifying the model: least-privilege access, complete and tamper-resistant audit logs, monitoring, and approved changes. An AI agent is not SOC 2 compliant by default. You make it compliant by scoping what it can touch, logging every action it takes, and requiring human approval on sensitive operations.
SOC 2 compliance for AI agents comes down to one principle: the controls live around the agent, not inside the model. When an AI agent connects to your CRM, support desk, and databases and takes action on its own, your auditor does not care which model you use. They care who authorized the action, what data it could reach, whether you can prove every action after the fact, and how changes to the agent get reviewed. Meet those control objectives and an AI agent maps cleanly onto SOC 2. Skip them and you have an unmonitored service account with a language model attached.
SOC 2 rests on five Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy) with Security, the Common Criteria, required in every report. An AI agent that reads and writes to your systems touches nearly all of them. This guide breaks down the four control areas that matter most for agents (access controls, audit trails, monitoring, and change management) and shows the exact evidence an auditor will ask for, the mistakes that sink the audit, and a framework for deciding which agents you can safely turn loose.
The short version: an AI agent is not SOC 2 compliant out of the box. You make it compliant by scoping what it can touch with least-privilege roles, logging every action to tamper-resistant storage, monitoring for anomalies, and gating anything sensitive behind approved-change and human-in-the-loop controls. Everything below is about how to do each of those well enough that a Type II auditor signs off after watching the controls run for months.
Why do AI agents change the SOC 2 conversation?
A traditional SaaS integration runs inside fixed, pre-written code paths. An AI agent decides at runtime which tool to call and with what arguments, so its blast radius is defined by the agent's permissions, not by a developer's intent. That shift is exactly what auditors zero in on, because an autonomous actor holding broad credentials is a textbook Security risk.
Three properties of AI agents make this sharper than an ordinary service-to-service integration:
- Non-determinism. The same prompt can produce different tool calls, so code review alone cannot bound behavior. Controls have to constrain the agent at the permission and approval layer instead of relying on a fixed call graph.
- Cross-system reach. One agent often spans your CRM, ticketing, billing, and data warehouse, so a single over-scoped agent can breach Confidentiality across several systems at once rather than leaking from one app.
- Action, not just answers. Agents update deals, close tickets, and trigger workflows, which pulls Processing Integrity and change management into scope, not just access. A chatbot that only answers questions raises a much smaller surface than an agent that writes to production.
The reassuring part is that SOC 2 was never about a specific technology. It is a set of control objectives, and an AI agent satisfies them the same way any privileged system does: bounded access, complete logs, active monitoring, and governed change. The work is mapping each agent capability to a control and producing the evidence. If you have ever taken a database service through audit, the muscle memory transfers directly. The difference is that the agent chooses its own actions, so your controls have to assume it will sometimes try the wrong one.
“SOC 2 does not certify the model. It certifies that you can prove who let the agent act, what it could reach, and what it actually did.”
How do access controls apply to AI agents? Least privilege for agents and users
Access control is the heart of the Common Criteria, and for AI agents it works on two levels: what the agent itself can reach, and what the human or system invoking it is allowed to do. SOC 2 expects least-privilege access that is reviewed on a regular cadence, with any elevated rights time-bound.
For an AI agent, that translates into concrete requirements:
- Scope the agent's tool and data permissions to the minimum it needs: read-only where reads suffice, and no standing write access to systems it rarely touches.
- Bind the agent's actions to the identity of the end user, so it can only do what that authenticated person is already permitted to do, never more.
- Avoid shared, all-powerful service accounts. A single admin API key behind an agent collapses every user into one identity and destroys your access-review story.
- Make elevated access time-bound and revocable, with periodic access reviews that show who and what can invoke the agent, and at what scope.
This is where role-based access control (RBAC) earns its place in the report. Onpilot enforces least-privilege RBAC so each agent, and each user invoking it, is constrained to a defined role rather than inheriting broad credentials. Identity flows through short-lived JWTs minted per session, so the agent acts as the authenticated user with scoped, expiring tokens instead of a static, long-lived key. That gives auditors a clean answer to both "how do you enforce and review access?" and "how are credentials rotated and time-bound?" If you want the mechanics of session-scoped identity, the deep dive on RBAC for AI agents and the identity tokens page walk through how a per-user token caps what the agent can ever do.
“Least privilege is the difference between an agent that can resolve one ticket and an agent that can read every customer's billing record. Auditors will ask which one you built.”
What audit trail do AI agents need? Complete, tamper-resistant, and retained
If access control is the control you design, the audit trail is the evidence you produce. SOC 2 auditors test controls across a window, typically 3 to 12 months for a Type II report, so you need complete, tamper-resistant logs retained for the full period. For AI agents the bar sits higher than logging an HTTP request, because the unit that matters is the action the agent decided to take.
A SOC 2-grade audit trail for an AI agent should capture, for every action:
- Who triggered the run: the authenticated user or system identity, not just "the agent".
- What the agent did: the tool or integration called, the target record, the arguments, plus the result and any error.
- When it happened, and from which channel (web, Slack, Teams, WhatsApp, or API).
- Whether an approval was required, who approved or rejected it, and when.
- The before and after state for write actions, so Processing Integrity claims are verifiable.
| Audit field | What it answers | Typical app log | SOC 2-grade agent log |
|---|---|---|---|
| Actor identity | Who triggered the action | Often a shared service account | Authenticated end user, per session |
| Action detail | What tool ran, with what arguments | Endpoint hit, status code | Tool, target record, arguments, result |
| Approval record | Was sign-off required and given | Not captured | Required flag, approver, timestamp |
| Before/after state | Did the right change happen | Rarely captured | Pre- and post-write values |
| Immutability | Can the entry be altered later | Mutable, rotated by retention policy | Append-only, retained full period |
Two qualities make these logs audit-ready. First, completeness: no silent paths where the agent can act without leaving a record. Second, tamper resistance: append-only, immutable storage so a log entry cannot be altered or deleted after the fact, which is exactly what auditors mean by integrity of evidence. Onpilot writes an immutable audit log of every agent action, retained across the audit period, so you can reconstruct precisely what happened on any given day instead of reverse-engineering it from scattered application logs. For a fuller treatment of what belongs in each entry and how long to keep it, see the breakdown of AI agent audit logs.
“The audit question is not "do you log?" It is "can you prove the logs are complete and unchanged for the entire period under audit?"”
How do you monitor AI agents and respond to incidents?
SOC 2's Common Criteria require you to detect, evaluate, and respond to anomalies. You cannot claim a control works if nothing is watching it. For AI agents, monitoring spans both operational health and behavioral safety, because an agent failing silently and an agent acting outside its lane are different incidents that call for different responses.
Effective monitoring for an agent program includes:
- Real-time visibility into agent runs, tool calls, and failures, so an unhealthy integration or a runaway loop is caught quickly (this supports the Availability criteria).
- Alerting on anomalous behavior: spikes in write actions, access to sensitive records, repeated permission-denied events, or attempts outside an agent's role.
- Rejected and approved actions surfaced for review, so a pattern of risky requests becomes visible before it becomes an incident.
- A defined incident-response path: how an action gets flagged, who investigates, how the agent's access is revoked or paused, and how the event is recorded.
Because Onpilot routes every action through the same audit and approval pipeline, monitoring draws from one consistent source instead of a patchwork of vendor logs. That single chokepoint is what makes alerting and incident review tractable: you watch one stream of governed actions rather than reconciling activity across a dozen connected tools. It also gives your incident response a clean kill switch. If an agent starts behaving oddly, pausing its role at the gateway stops every downstream action at once, instead of you racing to revoke a dozen scattered API keys while the agent keeps running.
Does change management apply to AI agents? Config changes and human-in-the-loop approvals
Yes, change management applies to AI agents, and it applies twice. SOC 2 expects changes to be documented, reviewed, and approved before they reach production, and agents introduce two kinds of change to govern: changes to the agent's configuration, and the changes the agent makes to your data while it runs.
On the configuration side, treat an agent's prompts, tools, permissions, and connected integrations as production assets:
- Document and review changes to an agent's instructions, allowed tools, and access scope before they go live.
- Require approval from someone other than the author for any change that expands access or adds write capability.
- Keep version history so you can show what the agent was authorized to do at any point in the audit period.
- Test changes before deployment and keep a record of that testing.
On the runtime side, human-in-the-loop (HITL) approvals are the control that keeps an autonomous agent inside change-management boundaries. Rather than letting the agent write to production unchecked, sensitive actions (updating a deal value, deleting a record, issuing a refund) pause for a human to approve or reject, and that decision is captured in the audit log. This is how you satisfy both Processing Integrity (the right change happened, and it was authorized) and change management (the change was approved) for actions an agent takes on the fly.
Onpilot's approval gates let you mark specific actions as requiring human sign-off by default, typically create and delete operations, so the agent proposes the change and a person authorizes it before it executes. The approval, the approver, and the timestamp all land in the immutable log, giving you the documented-and-approved evidence trail SOC 2 wants. The guide to human-in-the-loop AI agents covers how to choose which actions to gate without grinding the agent to a halt.
“An autonomous agent without approval gates is an unapproved-change machine. HITL turns every sensitive action into a documented, authorized change.”
How an action flows through SOC 2 controls
It helps to trace a single agent action end to end. Suppose a support lead asks the agent to refund a customer who was double-charged. Every SOC 2 control area touches that one request, in order, and each step leaves evidence behind.
- 1
Authenticate
The request runs under the user's short-lived token, capping scope to their permissions.
- 2
Authorize
RBAC checks the agent's role can call the refund tool on this account.
- 3
Propose
The agent drafts the refund as a pending action instead of executing it.
- 4
Approve
A human reviews and signs off, since refunds are a gated action.
- 5
Execute
The refund runs, and before/after state is recorded for Processing Integrity.
- 6
Audit
Actor, action, approver, and timestamp land in the immutable log.
How a single write action passes through access, approval, execution, and audit controls.
Notice that the model is nowhere in that chain of controls. It proposes; the controls decide. That is the whole point of governing agents at the platform layer: the riskiest moment (a write to production) is wrapped in identity, authorization, approval, and evidence before anything reaches your systems of record. Reverse the order or drop a step, and you have a gap an auditor will find.
Worked scenario: taking a support agent through audit
Concrete beats abstract, so here is a realistic case. A mid-market SaaS company runs an Onpilot support agent connected to Zendesk and Salesforce. It triages tickets, drafts replies, updates case fields, and escalates billing disputes. The company is mid-way through its SOC 2 Type II observation window and the auditor asks to see the agent's controls in action.
Here is what the team can show, control by control:
- Access: the agent holds read access to Zendesk and Salesforce broadly, but write access only to ticket status and case notes. It cannot delete records or touch billing objects, and every action runs under the requesting agent's identity, so the access review lists real people, not one shared key.
- Audit: the auditor picks a random Tuesday from four months ago. The team pulls every action the agent took that day, each with actor, tool, target ticket, and result, from one immutable log, in minutes.
- Monitoring: a dashboard shows a spike in permission-denied events two months back, when someone tried to wire the agent into refunds without scoping it. The alert fired, the attempt was blocked, and the incident note records the fix.
- Change management: when the team added a 'merge duplicate contacts' capability, the diff shows a second reviewer approved it, a test record proves it ran against a sandbox first, and the version history pins the date.
- HITL: every case escalation to a human and every field write above a set threshold paused for approval. The sample the auditor pulls shows approver, decision, and timestamp on each one.
The audit passes not because the agent is clever but because the boring parts are airtight. No silent action paths, no shared admin key, no config change that skipped review. That is the bar, and it is reachable. The team that fails the same audit usually fails on one of the pitfalls below, not on anything exotic.
Pitfalls that sink an agent SOC 2 audit
Most agent audit findings are not subtle. They come from a handful of shortcuts that feel harmless during the build and turn into control gaps under examination. Watch for these:
- The shared service account. One admin API key behind the agent means every action attributes to the same identity. Your access review becomes meaningless and you cannot answer 'who did this?' for any individual action. Bind to the end user instead.
- Standing write access 'just in case'. Granting broad write scope because it is convenient gives the agent a blast radius far larger than its job. Auditors test least privilege against actual usage, and unused write permissions read as findings.
- Logging requests, not actions. HTTP access logs tell you an endpoint was hit, not which record the agent changed or what it changed to. Without before/after state and tool-level detail, your Processing Integrity story has holes.
- Mutable or short-retention logs. If log entries can be edited, or they roll off before the observation window closes, the evidence fails the tamper-resistance and retention tests no matter how complete it looked day to day.
- Treating prompt and tool changes as 'not real' changes. Editing an agent's instructions or adding a tool changes what it can do in production. If those edits skip review and version history, you have undocumented change management on a privileged system.
- Gating nothing, or gating everything. No approval gates leaves an unapproved-change machine; gating every trivial read trains reviewers to rubber-stamp. Calibrate HITL to write and destructive actions so approvals stay meaningful.
Every one of these is cheap to fix early and expensive to remediate after a finding. The pattern is the same: design the control so the shortcut is not available in the first place. An agent that physically cannot act without an identity, cannot write beyond its role, and cannot log silently does not depend on anyone remembering the rules.
“Auditors rarely fail an agent for being too autonomous. They fail it for a shared key, a silent action path, or a config change nobody reviewed.”
A decision framework: which agents can you trust to act?
Not every agent needs the same controls, and over-governing a read-only reporting agent wastes the same effort you should spend on one that issues refunds. Use a simple scoring approach to decide how tightly to wrap each agent before it goes live. Rate each agent on four dimensions and let the total drive the guardrails.
Illustrative risk scores (0-100); higher means more controls required before launch. Figures are directional, not benchmarks.
The four dimensions to score: data sensitivity (does it touch PII, financials, or health data?), action reversibility (can a bad write be undone, or is it a refund that moved real money?), system reach (one tool or your whole stack?), and autonomy (does it suggest, or execute unattended on a schedule?). A read-only agent that summarizes yesterday's tickets scores low and needs little more than scoped reads and logging. A finance agent that issues refunds on a schedule scores high and earns hard HITL gates, tight write scope, and the closest monitoring you have.
The practical rule: start every new agent read-only, prove the controls and the logs work, then expand its write scope one reversible action at a time, gating the irreversible ones. That is also the path of least resistance through audit, because each expansion is a documented, reviewed change rather than a big-bang launch you have to defend all at once. For more on validating behavior before you widen scope, see how to test an AI agent before launch.
How do Onpilot's controls map to the SOC 2 criteria?
Onpilot was built to govern agents that take action, so its core features line up with the Trust Services Criteria rather than being bolted on afterward. Here is a practical mapping you can hand to your auditor as a starting point:
- Security (Common Criteria): least-privilege RBAC, per-user scoping, and short-lived JWT identity tokens bound to the authenticated user instead of static service-account keys.
- Confidentiality: access scoped so an agent only reaches data the invoking user is permitted to see, which limits cross-system exposure.
- Processing Integrity: human-in-the-loop approvals on write actions, with before and after state captured in the log so every change is authorized and verifiable.
- Availability: real-time monitoring of agent runs and integrations so failures are detected and handled.
- Audit evidence: an immutable, append-only log of every agent action, retained across the audit period, covering who, what, when, which channel, and which approval.
Two caveats worth stating plainly. First, SOC 2 covers your whole control environment (HR onboarding, vendor management, encryption, change management across all systems) so an agent platform supplies the agent-specific controls and evidence, not your entire program. Second, controls only count if they are operating: a Type II auditor will test that approvals actually fire and logs are actually complete over months, not merely that the features exist. Onpilot gives you the mechanisms and the evidence trail; you still own the policies, reviews, and operating discipline around them.
For implementation details, see how Onpilot handles security and governance, how identity tokens scope each session to the authenticated user, and the broader AI governance framework for agents that ties these controls back to a written policy.
Frequently asked questions
Are AI agents SOC 2 compliant by default?
+
No. An AI agent is a privileged actor in your environment, and SOC 2 certifies the controls around it, not the model. You make an agent compliant by adding least-privilege access controls, complete and tamper-resistant audit logging, monitoring, and approved change management. Without those, an agent is an unmonitored service account with broad reach.
What audit evidence do I need for AI agents under SOC 2?
+
Complete, tamper-resistant logs retained for the full audit period, typically 3 to 12 months for a Type II report. For each agent action the log should show who triggered it, what tool or system was called and with what result, when and from which channel, and whether an approval was required and who granted it. Append-only, immutable storage is what lets you prove the evidence was not altered.
How do access controls apply to AI agents?
+
Through least privilege, reviewed regularly, with elevated rights time-bound. Scope the agent's tools and data to the minimum it needs, bind its actions to the authenticated user so it can never exceed that person's permissions, and avoid shared all-powerful service accounts. Onpilot enforces this with RBAC and short-lived JWT identity tokens minted per session, so credentials are scoped and expiring rather than static.
Does change management apply to AI agents?
+
Yes. Documented, approved changes are required, and for agents this applies in two places. Changes to an agent's prompts, tools, and access scope must be reviewed and approved before production, with version history retained. And the changes the agent makes at runtime should pass through human-in-the-loop approvals on sensitive actions, so each write is an authorized, documented change captured in the audit log.
How does Onpilot help with SOC 2 for AI agents?
+
Onpilot's core controls map directly to the Trust Services Criteria: least-privilege RBAC and per-user identity tokens for Security and Confidentiality, human-in-the-loop approvals on write actions for Processing Integrity, real-time monitoring for Availability, and an immutable audit log of every action for evidence. It supplies the agent-specific controls and evidence trail; you still own your broader SOC 2 program and the operating discipline around it.
What is the difference between SOC 2 Type I and Type II for agents?
+
Type I assesses whether your controls are designed appropriately at a single point in time, while Type II tests that those controls actually operated effectively over a period, usually 3 to 12 months. For AI agents, Type II is the meaningful bar, because it requires evidence that approvals consistently fired and audit logs stayed complete and unaltered across the whole window, not just that the features were configured once.
Which SOC 2 Trust Services Criteria apply to AI agents?
+
Security, the Common Criteria, always applies and is where access controls, monitoring, and incident response live. Because an AI agent reads and writes across systems, Confidentiality (scoped data access), Processing Integrity (authorized, verifiable changes via human-in-the-loop approvals), and Availability (monitoring agent runs and integrations) typically come into scope too. Privacy applies when the agent handles personal data.
Do I need human approval on every AI agent action for SOC 2?
+
No, and gating everything usually backfires by training reviewers to rubber-stamp. SOC 2 wants sensitive changes to be authorized, so the practical approach is to gate write and destructive actions (creating, updating, or deleting records, moving money) while letting read-only and low-risk steps run automatically. Onpilot lets you mark which actions require sign-off, and records the approver and timestamp for the ones that do.
How long do I need to keep AI agent audit logs for SOC 2?
+
At minimum for the full audit observation window, which is 3 to 12 months for a Type II report, and most organizations retain longer to align with their broader security and data-retention policies. The logs must stay complete and tamper-resistant for that entire period, because the auditor may sample any day within the window. Append-only storage that cannot be edited or quietly aged out is what passes the test.
Related
Deploy AI agents your auditor will sign off on.
See how Onpilot's least-privilege RBAC, immutable audit logs, and human-in-the-loop approvals map to your SOC 2 controls.
Book a demo