Your SOC 2 auditor is already asking about AI agents. Do you have an answer that isn't a spreadsheet?
Auditors now probe AI agent actions; most stacks can't answer. ComplyAI produces CC6/CC7-shaped evidence from the action boundary.
In 2026 audit cycles, SOC 2 auditors working to the AICPA Trust Services Criteria are explicitly asking for records of actions taken by AI systems. Without a per-action audit trail that attributes each action to an identity, expect exceptions against the system-operations (CC7) criteria. The fix is not a policy update; it is instrumented evidence produced where the agent actually acts.
SOC 2 controls ↔ ComplyAI capabilities.
| SOC 2 control | Requirement (Trust Services Criteria, paraphrased) | How ComplyAI satisfies it |
|---|---|---|
| CC6.1 | Logical access security measures protect information assets against unauthorized access | Policy engine denies AI agent actions that fall outside declared scope, even when the underlying credential would permit them. |
| CC6.6 | Logical access controls protect against threats from outside the system boundary | Destructive operations, secret-file reads, and out-of-scope API calls are blocked at the action boundary. |
| CC6.8 | Prevent or detect the introduction of unauthorized or malicious software | MCP gateway and subagent guard keep untrusted tools and prompts out of the action surface. |
| CC7.1 | Detection and monitoring procedures identify configuration changes and newly discovered vulnerabilities | Per-action audit ledger feeds your SIEM via OpenTelemetry; detection runs in your existing pipeline. |
| CC7.2 | Monitor system components for anomalies indicative of malicious acts or errors, and analyze them as potential security events | Every denied action is recorded with rule name, risk score, acting identity, and model. |
| CC7.3 | Evaluate security events to determine whether they are incidents | Replay-ready immutable ledger; the webapp surfaces all denied actions filtered by user, team, or rule. |

The right-hand column is ComplyAI's proposed mapping. Whether a given artifact is sufficient evidence for a criterion is your auditor's call, so treat the table as the starting point for your control narrative rather than a guarantee.
Artifacts your auditor can run with.
- Pre-built policy mapped to CC6/CC7 controls
- Control-by-control mapping document (PDF + Markdown source)
- Audit-export template — JSONL ledger filtered to CC-relevant events
- Webapp access log: who viewed which session (audit-of-the-audit)
- Quarterly summary report template for the audit committee
- Bridge document for your existing SOC 2 narrative — what to add for AI
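To make the action-boundary model and the JSONL ledger concrete, here is an added illustration. It is not ComplyAI's code and does not reproduce its data format; the rule names, risk scores, ledger field names and sample actions are assumptions chosen for this example. It shows a policy gate that evaluates each agent tool call against a declared scope, denies secret-file reads, destructive commands and out-of-scope hosts regardless of what the underlying credential would allow, appends every decision to a hash-chained JSONL ledger with identity, model, rule name and risk score, and filters that ledger down to the denied events an audit export would carry.

```python
"""Illustrative action-boundary gate with a hash-chained JSONL ledger.

Added example, not ComplyAI's code. Rule names, risk scores, field names and
the sample actions below are assumptions made for illustration.
"""
import hashlib
import json
import re
from dataclasses import dataclass

# Files an agent should never read, whatever its credential allows (assumed list).
SECRET_PATTERNS = [re.compile(p) for p in (
    r"(^|/)\.env(\..*)?$", r"(^|/)id_rsa$", r"\.pem$", r"(^|/)\.aws/credentials$")]
# Shell fragments treated as destructive (assumed list).
DESTRUCTIVE = re.compile(r"\b(rm\s+-rf|drop\s+table|git\s+push\s+--force)\b", re.I)


@dataclass(frozen=True)
class Scope:
    tools: frozenset      # tools the agent is declared to use
    api_hosts: frozenset  # hosts it may call over HTTP
    paths: tuple          # filesystem prefixes it may read


@dataclass(frozen=True)
class Action:
    identity: str  # human or service principal the agent acts on behalf of
    model: str     # model that proposed the action
    tool: str
    args: dict


def evaluate(action, scope):
    """Return (allowed, rule, risk). Rules run in order; the first deny wins."""
    if action.tool not in scope.tools:
        return False, "tool_out_of_scope", 70
    if action.tool == "read_file":
        path = action.args.get("path", "")
        if any(p.search(path) for p in SECRET_PATTERNS):
            return False, "secret_file_read", 90
        if not path.startswith(scope.paths):
            return False, "path_out_of_scope", 60
    if action.tool == "shell" and DESTRUCTIVE.search(action.args.get("cmd", "")):
        return False, "destructive_command", 95
    if action.tool == "http" and action.args.get("host", "") not in scope.api_hosts:
        return False, "api_host_out_of_scope", 80
    return True, "allow", 10


class Ledger:
    """Append-only JSONL ledger. Each entry commits to the previous entry's hash,
    so editing or deleting a line after the fact is detectable on replay."""

    GENESIS = "0" * 64

    def __init__(self):
        self.lines = []
        self.prev = self.GENESIS

    @staticmethod
    def _digest(entry):
        body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(body.encode()).hexdigest()

    def record(self, action, allowed, rule, risk):
        entry = {"seq": len(self.lines), "identity": action.identity,
                 "model": action.model, "tool": action.tool, "args": action.args,
                 "decision": "allow" if allowed else "deny", "rule": rule,
                 "risk": risk, "prev": self.prev}
        entry["hash"] = self._digest(entry)   # hash covers everything but itself
        self.prev = entry["hash"]
        self.lines.append(json.dumps(entry, sort_keys=True))
        return entry

    def verify(self):
        """Recompute the chain; False if any line was altered, dropped or reordered."""
        prev = self.GENESIS
        for line in self.lines:
            entry = json.loads(line)
            claimed = entry.pop("hash")
            if entry["prev"] != prev or self._digest(entry) != claimed:
                return False
            prev = claimed
        return True

    def export(self, decision="deny"):
        """The audit-export slice: only events with the given decision."""
        return [e for e in map(json.loads, self.lines) if e["decision"] == decision]


def gate(action, scope, ledger):
    """Enforce policy at the action boundary and record the decision."""
    allowed, rule, risk = evaluate(action, scope)
    ledger.record(action, allowed, rule, risk)
    return allowed


def tampering_detected(ledger, seq):
    """Flip one recorded decision in a copy of the ledger; True if verify() catches it."""
    copy = Ledger()
    copy.lines = list(ledger.lines)
    entry = json.loads(copy.lines[seq])
    entry["decision"] = "allow"
    copy.lines[seq] = json.dumps(entry, sort_keys=True)
    return not copy.verify()


def run_demo():
    """Constructed sample actions; returns the ledger and the list of decisions."""
    scope = Scope(tools=frozenset({"read_file", "shell", "http"}),
                  api_hosts=frozenset({"api.internal.example"}), paths=("/repo/",))
    ledger = Ledger()
    actions = [
        Action("alice@example", "model-x", "read_file", {"path": "/repo/src/app.py"}),
        Action("alice@example", "model-x", "read_file", {"path": "/repo/.env"}),
        Action("alice@example", "model-x", "shell", {"cmd": "rm -rf /repo/build"}),
        Action("alice@example", "model-x", "http", {"host": "api.internal.example"}),
        Action("alice@example", "model-x", "http", {"host": "collector.evil.example"}),
        Action("ci-bot", "model-y", "send_email", {"to": "board@example"}),
    ]
    decisions = [gate(a, scope, ledger) for a in actions]
    return ledger, decisions


if __name__ == "__main__":
    ledger, _ = run_demo()
    for line in ledger.lines:
        print(line)
    print("chain intact:", ledger.verify(), "| denied:", len(ledger.export()))
```

The key design point is that the deny decisions are made from the declared scope, not from the credential: the `.env` read and the forced push are refused even though a real filesystem or git token would have allowed them, which is exactly the CC6.1 argument the table makes. The chained hash is what turns "we log actions" into "we can show the log was not edited", which is what an auditor reviewing CC7.3 evidence will ask about.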
Common questions on SOC 2 Type II.
We already have a SOC 2 — do we need to re-cert?
No. SOC 2 is an attestation over your control environment for a reporting period, not a certificate to renew. ComplyAI produces AI-system evidence in SOC 2 CC6/CC7 format, and your auditor reviews it within your existing audit scope. Your control narratives and system description gain AI coverage; the rest is unchanged.
Is ComplyAI itself SOC 2 certified?
ComplyAI has not yet completed a SOC 2 Type II audit of its own. It produces audit evidence in a SOC 2-compatible format, and because that evidence stays on your infrastructure, ComplyAI's own posture is a vendor-management question rather than part of your evidence chain. For details on ComplyAI's security posture, contact sales.
Where does the evidence live?
On your infrastructure. No audit data leaves your environment unless you explicitly route it to your SIEM or provide it to your auditors.
Your agents are already taking actions. Governance shouldn't be an afterthought.
ComplyAI is in early access. We're working directly with security and engineering teams to deploy, configure, and demonstrate value in their environment — in a single session.