What SOC 2 Auditors Will Start Asking About Your AI Agents
SOC 2 audits are catching up to agentic AI deployments. Here's what auditors will ask, what evidence they'll expect, and why application-layer logs are not sufficient.
The Lede
A SOC 2 auditor at a Big Four firm told us last quarter: "We are starting to ask about AI agents the same way we asked about cloud infrastructure five years ago — as an uncontrolled access surface that most organizations cannot account for." The gap is not that companies are using AI agents. It is that they cannot prove what those agents accessed, when, and whether it was authorized.
The Questions Coming
Based on conversations with auditors and the emerging NIST AI Risk Management Framework (AI RMF 1.0), here are the questions SOC 2 auditors will start asking about AI agent deployments:
1. "What data can your AI agents access?"
This is the CC6.1 (Logical Access) question applied to non-human identities. Auditors want to see a defined access scope per agent — not "it has the developer's permissions." They want per-agent policies that enumerate allowed file paths, network destinations, and subprocess capabilities.
2. "How do you monitor AI agent activity in real time?"
CC7.1 (System Monitoring) requires continuous monitoring. For agents, this means session-level visibility: which files were accessed, which network connections were made, which subprocesses were spawned. Application-layer logs ("the agent made 47 API calls") are not sufficient — they show what the agent reported, not what it actually did.
3. "Can you prove an agent stayed within its authorized scope?"
This is the hardest question. It requires two things: a declared scope (what the agent was authorized to do) and an observed behavior record (what the agent actually did at the OS level). The delta between these two is the audit evidence.
Application-layer logs can be influenced by the agent itself. Kernel-level audit logs cannot — they are generated by the OS, outside the agent's control.
4. "What happens when an agent exceeds its scope?"
CC6.6 (Boundary Protection) and CC7.2 (Anomaly Detection). Auditors want to see automated response: alerting, blocking, or human escalation. "We review logs weekly" is not an acceptable control for autonomous systems.
Why Application-Layer Logs Fail the Audit
Most organizations that have started agent monitoring rely on application-layer logging — the agent's own telemetry, LLM provider usage logs, or API gateway access logs. These logs have a structural problem for audit purposes:
They are generated by the entity being audited.
An AI agent that has been prompt-injected can be instructed to suppress or alter its own logging. The model can omit actions from its output, misreport its behavior, or route around application-layer monitoring by spawning subprocesses.
Kernel-level logs do not have this problem. The kernel records every file open, process exec, and network connect regardless of what the application layer reports. This is the same reason auditors prefer OS-level access logs over application-reported access logs for traditional systems.
What Ring Zero Provides for SOC 2
| SOC 2 Requirement | Ring Zero Evidence |
|---|---|
| CC6.1 Logical Access | Per-agent scoped policies (file paths, network, subprocesses) |
| CC7.1 System Monitoring | Real-time kernel-level session telemetry |
| CC7.2 Anomaly Detection | Provenance graph + intent vs. behavior delta alerts |
| CC6.6 Boundary Protection | Kernel-level enforcement (block unauthorized actions) |
| Audit Trail | Tamper-evident kernel logs (not agent-generated) |
Takeaways
- SOC 2 auditors are beginning to treat AI agents as uncontrolled access surfaces — expect questions within the next audit cycle
- Application-layer logs are insufficient for audit because they are generated by the entity being audited
- Kernel-level telemetry provides tamper-evident evidence that auditors can trust
- Per-agent scoped policies satisfy CC6.1 (Logical Access) requirements for non-human identities
- The "intent vs. behavior" delta is the most auditor-friendly control for autonomous systems
Want our AI Agent Compliance Checklist? Contact us for a copy.
Protect your AI agents today
Install Ring Zero in under 5 minutes. Free for up to 3 agents.