
SOC 2 for AI Agents — Checklist

Practical, agent-specific SOC 2 checklist for teams running AI agents in production. Use it to scope your audit, identify gaps, and collect the evidence auditors expect.

Last updated 25 May 2026

This is a practical guide, not legal advice. Coordinate with your auditor for final scope.

Why AI agents change your SOC 2 posture

If you run an AI agent that reads or processes data, makes decisions affecting users, or calls third-party services, that agent is in scope for your SOC 2 audit. The SOC 2 criteria themselves haven't changed, but each of your existing controls now has to extend to the agent layer as well.

The agent-specific checklist

Inventory & ownership

  • [ ] Every production agent has an owner and is in a maintained inventory
  • [ ] Every agent has documented purpose, scope, and intended users
  • [ ] Each agent has a designated data classification level
  • [ ] Each agent has a risk classification (low / medium / high)

Access & identity

  • [ ] Agents authenticate with non-human identities, not shared credentials
  • [ ] Each agent's tool access is scoped to least privilege
  • [ ] Access reviews include agents, not just human users
  • [ ] Service accounts are time-limited or rotated

Change management

  • [ ] All prompt changes go through review before production
  • [ ] All policy changes have approval and effective-date records
  • [ ] All agent version promotions require approval
  • [ ] Production agent changes have rollback procedures

Monitoring & logging

  • [ ] Every agent invocation is logged with timestamps and user attribution
  • [ ] Tool calls are logged with arguments (PII redacted as appropriate)
  • [ ] Cost and rate limits are monitored per agent
  • [ ] Anomalies trigger alerts with documented response procedures
  • [ ] Logs are tamper-evident or write-once
  • [ ] Log retention meets your declared retention policy
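As an added illustration of the logging items above (example code, not from the original page or from Prefactor), the following Python sketch records agent tool calls with timestamps and actor attribution, redacts PII-looking argument values, and chains each line to the previous one with SHA-256 so a verifier can detect an edited, removed or reordered line. The redaction patterns, field names and the in-memory list are assumptions; in production the lines would be appended to write-once storage.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first record
# Assumed (constructed) PII patterns: e-mail addresses and long digit runs.
_PII = [(re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "<email>"),
        (re.compile(r"\b\d{9,16}\b"), "<number>")]

def redact(value):
    """Recursively redact PII-looking strings inside tool-call arguments."""
    if isinstance(value, str):
        for pattern, token in _PII:
            value = pattern.sub(token, value)
        return value
    if isinstance(value, dict):
        return {k: redact(v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value

def canonical(entry):  # deterministic bytes so writer and verifier hash the same thing
    return json.dumps(entry, sort_keys=True, separators=(",", ":"))

class AuditLog:
    """Append-only, hash-chained log of agent invocations and tool calls."""
    def __init__(self):
        self.entries = []  # JSON lines; in production append them to WORM storage
        self.prev_hash = GENESIS

    def record(self, agent, actor, event, args):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "agent": agent,
                 "actor": actor, "event": event, "args": redact(args),
                 "prev": self.prev_hash}
        entry["hash"] = hashlib.sha256(canonical(entry).encode()).hexdigest()
        self.prev_hash = entry["hash"]
        self.entries.append(canonical(entry))
        return entry

def verify(lines):
    """Walk the chain; return the index of the first bad line, or -1 if intact."""
    prev = GENESIS
    for i, line in enumerate(lines):
        entry = json.loads(line)
        claimed = entry.pop("hash", None)
        # prev mismatch: a line was removed/reordered; hash mismatch: content edited
        if entry.get("prev") != prev or hashlib.sha256(canonical(entry).encode()).hexdigest() != claimed:
            return i
        prev = claimed
    return -1
```

A verifier run on a schedule, reading from storage the agent cannot rewrite, is the evidence an auditor will ask for against the tamper-evidence item.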

Data protection

  • [ ] PII detection runs on agent inputs and outputs
  • [ ] PII is redacted, tokenized, or encrypted in traces per policy
  • [ ] Customer data classification is honored in agent context
  • [ ] Data flows to and from third-party model providers are documented

Vendor / sub-processor management

  • [ ] Each model provider is in the sub-processor list
  • [ ] Each provider has current security attestation on file
  • [ ] DPA/BAA executed where required
  • [ ] Sub-processor changes notified per customer agreements

Incident response

  • [ ] AI-specific incident types defined (hallucination, prompt injection, PII leak)
  • [ ] Detection, triage, response procedures cover agent incidents
  • [ ] Incident records retained per policy
  • [ ] Customer notification procedures cover agent-caused incidents

Quality & testing

  • [ ] Eval suite exists for each production agent
  • [ ] Evals run continuously, not just pre-deploy
  • [ ] Regression alerts fire on quality drops
  • [ ] Pre-prod environment matches prod for testing

Common SOC 2 findings in agent systems

1. Logs exist but aren't tamper-evident.

2. Change management doesn't cover prompt edits.

3. Access reviews don't include agent service accounts.

4. Incident response doesn't include AI-specific scenarios.

5. Sub-processor list is stale.


Maintain visibility and control across agents, frameworks, and AI providers. Prefactor helps teams monitor activity, enforce boundaries, and manage operational risk.