Compliance mapping
SOC 2 controls for AI agents
This page is about your SOC 2 audit, not ours. Cosignet's own SOC 2 is on the roadmap (see the security page for our current posture), and we do not claim to be SOC 2 certified today. What Cosignet does provide is evidence that can support several of the control families your auditor will test when your AI agents take consequential actions.
Scope. Cosignet provides verifiable approval evidence only; it does not determine legal applicability, certify compliance, replace regulated controls, or substitute for legal, compliance, or audit advice.
SOC 2 is a framework of the AICPA. Cosignet is not affiliated with, endorsed by, or certified by the AICPA, and you remain responsible for mapping any evidence to the controls in your own audit scope with your auditor.
Control families Cosignet supports
SOC 2 is built on the Trust Services Criteria. The criteria most affected by autonomous agent actions are authorization, logical access, and monitoring. For each, an auditor asks for evidence, and Cosignet produces a concrete artifact:
| Control area | What the auditor requests | Cosignet artifact |
|---|---|---|
| Authorization of changes and transactions | Evidence that consequential actions were approved by an authorized person before execution | A payload-bound passkey signature over the exact action; the action runs only on an explicit approved decision (fail-closed) |
| Logical and physical access controls | Strong authentication of the approver | WebAuthn with user verification (biometrics, PIN, passcode, or security key, depending on the authenticator); the private key never leaves the approver's authenticator |
| System monitoring | Tamper-evident records of privileged or high-risk operations | Append-only Merkle transparency log with an Ed25519-signed tree head and Bitcoin anchoring |
| Audit evidence and completeness | Records that can be reconstructed and independently verified | Exportable evidence pack that verifies offline with an open-source verifier, no vendor trust required |
Map these areas to the specific Trust Services Criteria in your audit scope (for example the CC-series common criteria) with your own auditor. The exact criteria tested depend on the scope you select.
How teams use this in practice
When your auditor samples change-management or transaction-authorization controls, an agent-triggered deploy or payment is often the hardest evidence to produce credibly. A Slack thumbs-up is neither bound to the exact change nor tamper-evident. A Cosignet evidence pack is both: it shows that a specific enrolled approver credential or account approved the specific action, with real-world identity established by your enrollment process, and that the record has not been altered. That turns a hand-wave into a verifiable artifact.
Related reading
- ISO/IEC 42001: the same evidence, mapped to an AI management system.
- For auditors: verify a record end to end.
- Cosignet security posture and roadmap.
- All compliance mappings.
Give your auditor a verifiable artifact, not a screenshot
Free to start, no credit card.
Informational, not legal advice. This page describes how Cosignet artifacts can support the customer's SOC 2 audit. Cosignet is not SOC 2 certified (roadmap only) and this is not an attestation. Confirm control mappings with your auditor.