The control mapping
CC6.1 — receipts log every AI-mediated access to data, with the supervising human_id.
CC7.1 — anomaly detection runs every 5 minutes against the receipt feed.
CC7.2 — anomaly alerts route to your incident-response process.
CC9.2 — receipts capture the provider per call, so AI vendor usage is queryable.
The 2026 AI addendum (CC6.X) — the AI activity logging requirement is satisfied by the receipt feed itself.
Period-of-time vs point-in-time evidence
SOC 2 Type 2 wants period-of-time evidence (6 or 12 months of operational logs). The receipt feed is exactly this — every receipt time-stamped, signed, queryable for the audit window. Type 1 wants point-in-time evidence (the system is in place as of date X). The agent registry + ACL config + anomaly thresholds at the audit date is that snapshot.
What the evidence pack contains
A signed zip with: filtered receipts for the audit window, the per-control mapping (CSV showing which receipts evidence which control), signature verification proofs, agent registry snapshot, anomaly history, dispute history. Your auditor verifies it offline without contacting us.
Common auditor questions
Q: How do we verify the audit trail hasn't been tampered with? A: signatures.
Q: How do we know engineer X was the actual operator? A: per-receipt human_id + KYC linkage.
Q: How do we know what AI was used? A: per-receipt model field + provider field + DPA mapping.
Q: How do we know any of this happened in the audit window? A: per-receipt issued_at timestamp, verifiable via signature.
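An added illustration of the offline checks an auditor runs over the receipt feed (tamper detection, audit-window filtering, and the per-control fields named above). This is not GenZAgents code: the JSON receipt layout, the `id` and `resource` fields, and the signature scheme are assumptions, with a stdlib HMAC standing in for whatever signature the evidence pack actually carries.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

# ASSUMPTION: a verification key shipped in the evidence pack. Constructed placeholder.
VERIFY_KEY = b"constructed-demo-key"
# Fields each control needs on every receipt (from the mapping above).
REQUIRED = {"CC6.1": ["human_id"], "CC9.2": ["provider", "model"]}

def canonical(receipt):
    # Sign everything except the signature itself, in a stable key order.
    body = {k: v for k, v in receipt.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(receipt, key=VERIFY_KEY):
    # ASSUMPTION: HMAC-SHA256 stands in for the real signature scheme.
    return hmac.new(key, canonical(receipt), hashlib.sha256).hexdigest()

def signature_ok(receipt, key=VERIFY_KEY):
    return hmac.compare_digest(sign(receipt, key), receipt.get("sig", ""))

def in_window(receipt, start, end):
    # issued_at is covered by the signature, so a verified receipt dates itself.
    return start <= datetime.fromisoformat(receipt["issued_at"]) <= end

def audit(receipts, start, end, key=VERIFY_KEY):
    """Map receipt id -> 'ok', 'tampered', 'outside_window' or 'missing:<fields>'."""
    findings = {}
    for r in receipts:
        if not signature_ok(r, key):
            findings[r["id"]] = "tampered"          # body edited after signing
        elif not in_window(r, start, end):
            findings[r["id"]] = "outside_window"    # valid, but not Type 2 evidence
        else:
            missing = [fld for c in REQUIRED for fld in REQUIRED[c] if not r.get(fld)]
            findings[r["id"]] = "missing:" + ",".join(missing) if missing else "ok"
    return findings

def sample_feed():
    # Constructed feed: one clean receipt, one edited after signing, one pre-window.
    base = [
        {"id": "r1", "human_id": "eng-42", "model": "m-1", "provider": "vendor-a",
         "issued_at": "2026-03-01T10:00:00+00:00", "resource": "customers.db"},
        {"id": "r2", "human_id": "eng-42", "model": "m-1", "provider": "vendor-a",
         "issued_at": "2026-03-02T10:00:00+00:00", "resource": "customers.db"},
        {"id": "r3", "human_id": "eng-7", "model": "m-2", "provider": "vendor-b",
         "issued_at": "2025-12-31T23:00:00+00:00", "resource": "hr.db"}]
    for r in base:
        r["sig"] = sign(r)
    base[1]["human_id"] = "eng-99"   # post-signing edit: must be flagged as tampered
    return base

WINDOW = (datetime(2026, 1, 1, tzinfo=timezone.utc),
          datetime(2026, 6, 30, 23, 59, 59, tzinfo=timezone.utc))
```

Running `audit(sample_feed(), *WINDOW)` flags r2 as tampered and r3 as outside the window; a receipt with no human_id is reported as missing the CC6.1 field rather than silently passing.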
Limits of what we cover
We cover the AI side of SOC 2. We don't cover: server uptime (your hosting SOC 2), employee KYC (your HR processes), policy documentation (you write the policies). The integration is "GenZAgents fills the AI evidence gap; your existing SOC 2 program covers everything else".
Our own SOC 2 status
SOC 2 Type 1 complete. Type 2 audit in progress (period 1 Jan 2026 → 30 June 2026). Report available under NDA after completion. See /security for current attestations.