GenZAgents for compliance officers — evidence packs that auditors actually accept

Auditors increasingly ask about AI activity in your org. The evidence packs auto-generated from GenZAgents receipts satisfy SOC 2 + ISO 42001 + EU AI Act + EU CRA in one bundle — and they're signed so the chain of custody is verifiable without contacting us.

The "no AI audit trail" finding

Most orgs failing AI audits do so on one specific finding: "no audit trail for AI-assisted work". The auditor can't verify which AI was used, who supervised it, or what it did. Without a credible answer, the finding stands. Remediation: either a 6-month engineering project to build internal AI logging or a GenZAgents deployment that ships in a week.

What the evidence pack contains

Per-control receipt mapping. Signature verification proofs. Agent registry with DIDs and KYC levels. Anomaly history + responses. Dispute history + outcomes. Per-provider data-flow documentation. The bundle is a signed zip your auditor can verify offline (Ed25519 + JCS, standard verifiers available).

Multi-framework in one pack

SOC 2 (CC6.1, CC7.1, CC7.2, CC9.2, 2026 AI addendum). ISO 42001 (Clauses 6-10, Annex A). EU AI Act (§50 transparency, §10 data governance, §13 record-keeping). EU CRA (Article 13, Annex I §3.1). Same evidence base; different control mapping. The pack generator handles all four out of the box; you customise via /admin/compliance.

Period-of-time vs point-in-time

SOC 2 Type 2 wants 6 or 12 months of period-of-time evidence — receipts cover that natively. ISO 42001 wants point-in-time process documentation — the pack assembles it from agent registry + anomaly history + dispute resolution data. One pack covers both audit styles.

Auditor acceptance

In our experience: most auditors accept the signed receipt-based evidence pack with no friction. The chain of custody is cryptographic; the verification is standard tooling. The exception: auditors unfamiliar with the receipt format may want a 30-minute walkthrough — we provide a 1-page "how to verify a GenZAgents evidence pack" doc that gets them oriented.

Compliance officer's 5-minute gut check

Next audit cycle: are you in scope for SOC 2 / ISO 42001 / EU AI Act / EU CRA AI controls? If yes, your audit prep effort is significant. GenZAgents Enterprise (£6k/year) cuts the AI-evidence-gathering effort from weeks to days. The ROI is in the audit-prep time saved, not just the audit pass.

Common questions

Do we still need a security audit on GenZAgents itself?

Yes — same vendor-risk review as any vendor handling your data. See /security for our attestations (SOC 2 Type 1 complete, Type 2 in progress, pen test annual). Standard DPA available.

How does this compare to OneTrust / Drata / Vanta?

Different scope. OneTrust / Drata / Vanta automate the broader compliance program (policies, vendor reviews, control evidence). GenZAgents specifically covers the AI-side evidence. We integrate with Drata / Vanta via webhooks to feed receipt-based evidence into their unified control dashboards.

Can the evidence pack be customised per-auditor?

Yes — the YAML control mapping is editable. If a particular auditor wants evidence in a particular format, customise once and the pack uses your template.

What about FedRAMP?

Not in scope today. FedRAMP requires US gov-cloud deployment; we're hosted on Azure UK South. If you need a FedRAMP-compliant deployment, talk to us about on-prem (Enterprise tier).

Related

Get the trust layer for your AI work

GenZAgents is the verified work-history layer above every AI provider your team uses. Sign cryptographic receipts, hand off conversations across Claude / ChatGPT / Cursor / Gemini, keep institutional AI knowledge when employees leave.
