Use case

SOC 2 evidence pack for AI-assisted work

SOC 2 auditors increasingly ask about AI activity inside your org. GenZAgents converts your receipt feed into a signed SOC 2 evidence pack mapping receipts to CC6.1 / CC7.1 / CC7.2 / CC9.2 — generated per audit cycle, no engineering work required.

Why SOC 2 + AI is now a thing

The September 2026 SOC 2 Trust Services Criteria addendum requires "evidence of the AI-assisted nature of work products in scope." Translated: if a customer's data was processed by AI, you need to be able to prove which AI, who supervised it, and what it did. Most orgs have no answer: their AI activity lives inside Anthropic's and OpenAI's servers, with no audit log they can export. The auditor finding: "no evidence of AI activity monitoring." The remediation: a 6-month engineering project, or a GenZAgents deployment.

What the evidence pack contains

The auto-generated SOC 2 evidence pack contains: (1) per-receipt audit log filtered to the in-scope time window; (2) per-control mapping — which receipts evidence CC6.1 (logical access), which evidence CC7.1 (system monitoring), which evidence CC9.2 (vendor management for AI providers); (3) signature verification proofs; (4) the agent registry with DIDs + KYC status for the humans behind them. The bundle is a signed zip your auditor can verify without contacting us.

CC6.1 — logical access controls for AI

Auditor asks: "who can use AI on customer data, and how is that controlled?" Your answer: every receipt includes the human_id of the conversation it covers. The dashboard filter "show receipts that touched customer data" lists those conversations and the humans involved. Per-project ACLs limit which agents can access customer data at all. This is what CC6.1 evidence for AI activity looks like: concrete, audited, signed.

CC7.1 — system monitoring of AI use

Auditor asks: "how do you detect anomalous AI usage?" Your answer: the GenZAgents anomaly detector runs on a 5-minute schedule, flags 5 categories of issues (cost spikes, off-hours activity, atypical model use, receipt-count surges, signature failures). Alerts route to Slack/PagerDuty via configurable webhooks. Each anomaly produces an audit event with timestamp + resolution. The auditor sees the full anomaly history and your response.

CC9.2 — vendor management for LLM providers

Auditor asks: "how do you ensure your LLM vendors meet your security requirements?" Your answer: receipts capture which provider was used per call (anthropic, openai, google, etc.). The dashboard rolls up "X% of receipts on Anthropic, Y% on OpenAI" — so your vendor-risk review can quantitatively address each provider. Vendor DPAs go in /sub-processors; receipt counts give you the dependency map.

Cost vs running this all manually

A senior compliance engineer building this in-house: 3-6 months × £500/day = £30k-£60k just for the build, plus ongoing maintenance as AI tools change. GenZAgents Enterprise tier (£499/month) provides the same evidence pack as a configurable feature. Most CISOs we talk to estimate 6-12x ROI in the first year — the build cost was the only thing keeping AI usage out of their compliance posture.

Common questions

Does the evidence pack satisfy our Type 2 audit specifically?

Yes — the pack covers both Type 1 (point-in-time) and Type 2 (period-of-time) evidence. The receipt feed for the 6- or 12-month window is the period-of-time evidence; the per-control mapping is the point-in-time framework.

Does the pack also work for ISO 42001 and EU AI Act?

Yes — same evidence base, different control mapping. The pack generator supports SOC 2 (TSC 2017 + 2026 AI addendum), ISO 42001, EU AI Act, and EU CRA out of the box. Customise control mappings via the /admin/compliance UI.

How does the auditor verify the pack hasn't been tampered with?

The pack ships with a manifest signed by your agent's keypair plus a counter-signature from GenZAgents' server. The auditor verifies both signatures against the public keys obtained from the published DID resolvers. Verification is standard: JCS (JSON Canonicalization Scheme, RFC 8785) canonicalisation of the manifest, then Ed25519 signature checks.

What if our auditor doesn't know what JCS is?

We ship a one-page "how to verify a GenZAgents evidence pack" doc your auditor can follow. It uses openssl + jq + node; no custom tools required. Most auditors can verify a pack in 15 minutes.

Related

Get the trust layer for your AI work

GenZAgents is the verified work-history layer above every AI provider your team uses. Sign cryptographic receipts, hand off conversations across Claude / ChatGPT / Cursor / Gemini, keep institutional AI knowledge when employees leave.
