Why AI agents are in SOC 2 scope
If your AI agents process, store, or transmit customer data, they fall under your SOC 2 audit scope. This is not a gray area. SOC 2 covers any system that handles customer information, and AI agents that read support tickets, access CRM records, or participate in channels where customer data is discussed are systems handling customer information.
The challenge is that AI agents don’t fit neatly into the categories your auditor is used to evaluating. They are not traditional SaaS applications with a well-defined request-response cycle. They are not employees with badge access and security training. They are something in between: software that makes decisions, takes actions, and interacts with multiple tools on behalf of your team.
Your auditor will ask three foundational questions about any AI agent in your environment: How is this agent isolated from other workloads? What data can it access, and who authorized that access? Where are the logs that prove it did what it was supposed to do? If you cannot answer these clearly, the agent is a finding waiting to happen.
The good news is that these questions have concrete answers when your AI agent platform is architected with security controls at the infrastructure level rather than bolted on as an afterthought. The rest of this page maps ClawStaff’s architecture to each of the five SOC 2 trust service criteria so your security team can evaluate with specifics, not abstractions.
Mapping to trust service criteria
SOC 2 is organized around five trust service criteria (TSCs). Not every organization is audited against all five. Security is always in scope, and the others are selected based on what your organization does and what your customers require. Here is how AI agent architecture maps to each one.
Security (Common Criteria)
The Security criterion is the foundation of every SOC 2 audit. It covers protection of information and systems against unauthorized access, both physical and logical. For AI agents, the key questions are: How are agents isolated from each other and from other systems? How is access to the agent platform controlled? How are changes to agent configurations managed?
ClawStaff addresses Security through multiple layers. ClawCage provides container isolation: every organization gets its own isolated container with dedicated resources, storage, and network boundaries. This is not logical separation within a shared runtime. It is process-level isolation where one organization’s agents cannot access another organization’s data, memory, or compute resources. Within an organization, each agent operates with scoped permissions that define exactly which tools it can access and what actions it can perform. No agent has access to anything by default; every permission is explicitly granted.
For your SOC 2 evidence package, this means you can point to architectural documentation showing container boundaries, permission configurations showing least-privilege access, and change logs showing who modified agent settings and when.
Availability
The Availability criterion covers whether your systems are operational and accessible as committed or agreed. For AI agents, this means: What is the uptime? How are agents monitored? What happens when an agent or its infrastructure fails?
ClawStaff runs on managed infrastructure with container health monitoring and automatic recovery. If an agent’s container enters an unhealthy state, the platform detects the failure and initiates recovery without manual intervention. Agent deployments are independent, so one agent’s failure does not cascade to other agents or to the platform itself.
For your audit, document the monitoring approach, recovery procedures, and any uptime commitments from your service agreement. Your auditor will want to see that agent availability is actively managed, not left to chance.
Processing Integrity
Processing Integrity asks whether system processing is complete, valid, accurate, timely, and authorized. For AI agents, this is the criterion that most directly addresses the question: “Is the agent doing what it is supposed to do?”
ClawStaff’s audit trail logs every action taken by every agent: messages read, API calls made, tools accessed, outputs generated. These logs provide the evidence chain that shows what the agent did, when it did it, and what inputs led to what outputs. When a question arises about whether an agent handled a request correctly, the audit log provides the definitive record.
Beyond logging, team feedback mechanisms allow your team to flag incorrect agent outputs and provide corrections. This creates a documented loop between agent actions and human oversight, exactly the kind of control your auditor wants to see for Processing Integrity.
Confidentiality
The Confidentiality criterion covers how sensitive information is protected from unauthorized disclosure. For AI agents, the critical question is: Where does sensitive data go when an agent processes it? Does it leave your control? Does the platform vendor see it?
This is where BYOK (Bring Your Own Key) becomes a SOC 2 control, not just a cost feature. With BYOK, your AI model API calls flow directly from your agent’s container to your AI provider. ClawStaff orchestrates agent behavior (deployment, permissions, routing) but does not sit in the data path between your tools and your model provider. Your prompts, your responses, and your customer data never pass through ClawStaff’s infrastructure for model inference.
For Confidentiality evidence, this architecture significantly simplifies your data flow diagrams. Instead of showing data flowing through a third-party AI platform (which puts the vendor in scope as a sub-processor), you show data flowing from your tools to your AI provider under your existing agreement with that provider.
Scoped permissions further support Confidentiality by limiting which data each agent can access in the first place. An agent configured for Slack triage cannot access your Google Drive. An agent that manages GitHub issues cannot read your CRM. Data exposure is bounded by design.
Privacy
The Privacy criterion applies when your systems handle personal information. For AI agents, the question is: How is PII handled? Can agents access personal data without authorization? Is personal data used for purposes beyond the original intent?
ClawStaff agents only access the tools and channels you explicitly configure. A support triage agent reads the channels you specify, not every channel in your workspace. Scoped permissions mean the agent’s access to personal data is limited to what is necessary for its defined task.
With BYOK, personal data processed through AI model calls stays between your infrastructure and your AI provider. ClawStaff does not aggregate, analyze, or retain personal data from model interactions. Data residency is controlled through your choice of AI provider and their data center regions. See our data residency guide for details.
No data from your agent interactions is used for model training. Your customer data remains your customer data.
What your auditor will ask about AI agents
Based on SOC 2 audit standards and emerging practices for AI systems, here are the questions your auditor is likely to ask, and how to answer them with ClawStaff’s architecture:
“How are AI agents isolated from each other and from other customers?” Each organization gets its own ClawCage container with process-level isolation. No shared memory, no shared storage, no shared network namespace between organizations.
“What data can each agent access?” Each agent has explicitly configured permissions defining which tools it can access and what actions it can perform. Default access is none; every permission is granted intentionally.
“Where do agent outputs go? Who can see them?” Agent outputs go to the configured destination tools (Slack, GitHub, Notion, etc.). Agent scoping (private, team, organization) controls who within the organization can interact with each agent.
“Are agent actions logged? Where are those logs?” Every agent action is recorded in the audit trail: tool access, data reads, outputs, errors, and configuration changes. Logs are accessible through the admin dashboard and can be exported.
“Does the AI platform vendor have access to your data?” With BYOK, ClawStaff does not see prompts, responses, or customer data flowing through model inference. ClawStaff manages orchestration, not data processing.
“How are AI model API keys managed?” Keys are encrypted at rest, scoped to individual agents, and never exposed in logs or dashboards. Key rotation is managed through your AI provider’s dashboard.
“What happens if an agent malfunctions?” Container isolation contains the blast radius. Agents can be stopped immediately. Audit logs provide the evidence for incident investigation.
How ClawStaff supports SOC 2 readiness
SOC 2 readiness is not about checking boxes. It is about having controls that your auditor can evaluate against specific criteria. Here is a summary of how ClawStaff’s architecture maps to SOC 2 controls:
| SOC 2 Control Area | ClawStaff Feature | Evidence |
|---|---|---|
| Logical access controls | Scoped permissions | Per-agent, per-tool permission configurations |
| System boundaries | ClawCage container isolation | Container architecture documentation |
| Change management | Agent configuration audit trail | Timestamped logs of all configuration changes |
| Monitoring and logging | Audit trail | Exportable action logs for every agent |
| Data protection | BYOK | Data flow diagrams showing direct provider routing |
| Incident response | Container isolation + audit logs | Blast radius containment and investigation evidence |
Your SOC 2 audit evaluates your controls, not your vendor’s. But your vendor’s architecture determines how easy those controls are to implement and evidence. When your AI agent platform provides isolation, scoped permissions, audit logging, and BYOK at the infrastructure level, the controls map naturally to SOC 2 criteria instead of requiring workarounds and compensating controls.
For a broader evaluation framework, see our AI Vendor Security Checklist. For governance processes that complement SOC 2 controls, see our AI Governance Framework.