GuardClaw and SOC 2: A Control Mapping

Your auditor asks: “How do you control what your AI agents access?”

You have two options. You can show them a policy document that says “we only give agents minimum required access.” Or you can show them a cryptographically verified log of every action every agent took, every access decision that was made, and proof that nobody altered the record.

One is a promise. The other is evidence.

GuardClaw’s security controls map directly to several SOC 2 Trust Services Criteria. This post shows which controls align, what evidence to present, and how to prepare for the conversation with your auditor.

Quick primer: what SOC 2 requires

SOC 2 is organized around five Trust Services Criteria. The ones most relevant to AI agent security are:

• CC6 — Logical and Physical Access Controls: How you control who (and what) can access your systems
• CC7 — System Operations: How you monitor, detect, and respond to security events
• CC8 — Change Management: How you manage changes to your infrastructure and software

Each criterion has specific controls. GuardClaw doesn’t cover all of SOC 2 (it’s not a compliance platform), but it directly addresses the controls that apply to automated agents acting on your systems.

The mapping

CC6.1 — Logical Access Security

What the auditor asks: “How do you restrict access to information assets?”

What GuardClaw provides: Deny-by-default policy enforcement. Every agent action passes through the security gate. File system boundaries prevent access outside the project directory. Network boundaries restrict which domains the agent can reach. Shell command patterns block dangerous operations.

Evidence to show: Your guardclaw.yaml policy file (what’s allowed) plus the receipt chain filtered to denials (what was actually blocked). The denials prove the policy is enforced, not just written.

CC6.3 — Access Based on Authorization

What the auditor asks: “How do you ensure only authorized actions are performed?”

What GuardClaw provides: Capability tokens. Even when a policy allows an action, the agent needs a cryptographic token to execute it. Tokens are single-use, time-bound, and scope-limited. A token for reading files can’t be used to run shell commands.

Evidence to show: Receipt chain entries showing capability token validation for each action. Failed token validations (expired, wrong scope) are logged as denials.

CC7.2 — Monitoring of System Components

What the auditor asks: “How do you monitor your systems for anomalies?”

What GuardClaw provides: Real-time behavioral monitoring during supervised execution. Anomaly detection for rate spikes, unusual action sequences, and resource abuse. Every monitored event is logged in the receipt chain.

Evidence to show: Dashboard threat stats showing monitoring coverage. Receipt chain entries with anomaly scores. Alert history (if configured).

CC7.3 — Evaluation of Security Events

What the auditor asks: “How do you evaluate whether detected events represent actual security incidents?”

What GuardClaw provides: OWASP ASI category classification for every detected threat. Each denial includes the specific attack category, severity score, and the detection tier that caught it. The audit trail distinguishes between true threats and false positives through policy adjustments over time.

Evidence to show: Dashboard audit trail filtered by severity. Attack simulation reports showing detection coverage by OWASP category.

CC7.4 — Incident Response

What the auditor asks: “How do you respond to identified security incidents?”

What GuardClaw provides: Automatic blocking of detected threats (the deny action). Fatal receipt handling that can terminate an agent session when critical threats are detected. Human-in-the-loop approval for high-risk actions (configurable).

Evidence to show: Receipt chain entries showing deny decisions with enforcement actions. Fatal termination events for critical threats.

CC8.1 — Change Management

What the auditor asks: “How do you manage changes to security controls?”

What GuardClaw provides: Policy files are YAML, versionable with git. Policy changes create a new version in your repository with full commit history. The receipt chain shows when policy changes took effect (new enforcement patterns appear at specific timestamps).

Evidence to show: Git history of your guardclaw.yaml file. Receipt chain timestamps showing before/after enforcement changes.

The conversation with your auditor

Most SOC 2 auditors haven’t evaluated AI agent security controls before. This is new territory for everyone. Here’s how to frame the conversation:

Start with the problem: “We use AI agents that interact with our systems — reading code, running commands, calling APIs. These agents need the same access controls and monitoring that human operators get.”

Show the controls: Walk through the mapping above. For each control, show the policy (what you configured) and the evidence (what actually happened).

Lead with the receipt chain: This is your strongest evidence. It’s not a log that someone could have edited. It’s a cryptographically linked chain where any tampering is mathematically detectable. Most audit log controls require “integrity of logs.” The receipt chain exceeds that requirement.

Be honest about scope: GuardClaw covers agent access controls, monitoring, and audit logging. It doesn’t cover your network security, physical access, HR policies, or vendor management. It’s one control in a broader framework.

What to prepare

Before your SOC 2 audit, gather these artifacts from GuardClaw:

1. Policy file (guardclaw.yaml) — your current security configuration
2. Attack simulation report (guardclaw test --audit --attack) — your detection coverage
3. Receipt chain export — your audit trail for the review period
4. Dashboard screenshots — threat stats and compliance mapping
5. Git history — version history of policy changes

The dashboard’s compliance tab pre-maps some of this for you, but having the raw artifacts ready makes the conversation faster.

Next post: the same mapping exercise for GDPR — what applies when your agents process data covered by European privacy regulations.