AI Agent Compliance Audit Checklist
This checklist maps AI agent safety controls to the compliance frameworks auditors actually examine: SOC 2, GDPR, HIPAA, and ISO 27001. SafeClaw by Authensor provides the deny-by-default gating, hash-chained audit trail, and policy-as-code controls that satisfy these frameworks. Install with npx @authensor/safeclaw to generate audit-ready evidence from day one.
SOC 2 Controls
- ✅ 1. Access control is enforced (CC6.1). SafeClaw's deny-by-default policy restricts agent access to only explicitly permitted resources. Export the policy file as evidence.
- ✅ 2. Logical access is reviewed (CC6.2). Quarterly policy reviews document who approved each allow rule and when it was last reviewed.
- ✅ 3. System operations are monitored (CC7.1). SafeClaw's audit trail records every agent action attempt with timestamps, action types, and decisions.
- ✅ 4. Change management is documented (CC8.1). Policy files in version control provide a complete history of permission changes with commit messages and reviewers.
- ✅ 5. Incident response procedures exist (CC7.3). Document your agent incident response procedure and reference SafeClaw's audit trail as the investigation tool.
GDPR Requirements
- ✅ 6. Data processing is lawful and limited (Art. 5). SafeClaw policies restrict agent access to only the data required for the specific processing purpose.
# GDPR: Limit data access to required scope
- action: file.read
path: "/data/customer-service/**"
decision: allow
reason: "Required for support ticket processing"
- action: file.read
path: "/data/analytics/**"
decision: deny
reason: "Not required for this agent's purpose"- ✅ 7. Processing activities are recorded (Art. 30). SafeClaw's audit trail serves as the record of processing activities for AI agent operations.
- ✅ 8. Data protection by design (Art. 25). Deny-by-default is data protection by design — agents cannot access personal data unless explicitly permitted.
- ✅ 9. Data breach detection capability exists (Art. 33). SafeClaw's denied-action alerts and audit trail enable detection of unauthorized data access attempts within the 72-hour notification window.
- ✅ 10. Data subject rights can be fulfilled (Art. 15-20). The audit trail can identify all data an agent accessed for a specific data subject.
HIPAA Safeguards
- ✅ 11. Access controls are implemented (164.312(a)). SafeClaw enforces technical access controls at the action level for any agent handling PHI.
- ✅ 12. Audit controls are implemented (164.312(b)). Hash-chained audit logs provide tamper-proof records of all agent access to systems containing PHI.
- ✅ 13. Integrity controls are in place (164.312(c)). SafeClaw's file-write restrictions prevent unauthorized modification of PHI.
- ✅ 14. Transmission security is enforced (164.312(e)). Network request policies restrict agent communication to approved, encrypted endpoints only.
- ✅ 15. Minimum necessary standard is met (164.502(b)). Least-privilege policies ensure agents access only the minimum PHI required for their function.
ISO 27001 Controls
- ✅ 16. Access control policy exists (A.9.1). The SafeClaw policy file, stored in version control, serves as the documented access control policy for AI agents.
- ✅ 17. User access provisioning (A.9.2.2). Each agent's policy defines its access scope. New agents start with deny-all and permissions are added through reviewed policy changes.
- ✅ 18. Event logging (A.12.4.1). SafeClaw's hash-chained audit trail provides event logging for all agent activities.
- ✅ 19. Protection of log information (A.12.4.2). Hash chaining ensures audit log integrity. Access to logs should be restricted to authorized personnel.
- ✅ 20. Technical compliance review (A.18.2.3). SafeClaw policy tests (
npx @authensor/safeclaw --test) provide automated technical compliance verification.
Cross-Framework Evidence Mapping
| Evidence | SOC 2 | GDPR | HIPAA | ISO 27001 |
|---|---|---|---|---|
| SafeClaw policy file | CC6.1 | Art. 25 | 164.312(a) | A.9.1 |
| Hash-chained audit trail | CC7.1 | Art. 30 | 164.312(b) | A.12.4.1 |
| Policy change history (git) | CC8.1 | Art. 25 | 164.312(c) | A.9.2.2 |
| Denied action alerts | CC7.3 | Art. 33 | 164.312(b) | A.12.4.1 |
| Quarterly policy reviews | CC6.2 | Art. 5 | 164.308(a)(8) | A.18.2.3 |
Cross-References
- SOC 2 and AI Agents
- GDPR and AI Agents
- HIPAA Agent Safeguards
- ISO 27001 Agent Security
- Compliance Audit Evidence Export
Try SafeClaw
Action-level gating for AI agents. Set it up in your browser in 60 seconds.
$ npx @authensor/safeclaw