2026-01-12 · Authensor

ISO 27001 Annex A Controls Relevant to AI Agent Operations

Regulation Overview

ISO/IEC 27001:2022 is the international standard for information security management systems (ISMS). Annex A specifies 93 controls across four themes: Organizational, People, Physical, and Technological. AI agents that access files, execute commands, and make network requests fall under the Technological controls theme and require the same information security treatment as any system component with access to information assets. Certification bodies expect documented controls addressing AI agent behavior during audits.

Relevant Requirements

A.5.15 — Access Control

Access to information and other associated assets must be restricted based on business and information security requirements. AI agents are information system users that require formal access control policies.

A.5.33 — Protection of Records

Records must be protected from loss, destruction, falsification, unauthorized access, and unauthorized release. Agent audit trails must maintain integrity.

A.8.2 — Privileged Access Rights

The allocation and use of privileged access rights must be restricted and managed. AI agents with shell_exec or broad file_write capabilities hold privileged access.

A.8.3 — Information Access Restriction

Access to information and application functions must be restricted in accordance with the access control policy. Agent access to specific files and directories must be technically enforced.

A.8.5 — Secure Authentication

Secure authentication technologies and procedures must be established based on information access restrictions. Agents must authenticate before accessing controlled resources.

A.8.15 — Logging

Logs that record activities, exceptions, faults, and other relevant events must be produced, stored, protected, and analyzed. All agent actions and policy decisions require logging.

A.8.16 — Monitoring Activities

Networks, systems, and applications must be monitored for anomalous behavior and appropriate actions taken. Agent action patterns must be observable and alertable.

A.8.9 — Configuration Management

Configurations, including security configurations, of hardware, software, services, and networks must be established, documented, implemented, monitored, and reviewed. Agent policy configurations are security configurations requiring formal management.

Compliance Gap Without Gating

Organizations seeking or maintaining ISO 27001 certification face these nonconformities when deploying ungated AI agents:

How SafeClaw Addresses Each Requirement

| ISO 27001 Control | Requirement | SafeClaw Capability |
|---|---|---|
| A.5.15 | Access control policy enforcement | Deny-by-default policy engine enforces access control rules at the action level. Every file_read, file_write, shell_exec, and network action evaluated against policy. |
| A.5.33 | Protection of records | Tamper-proof audit trail with SHA-256 hash chain prevents falsification, loss, or unauthorized modification of action records. |
| A.8.2 | Privileged access management | shell_exec actions can be globally denied or restricted to specific commands. Privileged operations require explicit policy rules. |
| A.8.3 | Information access restriction | Path-specific rules restrict file_read and file_write to designated directories. First-match-wins evaluation ensures deterministic access decisions. |
| A.8.5 | Secure authentication | API key authentication per agent instance. Invalid keys result in deny-all responses. 7-day renewable keys enforce periodic re-authentication. |
| A.8.15 | Logging | Every action request and policy decision logged with timestamp, action type, target, decision, and reason. Sub-millisecond policy evaluation ensures no logging gaps. |
| A.8.16 | Monitoring | Dashboard at safeclaw.onrender.com provides real-time visibility into agent actions. Denied action patterns indicate potential security events. |
| A.8.9 | Configuration management | Policy files are JSON/YAML, version-controllable in git. Simulation mode enables testing configuration changes before deployment. |

Evidence Generation

| ISO 27001 Control | Audit Evidence | SafeClaw Output |
|---|---|---|
| A.5.15 | Access control policy documentation | Policy configuration files with deny-by-default and explicit allow rules |
| A.5.33 | Record protection mechanism documentation | SHA-256 hash chain specification; hash verification reports |
| A.8.2 | Privileged access inventory | Policy rules showing shell_exec restrictions per agent role |
| A.8.3 | Access restriction implementation records | Path-specific allow/deny rules mapped to information asset classifications |
| A.8.5 | Authentication mechanism documentation | API key issuance records; key rotation schedule (7-day renewable) |
| A.8.15 | Log samples and log integrity evidence | Exported audit trail with hash chain verification |
| A.8.16 | Monitoring reports | Dashboard screenshots; denied action trend reports |
| A.8.9 | Configuration management records | Policy file version history; simulation mode test results |

The control plane processes only action metadata, never information asset contents. This supports the data minimization principle within the ISMS. The 100% open-source client (MIT license) enables the organization's security team to audit the enforcement mechanism, satisfying A.8.9 requirements for understanding security configurations.

Example Policy

An ISO 27001-aligned policy implementing Annex A controls for a document processing agent:

{
  "name": "iso27001-document-processor",
  "defaultAction": "deny",
  "rules": [
    {
      "action": "file_read",
      "path": "/data/classified/public/**",
      "decision": "allow",
      "reason": "A.8.3 — Public classification, unrestricted read"
    },
    {
      "action": "file_read",
      "path": "/data/classified/internal/**",
      "decision": "allow",
      "reason": "A.8.3 — Internal classification, agent authorized"
    },
    {
      "action": "file_read",
      "path": "/data/classified/confidential/**",
      "decision": "deny",
      "reason": "A.8.3 — Confidential classification, agent not authorized"
    },
    {
      "action": "file_write",
      "path": "/data/output/**",
      "decision": "allow",
      "reason": "A.8.3 — Output directory only"
    },
    {
      "action": "shell_exec",
      "decision": "deny",
      "reason": "A.8.2 — No privileged access for this agent role"
    },
    {
      "action": "network",
      "host": "internal-api.company.local",
      "decision": "allow",
      "reason": "A.5.15 — Internal API access only"
    }
  ]
}
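How a deny-by-default, first-match-wins engine would decide requests against the policy above, as an added example that is not SafeClaw's own code. The glob semantics (a trailing `/**` matches anything below that directory), the request shape, and the helper names are assumptions; the reasons are abbreviated.

```javascript
// Added example, not SafeClaw's implementation. Assumed semantics: a trailing
// "/**" matches anything below that directory; requests look like
// { action, path } or { action, host }.
const policy = {
  defaultAction: "deny",
  rules: [
    { action: "file_read", path: "/data/classified/public/**", decision: "allow", reason: "A.8.3 public" },
    { action: "file_read", path: "/data/classified/internal/**", decision: "allow", reason: "A.8.3 internal" },
    { action: "file_read", path: "/data/classified/confidential/**", decision: "deny", reason: "A.8.3 confidential" },
    { action: "file_write", path: "/data/output/**", decision: "allow", reason: "A.8.3 output" },
    { action: "shell_exec", decision: "deny", reason: "A.8.2 no privileged access" },
    { action: "network", host: "internal-api.company.local", decision: "allow", reason: "A.5.15 internal API" },
  ],
};

// Collapse "." and ".." segments so a request cannot reach a denied directory
// through an allowed prefix. (Symlinks are not resolved here.)
function normalize(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

function matchesPath(pattern, requested) {
  const target = normalize(requested);
  if (!pattern.endsWith("/**")) return target === pattern;
  return target.startsWith(pattern.slice(0, -2)); // prefix keeps its trailing "/"
}

function evaluate(policy, request) {
  for (const rule of policy.rules) {
    if (rule.action !== request.action) continue;
    if (rule.path !== undefined && !matchesPath(rule.path, request.path ?? "")) continue;
    if (rule.host !== undefined && rule.host !== request.host) continue;
    return { decision: rule.decision, reason: rule.reason }; // first match wins
  }
  return { decision: policy.defaultAction, reason: "no rule matched" };
}
```

Because the first matching rule decides, a broad allow placed above a narrower deny would shadow it, so rule order is part of the configuration to review under A.8.9.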

Install with npx @authensor/safeclaw. Zero third-party dependencies means the tool itself introduces no additional supply chain risk to the ISMS, simplifying the A.8.9 configuration management scope. All 446 tests, run under TypeScript strict mode, verify control enforcement.

Audit Trail Export

For ISO 27001 certification audits and surveillance audits:

  1. Export the audit trail from the dashboard covering the audit scope period
  2. Present hash chain verification — demonstrates A.5.33 record protection
  3. Provide policy configuration files — documents A.5.15, A.8.2, A.8.3 implementation
  4. Show denied action statistics — evidences A.8.16 monitoring effectiveness
  5. Include simulation mode test records — proves A.8.9 configuration testing before deployment

The SHA-256 hash chain creates a tamper-proof evidence record that certification auditors can independently verify. Local execution ensures information assets remain within the organization's defined ISMS boundary.
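What independent verification of a hash-chained trail involves, as an added example that is not SafeClaw's export format or code. The record layout, the genesis value, and the hash input (previous hash plus a JSON array of the logged fields) are assumptions; the sample entries are constructed.

```javascript
// Added example: verifying a SHA-256 hash-chained audit trail.
// Assumed layout: each record carries the logged fields plus prevHash and hash,
// where hash = SHA-256(prevHash + JSON array of the fields in fixed order).
const { createHash } = require("node:crypto");

const GENESIS = "0".repeat(64);
const FIELDS = ["timestamp", "action", "target", "decision", "reason"];

function entryHash(prevHash, entry) {
  // Fixed field order keeps the serialization deterministic.
  const body = JSON.stringify(FIELDS.map((f) => entry[f]));
  return createHash("sha256").update(prevHash).update(body).digest("hex");
}

function append(chain, entry) {
  const prevHash = chain.length ? chain[chain.length - 1].hash : GENESIS;
  return [...chain, { ...entry, prevHash, hash: entryHash(prevHash, entry) }];
}

// Returns the index of the first record that fails verification, or -1 if intact.
function verifyChain(chain) {
  let prevHash = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const e = chain[i];
    if (e.prevHash !== prevHash || e.hash !== entryHash(prevHash, e)) return i;
    prevHash = e.hash;
  }
  return -1;
}

// Constructed sample trail (not real SafeClaw output).
let trail = [];
trail = append(trail, { timestamp: "2026-01-12T09:00:00Z", action: "file_read",
  target: "/data/classified/public/a.txt", decision: "allow", reason: "A.8.3" });
trail = append(trail, { timestamp: "2026-01-12T09:00:01Z", action: "shell_exec",
  target: "ls", decision: "deny", reason: "A.8.2" });
trail = append(trail, { timestamp: "2026-01-12T09:00:02Z", action: "file_write",
  target: "/data/output/a.json", decision: "allow", reason: "A.8.3" });

// A stored record edited after the fact: a denial rewritten as an allow.
const tampered = trail.map((e) => ({ ...e }));
tampered[1].decision = "allow";

// A record removed from the start of the export.
const missingFirst = trail.slice(1);
```

`verifyChain` flags the edited record and the removed one, but a trail cut off at the end still verifies (`verifyChain(trail.slice(0, 2))` returns -1), so the latest hash has to be recorded somewhere the log writer cannot change.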
