SOC 2 was built for humans. Agents break every assumption. Here's how AgentPass maps to the Trust Service Criteria -- and fills the gaps auditors will ask about.
Without AgentPass: "Our API key." That's not attributable to an individual or agent. Audit finding.
With AgentPass: "payment-bot-7, trust level L3, scope sanctions:search, cert serial 7863537063706505361, issued by Acme Corp CA." Full attribution.
Without MCPS: "We trust the HTTPS connection." Not sufficient for non-repudiation. Audit finding.
With MCPS: "Every response is digitally signed. Here's the signature, nonce, and timestamp. Verify it yourself." Non-repudiable proof.
Without AgentPass: "All agents share the same API key with full access." Violates least privilege. Audit finding.
With AgentPass: "Each agent has specific scopes (sanctions:search, ach:create). An analytics agent cannot initiate payments." Per-agent enforcement.
Without AgentPass: "Rotate the API key. All 50 agents go down." Disproportionate response. Audit finding.
With AgentPass: "Revoke that one agent's certificate. Other 49 agents unaffected. Immediate, surgical." Proportionate control.
| Control | SOC 2 Requirement | Agent gap | AgentPass control | Status |
|---|---|---|---|---|
| CC6.1 | Logical access security | Agents share API keys. No individual identity. Can't distinguish agent A from agent B. | Per-agent certificates with unique identity, trust level, and scopes. Every agent individually identifiable. | Live |
| CC6.2 | Credentials before access | API key is the only credential. No agent-level authentication. | Agent presents certificate on every request. Verified against customer's CA before any operation executes. | Live |
| CC6.3 | Least privilege | All agents have the same API key permissions. No differentiation. | Scope enforcement per agent. sanctions:search agent cannot initiate payments. ach:create agent cannot issue cards. | Live |
| CC6.6 | Protect against threats | No mechanism to block rogue agents at the application layer. Traditional WAFs don't understand agent identity. | AgentPass rejects unknown CAs, expired certs, and insufficient trust before any business logic runs. Application-layer agent threat prevention. | Live |
| CC6.7 | Manage credentials lifecycle | API keys rarely rotated. No per-agent credential lifecycle. | Certificates have configurable expiry (hours to months). Revocation via CRL. Agent lifecycle managed through dashboard. | Live |
| CC6.8 | Prevent unauthorised access | Rogue agent with valid API key has full access. No way to block one agent without blocking all. | Unknown CA rejected. Expired certs rejected. Wrong scope rejected. Low trust rejected. Individual agent revocation without affecting others. | Live |
| CC7.1 | Detect anomalies | No agent-level behaviour monitoring. Can't detect drift or unusual patterns. | AEBA: Agent Event Behaviour Analytics. Baseline vs observed behaviour. Anomaly alerting on signed event streams. | Coming |
| CC7.2 | Monitor system components | Infrastructure monitored but agent activity is a blind spot. | Every agent action logged with agent identity, trust level, timestamp, and result. Audit trail per agent. | Live |
| CC7.3 | Evaluate detected events | Agent actions not attributable. Can't evaluate what happened or why. | Signed audit trail with agent identity. Reconstruct exactly which agent did what, when, at what trust level. | Live |
| CC7.4 | Respond to identified events | Can only rotate API key (kills all agents) or do nothing. | Revoke individual agent certificates instantly. Downgrade trust level. Restrict scopes. Surgical response. | Live |
| CC8.1 | Authorise changes | Agent capabilities can change without tracking. No change control for agent permissions. | Agent scopes and trust level locked in certificate at issuance. Changes require new cert from CA. Auditable. | Live |
| A1.1 | System availability and recovery | Compromised agent with shared API key -- must rotate key and redeploy all agents. Extended downtime. | Revoke one certificate. Other agents unaffected. Recovery in seconds, not hours. No service disruption to uncompromised agents. | Live |
| PI1.3 | Processing integrity -- data processed completely and accurately | Responses travel unsigned. Man-in-the-middle can modify results without detection. No proof of processing integrity. | MCPS signs every response with digital signature, nonce, and timestamp. Any modification breaks the signature. Non-repudiable proof of processing integrity. | Live |
| PI1.5 | Processing integrity -- outputs stored completely and accurately | Log files with "API key X called endpoint Y." No agent-level attribution. Outputs not verifiably linked to processing. | Every action: agent ID, trust level, scope, result, timestamp, digitally signed. Outputs verifiably linked to the agent and processing step that produced them. | Live |
AgentPass + MCPS cover these today. Production ready.
AEBA anomaly detection. Patent filed. Building now.
No SOC 2 agent controls left uncovered.
Across CC6, CC7, CC8, A1, and PI criteria.
Every agent request includes: verified certificate chain, trust level, permitted scopes, issuing CA, certificate serial number, and expiry. Rejected requests logged with reason (unknown CA, expired, insufficient trust, missing scope).
Every response includes: digital signature, nonce, timestamp. Auditor can independently verify any historical response was not modified after the fact. Non-repudiable.
Agent permissions (scopes, trust level) are locked in the certificate at issuance. Any change requires new certificate from the CA. Certificate issuance log provides change history.
Individual agent certificates can be revoked immediately via CRL. Revocation log shows: which agent, when, why, who authorised. Other agents unaffected. Recovery time: seconds.
| Framework | Relevant controls | AgentPass coverage |
|---|---|---|
| SOC 2 Type II | CC6, CC7, CC8, A1, PI1 | 12 of 14 controls live. 1 coming (AEBA). |
| ISO 27001 | A.9 Access Control, A.10 Cryptography, A.12 Operations Security | Agent identity, signed responses, audit logging. |
| PCI DSS v4.0 | Req 7 (access control), Req 8 (identification), Req 10 (logging) | Per-agent access, unique identity, signed audit trail. |
| EU AI Act | Art 12 (record-keeping), Art 14 (human oversight), Art 50 (transparency) | Agent attribution, trust-gated access, verifiable records. |
| NIST AI RMF | Govern, Map, Measure, Manage functions | Agent governance via trust levels, behaviour measurement via AEBA. |
| OWASP AISVS | C10 MCP Security controls | 3 requirements surviving in AISVS 1.0 (10.2.13, 10.4.11, 10.6.4). |
AgentPass maps to SOC 2, ISO 27001, PCI DSS, EU AI Act, and NIST AI RMF. One integration, multiple frameworks covered.
See the live demo →