Skip to content
Cordum
Cordum
Compliance

AI Agent Compliance Mapping: SOC 2, ISO 27001, NIST AI RMF

Framework mapping is easy to draw and hard to prove. Auditors ask for runtime evidence, not architecture slides.

Compliance14 min readApr 2026
TL;DR
  • -Most teams fail audits on evidence quality, not on policy intent.
  • -For autonomous agents, one control should map to three frameworks and one evidence contract.
  • -Approval workflows are compliance controls only if snapshot drift and request tampering are rejected at runtime.
SOC 2

Trust criteria mapped to runtime controls

ISO 27001

Annex A control linkage and evidence ownership

NIST AI RMF

GOVERN, MAP, MEASURE, MANAGE outcomes

On this page
Scope

This guide is for operational compliance of autonomous agent actions in production. It focuses on traceability and evidence contracts, not policy document templates.

The compliance problem

Teams can usually explain their controls in interviews. Audits still fail because runtime records are inconsistent. One run includes policy snapshot, another has approver identity only, a third has neither.

For autonomous agents, compliance breaks where approval and execution meet. If the job changed or policy changed after approval, your evidence is invalid even if your policy design looked perfect on paper.

What top sources miss

SourceStrong coverageMissing piece
Bastion AI guardrails for SOC 2/ISO 27001Useful SOC 2 and ISO 27001 control framing for prompt injection, data leakage, and autonomous actions.No concrete runtime evidence schema for proving decision integrity between approval and execution.
NIST AI RMF crosswalk documents (AIRC)Authoritative concept/term crosswalk resources between AI RMF and related standards.Crosswalks describe alignment, but do not define implementation-level control telemetry for audits.
NIST AI RMF roadmapPriority areas, profiles, TEVV expansion, and standards alignment direction.No system-specific pattern for SOC 2/ISO evidence packaging from agent runtime events.

Control mapping table

Agent controlSOC 2ISO 27001NIST AI RMFRequired evidence
Submit-time policy gate before persistence/publishCC6.1, CC6.3A.5.15, A.8.15, A.8.16MANAGE 1.1 / MANAGE 4.1Decision outcome, policy snapshot, reason, timestamp, actor
Approval-required state with snapshot+hash integrityCC7.2, CC7.3A.5.35, A.5.37, A.8.32GOVERN 2.1 / MAP 3.2 / MANAGE 3.3approval_required=true, job_hash, policy_snapshot, conflict status if drift
Idempotent approve/reject with distributed lockCC7.1, CC8.1A.8.33, A.8.34MEASURE 2.2 / MANAGE 2.3already_approved/already_rejected counters, lock-busy conflicts
Replay of approved jobs after transient worker outageCC7.2, CC7.4A.8.14, A.8.17MANAGE 4.3replayed approved job count, replay reason, final execution status

Runtime evidence contract

Treat evidence as a schema, not a report artifact. If one field is optional in production, an auditor will eventually request it during an incident sample.

Minimum fields for approval-gated actions: decision, policy snapshot, job hash, approver identity, role, approval timestamp, and final publish status.

Working examples

Policy rules

agent-compliance-policy.yaml
YAML
version: v1
rules:
  - id: require-approval-prod-finance
    when:
      topic: finance.payment.execute
      env: production
    decision: require_human

  - id: deny-unscoped-external-export
    when:
      topic: customer.data.export
      destination: external
      scope_validated: false
    decision: deny

Approval evidence event

approval-event.json
JSON
{
  "job_id": "job_4ab2",
  "trace_id": "trc_91ff",
  "decision": "require_human",
  "approval_required": true,
  "policy_snapshot": "snap_2026_04_01_17",
  "job_hash": "sha256:8c4f...",
  "approved_by": "[email protected]",
  "approved_role": "admin",
  "approved_at": 1775037723000000,
  "status": "approved_and_published"
}

Audit completeness check

evidence-check.sql
SQL
-- Fail fast when approval events miss critical fields.
SELECT job_id
FROM agent_approval_events
WHERE approval_required = true
  AND (
    policy_snapshot IS NULL
    OR job_hash IS NULL
    OR approved_by IS NULL
    OR approved_at IS NULL
  );

Limitations and tradeoffs

  • - Rich evidence schemas improve audits and increase storage volume and retention costs.
  • - Strict integrity checks reduce false approvals and produce more 409 conflicts during policy changes.
  • - Mapping one control to three frameworks reduces duplicate work and can hide framework-specific nuance.
  • - Automation speeds evidence collection and can mask low-quality controls if ownership is unclear.

Next step

Run this two-week compliance hardening plan:

  1. 1. Define one canonical runtime evidence schema for approval-gated actions.
  2. 2. Add schema validation to every publish path and reject incomplete events.
  3. 3. Map each schema field to SOC 2, ISO, and NIST outcomes in a single control matrix.
  4. 4. Sample 30 production runs and verify evidence completeness and hash/snapshot integrity.
  5. 5. Fix missing fields before your next external audit window.

Continue with AI agent audit trails guide and LLM safety kernel design.

Related posts
AI Agent Audit Trails: Compliance Guide for Production Teams

A practical guide to designing immutable AI agent audit trails for compliance, incident response, and governance reviews.

AI Agent Security Best Practices: 12 Production Controls (2026 Guide)

12 AI agent security controls that actually work in production. Covers pre-dispatch policy gates, least-privilege scoping, output quarantine, credential rotation, and validation runbooks with code.

LLM Safety Kernel for AI Agents (2026): Deterministic Policy Decisions and Runtime Guardrails

A production guide to building an LLM safety kernel for AI agents: deterministic policy outcomes, approval binding, constraints, and output safety controls.

Audit-ready execution

If your evidence cannot survive replay, drift, and retries, it is not compliance evidence. It is a memo.

QuickstartArchitectureView on GitHub