SAMPLE

Demonstration Only — All data is fictional and pre-populated for enterprise evaluation. Not real audit evidence.

SOC 2 Type II Trust Service Criteria covered in this package: CC6.1, CC6.2, CC6.6, CC7.1, CC7.2, CC8.1, CC9.2
SOC 2 Evidence Package

What Your SOC 2 Auditor Actually Receives

Every ThetaZero agent execution maps to AICPA Trust Service Criteria automatically. This is the evidence package your Type II auditor sees — control ID, description, artifact, status.


SOC 2 Type II — What Auditors Need to See
AICPA Trust Service Criteria · Security, Availability, Confidentiality

SOC 2 Type II requires operational evidence — not just policy documents. Your auditor wants proof that controls are operating effectively over time: who accessed what, when, under what authorization, and whether anyone detected policy violations.

ThetaZero produces this evidence automatically on every governed agent run. The package below shows a Privileged Access Review Agent execution — the scenario most SOC 2 auditors focus on for CC6.1 and CC8.1. Every data access is logged, permission-checked, TEE-attested, and mapped to a control ID.

TSC Controls Covered: 7
TEE-Attested Audit Records: 8
Policy Violations Detected: 0
Audit Coverage: 100%

Section 1 — Agent Execution Report

Agent Name: Privileged Access Review
Agent Purpose: Reviews privileged account changes, validates authorization, and produces SOC 2 evidence
Execution ID: TZ-EXEC-20260411-007304
Timestamp (UTC): 2026-04-11T09:14:02.338Z
Status: COMPLETED
Duration / Tokens: 6,211 ms · 3,104 tokens
Model Version: claude-3-7-sonnet-20250219
Compute Source: TZ-EC-9b2a4c · us-east-1
TEE Attestation: HMAC-SHA256 Signed

Input Task / Prompt

Review all privileged account changes in the Apr 1–11 2026 window for Meridian Health Systems. Identify: (1) new admin/superuser accounts created, (2) permission escalations, (3) accounts not deprovisioned within SLA after employee departure. Cross-check each change against the change management log (ServiceNow). Flag any unauthorized modifications. Produce SOC 2 CC6.1 / CC7.2 / CC8.1 evidence artifacts.

Execution Log
Execution Trace · 11 actions · 0 policy violations
TZ-EXEC-20260411-007304
09:14:02.338  INFO    Execution initialized · agent=privileged-access-review · model=claude-3-7-sonnet-20250219
09:14:02.491  ACTION  READ iam_audit_log · scope=admin_account_changes · period=2026-04-01/2026-04-11 · input_hash=b7c1d4f8…
09:14:02.814  CHECK   Permission granted: iam_audit_log.read · credential=svc-access-review · ✓ authorized
09:14:03.271  ACTION  QUERY iam_audit_log · 4 admin account changes found in period · output_hash=3a5c7e9b…
09:14:03.590  ACTION  READ change_mgmt_log (ServiceNow) · cross-referencing 4 changes against CHG records
09:14:04.128  CHECK   CHG-2026-04182 → admin_create:j.walsh · ✓ AUTHORIZED — CHG approved 2026-04-02, manager=c.okonkwo
09:14:04.562  CHECK   CHG-2026-04291 → priv_escalation:svc-etl-prod · ✓ AUTHORIZED — CHG approved 2026-04-07, manager=d.reyes
09:14:05.037  CHECK   CHG-2026-04388 → admin_create:m.tanaka · ✓ AUTHORIZED — CHG approved 2026-04-09, manager=c.okonkwo
09:14:05.481  CHECK   Deprovision SLA check · departed_users=2 · deprovisioned_within_24h=2 · ✓ SLA MET
09:14:05.914  ACTION  WRITE soc2_evidence_log · record_type=access_review · policy_violations=0 · tee_attested=true
09:14:06.549  DONE    Execution complete · 4 changes reviewed · ALL AUTHORIZED · 0 violations · evidence written

✓ Agent Determination

ALL CLEAR — 4 privileged access changes reviewed. All 4 cross-matched against approved change tickets. Deprovision SLA met for both departures (within 24h). No unauthorized modifications detected. Permission boundary enforced throughout: 4 allowed scopes accessed, 3 sensitive scopes blocked per policy. Evidence artifact written to SOC 2 evidence log. CC6.1, CC7.2, and CC8.1 controls supported.

Permission Boundary (Enforced at Runtime)
✓ Allowed Scopes (4)
✓ iam_audit_log.read
✓ change_mgmt_log.read
✓ hr_termination_log.read
✓ soc2_evidence_log.write
✗ Blocked Scopes (3)
✗ iam.write (read-only agent)
✗ user_credentials.read
✗ production_db.write

Section 2 — SOC 2 Control Mapping

Below is the control mapping your SOC 2 auditor receives — automatically generated from this agent execution. Each row maps a Trust Service Criteria control ID to the evidence artifact produced in this run.

CC6.1 · Logical Access Controls
Control Description: The entity implements logical access security software, infrastructure, and architectures to protect against threats from unauthorized access.
Evidence Type: execution_artifact
Evidence Artifact: Permission boundary enforced at runtime — 4 allowed scopes, 3 blocked. All accesses logged in audit_trail.json with input/output hashes and TEE attestation.
Status: ✓ EVIDENCE GENERATED

CC6.2 · User Registration & Authorization
Control Description: Prior to issuing system credentials, the entity registers and authorizes new internal and external users whose access is administered by the entity.
Evidence Type: execution_artifact
Evidence Artifact: Each admin account creation in the review period was cross-matched against an approved ServiceNow CHG ticket with named approver. All 4 changes confirmed authorized.
Status: ✓ EVIDENCE GENERATED

CC6.6 · Logical Access — External Access
Control Description: The entity implements controls to prevent or detect and act upon logical access from outside its boundaries that could threaten the achievement of objectives.
Evidence Type: policy_document
Evidence Artifact: External access policy documented in Trust Pack §4. Agent credential (svc-access-review) uses scoped service token — no direct user credential access. Boundary enforced in TEE.
Status: ◎ MAPPED

CC7.1 · Vulnerability & Infrastructure Detection
Control Description: To meet its objectives, the entity uses detection and monitoring procedures to identify changes to configurations that introduce new vulnerabilities.
Evidence Type: execution_artifact
Evidence Artifact: 0 policy violations detected in this execution. Violation count tracked per run and queryable. Anomalous permission requests blocked and logged automatically.
Status: ✓ EVIDENCE GENERATED

CC7.2 · System Monitoring
Control Description: The entity monitors system components and the operation of those components for anomalies that indicate malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives.
Evidence Type: execution_artifact
Evidence Artifact: All 8 audit events logged with TEE attestation. SHA-256 hashes computed at time of recording within TEE — cannot be retroactively modified. Deprovision SLA monitored and confirmed met.
Status: ✓ EVIDENCE GENERATED

CC8.1 · Change Management
Control Description: The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its change management commitments and requirements.
Evidence Type: execution_artifact
Evidence Artifact: 4 privileged access changes validated against ServiceNow change tickets. Each change mapped: CHG ticket ID → approver → timestamp → IAM log entry. Full chain documented in audit_trail.json.
Status: ✓ EVIDENCE GENERATED

CC9.2 · Vendor Risk Management
Control Description: The entity assesses and monitors risks associated with vendors and business partners.
Evidence Type: policy_document
Evidence Artifact: Third-party vendor access policy documented in Trust Pack §6. Agent only accesses vendor-managed systems via scoped read-only credentials. No write access to vendor systems permitted.
Status: ◑ DOCUMENTED

✓ EVIDENCE GENERATED: Artifact produced in this specific execution run
◎ MAPPED: Control addressed by platform configuration or Trust Pack policy
◑ DOCUMENTED: Control documented in policy — not observable in single execution

Section 3 — Cryptographic Audit Trail

Every API call, data access, and output produced during execution is logged here with SHA-256 input/output hashes and a TEE attestation ID. Hashes are computed within the Trusted Execution Environment at time of recording — they cannot be retroactively modified.

09:14:02.491 · READ · iam_audit_log/admin_account_changes
Credential: svc-access-review · Permission: granted · Scope: iam_audit_log.read · Records returned: 4
input_hash: b7c1d4f8e2a0b3c5d7e9f1a3b5c7d9e1f3a5b7c9 · output_hash: 3a5c7e9b1d3f5a7c9e1b3d5f7a9c1e3b5d7f9a1b
TEE ✓ AUD-90201

09:14:03.590 · READ · change_mgmt_log (ServiceNow) — CHG-2026-04182
Credential: svc-access-review · Permission: granted · Scope: change_mgmt_log.read · Change: admin_create:j.walsh · Authorized by: c.okonkwo
output_hash: 9c1e3b5d7f9a1b3d5f7a9c1e3b5d7f9a1b3d5f7a · record_hash: d4f6a8b0c2d4f6a8b0c2d4f6a8b0c2d4f6a8b0c2
TEE ✓ AUD-90202

09:14:04.562 · READ · change_mgmt_log (ServiceNow) — CHG-2026-04291
Credential: svc-access-review · Permission: granted · Scope: change_mgmt_log.read · Change: priv_escalation:svc-etl-prod · Authorized by: d.reyes
output_hash: e2f4a6b8c0d2e4f6a8b0c2d4e6f8a0b2c4e6f8a0 · record_hash: f6a8b0c2d4f6a8b0c2d4f6a8b0c2d4f6a8b0c2d4
TEE ✓ AUD-90203

09:14:05.037 · READ · change_mgmt_log (ServiceNow) — CHG-2026-04388
Credential: svc-access-review · Permission: granted · Scope: change_mgmt_log.read · Change: admin_create:m.tanaka · Authorized by: c.okonkwo
output_hash: a1b3c5d7e9f1a3b5c7d9e1f3a5b7c9d1e3f5a7b9 · record_hash: b0c2d4e6f8a0b2c4e6f8a0b2c4e6f8a0b2c4e6f8
TEE ✓ AUD-90204

09:14:05.481 · READ · hr_termination_log — Deprovision SLA Check
Credential: svc-access-review · Permission: granted · Scope: hr_termination_log.read · Departures in period: 2 · Deprovisioned ≤24h: 2 · SLA_MET: true
output_hash: c4d6e8f0a2c4d6e8f0a2c4d6e8f0a2c4d6e8f0a2 · record_hash: e8f0a2c4d6e8f0a2c4d6e8f0a2c4d6e8f0a2c4d6
TEE ✓ AUD-90205

09:14:05.914 · WRITE · soc2_evidence_log/access_review_20260411
Credential: svc-access-review · Permission: granted · Scope: soc2_evidence_log.write · policy_violations: 0 · changes_reviewed: 4 · all_authorized: true
output_hash: f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8 · record_hash: a2b4c6d8e0f2a4c6d8e0f2a4c6d8e0f2a4c6d8e0
TEE ✓ AUD-90208

TEE Attestation Summary
Compute Node: TZ-EC-9b2a4c · us-east-1
Attestation Method: HMAC-SHA256 platform attestation
Records Attested: 8 / 8 (100%)
Policy Violations: 0
Execution Hash: tz_tee_v1:007304:b7c1d4f8:2026-04-11T09:14:02.338Z
manifest.json — Integrity Checksums
execution_logs.json · sha256: 7c3f9a1b5d2e8f4a0c6d3b9e5f1a7c2d8e4f0a6c… · 9,182 bytes
soc2_control_mapping.json · sha256: 4a8b2c6d0e4f8a2c6d0e4f8a2c6d0e4f8a2c6d0e… · 4,021 bytes
audit_trail.json · sha256: b1c5d9e3f7a0b4c8d2e6f0a4b8c2d6e0f4a8b2c6… · 12,844 bytes
tee_attestation.json · sha256: e0f4a8b2c6d0e4f8a2c6d0e4f8a2c6d0e4f8a2c6… · 4,391 bytes
README.txt · sha256: c8d2e6f0a4b8c2d6e0f4a8b2c6d0e4f8a2c6d0e4… · 1,284 bytes

All 7 TSC controls addressed · TEE-attested audit trail · 0 policy violations · Signed ZIP downloadable · Generated automatically — no manual work
