SOC 2 Trust Services Criteria

AF-2, AF-7.5

agent_owners.verification_status='verified' (proves the human owner was actively confirmed)

Human-side competence is tenant HR. Agent-side qualification (validated model + skills + prompts) is tracked in AF-7.5.

AF-2, AF-7.6

agent_owners row with role='primary' is the named-accountable record per agent

Primary-owner accountability is in AF-2. Executive-sponsor accountability for high-risk agents is AF-7.6.

AF-1

agent_action_events ledger — append-only, slug-FK to canonical vocabulary, decision-bearing per ADR-044

The ledger is the system of record for what agents actually did. Quality is enforced by FK integrity (vocabulary, agent identity) and trigger-enforced append-only.

AF-3

agent_charters.supersedesCharterId (version chain); agent_charters.reviewDueAt (next required review)

Every charter change creates a new row that points back to its predecessor. The hash + version chain is the change-impact record.

AF-1, AF-2

Ledger queryability (per-agent, per-decision, per-time); agent_owners.verification_status row count by status (audit-visible signal)

Both ongoing (live ledger) and point-in-time (verification_status snapshot) evaluations are supported.

AF-6 (detect), AF-7.7 (workflow)

agent_action_events.decision='blocked' rows are the deficiency signal

Deficiency detection is automatic via AF-6. Deficiency communication + corrective action workflow is AF-7.7.

AF-6, AF-1

AF-6 preflight evaluator (control); agent_action_events.decision written back (record)

The preflight + ledger pair is the canonical AI-agent control activity.

AF-1, AF-3

agent_charters.supersedesCharterId chain (config-change record); agent_action_events (live monitoring)

Charter version chain detects intent changes; ledger detects behavioral changes.

AF-1, AF-6

agent_action_events.decision='blocked' (refused action); decision='escalated' (suspicious action awaiting human review)

ADR-044 cites this requirement directly. The decision column is the anomaly signal; ledger queries are the analysis surface.

AF-7.3

—

AF-1 ledger captures the events. Security-event evaluation workflow (incident triage, link to specific ledger entries) is AF-7.3.

AF-7.3, AF-7.7

—

Incident response program is AF-7.3 + AF-7.7. AF-1/AF-6 supply the inputs.

AF-3

agent_charters.signedByOwnerId + signedByOwnerAt (authorization); supersedesCharterId chain (history); charterHash (integrity); status lifecycle (draft → signed → active → retired)

The charter lifecycle is the per-agent change-management process. Each transition is timestamped and authorized; the hash provides integrity.

AF-3, AF-4, AF-6

Charter mayNotActions + approvalRequirements; statement bindings (AF-4) controlling acceptable behaviors; AF-6 enforcement

The three together — declared prohibitions, bound governance statements, runtime enforcement — are the mitigation stack.

AF-7.1 (controlled-disable dimension only)

—

The kill-switch (AF-7.1) is the controlled-disable side of availability. System-level availability (uptime, ledger-write SLA, recovery infrastructure) is tenant-wide infra, addressed elsewhere in the Dictiva observability stack. Not tracking in AF-7.

AF-6

AF-6 preflight enforcement; agent_action_events rows with decision='allowed' represent integrity-checked outputs

AF-6 is the integrity gate for agent-produced output. Charter mayNotActions declares what's out-of-spec; preflight enforces.

None (tenant-wide)

—

out of AF scope

These categories are tenant-wide infrastructure controls — not addressable at the AF layer. The agent_charters.dataAccess[] field exposes which data classes an agent reaches into so a customer's tenant-wide data-classification regime can pin the agent's exposure, but the controls themselves live elsewhere in the platform. Not tracking in AF-7.