Skip to main content

Compliance Checklists for Agentic AI

Regulatory Framework Templates

Document ID: F5-COMPLIANCE-CHECKLISTS
Version: 1.0
Category: Governance

SOC 2 Type II Checklist

CC6: Logical and Physical Access Controls

ControlRequirementAgentic ImplementationStatus
CC6.1Access control policiesAgent authentication via API keys
CC6.2User registration/deregistrationSession management, token rotation
CC6.3User authenticationOAuth 2.0 / API key validation
CC6.6Restriction of privileged accessTool permission scoping
CC6.7Access reviewAgent capability audits

CC7: System Operations

ControlRequirementAgentic ImplementationStatus
CC7.1Vulnerability managementLLM input sanitization
CC7.2Change managementAgent versioning, deployment gates
CC7.3Security event monitoringAction logging, anomaly detection
CC7.4Incident responseAgent fallback procedures

CC8: Change Management

ControlRequirementAgentic ImplementationStatus
CC8.1Infrastructure changesAgent deployment pipelines

Agentic-Specific Controls

ControlDescriptionImplementation
AGT-01Audit trail for all agent actionsVE paradigm with immutable logging
AGT-02Human-in-the-loop for sensitive operationsConfirmation gates in protocols
AGT-03Output validation and sanitizationSchema validation, PII filtering
AGT-04Token budget controlsPer-task and per-session limits

HIPAA Checklist

Administrative Safeguards (§164.308)

RequirementAgentic ImplementationStatus
Risk analysisThreat modeling for agent access
Workforce trainingOperator training on agent supervision
Access managementRole-based agent permissions
Contingency planAgent failover procedures

Technical Safeguards (§164.312)

RequirementAgentic ImplementationStatus
Access controlAgent authentication, session management
Audit controlsVE paradigm audit logging
Integrity controlsInput/output validation
Transmission securityTLS 1.3 for all communications

PHI Handling Requirements

REQUIRED CONTROLS FOR AGENTIC PHI ACCESS:

1. MINIMUM NECESSARY
   - Agent retrieves only required PHI
   - Context window excludes unnecessary PHI
   - Tool outputs filtered for PHI

2. LOGGING
   - Every PHI access logged with:
     * Timestamp
     * Data elements accessed
     * Purpose
     * Agent/user identifier

3. ENCRYPTION
   - PHI encrypted in transit (TLS 1.3)
   - PHI encrypted at rest (AES-256)
   - PHI masked in logs: SSN → XXX-XX-1234

4. BAA REQUIREMENTS
   - LLM provider BAA in place
   - Cloud provider BAA in place
   - Vector database BAA if storing PHI

GDPR Checklist

Article 5: Data Processing Principles

PrincipleAgentic ImplementationStatus
LawfulnessDocument legal basis for agent processing
Purpose limitationScope agent access to stated purposes
Data minimizationRetrieve only necessary data
AccuracyValidate agent outputs, correction mechanisms
Storage limitationImplement retention policies for agent data
Integrity & confidentialityEncryption, access controls

Article 17: Right to Erasure

IMPLEMENTATION REQUIREMENTS:

1. ERASURE SCOPE
   - User data in knowledge bases
   - Episodic memory entries
   - Audit logs (after retention period)
   - Training data (if applicable)

2. VERIFICATION
   - Confirm deletion across all stores
   - Vector embeddings removed
   - Backup purging scheduled

3. RESPONSE TIME
   - 30 days maximum
   - Automated pipeline recommended

Article 22: Automated Decision-Making

RequirementImplementationStatus
Right to human interventionEscalation paths defined
Right to explanationDecision rationale logging
Right to contestAppeal process documented

SOX Compliance (Section 404)

Internal Controls for Agentic Financial Processes

ControlDescriptionImplementation
Segregation of dutiesAgent cannot approve own outputsMulti-agent with human approval
AuthorizationDefined approval thresholdsVE protocol gates
Audit trailComplete action historyImmutable audit logging
ReconciliationAgent outputs verifiedAutomated validation

Required Documentation

  • Agent process flowcharts
  • Control matrices for each agent workflow
  • Risk assessments for automated decisions
  • Testing evidence (quarterly)
  • Management certification

Financial Services (SEC/FINRA)

Recordkeeping Requirements

RETENTION REQUIREMENTS:

Books & Records (17a-4):
- Agent communications: 3 years (first 2 accessible)
- Transaction records: 6 years
- Audit logs: 6 years

Format:
- Write-once, read-many (WORM) compliant
- Indexed and searchable
- Reproducible in original format

Supervision Requirements

RequirementAgentic Implementation
Written proceduresDocumented agent protocols
Review of activitiesHuman review of agent outputs
Annual compliance reviewAgent audit program
TrainingOperator certification

AI-Specific Regulations

EU AI Act Readiness

RequirementHigh-Risk AILimited Risk
Risk assessmentRequiredRecommended
Data governanceRequiredRecommended
Technical documentationRequiredBasic
TransparencyFull disclosureNotification
Human oversightMandatoryOptional
Accuracy/robustnessTesting requiredBest effort
BASELINE AI GOVERNANCE:

1. TRANSPARENCY
   - Disclose AI use to users
   - Explain capabilities and limitations
   - Provide human alternative option

2. BIAS MONITORING
   - Regular output audits
   - Demographic fairness testing
   - Correction mechanisms

3. SAFETY
   - Content filtering
   - Harmful output detection
   - Incident reporting

4. ACCOUNTABILITY
   - Clear ownership
   - Escalation paths
   - Regular reviews

Compliance Quick Reference

RegulationKey Agent RequirementRecommended Paradigm
SOC 2Audit logging, access controlVE
HIPAAPHI protection, minimum necessaryVE + GS
GDPRData minimization, erasureVE
SOXSegregation, authorizationVE + Human approval
SEC/FINRARecordkeeping, supervisionVE
EU AI ActTransparency, human oversightVE + Human oversight

Document maintained by CODITECT Compliance Team. Consult legal counsel for specific implementations.