# Send SOC 2 AI Agent Compliance to your agent
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
## Fast path
- Download the package from Yavira.
- Extract it into a folder your agent can access.
- Paste one of the prompts below and point your agent at the extracted folder.
## Suggested prompts
### New install

```text
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete.
```
### Upgrade existing

```text
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run.
```
## Machine-readable fields
```json
{
  "schemaVersion": "1.0",
  "item": {
    "slug": "afrexai-soc2-compliance",
    "name": "SOC 2 AI Agent Compliance",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/1kalin/afrexai-soc2-compliance",
    "canonicalUrl": "https://clawhub.ai/1kalin/afrexai-soc2-compliance",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadUrl": "/downloads/afrexai-soc2-compliance",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-soc2-compliance",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "packageFormat": "ZIP package",
    "primaryDoc": "SKILL.md",
    "includedAssets": [
      "README.md",
      "SKILL.md"
    ],
    "downloadMode": "redirect",
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/afrexai-soc2-compliance"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    }
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/afrexai-soc2-compliance",
    "downloadUrl": "https://openagent3.xyz/downloads/afrexai-soc2-compliance",
    "agentUrl": "https://openagent3.xyz/skills/afrexai-soc2-compliance/agent",
    "manifestUrl": "https://openagent3.xyz/skills/afrexai-soc2-compliance/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/afrexai-soc2-compliance/agent.md"
  }
}
```
## Documentation

### SOC 2 Compliance Accelerator

Your agent for achieving and maintaining SOC 2 Type I and Type II compliance — from readiness assessment through audit completion.

### What This Does

Guides organizations through the full SOC 2 lifecycle: gap analysis, control implementation, evidence collection, audit prep, and continuous monitoring. Covers all 5 Trust Service Criteria with practical implementation steps.

### How to Use

Tell your agent what stage you're at:

- "Run SOC 2 readiness assessment" — 64-point gap analysis across all Trust Service Criteria
- "Build SOC 2 control matrix" — Maps controls to criteria with ownership and evidence requirements
- "Create SOC 2 evidence collection plan" — Automated and manual evidence gathering schedule
- "Prepare for SOC 2 audit" — Auditor-ready documentation package checklist
- "SOC 2 continuous monitoring dashboard" — Ongoing compliance tracking after certification

### CC — Common Criteria (Security) — Required

- CC1: Control Environment (tone at top, org structure, accountability)
- CC2: Communication & Information (internal/external, system boundaries)
- CC3: Risk Assessment (risk identification, fraud risk, change impact)
- CC4: Monitoring Activities (ongoing evaluations, deficiency reporting)
- CC5: Control Activities (policies, technology controls, deployment)
- CC6: Logical & Physical Access (access management, authentication, physical security)
- CC7: System Operations (vulnerability management, incident response, recovery)
- CC8: Change Management (change authorization, testing, approval)
- CC9: Risk Mitigation (vendor management, business continuity)

### Optional Criteria

- Availability (A1): Uptime SLAs, DR/BCP, capacity planning
- Processing Integrity (PI1): Data accuracy, completeness, timeliness
- Confidentiality (C1): Classification, encryption, retention, disposal
- Privacy (P1): Notice, consent, collection, use, disclosure, access

### Phase 1: Scoping (Week 1)

System Description Checklist:

- Infrastructure components (cloud, on-prem, hybrid)
- Software stack (applications, databases, middleware)
- People (roles, responsibilities, third parties)
- Procedures (operational, security, change management)
- Data flows (ingress, processing, storage, egress)
- Trust Service Criteria selection (Security + which optional?)
- Subservice organizations (cloud providers, SaaS tools)
- Carve-out vs inclusive method for subservice orgs

### Phase 2: Gap Analysis (Weeks 2-3)

Score each control area 1-5:

- 1 — Not Started: No policy, no process, no evidence
- 2 — Ad Hoc: Informal processes exist but undocumented
- 3 — Defined: Documented but inconsistent execution
- 4 — Managed: Documented, executed, some evidence
- 5 — Optimized: Automated, monitored, auditable evidence

Priority Matrix:

| Gap Score | Action | Timeline |
|---|---|---|
| 1-2 | Critical — implement immediately | 2-4 weeks |
| 3 | Important — formalize and document | 1-2 weeks |
| 4 | Minor — fill evidence gaps | 3-5 days |
| 5 | Maintain — continue monitoring | Ongoing |

### Phase 3: Remediation (Weeks 3-10)

For each gap:
1. Assign control owner (by name, not role)
2. Define implementation steps
3. Set evidence collection method (automated preferred)
4. Establish testing cadence
5. Document exception handling process

### Must-Have Controls (Week 1-4)

- Access Management: SSO, MFA on all systems, quarterly access reviews
- Encryption: TLS 1.2+ in transit, AES-256 at rest, key management
- Logging: Centralized logging, 90-day retention minimum, tamper-evident
- Incident Response: Documented plan, defined roles, tested annually
- Change Management: Approval workflows, code review, deployment gates
- Vendor Management: Vendor inventory, risk assessments, SOC 2 reports from critical vendors
- Employee Security: Background checks, security awareness training, acceptable use policy
- Vulnerability Management: Regular scanning, patch cadence (critical <72hrs), penetration testing

### Should-Have Controls (Week 4-8)

- Business Continuity: DR plan, RTO/RPO defined, tested semi-annually
- Data Classification: 4-tier model (Public, Internal, Confidential, Restricted)
- Network Security: Segmentation, IDS/IPS, WAF for web applications
- Endpoint Protection: EDR, device encryption, MDM for mobile

### Nice-to-Have Controls (Week 8+)

- Security Metrics Dashboard: Real-time compliance posture
- Automated Compliance Monitoring: Continuous control testing
- Zero Trust Architecture: Beyond perimeter security

### Automated Evidence (Set Once, Collect Forever)

| Control | Evidence Source | Tool Examples |
|---|---|---|
| Access Reviews | IAM exports | Okta, Azure AD, AWS IAM |
| Encryption | Config snapshots | AWS Config, CloudTrail |
| Logging | Log aggregation | Datadog, Splunk, ELK |
| Vulnerability Scans | Scan reports | Qualys, Nessus, Snyk |
| Change Management | PR/deploy history | GitHub, GitLab, Jira |
| Uptime | Monitoring dashboards | Datadog, PagerDuty |

### Manual Evidence (Scheduled Collection)

| Control | Evidence Type | Frequency |
|---|---|---|
| Background Checks | HR records | Per hire |
| Security Training | Completion certificates | Annual |
| Risk Assessment | Assessment document | Annual |
| Pen Testing | Report | Annual |
| DR Testing | Test results | Semi-annual |
| Board/Mgmt Review | Meeting minutes | Quarterly |
| Vendor Reviews | Assessment records | Annual |
| Policy Reviews | Version history | Annual |

### Type I (Point-in-Time) — 8-12 weeks total

- Week 1-2: Auditor selection + engagement letter
- Week 2-4: System description draft
- Week 4-6: Control documentation + evidence prep
- Week 6-8: Fieldwork (auditor testing)
- Week 8-10: Draft report review
- Week 10-12: Final report issued

### Type II (Period of Time) — 3-12 month observation + 4-6 weeks fieldwork

- Month 1: Observation period begins (minimum 3 months, recommend 6-12)
- Ongoing: Evidence collection, control operation
- Month 3-12: Observation period ends
- +Week 1-2: Fieldwork scheduling
- +Week 2-4: Fieldwork (testing over observation period)
- +Week 4-6: Draft report + final report

### Cost Framework

| Company Size | Type I | Type II | Annual Maintenance |
|---|---|---|---|
| Startup (<50) | $20K-$50K | $30K-$80K | $15K-$40K |
| Mid-Market (50-500) | $40K-$100K | $60K-$150K | $30K-$80K |
| Enterprise (500+) | $80K-$200K | $120K-$300K | $60K-$150K |

Includes: auditor fees, tooling, personnel time, remediation costs.

Hidden costs to budget:

- Compliance automation platform: $10K-$50K/year
- Additional security tooling: $5K-$30K/year
- Personnel time (internal): 200-800 hours
- Policy/procedure writing (if outsourced): $5K-$20K

### Common Audit Findings (Avoid These)

- Access not revoked within 24 hours of termination — #1 finding
- Missing or incomplete risk assessment — annual requirement
- No evidence of management review — need meeting minutes
- Incomplete vendor management — missing SOC reports from critical vendors
- Inconsistent change management — emergency changes without retroactive approval
- Security training gaps — new hires not trained within 30 days
- Logging gaps — not all in-scope systems sending to central logging

### AI Agent SOC 2 Considerations (2026)

When deploying AI agents in SOC 2 environments:

- Data boundaries: Agents must not access data outside their defined scope
- Audit trail: All agent actions must be logged and attributable
- Access controls: Agent service accounts need the same rigor as human accounts
- Model governance: Document which models process customer data
- Prompt injection defense: Part of CC7 (system operations) controls
- Output validation: Processing integrity controls for agent outputs

### Industry-Specific Requirements

| Industry | Extra Criteria | Key Controls |
|---|---|---|
| Fintech | All 5 TSC typical | SOX mapping, encryption everywhere, PCI if payments |
| Healthcare | Privacy, Confidentiality | HIPAA crosswalk, BAAs, PHI handling |
| SaaS | Availability, Confidentiality | Multi-tenant isolation, SLA compliance |
| Legal | Confidentiality, Privacy | Privilege protection, matter isolation |
| Construction | Security, Availability | Field data protection, offline capability |
| E-commerce | All 5 TSC typical | PCI DSS alignment, transaction integrity |

### 7 SOC 2 Mistakes That Cost Companies 6+ Months

1. Starting with Type II — Get Type I first, prove controls work, then observe
2. Scoping too broadly — Only include systems that touch customer data
3. Choosing the wrong auditor — Pick one who knows your industry
4. Manual evidence collection — Automate from day 1 or drown in spreadsheets
5. Treating it as a project, not a program — SOC 2 is continuous
6. Ignoring subservice organizations — Your cloud provider's SOC 2 matters
7. No executive sponsor — Compliance without budget authority = failure

### Get the Full Implementation Package

This skill gives you the framework. For industry-specific compliance playbooks with regulatory crosswalks, cost models, and vendor selection guides:

🔗 AfrexAI Context Packs — $47 per industry vertical

Available packs: Fintech, Healthcare, Legal, Construction, E-commerce, SaaS, Real Estate, Recruitment, Manufacturing, Professional Services

🔗 AI Revenue Leak Calculator — Find where compliance gaps cost you money

🔗 Agent Setup Wizard — Deploy compliance monitoring agents in minutes

Bundle pricing:

- Pick 3 packs: $97
- All 10 packs: $197
- Everything bundle: $247

## Trust
- Source: tencent
- Verification: Indexed source record
- Publisher: 1kalin
- Version: 1.0.0
## Source health
- Status: healthy
- Source download looks usable.
- Yavira can redirect you to the upstream package for this source.
- Health scope: source
- Reason: direct_download_ok
- Checked at: 2026-04-23T16:43:11.935Z
- Expires at: 2026-04-30T16:43:11.935Z
- Recommended action: Download for OpenClaw
## Links
- [Detail page](https://openagent3.xyz/skills/afrexai-soc2-compliance)
- [Send to Agent page](https://openagent3.xyz/skills/afrexai-soc2-compliance/agent)
- [JSON manifest](https://openagent3.xyz/skills/afrexai-soc2-compliance/agent.json)
- [Markdown brief](https://openagent3.xyz/skills/afrexai-soc2-compliance/agent.md)
- [Download page](https://openagent3.xyz/downloads/afrexai-soc2-compliance)