Claude Code and SOC 2: What Auditors Actually Ask

April 26, 2026 · 10 min read

Your SOC 2 auditor is going to ask about Claude Code. Not if. When. If you’re using it in your development process — especially if it touches production systems — the auditor needs to understand your controls.

SOC 2 doesn’t have a specific “AI agent” section. But agents touch multiple Trust Service Criteria: Security, Availability, Processing Integrity, and Confidentiality. The auditor maps your agent usage to existing criteria and expects controls that satisfy each one.

Here’s what they actually ask and what they want to see.

“Describe Your AI Agent Access Controls”

Usually the first question. The auditor wants to understand who can deploy agents, what agents can access, and how access is controlled.

What “we use Claude Code” sounds like: “We have an autonomous system with access to our production infrastructure. We don’t know exactly what it can do. Different developers configure it differently.”

What they want to hear: “Each Claude Code agent session launches with a specific IAM role scoped to the task. Sessions are attributed to the launching developer. We use temporary credentials that expire after one hour. The policy engine prevents operations outside defined scope.”

Artifacts they’ll request: access control matrix showing which roles/agents can access which systems, policy definitions (the actual configuration), evidence of policy enforcement (denied operations, not just allowed ones).

“How Do You Log AI Agent Activity?”

SOC 2 Control CC7.2 requires monitoring system components for anomalies. An AI agent modifying your infrastructure is exactly the kind of component that needs monitoring.

What they expect to see: Structured logs capturing every agent operation with timestamps, session identifiers, the developer who initiated the session, the operation performed, the target resource, and the result. They’ll pick random entries and ask you to trace them back to a specific developer and task.

What fails: API usage logs from Anthropic (shows token consumption, not actions), application logs without session correlation, logs the dev team can modify or delete, missing time periods where agents were active but no logs exist.

What passes: Immutable, structured audit logs in write-once storage; every entry tied to a session ID, developer, and project; retention matching your compliance requirement (usually 1 year minimum); ability to produce a complete timeline for any session within minutes.
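The sampling an auditor does on these logs can be rehearsed ahead of time. The script below is an added example, not code from this article's author or from any vendor: it checks a JSON Lines audit log for entries that cannot be traced, sessions with no complete launch-to-completion record, and denied operations that serve as enforcement evidence. The field names, the `session.start` / `session.end` event names and the sample entries are assumptions constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime

# Field names and the sample entries below are constructed assumptions,
# not a real Claude Code log schema or real logs.
REQUIRED = ("ts", "session_id", "developer", "project", "operation", "target", "result")
SAMPLE_LOG = """\
{"ts":"2026-04-01T09:00:00Z","session_id":"s-101","developer":"alice","project":"billing","operation":"session.start","target":"-","result":"allowed"}
{"ts":"2026-04-01T09:02:10Z","session_id":"s-101","developer":"alice","project":"billing","operation":"git.push","target":"refs/heads/main","result":"denied"}
{"ts":"2026-04-01T09:20:00Z","session_id":"s-101","developer":"alice","project":"billing","operation":"session.end","target":"-","result":"allowed"}
{"ts":"2026-04-01T09:05:30Z","session_id":"s-101","developer":"alice","project":"billing","operation":"pr.create","target":"billing#constructed","result":"allowed"}
{"ts":"2026-04-02T14:00:00Z","session_id":"s-102","developer":"bob","project":"infra","operation":"session.start","target":"-","result":"allowed"}
{"ts":"2026-04-02T14:03:00Z","session_id":"s-102","developer":"bob","project":"infra","operation":"terraform.apply","target":"staging","result":"allowed"}
{"ts":"2026-04-02T15:00:00Z","session_id":"s-103","developer":"","project":"infra","operation":"file.write","target":"deploy.yaml","result":"allowed"}
"""

def parse(text):
    """Return (well-formed records, [(line_no, missing_fields)])."""
    good, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        rec = json.loads(line)
        missing = [f for f in REQUIRED if not rec.get(f)]
        if missing:
            bad.append((n, missing))  # entry cannot be traced to a developer/task
            continue
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        good.append(rec)
    return good, bad

def timeline(records, session_id):
    """Operations of one session in time order, regardless of arrival order."""
    hits = [r for r in records if r["session_id"] == session_id]
    return [r["operation"] for r in sorted(hits, key=lambda r: r["ts"])]

def audit(text):
    records, defects = parse(text)
    sessions = defaultdict(list)
    for r in records:
        sessions[r["session_id"]].append(r)
    return {
        "untraceable_lines": defects,
        "ambiguous_owner": sorted(s for s, rs in sessions.items() if len({r["developer"] for r in rs}) != 1),
        # no start or no end event: the agent was active without a complete record
        "incomplete": sorted(s for s, rs in sessions.items() if not {"session.start", "session.end"} <= {r["operation"] for r in rs}),
        "denied": [(r["session_id"], r["operation"], r["target"]) for r in records if r["result"] == "denied"],
    }

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Any non-empty `untraceable_lines`, `ambiguous_owner` or `incomplete` result is a finding to fix before the auditor samples the same period; an empty `denied` list over a long window means there is no evidence yet that enforcement ever fired.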

“What Is Your Change Management Process for Agent-Initiated Changes?”

SOC 2 Control CC8.1 covers change management. When Claude Code modifies production code or infrastructure, that’s a change. The auditor needs to see that changes go through your defined process regardless of whether a human or agent initiated them.

This is where most teams fail. Their change management process assumes human actors: developer writes code, submits PR, reviewer approves, CI/CD deploys. Claude Code can bypass all of these if it has direct push access and production credentials.

What they want: Agent-initiated changes go through the same approval process as human-initiated changes. Code changes submitted as pull requests, not pushed directly. Infrastructure changes require authorized approval. Emergency changes have a defined exception process.

Evidence they’ll request: Pull requests created by Claude Code agents (showing review and approval), approval records for infrastructure operations, denied change requests (showing controls work in both directions).

“How Do You Handle Incidents Involving AI Agents?”

SOC 2 Control CC7.3 requires incident response procedures. The auditor will ask: if a Claude Code agent causes an incident, how do you detect, respond, and prevent recurrence?

Your incident response plan should cover:

Detection: Real-time monitoring of agent operations, automated alerts for anomalous behavior.

Containment: Per-session kill mechanisms, credential revocation, ability to halt all agent operations.

Investigation: Session-level audit trails with ability to replay the agent’s decision-making process.

Prevention: Policy updates, scope restrictions, additional approval gates for the operation type that caused the incident.

The auditor will ask for evidence of at least one incident or near-miss handled through this process. If you’ve had no incidents, they’ll ask about testing: do you run tabletop exercises? Test your kill switch? Verify policy denials work?

“How Do You Ensure Data Confidentiality with AI Agents?”

If Claude Code processes sensitive data, the auditor scrutinizes data handling controls under CC6.1 and CC6.5.

This is a real concern: Claude Code reads files and sends their content to Anthropic’s API for processing. If those files contain customer PII, financial data, or health records, that data leaves your environment.

Controls the auditor wants:

  • Data classification identifying sensitive files/directories
  • Agent policies preventing access to classified data
  • Network controls restricting where agent sessions can send data
  • For highly sensitive environments: VPC-deployed models keeping all data internal

“Show Me Your Vendor Risk Assessment for Anthropic”

Anthropic is a vendor. SOC 2 requires vendor risk assessment under CC9.2. Many teams have thorough assessments for their database provider and payment processor, and none for their AI provider.

They’ll ask: Have you reviewed Anthropic’s SOC 2 report? Do you have a data processing agreement? What happens to your data after API processing? What’s your contingency plan if the API is unavailable?

Preparing for the Audit

Checklist if your SOC 2 audit is coming:

  1. Document your agent access control model. Write down which roles launch agents, what each can access, how policies are enforced. Include the actual policy files.

  2. Verify your audit trail. Pull logs for 90 days. Can you trace any random agent session from launch to completion?

  3. Review your change management. Are agent-initiated code changes going through pull requests? Infrastructure changes through approval gates?

  4. Update your incident response plan. Add agent-specific sections. Run at least one tabletop exercise.

  5. Complete a vendor risk assessment for Anthropic. Review their SOC 2, document your data handling controls.

  6. Test your controls. Try to violate a policy — does the agent get denied? Try to kill a session — does it stop immediately?

The teams that pass SOC 2 with Claude Code aren’t doing anything exotic. They’re applying the same governance principles they use for human access — identity, authorization, logging, monitoring, incident response — to their agent operations. The principles are the same. The tools are different.

What they’re not doing is running Claude Code with admin credentials and no logging, hoping the auditor doesn’t ask. The auditor will ask.
