2026-02-11
The Compliance Engineer's Guide to Intended
Intended Team · Founding Team
Compliance Is Evidence
If you work in compliance, you already know this: compliance is not about having controls. It is about proving you have controls. The most sophisticated security architecture in the world is worthless to an auditor if you cannot demonstrate that it was operating effectively during the audit period.
This is the fundamental challenge of AI governance compliance. You need to prove that every AI agent action was authorized, that policies were enforced consistently, that exceptions were handled appropriately, and that the entire decision history is tamper-evident and auditable. For every action, for every agent, for the entire audit period.
Intended was designed from the ground up with this requirement in mind. Every governance decision produces compliance-grade evidence automatically. Here is how to use it.
SOC 2 Controls Mapping
SOC 2 reports are organized around the Trust Services Criteria, which fall into five categories: security, availability, processing integrity, confidentiality, and privacy. The sections below map Intended's capabilities to specific criteria in the first four categories.
Security (CC Series)
CC6.1 (Logical Access Controls): Intended's Authority Engine enforces logical access controls for every AI agent action. Each action requires a valid authority token, issued only after policy evaluation. The token, together with the ledger record of the evaluation that issued it, is the evidence that the access control operated for that action.
CC6.2 (Access Review): Intended provides agent activity dashboards showing action types, frequencies, and policy evaluation outcomes. These dashboards support periodic access reviews by showing what each agent actually did and whether those actions fell within its authorized scope.
CC6.3 (Role-Based Access): Intended's policy framework supports role-based, attribute-based, and context-based access control. Policies can be scoped by agent identity, team, domain, environment, and risk level. The policy configuration is version-controlled and auditable.
CC7.2 (Monitoring): Intended monitors all AI agent actions in real time. Anomalous behavior triggers alerts based on configurable thresholds. The monitoring covers action volume, error rates, escalation frequency, and deviation from historical patterns.
CC8.1 (Change Management): For AI agents performing infrastructure changes, Intended's governance layer serves as a change management control. Every change requires policy approval, and the approval process is recorded in the audit ledger.
Availability (A Series)
A1.2 (Recovery Objectives): Intended's architecture supports configurable RPO and RTO. The audit ledger is replicated across availability zones, and backup procedures are tested quarterly. For customers using the managed cloud offering, Intended publishes its own availability metrics and SLA compliance data.
Processing Integrity (PI Series)
PI1.1 (Processing Completeness): The hash-chained audit ledger supports processing completeness. Every governance decision is recorded, and because each record carries the hash of the previous one, removing a record from the middle of the chain breaks the link of the record that follows it, so verification fails at that point. The chain proves completeness only for decisions that reached the ledger: an action that bypassed the governance layer altogether never produces a record, so completeness also depends on the enforcement point being unavoidable for agents, which is what the fail-closed behavior in the next item provides.
PI1.4 (Error Handling): Intended's fail-closed default behavior ensures that processing errors do not result in unauthorized actions. When the governance system encounters an error, the default is to deny the action rather than allow it to proceed without evaluation. The corollary is that an outage of the governance service stops agent actions rather than letting them run ungoverned, which is why the availability controls above matter to the processing integrity story as well.
Confidentiality (C Series)
C1.1 (Confidential Information Protection): Intended processes intent metadata, not the underlying data that agents access. Intent metadata is encrypted at rest using AES-256 and in transit using TLS 1.3. Customer data never passes through Intended's infrastructure in the standard deployment model. Intent metadata can still reveal resource names, operations, and agent scopes, so evidence exports should be handled as confidential material and access to them limited to the people who need them for the audit.
Evidence Export
Intended provides automated evidence export in formats that auditors expect. The evidence export system supports three output formats.
**Structured JSON.** The raw audit data in JSON format, suitable for automated processing and analysis. Each record includes the intent classification, policy evaluation result, risk score, authority token details, execution outcome, and hash chain link.
**PDF Reports.** Formatted reports showing governance activity summaries, policy compliance rates, escalation statistics, and exception details. These reports are designed for auditor consumption and include charts, tables, and narrative summaries.
**CSV Extracts.** Tabular data suitable for spreadsheet analysis. Auditors frequently request CSV exports for sampling and statistical testing.
Evidence exports can be scoped by time period, agent, domain, policy, or outcome. A common pattern is to export all escalation events for the audit period, or all deny decisions for a specific domain.
Chain Verification
The hash-chained audit ledger supports independent verification. This is critical for compliance because it allows an auditor to verify the integrity of the audit trail without trusting Intended's assertions.
The verification process works as follows. The auditor requests an export of the audit chain for the audit period. The export includes every decision record and its associated hash. The auditor runs the verification tool (provided as an open-source utility) against the export. The tool recomputes the hash for each record from the record's content and the previous record's hash. If every recomputed hash matches the stored hash, the chain is internally consistent: no record in the export was altered or removed without also breaking the link to its successor.
If a hash mismatch is detected, the verification tool identifies the exact record where the chain breaks. Because every later record links to the broken one, the first mismatch is the point of interest, and the auditor and the organization can focus their investigation on that record.
Chain verification is deterministic and reproducible. Any party with the audit export and the verification tool will get the same result, and no trusted third party is needed to run the check. One caveat applies to any hash chain, whatever tool verifies it: someone with write access to the ledger could alter a record and recompute every hash after it, producing an export that is internally consistent but no longer matches what was originally recorded. The check rules that out only if the auditor compares the final hash of the export against a value obtained independently of the export, such as a head hash delivered or published earlier in the audit period. The same comparison detects records silently dropped from the end of the chain, which internal consistency alone cannot reveal.
Auditor Access
For SOC 2 and ISO 27001 audits, auditors frequently need direct access to the governance system rather than relying solely on exports. Intended supports auditor access through read-only auditor accounts.
Auditor accounts have the following properties. They have read-only access to audit data, policy configurations, and agent activity dashboards, and no ability to modify policies, configurations, or audit records. Their access is scoped to the audit period the organization specifies. All auditor activity is session-recorded, which gives the organization an audit trail of the audit itself.
Auditor accounts are provisioned through the organization's admin console and can be time-limited to the audit engagement period. When the engagement ends, the account is automatically deactivated.
ISO 27001 Mapping
For organizations pursuing ISO 27001 certification, Intended maps to several Annex A controls. The references below use the ISO/IEC 27001:2013 Annex A numbering; in ISO/IEC 27001:2022 the same controls are regrouped under A.5.15 (access control), A.8.15 and A.8.16 (logging and monitoring activities), and A.5.31 and A.5.36 (legal and policy compliance), so map to the revision your certification body is auditing against.
A.9 Access Control: Intended's policy framework provides access control for AI agent operations. Policies define what each agent can do, in what context, and under what conditions.
A.12 Operations Security: Intended's monitoring and alerting capabilities support operational security controls. Anomaly detection, rate limiting, and real-time dashboards provide visibility into AI agent operations.
A.12.4 Logging and Monitoring: The hash-chained audit ledger addresses A.12.4.1 (event logging) and A.12.4.2 (protection of log information) by providing tamper-evident, cryptographically verifiable records. Note that the chain proves the order of records, not the accuracy of their timestamps; clock synchronization (A.12.4.4) for the systems that emit the records remains a separate control.
A.18 Compliance: Intended's evidence export and chain verification capabilities directly support compliance evidence collection and review processes.
Practical Workflow
Here is how compliance engineers typically use Intended in their workflow.
During the audit period, Intended operates continuously, recording every governance decision. The compliance engineer monitors the dashboard periodically to ensure no unexpected patterns emerge.
Before the audit, the compliance engineer generates evidence exports for the audit period. They run chain verification to confirm integrity. They prepare the SOC 2 controls mapping document, cross-referencing Intended evidence to specific control requirements.
During the audit, the compliance engineer provides auditors with exports, read-only access, and the controls mapping. The auditor independently verifies the chain, samples specific decisions for detailed review, and tests controls by reviewing policy configurations and enforcement patterns.
After the audit, the compliance engineer reviews any findings, adjusts policies or monitoring as needed, and archives the audit evidence for the retention period.
This workflow replaces the manual evidence collection process that most organizations suffer through. Instead of scrambling to assemble logs, screenshots, and spreadsheets before each audit, the evidence is generated automatically and continuously. The compliance engineer's job shifts from evidence collection to evidence review.