One-click compliance reporting

Maintain a continuously updated identity graph with evidence built in: who has access, when it was granted, who approved it, when it was last reviewed, and what the activity looked like. Auditor-ready reports should generate on demand, scoped to a control or a framework, without manual stitching. The cost of audit prep is usually a function of how fragmented the underlying telemetry is.

SOC 2, ISO 27001, PCI DSS, HIPAA, and GDPR all require evidence of least privilege, periodic access reviews, segregation of duties, credential rotation, and audit trails. Newer frameworks like NIS2 and DORA extend this to non-human identities and third-party integrations. AI governance expectations under the EU AI Act now cover AI agent access controls. Coverage gaps for NHIs are the most common finding.

Continuous discovery, complete audit trails per identity, evidence of approvals and reviews, segregation of duties enforcement, credential rotation tracking, and on-demand report generation mapped to specific control frameworks. NHI and AI agent coverage equal to human identity coverage. Read-only auditor access to the evidence layer without exposing the operational workflows. Exportable evidence in formats auditors actually accept.

Time to revoke on leaver events, percentage of identities with attributed ownership, access review completion rates, mean age of stale credentials, count of identities exceeding the privilege baseline, and number of toxic combinations detected. For NHIs and AI agents, add coverage rate against the discovered footprint. Trend metrics matter more than point-in-time numbers for showing programme maturity to auditors and the board.

Map controls from each framework to the underlying identity events that satisfy them. Continuous telemetry feeds evidence into pre-built report templates aligned to SOC 2, ISO 27001, and similar frameworks. Generate evidence on demand rather than rebuilding it before each audit. The work shifts from collecting evidence to validating control design, which is what auditors actually want to discuss.

Run the audit framework against the platform output a quarter before the auditor arrives. Identify gaps in coverage, ownership attribution, and review cadence early. Document policy decisions, exceptions, and compensating controls. Pre-build the evidence packages the auditor will request. Most audit pain comes from late discovery of gaps. Continuous monitoring removes the surprise.

Every agent invocation logged with the requesting user, the agent identity, the tools called, the resources accessed, and the authorisation decision. Provenance from the originating human through the agent to the downstream system. Tamper-evident storage with retention aligned to the regulatory window. Mapping from agent activity to specific compliance controls. Most existing logging stacks capture agent traffic as anonymous service account activity, which fails the audit standard.