Agent Security 2026: Agent Auditing & Compliance — SOC2, GDPR và PCI cho AI Agents

Agent đưa ra quyết định mà không auditable là liability.

Khi agent xử lý payment, modify database, gửi email — và có gì sai — bạn cần biết chính xác chuyện gì xảy ra. Agent nào. Tool nào. Parameters gì. Context gì dẫn đến quyết định. Ai approved (nếu có human). Agent đã nghĩ gì khi đưa ra quyết định.

Đây là compliance layer. Và nó là phần khó nhất khi deploy agents trong regulated environments.

Ba Compliance Frameworks#

Framework	Yêu cầu	Tại sao Agents khó
SOC 2	Controls security, availability, processing integrity	Agent decisions non-deterministic
GDPR	Right to explanation, data minimization, deletion	Agents ingest data opaque ways
PCI DSS	Cardholder data protection, audit trails	Agents may log payment data inadvertently

Pillar 1: Audit Trails#

Agent Audit Record#

1
@dataclass
2
class AgentAuditRecord:
3
    audit_id: str
4
    agent_id: str
5
    agent_version: str            # Prompt version, steering file hash
6
    session_id: str
7
    user_id: str
8
    timestamp: datetime
9
    raw_input: str                # Original, encrypted
10
    sanitized_input: str          # PII-redacted
11
    tool_calls: list[dict]        # Tool name, params, result
12
    raw_output: str               # Encrypted
13
    sanitized_output: str         # PII-redacted
14
    contains_pii: bool
15
    contains_pci: bool
16
    human_approvals: list[dict]
17
    prev_hash: str                # Hash chain for immutability
18
    hash: str

What to Log#

Event	Log	Retention
Session start	Agent version, user, session ID	90 days
User message	Raw + sanitized	90 days (raw PII: 30)
Tool call	Tool, params, result	90 days
Tool call approval	Approver, timestamp	7 years (regulated)
Guardrail trigger	Guardrail, action	1 year
Session end	Summary, cost	90 days

Pillar 2: Explainability#

1
class ReasoningCapturer:
2
    def capture_thinking(self, thought):
3
        self.reasoning_log.append({"type": "thought", "content": thought})
4

5
    def capture_tool_decision(self, tool, args):
6
        self.reasoning_log.append({"type": "tool_decision", "tool": tool})
7

8
    def get_explainability_report(self):
9
        # Generate human-readable explanation
10
        # Chain of thought + why each tool was called

1
async def generate_explanation(user_id, session_id):
2
    records = await audit.get_session_trail(session_id)
3
    return {
4
        "automated_decision": {"made": True, "logic": "LLM with tool access"},
5
        "decision_sequence": [
6
            {"input": r.sanitized_input, "tools": [t["tool"] for t in r.tool_calls]}
7
            for r in records
8
        ]
9
    }

Pillar 3: PII/PCI Data Handling#

1
class PIIHandler:
2
    # Regex patterns: email, phone, SSN, credit card
3
    # NLP-based: Presidio Analyzer
4

5
    async def process_input(self, text):
6
        # 1. Fast regex detection
7
        # 2. NLP-based detection
8
        # 3. Redact with Presidio Anonymizer
9
        # 4. PCI: never store full PAN, only last 4 digits

Data Retention#

Type	Standard	PII	PCI
Conversation	90 days	30 days	0 days (never store raw)
Tool calls	90 days	90 days	365 days
Audit	365 days	365 days	7 years

Pillar 4: SOC 2 Controls#

SOC 2 Criterion	Agent Control
CC6.1 Logical access	MCP server auth (API key + JWT)
CC6.6 Incident detection	Injection guardrails
CC7.2 Monitoring	Full audit logging
CC8.1 Change management	Prompt versioning (Git PR)
A1.2 Processing integrity	Tool call validation

Pillar 5: PCI Compliance#

1
class PCIComplianceLayer:
2
    async def process_payment(self, params):
3
        # PCI 3.4: Never log full card numbers
4
        params["card_number"] = f"****-****-****-{pan[-4:]}"
5
        # Send full PAN directly to processor, never store
6

7
        # PCI 10.2: Audit trail (no PAN, no CVV, no expiry)
8
        await self.pci_audit_log.append({
9
            "event": "payment_processed",
10
            "card_last_four": pan[-4:],
11
            "amount": params["amount"],
12
        })

Production Checklist#

Tiếp Theo#

Bài	Chủ đề
1	Prompt Injection & Defense
2	Tool Access Control
3	MCP Server Security
4	Agent Auditing & Compliance (bài này)
5	Production Security Patterns — coming next

Series: Agent Security 2026 — Production Patterns. Bài 4: Agent Auditing & Compliance.