📋 soc2 × ai-system

SOC 2 for ai system, automated.

Service Organization Control 2 (Trust Services Criteria). Applies to ai system by default.

$ npx great-cto init 🧠 ai-system archetype →
What SOC 2 requires

Concretely, line by line.

How GreatCTO wires it

Detection → overlay → reviewer.

In your ai system project, GreatCTO detects the archetype and overlays the ai-system reviewer agent. SOC 2 gates auto-attach. The reviewer reads the regulation text, your code, your tests, and emits a verdict per requirement — with a diff if anything's missing.

DETECT

Archetype + scope

Stack signals + manifests + README keywords identify ai-system as the project type. SOC 2 is in the default gate set for this archetype.

OVERLAY

enterprise-saas-reviewer wires TSC mapping + evidence capture

The reviewer agent prompt encodes each requirement above as a check. When a PR touches relevant code paths, the reviewer fires with the specific check that matters.

EVIDENCE

Audit trail per gate

Each gate decision is logged to .great_cto/gates.log with timestamp, reviewer, verdict, and rationale. Auditors get a tidy CSV; no scrambling at audit time.

MEMORY

Lessons across audits

When an auditor flags something in one project, the lesson promotes to ~/.great_cto/decisions.md after the 3rd similar finding. Next project's first run includes the lesson in Step 0.

Caveats

What GreatCTO does not do.

It does not certify you. SOC 2 compliance requires human accountability — a CISO sign-off, a DPO review, in some cases an external auditor. GreatCTO ships the evidence; you still own the attestation.

It does not substitute legal review. The reviewer agent encodes commonly accepted readings of the regulation, not your specific jurisdictional interpretation. For high-stakes cases, lawyer involvement is still load-bearing.

It does not eliminate gaps in the requirements list. The list above is the surface area we cover programmatically. SOC 2 has more (Annex II's, sub-clauses, jurisdictional carve-outs). Override the reviewer prompt in agents/ai-system-reviewer.md for your specifics.

Receipts

Don't take my word for it.

01 · ARCHITECTURE

Live state machine

Every box on the diagram is a clickable link to the agent's source on GitHub.
02 · PROOF

One real compliance run

Voice-AI pack rollout: TCPA + STIR/SHAKEN + state recording consent gates auto-wired. Timeline, costs, artifacts.
03 · AGENTS

All 34 agents on GitHub

The ai-system-reviewer prompt is auditable. Read it, override it, fork it.
Install

Wire SOC 2 gates in one command.

$ npx great-cto init

Free, MIT, runs locally. The reviewer agent ships with the npm package — no SaaS portal, no compliance vendor lock-in.