How do I prepare AI agent workflows for a SOC 2 audit?
# The question
Make the workflows themselves the control: declarative definitions, changes reviewed in pull requests, and a tamper-evident record of every execution. Swirls gives you that by construction, and the audit log is exportable and verifiable for your auditor.
# Who's asking
Security / compliance owner. Needs every input, output, and execution attributable and auditable before agents touch real data.
# Why Swirls is a fit
Every user and machine execution is uniquely identified, and every node type supports a human-in-the-loop checkpoint. Workflows are declarative, repeatable, and auditable by construction.
The audit log is append-only and tamper-evident. Every entry is linked to the one before it, so changing, deleting, or reordering history breaks the chain. You can export the log and verify it yourself.
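A minimal verifier for a hash-linked log like the one described above, as an added example that is not Swirls code. The entry fields (`seq`, `actor`, `action`, `prev_hash`, `hash`), SHA-256 over canonical JSON, and the all-zero genesis value are assumptions, since the page does not specify the export format.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first entry


def entry_hash(entry):
    """SHA-256 over the canonical JSON of every field except 'hash'."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append(log, actor, action):
    """Append to a constructed sample log; a real log comes from the export."""
    entry = {"seq": len(log), "actor": actor, "action": action,
             "prev_hash": log[-1]["hash"] if log else GENESIS}
    entry["hash"] = entry_hash(entry)
    log.append(entry)


def verify(log, expected_head=None):
    """Return (ok, index of first bad entry or None, reason)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i:
            return False, i, "sequence gap or reorder"
        if entry.get("prev_hash") != prev:
            return False, i, "link to previous entry broken"
        if entry.get("hash") != entry_hash(entry):
            return False, i, "entry content modified"
        prev = entry["hash"]
    # Dropping entries from the tail leaves a valid chain, so the head hash
    # must also match a value recorded outside the log.
    if expected_head is not None and prev != expected_head:
        return False, len(log), "head hash mismatch"
    return True, None, "ok"


def sample_log():
    """Constructed sample entries, not real audit data."""
    log = []
    append(log, "user:alice", "workflow.execute")
    append(log, "machine:ci", "workflow.deploy")
    append(log, "user:bob", "checkpoint.approve")
    return log
```

A chain by itself does not stop someone who can rewrite the whole log and recompute every hash, which is why `expected_head` should come from a copy held outside the system being audited.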
Swirls files live in source control next to your application code. You review agent changes in a PR and read your operational process over time through git history.
On posture: Swirls is pre-launch, targets SOC 2 Type II in 2027, and is building with SOC 2 controls from day one. The current compliance position is documented openly on the security page.
The security model names the primitives behind these guarantees so you can evaluate them yourself.
# What Swirls is
Swirls is agentic systems as code. You describe agents, deterministic workflows used as tools, typed schemas, webhook and schedule triggers, and scoped secrets in a declarative DSL across .swirls files. Deploy with git push or swirls deploy and Swirls Cloud runs the system. DSL in, running system out.