TL;DR
Marturia receipts give engineering teams cryptographically verifiable logs of every AI agent decision. Map each receipt to the relevant SOC 2 control by embedding a control_id tag; auditors then run the open-source verifier against your Merkle root instead of trusting your internal logs.

SOC 2 Trust Services Criteria Affected by AI Agents

AI agents introduce new monitoring and change-management surfaces. The controls below are the ones most directly supported by signed, hash-chained receipts.

CC4.1 – Monitoring of Controls

Evidence Marturia supplies
Every decision carries an Ed25519 signature, previous-hash pointer, and tenant-specific Merkle root. The receipt itself is the control activity log.

What the auditor sees
They receive a JSON array of receipts for the audit window and run:

pip install marturia-verify
marturia-verify --root 0xabc123... --receipts audit-window.json

The tool confirms signature validity, hash chain integrity, and Merkle inclusion in one command.
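
An added example of the hash-chain part of that check, not Marturia's code or receipt format: the `prev_hash` field name, the genesis value, and the sorted-key JSON canonical form are assumptions made for illustration. It shows that an edit or a deletion breaks a link, while truncation is caught only by comparing against an independently anchored head hash.

```python
import hashlib
import json

GENESIS = "sha256:" + "0" * 64  # assumed sentinel pointer for the first receipt

def receipt_hash(receipt):
    """Hash a receipt over an assumed canonical form: sorted-key, compact JSON."""
    canonical = json.dumps(receipt, sort_keys=True, separators=(",", ":"))
    return "sha256:" + hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def build_chain(bodies):
    """Link receipt bodies by adding the hypothetical prev_hash pointer to each."""
    chain, prev = [], GENESIS
    for body in bodies:
        receipt = dict(body, prev_hash=prev)
        chain.append(receipt)
        prev = receipt_hash(receipt)
    return chain

def verify_chain(chain, expected_head):
    """Return (ok, index_of_first_break). expected_head is the hash of the last
    receipt obtained from an independent anchor, not from the export itself."""
    prev = GENESIS
    for i, receipt in enumerate(chain):
        if receipt.get("prev_hash") != prev:
            return False, i  # receipt i does not point at its predecessor
        prev = receipt_hash(receipt)
    if prev != expected_head:
        return False, len(chain)  # tail truncated, or last receipt altered
    return True, None

def sample_body(n, control_id):
    """Constructed sample receipt using the field names from the page's example."""
    return {"decision_id": f"dec_{n:04d}", "agent": "pricing-v3",
            "control_id": control_id,
            "payload_hash": "sha256:" + hashlib.sha256(b"payload-%d" % n).hexdigest(),
            "ts": f"2026-05-12T14:0{n}:00Z"}

SAMPLE = build_chain([sample_body(1, "CC4.1"), sample_body(2, "CC7.2"),
                      sample_body(3, "CC4.1")])
HEAD = receipt_hash(SAMPLE[-1])  # stands in for the externally anchored value

if __name__ == "__main__":
    print(verify_chain(SAMPLE, HEAD))        # intact chain
    edited = [dict(r) for r in SAMPLE]
    edited[0]["control_id"] = "CC8.1"        # retag a receipt after the fact
    print(verify_chain(edited, HEAD))        # break reported at the next link
    print(verify_chain(SAMPLE[:2], HEAD))    # dropped tail fails the head check
```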

CC4.2 – Monitoring of Third-Party Controls

When an agent calls an external model or API, the receipt records the exact prompt hash, model version, and response hash. The auditor can re-execute the verifier against the third-party attestation if one exists.

CC7.2 – System Operations

Receipts contain the agent identity, policy version, and decision timestamp. Operations teams query by control_id: "CC7.2" to demonstrate that every production decision followed the approved policy.

CC8.1 – Change Management

A receipt tagged control_id: "CC8.1" is emitted on every model or prompt update. The hash chain proves the change occurred after the change ticket was approved and before the new version handled live traffic.

A1.2 – Availability

Receipts are anchored to a public witness network. If the primary logging service is down, the witness cosignature still proves the decision was made at a specific time, satisfying the “recoverability of processing” requirement.

Live Audit Walkthrough

Auditor: “Show me that CC4.1 monitoring operated effectively for the last 90 days.”

You:
1. Export receipts from the Marturia dashboard with filter control_id=CC4.1 AND ts >= 2026-02-01.
2. Hand over the resulting cc41-evidence.json plus the tenant public key.
3. Auditor runs the one-line verifier command above.
4. Exit code 0 + printed Merkle proof = pass. No further log review required.

Cryptographic Advantage

Traditional evidence requires the auditor to trust your log-shipping pipeline and access controls. With Marturia they only need to trust two things: the Ed25519 signature scheme and the published witness set. Both are public and open-source (marturia-verify on PyPI). Your internal systems can be compromised without invalidating the receipts already anchored.

Integration Tips

Tag receipts at emission time so audit queries become trivial:

{
  "decision_id": "dec_01jxyz",
  "agent": "pricing-v3",
  "control_id": "CC4.1",
  "payload_hash": "sha256:...",
  "ts": "2026-05-12T14:03:00Z"
}

Store the control_id in the top-level object; the Marturia API then supports direct filtering:

GET /receipts?control_id=CC7.2&from=2026-02-01

How the Pieces Fit Together

[Diagram: CC4.1 / CC4.2 Monitoring, CC7.2 System Ops, CC8.1 Change Mgmt, A1.2 Availability; Marturia Receipts (Ed25519 + hash chain); marturia-verify (open-source); Auditor Report (no trust in tenant logs).]

Related Marturia resources
- /docs/api.html
- /learn/lesson_08_compliance_landscape.html
- /docs/quickstart.html