Compliance
AI Agents for Compliance: From Manual Evidence to Autonomous Verification Systems
AI agents now do the SOC 2 evidence work a dashboard leaves behind: running control tests, capturing UI proof, chasing the attestations only a person can answer, and filing signed, audit-ready packs. This guide shows how Vera, an agent who runs continuous compliance, moves you from manual evidence to scheduled verification across SOC 2, ISO 27001, and HIPAA, and where honest escalation keeps a human in the loop.

SOC 2 audits still require UI proof, application evidence, and documentation an auditor can review, and most GRC dashboards leave that work to you. They automate infrastructure checks over API, then mark the application controls and the attestations "manual" and wait. An agent can do that work instead. Screenata gives you Vera, an agent who runs continuous compliance: she runs your control tests, captures timestamped UI proof, DMs your team for the sign-offs a dashboard can only flag, and files signed, traceable packs. Moving from manual evidence to scheduled verification takes audit prep from weeks of screenshotting and chasing down to hours of review.
Why an Agent Does This Work Better Than a Dashboard
Compliance has moved from configuration checking to behavior verification. Systems are UI-driven, human-operated, and workflow-based, so proving a control exists is no longer enough. Auditors expect evidence that controls are exercised, enforced, and reviewed in practice.
That is exactly the work a dashboard cannot do. An API reports states; it cannot log into your product and run a user-level test, and it cannot ask a person whether the access review happened. A human can do both, but not continuously or consistently. An agent does both at machine speed: Vera observes application behavior the way an auditor would, on a schedule, and files the proof with provenance attached.
What Is Vera, and What Does She Do?
Vera is an agent who runs continuous compliance. She scans your infrastructure read-only, scopes your control matrix, drafts policies grounded in what she finds, runs the tests, and files the evidence. Rather than relying only on API snapshots, she interacts with your software the way an auditor would, then signs and traces every artifact she produces.
In practice she acts as the visual and human sensor for your program. She does not just confirm a setting is enabled in a database; she runs the test in the application UI, captures the timestamped result, and, when a control needs a person's confirmation, she chases the right teammate for it. Her evidence mix is the honest breakdown: about 70% is fully API-automated, roughly 9% is automated screenshots (the browser extension plus a vision model scoring each capture against the control), about 9% is guided capture, and around 5% is ingested from your inbox as forwarded emails or Slack file drops. Zero percent comes from a person uploading files into a dashboard.
Why Is Manual Evidence Collection Still a Problem?
Even with an automated dashboard, most teams hit a "20% manual gap." Tools like Drata and Vanta automate roughly 80% of the work through API integrations with AWS, GitHub, and Okta. The remaining 20% is application-level controls and human attestations, and a dashboard leaves them to you.
The hidden cost of the last mile
Security and engineering teams often spend 40 to 80 hours per quarter on:
- Manual UI testing: logging into production and staging to prove "Access Denied" screens appear for non-admin users.
- Screenshot management: capturing, cropping, and redacting PII in images by hand.
- Narrative writing: typing out the steps taken during a test.
- Formatting: assembling images and text into documents that meet the auditor's bar.
- Attestation chasing: reminding managers and owners to sign off on reviews and exceptions.
The work is slow and error-prone, which leads to evidence rejection during the audit window and expensive re-testing. Vera absorbs all of it.
How Does Vera Capture SOC 2 Evidence Automatically?
Vera goes beyond screen recording. She runs the control test, scores the result, and packages it so the evidence is sufficient, reliable, and relevant for an auditor.
She runs the test in the real UI
Through the Screenata browser extension, Vera navigates your application the way an auditor would: she exercises the flow for the control, reaches the state that proves it (an "Access Denied" screen, an "MFA required" prompt, a role restriction), and captures it. This is how she documents controls in internal tools and proprietary software that has no public API.
A vision model scores the capture
Each capture is scored by a vision model against the control objective, so the artifact is checked for relevance rather than dumped into a folder. When the capture does not clearly show what the control needs, Vera flags it for another pass instead of filing weak evidence.
She understands the control's intent
Vera works from the control objective, not a fixed script. For SOC 2 CC6.1 (logical access), she knows the test has to show both an authorized user reaching a protected route and an unauthorized user being denied, so she runs both paths and captures both.
PII is redacted at capture
Emails, keys, and customer names are redacted at the moment of capture, before anything is stored, so sensitive data never lands in an evidence file.
Why an Agent Beats Scripts and RPA
Not all automation is agentic. Traditional scripts and RPA tools rely on fixed coordinates, brittle selectors, and rigid flows. When an interface changes, they fail silently or need re-engineering.
Vera works from intent. She identifies semantic elements such as "Admin Settings" or "Access Denied" rather than screen coordinates, so she adapts to UI changes, conditional logic, and unexpected states without breaking. For compliance that resilience matters: evidence collection has to hold up over months and years, not just through one audit cycle.
Where Infrastructure Automation Stops and Vera Starts
There is a clean boundary between what a dashboard reads over API and the work it hands back. Vera owns that second half, and works alongside your dashboard if you keep one.
| Capability | GRC dashboards (Drata / Vanta) | Vera, the compliance agent |
|---|---|---|
| Primary data source | Cloud APIs (AWS, GitHub, GCP) | Application UI, workflows, codebase, plus the same APIs |
| Control focus | Infrastructure and system configs | Application logic, policies, control mapping, attestations |
| Evidence type | JSON and API metadata | Signed screenshots, PDF packs, policies, readiness scores |
| Human sign-offs | Flagged and left to you | Chased in Slack with reminders and escalation |
| Remediation | Flags the finding | Opens the ticket and re-verifies after a human applies the fix |
| Scope | Infrastructure monitoring | The full program, on a schedule |
For most startups Vera replaces both the dashboard and the consultant. If you already run Drata or Vanta, she works alongside it and covers everything it leaves manual.
How to Automate SOC 2 Control Evidence: Step by Step
Moving from manual evidence to scheduled verification follows four steps.
Step 1: Scope the control test
Vera links the test to a specific control ID, for example CC6.1 for access or CC7.2 for change management, and identifies the flow and the route to exercise.
Step 2: Run the test
Vera (or you, guided by her, on a schedule) runs the steps. For a change-management test that might mean opening a pull request in GitHub, showing the branch-protection rules, and demonstrating that the merge button stays disabled until a peer approves.
Step 3: Capture and sign
During the run, the extension captures timestamped screenshots, a DOM snapshot, and session metadata, redacts PII at capture, and writes the step-by-step narrative. Each artifact is hashed, timestamped (RFC 3161), and signed.
Step 4: File and sync
The output is a structured evidence pack: a formatted PDF and the raw captures with metadata, traced back through the control test to a policy claim. If you run a GRC dashboard, Vera pushes the pack into the matching control's evidence slot.
Do Auditors Accept Vera's Evidence?
Yes. Auditors accept machine-captured evidence when it meets the AICPA bar for reliability and authenticity, and many prefer it because it resists tampering and gives a cleaner trail. Vera's packs carry the provenance auditors look for:
- Timestamps stamped at capture, which blocks backdating.
- A DOM snapshot showing the underlying page, which proves the UI was not faked.
- Tester attribution linking the session to an authenticated user.
- A cryptographic hash and signature so the capture cannot be altered after the fact.
Because each artifact ties back through a control test to a policy claim, an auditor can start from a policy sentence, follow it to the signed evidence, and verify the signature independently with a free CLI. Machine-captured evidence like this is repeatable, complete, and resistant to selective omission, which shifts the auditor's job from validating evidence toward evaluating control design and effectiveness.
The Attestation Work No Dashboard Solves
SOC 2 is the clearest example, but the pattern is general: anywhere an auditor needs proof of execution rather than configuration, someone has to confirm it. Access reviews, approvals, and exception handling all come down to observable behavior and human sign-off.
A large share of the "20% gap" is not a screenshot at all. It is a person answering a question:
- Did the quarterly access review happen, and did the right managers sign off?
- Who approved this production exception, and why?
- Was this vendor reviewed before it was onboarded?
- Did offboarding revoke access in every downstream system?
A dashboard flags these and waits. Vera does the chasing: she DMs the right person, reminds at 24 hours, escalates to you at 48, and files the reply the moment it lands. On access reviews she schedules and orchestrates the review and chases the reviewers, while the final judgment stays with your team. When she finds a gap she cannot resolve on her own, she opens the remediation ticket, drafts the fix, and re-verifies after a human applies it. Honest escalation is the point: she says what she cannot do and asks for your call, which is what makes an auditor trust the output.
Worked Example: Automating CC6.1 (Logical Access)
Control objective. Verify that access to the production environment is restricted to authorized users by role.
Doing it by hand
A developer logs in as a "Viewer," attempts the "Delete Database" action, screenshots the error, pastes it into a document, and writes a caption. Roughly 30 minutes per environment, and easy to forget a step.
Doing it with Vera
Vera runs the test on a schedule. She logs in as the Viewer, attempts the restricted action, captures the "403 Forbidden" response with a DOM snapshot, scores it against the control, signs the pack, and files it against CC6.1.
- Hands-on time: a couple of minutes of review.
- Output: a signed, audit-ready pack with a claim-to-evidence chain.
Manual vs. Agent-Run Evidence Collection
| Metric | Manual process | Vera |
|---|---|---|
| Collection time | 60+ minutes per control | Minutes of review per control |
| Consistency | Prone to missed captures | Uniform, every control packaged the same way |
| Privacy | Manual redaction, often forgotten | PII redacted at capture |
| Format | Folders of loose images | Signed PDF and ZIP packs |
| Traceability | Relies on file names | Claim to test to signed artifact |
| Attestations | You chase them | Vera chases them in Slack |
Working With Your Existing GRC Stack
Vera fits inside the tools you already run and feeds your source of truth.
- Drata and Vanta: she pushes signed evidence packs into the custom-evidence or manual-upload slot for each control.
- Jira and GitHub: she can start a capture when a Jira ticket for a user access review is closed, and she reviews pull requests for compliance-relevant changes.
- Slack and Teams: she posts a daily briefing, notifies you when a pack is ready for review, and chases attestations with reminders and escalation.
A Week in Vera's Compliance Cadence
Continuous compliance is a schedule, not a scramble before the audit.
- At 6:30 AM Vera posts a Slack briefing: current readiness, which controls need attention, and anything she escalated overnight.
- Mid-week a CC6.2 offboarding control comes due. She DMs the IT lead to confirm access was revoked, captures the disabled-account state, and files both.
- When a CC6.1 control needs fresh proof, she runs the RBAC test, captures the denial, signs the pack, and syncs it into your dashboard.
- By week's end she runs a full cloud and repo scan, catches a new bucket without encryption, and opens the remediation ticket for a human to apply.
Recording tests throughout the year keeps the program audit-ready instead of red the week before.
Collect Once, Map Across SOC 2, ISO 27001, and HIPAA
Vera is framework-agnostic. One captured test or one scan can satisfy several standards through a shared control catalog: a single MFA scan covers SOC 2 CC6.1 and HIPAA safeguards at once, and one RBAC capture maps to SOC 2, ISO 27001 Annex A, and CMMC practices. You collect once and satisfy many, which is where the cross-framework savings come from.
What This Costs
A dashboard alone still needs a vCISO or consultant (roughly $2K to $5K a month) to write policies, decide what to fix, and run the program the dashboard only monitors. With the audit, a traditional first year lands around $85K. Vera replaces both the platform and the consultant: Screenata is $499 a month for SOC 2 Type II, with Type I from $299, bringing a typical first year to around $18K. You get 20+ native integrations, 489+ checks, and 27+ agent tools across Slack, email, the CLI and a Claude Code MCP, and GitHub pull-request reviews.
Frequently Asked Questions
What is SOC 2 evidence automation?
It is using software to collect, validate, and document the proof an audit needs: infrastructure logs, configuration states, application UI proof, and the attestations behind manual controls. Vera does all four and signs the output.
How is Vera different from a screen recorder?
A screen recorder only captures video. Vera understands the control objective, runs the test, scores the capture with a vision model, redacts PII, signs the artifact, and traces it back to a policy claim, then files it as an audit-ready pack.
Does this work for ISO 27001 and HIPAA too?
Yes. The control IDs differ, but the need for UI proof and attestations is the same. Vera maps one captured test to SOC 2, ISO 27001 Annex A, HIPAA safeguards, and CMMC practices, so you collect once and satisfy several frameworks.
Does Vera replace a dashboard like Vanta or Drata?
For most startups, yes. She scans the same infrastructure, captures the application evidence, chases attestations, and writes policies grounded in your real systems, replacing both the dashboard and the consultant. If you already run Vanta or Drata, she works alongside it and covers everything it leaves manual.
How does Vera handle PII?
She redacts sensitive strings such as emails, keys, and customer names at the moment of capture, before the screenshot is stored, so PII never lands in an evidence file.
Does Vera fix problems on her own?
No. When she finds a gap she opens the remediation ticket, drafts the fix, and re-verifies after a human applies it. She escalates judgment calls rather than acting on them unattended, which is what keeps auditors comfortable with the output.
From Assisted Evidence to Scheduled Verification
Today an agent absorbs the manual evidence work a person used to do by hand. The next step is scheduled verification, where Vera runs controls on a set cadence without anyone kicking them off, and beyond that, change-driven collection, where a capture runs when a system change or risk signal appears.
That trajectory turns compliance from a periodic scramble into a continuously verified program. Teams that adopt it early spend less time prepping for audits and more time improving their security posture, with a signed, re-derivable trail behind every claim.
Key Takeaways
- A dashboard flags the work; Vera does it. She runs the control tests, captures signed UI proof, chases the attestations in Slack, and files traceable packs, alongside your dashboard or in place of it.
- The 20% gap is real work. Application controls like CC6.1 and CC7.2, plus the periodic attestations, are the slowest part of a SOC 2 audit, and much of it is a human sign-off, not a screenshot.
- An agent beats scripts and RPA. Working from control intent instead of fixed coordinates keeps evidence collection resilient over months and years.
- Signed, re-derivable evidence beats loose screenshots. Verifiable provenance and a claim-to-evidence chain cut auditor follow-ups and shorten the window.
- Honest escalation is the trust mechanism. Vera says what she cannot do, opens tickets for humans to apply, and keeps judgment calls with your team.
- Vera replaces both the platform and the consultant, bringing a typical first year to around $18K versus roughly $85K for the traditional stack.
Deep Dive: AI Agents for Compliance Automation
Explore how agent-run verification is changing audit preparation:
- The Future of AI-Driven Compliance: From Workflow Recording to Self-Auditing Systems - Evolution toward continuous compliance
- Will AI Agents Eventually Handle Full Compliance Testing? - The path and its limits
- How AI Agents Capture Screenshots Automatically for Audits - How the capture works
- What Computer-Use-Level Verification Means for Audit Reliability - Reliability and accuracy
- Can AI Achieve Real-Time Compliance Assurance Across Multiple Standards? - Multi-framework continuous compliance
- AI Agents vs RPA: Which is Better for Compliance Automation? - Technology comparison
- 10 Compliance Automation Trends That Actually Changed in 2025 and Will Matter in 2026
- AI Agents in Compliance: How Screenata is Redefining Evidence Collection in 2026
- What is Compliance Evidence Automation and How Does It Work?
- How Screenata Fits Into the Next Generation of Audit Automation
- What makes Screenata a category-defining compliance automation platform
- What Makes Screenata a Category-Defining AI Compliance Officer
- How AI-Generated Evidence Will Shape Auditor Workflows
- How to Automate ISO 42001 AI Governance Evidence
- How to Automate ISO 42001 and NIST AI RMF Evidence Collection
Connect and see
See your SOC 2 with your real systems.
Connect GitHub and cloud read-only. Vera shows your control matrix, policy gaps, and prioritized next actions before you commit to anything.