What Auditors Still Ask for After Drata Automation: Missing SOC 2 Evidence
Even with Drata, auditors still ask for manual SOC 2 evidence like application screenshots, change management approvals, and access control workflows. This article explains the specific artifacts Drata cannot automate and how AI tools fill the gap.

Even with powerful platforms like Drata, auditors still ask for screenshots, application-specific evidence, and manual documentation during SOC 2 audits. Drata automates infrastructure monitoring through vendor APIs, but it cannot "see" inside your custom application's user interface or verify manual operational workflows. This leaves a gap where teams still spend hours collecting screenshots and formatting evidence to show that controls such as Logical Access (CC6.1) and Change Management (CC8.1) are operating effectively, not merely configured.
What Evidence Does Drata Miss for SOC 2?
Answer: Drata misses evidence that resides in the application layer (your product's UI) and manual processes that do not have public APIs.
Drata connects to AWS, GitHub, Okta, and Google Workspace to monitor configurations. Auditors, however, require evidence that goes beyond configuration settings: they need to see the control operating, and where that evidence is "Information Produced by the Entity" (IPE), such as a report or export you generate, they must also satisfy themselves that it is complete and accurate.
Specifically, auditors will ask for manual evidence in three key areas:
- Application Access Controls: Proof that role-based access control (RBAC) works in your actual product (e.g., a screenshot showing that a "Viewer" cannot see the "Delete" button, ideally paired with the denied response when the Viewer requests the delete action directly, since hiding a button in the UI is not the same as enforcing the check on the server).
- Internal Tooling: Evidence from custom admin panels or back-office tools that Drata cannot integrate with.
- Process Enforcement: Visual proof of workflows, such as onboarding tickets that require manual approvals outside of an Identity Provider (IdP).
Why Do Auditors Still Request Screenshots with Drata?
Auditors request screenshots to verify Completeness and Accuracy (C&A). While an API check in Drata might confirm that "MFA is enabled" in the settings, an auditor often needs to see the user experience to confirm enforcement.
The "Black Box" Problem
Drata sees the configuration (the switch is "On"), but the auditor needs to verify the implementation (the login screen actually prompts for a second factor, and no session is issued without it).
- API Evidence (Drata): The IdP policy reports MFA as required for all users.
- Screenshot Evidence (Auditor Request): The login flow, captured as a user, showing the second-factor prompt before any application page loads.
Because Drata cannot log into your application and click through it like a person, auditors ask for screenshots to bridge the gap between "configured" and "functioning."
Which SOC 2 Controls Still Require Manual Evidence?
The following table breaks down the specific SOC 2 controls where Drata automation typically stops and manual screenshot requests begin.
| SOC 2 Criterion | Control Objective | What Drata Automates | What Auditors Ask For (Manual) |
|---|---|---|---|
| CC6.1 | Logical access | IdP (Okta/Google) settings | Screenshots of application-level roles and permissions (e.g., Admin vs. User view), plus the denied response when a restricted action is attempted. |
| CC8.1 | Change management | PR merge checks (GitHub) | Evidence of design reviews, manual QA or UAT (User Acceptance Testing) sign-offs in tickets where approval is not strictly enforced in code. |
| CC7.1 | Vulnerability detection and monitoring | Dependabot alerts, vulnerability scan cadence | Screenshots of remediation tickets or false-positive dismissals in tools without API links. |
| CC2.2 | Internal communication | Policy acknowledgement | Slack messages or emails communicating specific incidents or changes to the people who must act on them. |
Where Traditional SOC 2 Automation Stops
It is critical to understand the boundary between Infrastructure Automation (Drata/Vanta) and Evidence Automation (Screenata).
1. The API Boundary
Drata can only automate what it can connect to via API. If your evidence exists in a custom React admin dashboard, a legacy on-premise tool, or a SaaS platform with a limited API, Drata cannot fetch it.
- Result: You must manually take screenshots.
2. The Context Boundary
Drata monitors binary states (Pass/Fail). It cannot capture context.
- Drata: "User 'jdoe' is an admin." (Pass/Fail)
- Auditor: "Show me why 'jdoe' was granted admin access. Where is the ticket? Who approved it? Show me the screenshot of the approval comment."
- Result: You must manually find and screenshot the Jira ticket or Slack conversation.
3. The Visual Boundary
Drata reads JSON data. Auditors read documents.
- Drata: Checks a flag, `mfa_enabled: true`.
- Auditor: Wants to see the login flow to confirm the MFA prompt appears before access is granted.
- Result: You must record a video or take a sequence of screenshots.
How to Automate the Evidence Drata Misses
To stop auditors from asking for manual screenshots, you need to automate the collection of application-level evidence. This is done with AI agents that perform "computer use": they interact with the UI the way a human auditor would. Two things make such a capture credible as evidence: the account the agent uses must be a real low-privilege account provisioned through your normal process (a special test account with hand-granted rights proves nothing about your RBAC), and each capture must record who performed it, the URL, and the time.
Step-by-Step: Automating a "Manual" Request
Here is how you can use a tool like Screenata to satisfy an auditor's request for "Application RBAC Evidence" (CC6.1) without manual work.
- Auditor Request: "Please provide screenshots showing that a 'Support' user cannot access the 'Billing' settings."
- Automated Action: You trigger a Screenata workflow.
- AI Execution: The AI agent logs into your app as the 'Support' user, navigates to `/settings/billing`, and captures the "403 Forbidden" or "Access Denied" screen.
- Evidence Generation: The system generates a PDF titled `CC6.1_RBAC_Test_Billing_Access.pdf` with timestamps, URL bar visibility, and user metadata.
- Upload: This PDF is automatically attached to the relevant control in Drata.
By treating the UI interaction as a testable workflow, you convert "manual requests" into "automated artifacts."
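A scripted version of that RBAC check, added here as an example; it is not Screenata's or Drata's code, and the sample application, the session tokens, and the `/settings/billing` policy are all constructed for the demonstration. It makes the "Black Box" point concrete: the evidence is the observed response to a real request made as the low-privilege identity, not the role table. The script also carries two controls a reviewer will ask about: the same page succeeds for an Admin, so the 403 is a policy decision rather than a broken route, and an unauthenticated request yields 401, which is an authentication outcome and must not be mistaken for RBAC evidence. Each record carries who, what, when, the observed status and a hash of the response body, and the pack itself is hashed so later alteration is detectable.

```python
"""Added example: evidence that application RBAC is functioning, not just configured.
Not Screenata's or Drata's code; the sample app, tokens and route policy are constructed."""
import hashlib
import json
import threading
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

# Constructed session store: token -> identity. Against a real product these would be
# ordinary accounts provisioned through the normal joiner process, not hard-coded values.
SESSIONS = {
    "tok-support": {"user": "support.user@example.com", "role": "support"},
    "tok-admin": {"user": "admin.user@example.com", "role": "admin"},
}
# Constructed route policy: path -> roles allowed. Billing settings are admin-only.
ROUTE_POLICY = {
    "/settings/billing": {"admin"},
    "/settings/profile": {"admin", "support"},
}


class SampleApp(BaseHTTPRequestHandler):
    """Stand-in for the product under test; enforces ROUTE_POLICY on the server side."""

    def do_GET(self):
        token = self.headers.get("Authorization", "").removeprefix("Bearer ")
        session = SESSIONS.get(token)
        if session is None:                 # no or invalid session: authentication failure
            return self._send(401, "Authentication required")
        allowed = ROUTE_POLICY.get(self.path)
        if allowed is None:
            return self._send(404, "Not found")
        if session["role"] not in allowed:  # valid session, wrong role: authorisation failure
            return self._send(403, "Access denied")
        self._send(200, f"{self.path} for {session['user']} ({session['role']})")

    def _send(self, status, text):
        body = text.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):           # keep the sample server quiet
        pass


def collect_access_evidence(base_url, path, token, tested_as, expected_status, control="CC6.1"):
    """Make one request as a named identity and record what actually happened."""
    url = base_url + path
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    try:
        with request.urlopen(request.Request(url, headers=headers), timeout=5) as resp:
            status, body = resp.status, resp.read()
    except error.HTTPError as e:            # 4xx responses are the interesting outcomes here
        status, body = e.code, e.read()
    return {
        "control": control,
        "tested_as": tested_as,
        "url": url,
        "captured_at": datetime.now(timezone.utc).isoformat(),
        "expected_status": expected_status,
        "observed_status": status,
        "body_sha256": hashlib.sha256(body).hexdigest(),
        # Exact match only: a 401 for the Support user would mean the test never
        # authenticated and would say nothing about the authorisation check.
        "passed": status == expected_status,
    }


def build_evidence_pack(records, control="CC6.1"):
    """Bundle the records with a content hash so later alteration is detectable."""
    digest = hashlib.sha256(json.dumps(records, sort_keys=True).encode()).hexdigest()
    return {"control": control, "all_passed": all(r["passed"] for r in records),
            "records": records, "pack_sha256": digest}


def run_rbac_test():
    """Start the sample app on an ephemeral port, run the three checks, return the pack."""
    server = HTTPServer(("127.0.0.1", 0), SampleApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        records = [
            # The auditor's request: a Support user must be denied the billing settings.
            collect_access_evidence(base, "/settings/billing", "tok-support", "support.user@example.com", 403),
            # Positive control: an Admin reaches the same page, so the 403 is policy, not a broken route.
            collect_access_evidence(base, "/settings/billing", "tok-admin", "admin.user@example.com", 200),
            # Negative control: no session gives 401 (authentication), which is not RBAC evidence.
            collect_access_evidence(base, "/settings/billing", None, "<unauthenticated>", 401),
        ]
    finally:
        server.shutdown()
        server.server_close()
    return build_evidence_pack(records)


if __name__ == "__main__":
    print(json.dumps(run_rbac_test(), indent=2))
```

Run it directly and the JSON it prints is the kind of record that belongs beside the screenshot in the evidence PDF. Against a real application, replace the sample server with your product's base URL and a Support account created through the normal joiner process, and keep the positive and negative controls: without them a 403 on its own does not show that the page works at all, or that the request was ever authenticated.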
Example: Automating Change Management Approvals (CC8.1)
The Scenario: You use GitHub for code, but your deployment process includes a manual "Go/No-Go" decision in Slack or a specific Jira status transition for "Design Review" that Drata's standard integration does not capture.
The Manual Way:
- Auditor selects a sample of 25 changes.
- You search Jira for 25 tickets.
- You screenshot the "Comments" section of each ticket to prove a design discussion happened.
- Time taken: ~4 hours.
The Automated Way:
- You define a workflow in Screenata: "Go to Jira ticket > Capture 'Design Review' section."
- The AI agent iterates through the list of 25 ticket URLs.
- It captures the screenshots, highlights the approval comment, and compiles a single "Change Management Evidence Pack" PDF.
- Time taken: ~5 minutes.
Frequently Asked Questions
Does Drata take screenshots?
No. Drata generally does not take screenshots of application UIs. It collects JSON metadata from APIs (e.g., AWS config, GitHub settings). Any evidence requiring visual proof of a UI state must be collected manually or with a dedicated evidence automation tool like Screenata.
Why doesn't Drata automate application controls?
Drata focuses on infrastructure and policy compliance. Automating application controls means driving a custom user interface that is different for every company, either with scripted browser automation or with an agent that interprets the screen. That is a capability distinct from API monitoring.
Can I upload AI-generated screenshots to Drata?
Yes. Whether a screenshot was taken by a person or by an automated agent does not change how an auditor evaluates it: it must be relevant, reliable, and complete. Tools like Screenata generate PDFs that include metadata (timestamps, URLs, tester ID) so the auditor can assess those properties. These PDFs can be uploaded directly to Drata's "Evidence Library."
What happens if I don't provide the screenshots?
If you rely solely on Drata's API checks for controls that require visual verification (like custom RBAC), the auditor may record an "Exception" or "Deviation" against the control because its operating effectiveness could not be verified. Enough exceptions, or an exception in a key control, can lead to a qualified opinion in your SOC 2 report.
Key Takeaways
- ✅ Drata is not enough on its own: It covers infrastructure and IdP configuration, but application-level and process evidence often still requires manual screenshots.
- ✅ Auditors need visual proof: APIs prove configuration; screenshots prove implementation and user experience.
- ✅ Manual controls persist: Logical Access (CC6.1) and Change Management (CC8.1) are the most common areas where auditors demand manual evidence.
- ✅ Automation is possible: AI agents can capture these "missing" screenshots automatically, generating audit-ready PDFs that you can upload to Drata.
Learn More About SOC 2 Evidence Automation
For a complete guide to automating the entire evidence lifecycle, see our guide on automating SOC 2 evidence collection, including how to handle application-level controls and integrate them with your compliance stack.
Ready to Automate Your Compliance?
Join 50+ companies automating their compliance evidence with Screenata.