ISO/IEC 27001
The mainstream information-security standard. Its long control checklist (Annex A) now expects you to govern AI agents the same way you govern human users: least privilege, access reviews, full audit trail. IntentGate handles those controls on the agent side, the same way your IAM handles them for people. The table below maps each Annex A clause to the gateway output.
Obligation to evidence
| Obligation | IntentGate output |
|---|---|
| A.5.10 — acceptable use of information and other associated assets | Policy enforces acceptable agent actions per tool; audit chain provides the evidence |
| A.5.15 — access control | Per-call capability check refuses unauthorized actions; logged with reason |
| A.8.2 — privileged access rights | Agent identities inventoried with their capability scope; JIT elevation for operators |
| A.8.15 — logging | Per-decision audit chain, OCSF-aligned, fed to SIEM |
| A.8.16 — monitoring activities | Webhook fan-out plus Prometheus metrics on refusal patterns |
| A.5.24 — information security incident management planning and preparation | Standardized JSON-RPC error codes feed SIEM rules and SOC playbooks |
ISO 27001 auditors ask for evidence at sampled dates across the certification period. Continuous evidence by design beats screenshot-on-request every time.
Want the mapping for your specific audit?
Each organisation has a different combination of regulations and a different audit cycle. We can walk through your specific obligations in a 30-minute call.