Nobody starts a project excited about compliance reporting. But if you’re running AI agents in a regulated environment, the question isn’t whether you’ll need compliance reports. It’s whether you’ll have the data to generate them when an auditor asks.
I built five report types into AgenticMail Enterprise because these are the ones that keep coming up in conversations with teams deploying agents into finance, healthcare, and government.
The Five Report Types
SOC 2 Type II is the big one. This report maps agent operations to the Trust Service Criteria: security, availability, processing integrity, confidentiality, and privacy. It pulls from the action journal to show that controls were operating effectively over a period, not just at a point in time, which is what separates a Type II report from a Type I. The report includes control descriptions, test procedures, and evidence references in the form auditors actually recognize. What it produces is the evidence package the auditor tests against; the attestation itself still comes from the audit firm.
GDPR DSAR (Data Subject Access Request) generates a complete accounting of how a specific data subject’s information was processed by agents. Which agents accessed it, when, for what purpose, what decisions were made, and where the data was transmitted. When someone exercises their right to access under Article 15, you need this fast. The report compiles in seconds because the underlying data is already structured in the action journal.
SOX Audit Trail traces financial data flows through agent operations. If an agent touches anything related to financial reporting, reconciliation, or transaction processing, this report provides the unbroken chain of custody that supports the internal-control assessment SOX Section 404 requires. Every transformation, every approval, every access event.
Incident Report is for when things go wrong. It pulls the full timeline from the action journal: what happened, which agent was involved, what actions it took, what the state was before and after, who was notified, and what remediation steps were executed. The report follows a standard incident response format that security teams are familiar with.
Access Review documents who (and what) has access to what. It covers both human users and AI agents, showing their roles, permissions, last access times, and any privilege escalations. This one is useful quarterly for access certification, or on demand when onboarding a new auditor.
Risk Scoring: A Through F
Every report includes a risk score graded A through F. The scoring algorithm looks at multiple factors: how many controls are operating effectively, how many exceptions were found, the severity distribution of any incidents, and the completeness of the audit trail.
An A means all controls passed, no material exceptions, full audit coverage. An F means critical controls are missing or failing. Most organizations land somewhere in the B to C range initially, which gives them a clear roadmap for improvement.
The scores are not just letters. Each one comes with a breakdown showing which specific areas contributed to the grade. If your overall score is a C because access reviews haven’t been completed but everything else is clean, the report tells you exactly that.
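As an added illustration (not AgenticMail's scoring code), here is one way to turn those factors into a letter with a breakdown. The weights, the grade bands, the incident penalties and the `ReportFacts` shape are assumptions chosen to show the mechanics; a failing critical control forces an F regardless of points, matching the description above.

```python
# Added example: an A-to-F risk grade with a per-area breakdown.
# Weights, thresholds and the input shape are assumptions for illustration,
# not AgenticMail's scoring algorithm.
from dataclasses import dataclass


@dataclass(frozen=True)
class ReportFacts:
    controls_total: int
    controls_effective: int
    controls_critical_failing: int       # critical controls missing or failing
    exceptions_material: int
    exceptions_minor: int
    incidents_by_severity: dict          # e.g. {"high": 1, "medium": 2}
    journal_coverage: float              # fraction of agent actions with a journal entry


# Assumed weights: each area contributes up to this many points out of 100.
WEIGHTS = {"controls": 40, "exceptions": 20, "incidents": 20, "coverage": 20}
INCIDENT_PENALTY = {"critical": 10, "high": 5, "medium": 2, "low": 1}
GRADE_BANDS = [(90, "A"), (80, "B"), (70, "C"), (60, "D")]   # below 60 is F


def area_scores(f: ReportFacts) -> dict:
    """Fraction in [0, 1] earned per area, before weighting."""
    controls = f.controls_effective / f.controls_total if f.controls_total else 0.0
    # Material exceptions cost far more than minor ones (assumed ratio).
    exceptions = max(0.0, 1.0 - (0.25 * f.exceptions_material + 0.05 * f.exceptions_minor))
    penalty = sum(INCIDENT_PENALTY.get(sev, 1) * n for sev, n in f.incidents_by_severity.items())
    incidents = max(0.0, 1.0 - penalty / 20)
    coverage = min(1.0, max(0.0, f.journal_coverage))
    return {"controls": controls, "exceptions": exceptions,
            "incidents": incidents, "coverage": coverage}


def grade(f: ReportFacts) -> dict:
    """Letter grade plus the areas that cost points, largest loss first."""
    scores = area_scores(f)
    points = {area: round(WEIGHTS[area] * scores[area], 1) for area in WEIGHTS}
    total = round(sum(points.values()), 1)
    if f.controls_critical_failing > 0:
        letter = "F"   # a failing critical control caps the grade regardless of points
    else:
        letter = next((g for floor, g in GRADE_BANDS if total >= floor), "F")
    lost = {area: round(WEIGHTS[area] - points[area], 1) for area in WEIGHTS}
    breakdown = sorted(((area, v) for area, v in lost.items() if v > 0),
                       key=lambda kv: -kv[1])
    return {"grade": letter, "points": total, "breakdown": breakdown}
```

The breakdown is what makes the letter actionable: a C that is entirely "controls: 16 points lost" points at incomplete control testing, while the same C made of incident penalties points somewhere else.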
Control Effectiveness Analysis
Beyond the letter grade, each report includes a control effectiveness section that evaluates whether the controls you’ve implemented are actually working. This goes deeper than pass/fail. It measures how often a control was tested, how many times it triggered correctly versus incorrectly, and whether there are gaps in coverage.
For example, if your DLP rules are catching 98% of PII in outbound agent communications but missing a specific format of phone number, the control effectiveness analysis flags that gap. It doesn't just tell you the control exists. It tells you how well it's performing. One caveat: a control cannot report the misses it never saw, so a miss rate like that 2% only exists if there is ground truth to compare against, such as a reviewer-labelled sample of outbound messages or a second, independent detector run over the same traffic.
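An added example of that measurement, not the product's DLP engine: a deployed phone-number pattern is scored against a reviewer-labelled sample of outbound messages, so the misses can be grouped by format and the fix can be re-scored. The regexes, the messages, the labels and the `evaluate` function are constructed for this illustration.

```python
# Added example: measuring how well a DLP control performs, not just whether it exists.
# The regexes, the message sample and the format labels are constructed for
# illustration; this is not AgenticMail's DLP engine.
import re
from collections import Counter

# The deployed control (assumed): only recognises US numbers written as 415-555-0100.
DLP_PHONE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")

# A candidate fix (assumed): also accepts the parenthesised area-code form.
DLP_PHONE_FIXED = re.compile(r"(?:\(\d{3}\) ?|\b\d{3}-)\d{3}-\d{4}\b")

# Constructed ground truth: outbound agent messages labelled by a reviewer with the
# phone numbers they actually contain and the format each one uses.
LABELLED_MESSAGES = [
    ("Call me at 415-555-0100 tomorrow.", [("415-555-0100", "dashed")]),
    ("Contact: (415) 555-0101", [("(415) 555-0101", "parenthesized")]),
    ("Reach support on 415-555-0102 or 415-555-0103",
     [("415-555-0102", "dashed"), ("415-555-0103", "dashed")]),
    ("Alt line: (650) 555-0104", [("(650) 555-0104", "parenthesized")]),
    ("No contact details in this one.", []),
    ("Ticket ref 123-456-7890 is not a phone number", []),   # false-positive bait
]


def evaluate(control: re.Pattern, labelled) -> dict:
    """Score a detector against labelled messages; group misses by PII format."""
    tp = fp = fn = 0
    misses = Counter()
    for text, truth in labelled:
        found = set(control.findall(text))
        expected = {value for value, _ in truth}
        tp += len(found & expected)
        fp += len(found - expected)            # flagged something the reviewer did not label
        for value, fmt in truth:
            if value not in found:
                fn += 1
                misses[fmt] += 1               # the "gap" the analysis should report
    recall = tp / (tp + fn) if tp + fn else 1.0
    precision = tp / (tp + fp) if tp + fp else 1.0
    return {
        "messages_tested": len(labelled),
        "recall": round(recall, 3),
        "precision": round(precision, 3),
        "false_negatives": fn,
        "false_positives": fp,
        "gaps": dict(misses),
    }
```

Run against the sample, the deployed pattern reports recall 0.6 with every miss in the `parenthesized` bucket; the fixed pattern closes that gap but still flags the ticket reference, which is why precision is tracked alongside recall rather than one "catch rate".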
Full HTML Export
Every report exports to a self-contained HTML file. No external dependencies, no CDN links, no JavaScript that needs to load. You get a single file you can email to an auditor, archive to a compliance repository, or print to PDF. The styling is clean and professional, with collapsible sections for the detailed evidence so the executive summary stays readable.
I considered PDF generation directly, but HTML gives you the best combination of portability and interactivity. Auditors can search the document, expand sections they care about, and collapse the rest.
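An added example (not AgenticMail's exporter) of the two properties above: collapsible evidence sections that need no script, and a check that nothing in the file reaches off the box. The `render_report` and `is_self_contained` helpers, the stylesheet and the report layout are assumptions for this illustration.

```python
# Added example: rendering a report as one self-contained HTML file and checking
# that it really has no external dependencies. The report shape, stylesheet and
# helper names are assumptions; this is not AgenticMail's exporter.
import html
import re


def render_report(title: str, summary: str, sections: list[tuple[str, list[str]]]) -> str:
    """Executive summary stays visible; evidence collapses via <details>/<summary>,
    which browsers implement without JavaScript."""
    parts = [
        "<!DOCTYPE html><html><head><meta charset='utf-8'>",
        f"<title>{html.escape(title)}</title>",
        "<style>body{font-family:sans-serif;max-width:60em;margin:2em auto}"
        "details{margin:1em 0}summary{font-weight:bold;cursor:pointer}</style>",
        "</head><body>",
        f"<h1>{html.escape(title)}</h1><p>{html.escape(summary)}</p>",
    ]
    for heading, evidence in sections:
        parts.append(f"<details><summary>{html.escape(heading)}</summary><ul>")
        # Journal text originates in email an agent processed: treat it as untrusted.
        parts.extend(f"<li>{html.escape(line)}</li>" for line in evidence)
        parts.append("</ul></details>")
    parts.append("</body></html>")
    return "".join(parts)


# Any src/href pointing at a network URL (absolute or protocol-relative).
EXTERNAL_REF = re.compile(r"""(?:src|href)\s*=\s*["']?\s*(?:https?:)?//""", re.I)


def is_self_contained(doc: str) -> bool:
    """True if the document fetches nothing over the network and carries no script."""
    return not EXTERNAL_REF.search(doc) and "<script" not in doc.lower()
```

Escaping every journal string matters more than it looks: the evidence sections quote text that came out of email an agent handled, and an unescaped `<script>` in a subject line would run in the auditor's browser when the file is opened. `is_self_contained` is deliberately strict, rejecting any network `src`/`href` and any script element at all, which is the right bar for a file that is about to be archived as evidence.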
Why This Matters for Agent Systems
Traditional compliance tools assume humans are the operators. When an AI agent processes 10,000 emails in a day, makes decisions about routing and response content, and accesses customer data across multiple systems, the compliance surface is enormous. You can’t manually document each action. The system has to generate its own compliance evidence.
That’s the core insight. The same action journal that powers rollback and debugging also powers compliance. Every agent action is already recorded with timestamps, actor identity, and state snapshots. The compliance reports are just structured views of data that already exists.
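An added example, not AgenticMail's journal format, of what "structured views" means in practice: a handful of constructed journal entries, and the DSAR accounting and access review derived from them as plain filters and groupings. The `JournalEntry` fields, the entries themselves and the two view functions are assumptions for illustration.

```python
# Added example: two compliance views computed from the same action journal.
# The entry shape and the sample entries are constructed for illustration;
# this is not AgenticMail's journal format.
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class JournalEntry:
    ts: str                     # ISO 8601 timestamp
    actor: str                  # human user or agent identity
    actor_type: str             # "agent" or "human"
    action: str
    resource: str
    purpose: str = ""
    data_subjects: tuple = ()   # subjects whose personal data the action touched
    sent_to: str = ""           # external destination, if data left the system
    state_before: dict = field(default_factory=dict)
    state_after: dict = field(default_factory=dict)


# Constructed sample journal.
JOURNAL = [
    JournalEntry("2025-03-01T09:00:00Z", "triage-agent", "agent", "read", "mailbox/support",
                 purpose="ticket triage", data_subjects=("alice@example.com",)),
    JournalEntry("2025-03-01T09:00:05Z", "triage-agent", "agent", "send", "mail/out/1234",
                 purpose="customer reply", data_subjects=("alice@example.com",),
                 sent_to="alice@example.com"),
    JournalEntry("2025-03-01T10:15:00Z", "billing-agent", "agent", "update", "crm/contact/alice",
                 purpose="address change", data_subjects=("alice@example.com",),
                 state_before={"city": "Boston"}, state_after={"city": "Denver"}),
    JournalEntry("2025-03-02T08:30:00Z", "jsmith", "human", "grant_role", "iam/role/billing-admin",
                 state_before={"role": "billing"}, state_after={"role": "billing-admin"}),
    JournalEntry("2025-03-02T11:00:00Z", "billing-agent", "agent", "read", "crm/contact/bob",
                 purpose="invoice lookup", data_subjects=("bob@example.com",)),
]


def dsar_accounting(journal, subject: str) -> dict:
    """Article 15 view: every touch of one data subject's data, in order, with
    who did it, why, what changed, and where the data was sent."""
    rows = sorted((e for e in journal if subject in e.data_subjects), key=lambda e: e.ts)
    return {
        "subject": subject,
        "processed_by": sorted({e.actor for e in rows}),
        "events": [
            {"ts": e.ts, "actor": e.actor, "action": e.action, "resource": e.resource,
             "purpose": e.purpose,
             "changed": {k: (e.state_before.get(k), v) for k, v in e.state_after.items()
                         if e.state_before.get(k) != v}}
            for e in rows
        ],
        "transmitted_to": sorted({e.sent_to for e in rows if e.sent_to}),
    }


def access_review(journal) -> dict:
    """Who (and what) touched which resources, last seen when, plus privilege changes."""
    last_seen, resources, changes = {}, defaultdict(set), []
    for e in sorted(journal, key=lambda e: e.ts):
        last_seen[e.actor] = (e.actor_type, e.ts)
        resources[e.actor].add(e.resource)
        if e.action == "grant_role":
            changes.append((e.ts, e.actor, e.state_before.get("role"), e.state_after.get("role")))
    return {
        "actors": {a: {"type": t, "last_access": ts, "resources": sorted(resources[a])}
                   for a, (t, ts) in last_seen.items()},
        "privilege_changes": changes,
    }
```

Neither view needs data the journal did not already capture for rollback: the DSAR's "what changed" column is the same before/after snapshot that rollback replays, and the access review's last-access times are just the newest timestamp per actor.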
Source Code
The compliance engine generates all five report types from the action journal data, with risk scoring and HTML export built in.