
Jason Reeder

The SOC2 Controls That Actually Require Decision Logs (And Why No One Logs Them)

Posted on March 8, 2026

Over the last month, I've written three articles about deterministic decision logs. Each one has climbed to the top of Google. Each one has brought more readers to the API.

They search for "SOC2 CC6.1 evidence." They search for "change management audit trails." They search for "access control decision logs."

They're not looking for another compliance platform. They're looking for proof that their automated decisions actually satisfy specific controls.

Here's what they're finding—and why no one else is providing it.


The Controls That Demand Decision Logs

Not all SOC2 controls are created equal. Some are about documentation. Some are about configuration. Some are about policies.

But a specific subset requires something else: proof that a decision was made consistently.

CC6.1 – Logical Access Security

"The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives."

This control is about who can access what. But in an automated world, access isn't just granted by humans—it's granted by systems.

When a CI/CD pipeline grants temporary access to a production server—that's a decision. When an identity provider automatically provisions access based on role—that's a decision. When a zero-trust network evaluates a connection request—that's a decision.

Auditors don't just want to know who had access. They want to know how access was granted. And whether the same request would be granted the same way tomorrow.

Evidence-collection platforms don't capture this. They capture the resulting configuration after the fact, not the decision that produced it.

CC8.1 – Change Management

"The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives."

(CC7.1, which is often confused with this one, is about detecting configuration changes that introduce new vulnerabilities; the approval and implementation of changes is CC8.1.)

Every automated deployment, every infrastructure change, every configuration update is a decision. Was it approved? Did it follow policy? Was it consistent with past changes?

Change management logs today are ticket numbers and timestamps. They don't capture the logic that led to approval or rejection.

A deterministic decision log does. It captures the input signals (what changed, who requested it), the governance context (was there an approved ticket?), and the output (approved, rejected, or need more info).

CC7.2 – System Monitoring

"The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events."

Monitoring tools generate alerts. Those alerts are decisions: "This event is anomalous enough to notify someone."

But how was that decision made? Which rule fired, and at what threshold? Was it consistent with past alerts?

Auditors want to know that your monitoring decisions are consistent, not random. Deterministic logs provide that proof, as long as each alert record carries the rule and threshold version that fired, not just the alert text.

CC3.2 and CC9.2 – Risk Assessment and Vendor Risk

"The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed." (CC3.2)

"The entity assesses and manages risks associated with vendors and business partners." (CC9.2)

Third-party risk assessments, vendor reviews, security questionnaires—all of these generate decisions. Approve, reject, or conditionally approve.

Those decisions should be auditable. What signals led to approval? What red flags triggered rejection? Can you prove that the same vendor, with the same inputs and the same policy version, would get the same decision next month?


Why Compliance Platforms Don't Log These

Vanta, Drata, and SecureFrame are excellent at collecting evidence. They pull configurations from AWS, Okta, and GitHub. They store policies. They track tasks.

But they don't capture decisions for one simple reason: they're not there when the decision happens.

They poll infrastructure after the fact. They don't intercept the decision itself.

To log a decision, you have to be in the execution path. You have to be called by the system making the decision—not polling it afterward.

That's the difference between evidence collection and decision logging.


What a Decision Log Actually Looks Like

Here's a real example from our API:

Input (a privileged access request):

{
  "scenario_summary": "Emergency production access",
  "observed_signals": ["admin added to IAM role", "no change ticket found"],
  "known_context": ["incident response active", "on-call engineer approved"]
}

Output (deterministic, SOC2-mapped):

{
  "decision_posture": "proceed",
  "confidence": 75,
  "compliance_references": [
    "SOC2 CC6.1 - Logical Access Security",
    "SOC2 CC7.2 - System Monitoring"
  ],
  "decision_rationale": "Emergency access requested during active incident. On-call approval present. CC6.1 requires access controls; exception granted due to incident. CC7.2 monitoring will capture any anomalous activity post-access.",
  "clarifying_question": null
}

This is not evidence. This is proof, provided the record stores the inputs verbatim, pins the policy version that evaluated them, and is tamper-evident (hash-chained or signed) so it cannot be quietly edited after the fact. With those in place it gives you:

  • Proof that the decision followed policy, and which version of it
  • Proof that specific SOC2 controls were considered
  • Proof that the same input would produce the same output tomorrow, under the same policy version
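As an added example (not code from the original post, and not the Decision Security Layer API), here is a minimal decision log in Python that shows the pieces the sections above describe: the decision is made and recorded in the execution path rather than polled later, each record pins a policy version and hash-chains to the previous record, and an auditor can both verify the chain and replay every stored input against the policy to confirm it still yields the stored output. The policy rules, the policy version string, the time-boxing conditions and the request payloads are all constructed for this example; the first request mirrors the emergency-access input shown above.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List

# Assumed policy identifier. In a real deployment this is the commit or content
# hash of the rule set, because "same input, same output" only holds for a
# pinned policy version.
POLICY_VERSION = "access-policy-v3"
GENESIS = "0" * 64


def canonical(obj) -> str:
    """Stable JSON encoding so identical inputs always hash identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def evaluate_access(request: dict) -> dict:
    """Toy privileged-access policy (constructed for this example).

    Rules apply in order; each output names the controls it is meant to satisfy:
      1. change ticket present                        -> proceed
      2. no ticket, but active incident + on-call OK  -> proceed, time-boxed
      3. anything else                                -> reject
    """
    signals = set(request.get("observed_signals", []))
    context = set(request.get("known_context", []))
    refs = ["SOC2 CC6.1 - Logical Access Security"]

    if "no change ticket found" not in signals:
        return {"decision_posture": "proceed", "compliance_references": refs,
                "conditions": [],
                "decision_rationale": "Change ticket present; standard access path."}
    if {"incident response active", "on-call engineer approved"} <= context:
        refs += ["SOC2 CC8.1 - Change Management", "SOC2 CC7.2 - System Monitoring"]
        return {"decision_posture": "proceed", "compliance_references": refs,
                "conditions": ["access expires in 4h",
                               "retroactive change ticket within 24h"],
                "decision_rationale": "Emergency exception: active incident with on-call approval."}
    return {"decision_posture": "reject", "compliance_references": refs,
            "conditions": [],
            "decision_rationale": "No change ticket and no emergency context."}


@dataclass
class DecisionRecord:
    seq: int
    prev_hash: str
    policy_version: str
    request: dict
    output: dict
    record_hash: str = ""

    def body(self) -> dict:
        """Everything the hash covers: link to previous record, inputs, policy, output."""
        return {"seq": self.seq, "prev_hash": self.prev_hash,
                "policy_version": self.policy_version,
                "request": self.request, "output": self.output}


class DecisionLog:
    """Append-only, hash-chained log written in the execution path, not polled later."""

    def __init__(self) -> None:
        self.records: List[DecisionRecord] = []

    def decide(self, request: dict) -> dict:
        prev = self.records[-1].record_hash if self.records else GENESIS
        output = evaluate_access(request)
        rec = DecisionRecord(len(self.records), prev, POLICY_VERSION, request, output)
        rec.record_hash = sha256(canonical(rec.body()))
        self.records.append(rec)
        return output

    def verify(self) -> bool:
        """Auditor's check: chain intact and every decision replays identically."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec.seq != i or rec.prev_hash != prev:
                return False
            if sha256(canonical(rec.body())) != rec.record_hash:
                return False  # record edited after the fact
            if rec.policy_version == POLICY_VERSION and evaluate_access(rec.request) != rec.output:
                return False  # policy drifted without a version bump
            prev = rec.record_hash
        return True


if __name__ == "__main__":
    log = DecisionLog()
    # Constructed request mirroring the emergency-access example above.
    print(log.decide({"scenario_summary": "Emergency production access",
                      "observed_signals": ["admin added to IAM role", "no change ticket found"],
                      "known_context": ["incident response active", "on-call engineer approved"]}))
    print("chain verifies:", log.verify())
```

The replay step in verify() is what answers the auditor's "if I run the same inputs tomorrow" question; the hash chain is what stops someone with write access to the log from changing a "reject" into a "proceed" without the next record's prev_hash giving it away. In production the chain head would be anchored somewhere the log writer cannot touch (a signed checkpoint or a separate store), and a policy change would bump POLICY_VERSION so old records are replayed against the version that actually produced them.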

The Gap That Became a Category

When I started building this, I assumed someone else had already done it. Vanta has 350+ integrations. Drata has hundreds of employees. Surely they'd thought of this.

They hadn't. Not because they're incompetent. Because they're solving a different problem.

They solve evidence collection.

We solve decision transparency.

Both are necessary. Neither replaces the other.


What Auditors Actually Want

I've never met an auditor who complained about too little evidence. They're drowning in it.

What they can't find is proof of consistency.

  • Did this automated control make the same decision last month?
  • Can you show me the logic that led to this outcome?
  • If I run the same inputs tomorrow, will I get the same result?

Evidence doesn't answer these questions. Decision logs do.


The Market Is Waking Up

The search data tells the story. People aren't searching for "better evidence collection."

They're searching for:

  • "SOC2 CC6.1 audit trail"
  • "change management decision logs"
  • "access control proof of consistency"
  • "automated decision auditing"

They have the platforms. They have the evidence. What they don't have is trust that their automated decisions are consistent and auditable.

That's the gap. That's the category. That's what we built.


What's Next

The API is live. Free tier: 100 decisions/month. Docs at the link below.

If you're using Vanta, Drata, or SecureFrame and wondering why your automated decisions don't leave audit trails—now you know.

It's not a feature they forgot. It's a layer they don't have.


Founder & CEO, Decision Security Layer

decseclayer@gmail.com

API Docs

Tags: SOC2, CC6.1, CC8.1, compliance, auditing, deterministic, API
