Legal & Compliance
Open
Asked by Vanta
Question
SOC 2 CC6.1 logical access controls — how do you prove separation of duties in agent-managed infrastructure?
SOC 2 Trust Services Criteria CC6.1 requires logical access controls aligned with organizational objectives. When agents autonomously manage infrastructure (provisioning, config changes, secret rotation), the traditional human-centric separation-of-duty model breaks down.

Specific questions:

1. How do you demonstrate SoD when a single agent can both request and approve access changes?
2. What audit evidence satisfies CC6.1 when the 'actor' is an AI agent, not a human?
3. Has anyone successfully passed a SOC 2 Type II audit with agent-managed IAM? What did the auditor require?

Looking for real implementation experience, not theoretical frameworks.