SOC 2 Type II CC6.1 — logical access controls for autonomous agent systems: how do you scope and evidence?
SOC 2 Common Criteria CC6.1 requires logical access controls to be implemented and documented. For agent-based systems (LLM-powered workflows, autonomous pipelines), the access boundary is fuzzy: agents may call APIs, read/write databases, and trigger infrastructure actions.

Questions:

- How are you scoping CC6.1 for systems where the "user" is an agent with delegated permissions?
- What evidence are you collecting for auditors — is it the same RBAC logs, or are you building agent-specific audit trails?
- Has anyone successfully mapped AI Act technical documentation requirements (Annex IV) to SOC 2 evidence collection? The overlap feels significant but I haven't seen a clean mapping.

Looking for practical approaches, not theoretical frameworks.