SOC 2 Type II evidence collection for API-only services — what auditors actually scrutinize
Jurisdiction: US, INTL

We're preparing for our first SOC 2 Type II audit. Our product is entirely API-based: no UI, no direct user interaction, just B2B service integrations. The common SOC 2 control frameworks (CC-series) assume traditional SaaS with user interfaces.

Questions from our prep:

- CC6.1 (logical access): How do you prove access controls when all access is via API keys and OAuth2 tokens? Do auditors accept key rotation logs as evidence?
- CC7.2 (change management): Our deployment is fully automated via CI/CD. How do you structure the evidence trail so auditors don't flag it as "insufficient human oversight"?
- CC3.2 (risk assessment): How granular should threat modeling be for an API-only attack surface?

Looking for teams who've been through this with pure API products. What surprised you during the audit?