Agentic Payments & Settlement

SOC 2 Type II and ISO 27001: The Boring Work Behind Autonomous Payments

Agents spend with no human in the loop. That makes the company holding the mandate worth auditing. What SOC 2 Type II and ISO 27001:2022 actually prove.
By
Nevermined Team
Jul 16, 2026
Nevermined — SOC 2 Type II and ISO 27001:2022, the boring work behind autonomous payments
See Nevermined
in Action
Real-time payments, flexible pricing, and outcome-based monetization—all in one platform.
Schedule a demo

An AI agent can enroll a card, hold a spending mandate, and settle a sub-cent API call without a human anywhere in the loop. Every one of those steps runs through infrastructure someone else operates. Which raises the question nobody asks during the demo: who is checking the company in the middle?

As of this month, independent auditors are. Nevermined has completed a SOC 2 Type II audit and is certified against ISO/IEC 27001:2022. Both are live on our Trust Center.

The problem: autonomy moves the trust question upstream

When a person pays for something, the person is the control. They see the price. They click the button. They notice the $10,000 charge and call the bank.

Take the human out of the loop — which is the entire point of an agent — and every one of those checks leaves with them. The agent doesn't get suspicious. It doesn't sanity-check a decimal place. It does exactly what its mandate permits, at machine speed, all night.

So the trust has to live somewhere else. It moves upstream into the infrastructure holding the card, the mandate, and the keys. That's the layer we operate. And "trust us" is not a security model.

What we got: two things, and they're not the same thing

The two get bundled together in press releases, which does both of them a disservice. They answer different questions.

ISO/IEC 27001:2022 is a certification, issued by an accredited body. It's about the system — it asks whether you run a real information security management system: risk assessments, defined ownership, policies that exist and get followed, a loop that catches problems and closes them. It certifies the machine that produces security, not any single control.

SOC 2 Type II isn't a certification at all, strictly speaking. It's an attestation report written by auditors, and it's about evidence — whether the controls you claim to have actually operated, over a window of time, with proof for each one.

One says the process is sound. The other says the process ran. You want both, and for different reasons.

And within SOC 2, the flavor is the whole point.

Type I asks whether your controls are designed correctly on a single day. You can pass it by being organized for an afternoon.

Type II asks whether those controls actually operated across months, and makes you produce the evidence. Not "we have an offboarding policy" — the actual record of every access grant revoked, every time, for the whole window. A control that works in the screenshot and lapses in July fails a Type II.

That's the difference between a policy document and a practice. Type I proves you wrote it down. Type II proves you did it when nobody was looking.

Why this matters more for payments than for most software

If a note-taking app gets breached, you lose data. Bad, recoverable. If a payments company gets breached, you lose data and money — and the money moves faster than your incident response.

The blast radius is what makes payments different. We sit next to card credentials, spending mandates, and API keys that authorize real settlement. Every one of those is a credential that moves funds if it leaks. That's the concentration of risk that makes the audit worth something: the more consequential the thing you hold, the less anyone should take your word for how you hold it.

There's a practical dimension too. Enterprise security reviews are where infrastructure deals go to die — the questionnaire arrives, and if the answer to "SOC 2?" is "we're working on it," you're now nine months from a signature. A completed Type II report turns a quarter of procurement into an attachment.

Why agentic payments raise the bar again

Standard payments assume a human approves the spend. Agentic payments assume nobody does — that's the feature. It also means the usual backstop is gone.

We build guardrails for exactly this: card delegation with spending caps, scoped and revocable mandates, time windows, kill switches. A mandate says spend up to this much, on this, until I say stop. The boundary is the safety.

But a guardrail is only as trustworthy as the company enforcing it. A spending cap is a promise that the infrastructure will refuse the 501st dollar. A revocable delegation is a promise that revoke actually revokes — everywhere, immediately, including the cached path you forgot about. Those promises are software, and software is a claim until someone audits it.

That's the gap the audits close. Not "our agents are safe" — a slogan. Instead: the controls behind those guarantees were tested by people whose job was to find them failing, and the report is available to read.

What's actually behind the badge

A logo in a footer is worth roughly nothing, which is why the Trust Center shows the work rather than the badge. It publishes 67 controls under continuous monitoring across five categories — infrastructure security, organizational security, product security, internal security procedures, and data and privacy — each with its current status, not a status from audit week.

  • Continuous, not annual — controls are monitored on an ongoing basis, so drift surfaces when it happens rather than at the next audit
  • Evidence, not assertions — the SOC 2 Type II report and the ISO 27001:2022 certificate are available under NDA, not summarized by us
  • Public, not on request — the control list is readable before you talk to sales

If you're evaluating who to let hold a mandate on your behalf, that's the page to read. Go be skeptical at it.

The takeaway

None of this is the exciting part of agentic payments. Nobody demos an access review.

But autonomy is a trust transfer. Every guardrail you rely on is a claim someone should have to prove — and the whole point of taking the human out of the loop is that there's no one left to catch it when the claim turns out to be false.

Same protocol. Same guardrails. Now with the receipts.

Read the controls at trustcenter.nevermined.ai, start building at nevermined.app, or book a demo to see the guardrails run.

See Nevermined

in Action

Real-time payments, flexible pricing, and outcome-based monetization—all in one platform.

Schedule a demo
Nevermined Team
Related posts