
Produce audit-ready SOC 2 Type II evidence for every NHI - continuously

Outcome

Why this is hard without Oleria

SOC 2 Type II requires per-NHI evidence over 6-12 months. Most teams assemble spreadsheets in the weeks before audit — point-in-time snapshots that do not demonstrate operating effectiveness. Oleria accrues evidence continuously so audit becomes a reporting exercise, not a project.

What Oleria delivers

Per-CC6-control evidence per NHI

Evidence supporting CC6.1 through CC6.7 — ownership, scope justification, access restrictions — per NHI.

Audit-period filtering

Windowed export filtered to any audit period, cross-referenced by control and NHI.

Continuous evidence assembly

Windowed export filtered to any audit period, cross-referenced by control and NHI.

Cross-framework reuse

Same per-NHI records support ISO 27001, HIPAA, and PCI without duplicate collection.

AT A GLANCE

Per-CC6 control mapping
Evidence per NHI categorized to CC6.1 through CC6.7 - the control-by-control mapping done for you
Continuous accrual
Every NHI lifecycle event - creation, scope change, review, decommission - captured with full audit trail throughout the period
Audit-window export
Evidence pack filtered to any audit window on demand - the auditor question gets a windowed, structured answer
Cross-framework reuse
The same per-NHI records support ISO 27001, HIPAA, and PCI without duplication

How it works

  1. Connect
    NHI inventory and lifecycle events flow from IdPs, cloud, and SaaS into the graph.
  2. Map
    Every event categorized to the relevant CC6 control continuously.
  3. Accrue
    Evidence builds throughout the audit window with operating-effectiveness records.
  4. Export
    Generate the evidence pack filtered to your audit window with control references.

Frequently Asked Questions

Does this cover NHIs in cloud infrastructure as well as SaaS?

Yes. AWS IAM roles, GCP service accounts, Azure managed identities, and SaaS integration users all feed the same NHI graph. SOC 2 evidence covers the full estate, not just the primary IdP.

What if our audit window has already started mid-period?

Evidence accrues from connection forward. Historical data from IdP and logs may be back-filled where available — onboarding will scope what is possible for your environment.

Which CC6 sub-controls does NHI evidence support?

All CC6 sub-controls apply: CC6.1 through CC6.7. Oleria is explicit about which controls each piece of evidence supports so there is no ambiguity in the audit pack.

We use a SOC 2 program platform. Does Oleria replace that?

No. Program platforms manage audit workflow. Oleria is the NHI-specific evidence source that feeds into them — supplying the per-NHI pack most platforms cannot generate on their own.

What is a non-human identity (NHI)?

A non-human identity authenticates without a human logging in — service accounts, API keys, OAuth apps, and CI/CD credentials. NHIs vastly outnumber humans and are subject to the same CC6 logical access controls.
