CC2.1 — Internal control responsibilities communicated to personnel
Status: Implemented
Owner: Agent #38 (Senior Compliance Lead, SOC 2 + ISO 27001)
Last reviewed: 2026-05-28
Next review: 2026-08-28
Trust Services Criteria reference
The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. The internal-communication aspect (which the 2017 Trust Services Criteria state separately as CC2.2) is what this page evidences: every employee, contractor, and AI agent should know what their internal-control responsibilities are, how to discharge them, and how to escalate.
How ZeroAuth meets this control
The single source of truth for internal-control responsibilities is CLAUDE.md at the repository root. This file is required reading at the start of every session — for human engineers and AI agents alike — and contains: the list of load-bearing capabilities, the enforced non-goals (no raw biometric over the wire, no biometric raw logging, no admin action without an audit row, no cross-tenant data exposure, no verifier without a published circuit ADR), the language-rules block, the standing instructions (10 rules covering API contract reading, test-before-implementation, plan mode, sub-agent invocation, dependency-via-ADR, threat-model updates, deploy discipline, secrets handling, and "when you get stuck"). Every change to the file is in the commit history; LAST_UPDATED: 2026-05-28 is the most recent revision.
docs/plan/bfsi-v1/06-ways-of-working.md is the operational companion. It restates the constraints from 00-README.md (the 10 standing constraints) with operational mechanics: branch policy, commit-time gates, sub-agent rules, plan-mode triggers, Definition of Ready, Definition of Done at three scopes (per commit, per sprint, per release), daily / weekly / monthly cadences, escalation matrix, documentation hygiene, and "when the plan is wrong". The two documents together — CLAUDE.md and 06-ways-of-working.md — answer "what am I responsible for?" for any contributor.
Per-role specifics land in docs/plan/bfsi-v1/03-team.md (KPI block per role) and docs/plan/bfsi-v1/agents/agent-<NN>-*.md (Mon-Fri tickets). An agent picking up a ticket sees their reports-to, mandate, and ticket-level Done-when condition without needing to ask. The ticket trail is committed to the repo and so survives session turnover.
Threat-model awareness is communicated via docs/threat_model.md. An explicit instruction at the top of the file ("Every new endpoint, every new dependency that handles secrets or PII, every new circuit change, every new audit-log write path must extend this document and add a matching A-NN entry. The security-reviewer and cryptographer-reviewer subagents read this file at session start.") states the obligation at the point where every reader encounters it; the commit trail, not the instruction alone, is what evidences that the obligation is met. The threat model is a living document; see the update commit 573ff5d ("track audit findings and update threat model for Phase 0 closures") for the demonstrated pattern.
The audit-findings document at docs/security/audit-findings.md is the running tally of open and closed control gaps; it carries an owner per open finding and a target sprint. The compliance roadmap at docs/compliance/compliance-roadmap-v1.md lays out the 12-month forward path with named owners per deliverable. Both documents are linked from CLAUDE.md's "Source of truth pointers" — discoverable in three clicks from a cold start.
Communication is reinforced by the daily 09:30 IST engineering standup (per 06-ways-of-working.md "Daily cadence") and the all-hands Friday 18:00 status post. Both are recurring forcing functions; the Friday cadence in particular is read by all 50 agents plus the founder.
Evidence references
- CLAUDE.md (repository root) — engineering constitution; required reading.
- docs/plan/bfsi-v1/06-ways-of-working.md — operational mechanics; commit gates, escalation, cadence.
- docs/plan/bfsi-v1/00-README.md — phase map + 10 standing constraints.
- docs/plan/bfsi-v1/03-team.md — KPI block per role.
- docs/plan/bfsi-v1/agents/ — 50 per-role daily ticket files.
- docs/threat_model.md — attack catalogue; opening note instructs threat-model-update obligation.
- docs/security/audit-findings.md — open + closed findings with owners.
- docs/compliance/compliance-roadmap-v1.md — 12-month roadmap with deliverable owners.
- Commit 573ff5d — demonstration of "threat model updated on closure" rhythm.
- Commit 5e3b79d — plan tree (the communication scaffold) landed.
Open gaps + remediation roadmap
- Signed acknowledgment of CLAUDE.md + CODE_OF_CONDUCT.md — formal annual sign-off lacking; target week 13 alongside the §17 DPO filing.
- Internal communications calendar — central record of who-said-what-when. Today this is split across git log, the Friday status post archive, and the regulator-log; needs consolidation by week 22 (2026-10-12).
- Onboarding checklist for new agents — currently implicit ("read CLAUDE.md, read your agent file, read 06-ways-of-working.md"); a structured checklist lands week 14 (2026-08-24).
Test or audit query
Auditor opens CLAUDE.md and docs/plan/bfsi-v1/06-ways-of-working.md; each file must reference the other by path. Then git log --since=14.days.ago --oneline -- CLAUDE.md docs/plan/bfsi-v1/06-ways-of-working.md should return at least one commit in the prior 14 days (shows the documents are maintained, not stale). Two limits of this query: a commit touching either file proves the document moved, not that personnel read it (evidence of receipt is the signed acknowledgment listed under open gaps), and a 14-day window is satisfied by a trivial edit, so the auditor should read the returned commits rather than only count them.
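The audit query above, scripted as an added example; this is not part of the ZeroAuth repository or its agent tooling. It assumes a local git checkout of the repository passed as the first argument, uses the two file paths named on this page, and defaults the freshness window to 14 days. The function prints PASS or FAIL, lists the commits it counted so the auditor can read them, and returns a matching exit status so it can run as a CI gate or be pasted into an evidence log.

```shell
# Added example: automate the CC2.1 audit query against a git checkout.
# Usage: cc21_check /path/to/repo [days]   (repo path and window are caller-supplied)
cc21_check() {
  repo="$1"
  days="${2:-14}"
  a="CLAUDE.md"
  b="docs/plan/bfsi-v1/06-ways-of-working.md"

  # Check 1: cross-references. Each document must name the other by path,
  # so a contributor starting from either one is pointed at the second.
  grep -q "docs/plan/bfsi-v1/06-ways-of-working.md" "$repo/$a" \
    || { echo "FAIL: $a does not reference $b"; return 1; }
  grep -q "CLAUDE.md" "$repo/$b" \
    || { echo "FAIL: $b does not reference $a"; return 1; }

  # Check 2: freshness. At least one commit touching either file inside the window.
  commits=$(git -C "$repo" log --since="${days}.days.ago" --oneline -- "$a" "$b")
  n=$(printf '%s' "$commits" | grep -c . || true)
  if [ "$n" -lt 1 ]; then
    echo "FAIL: no commits to $a or $b in the last $days days"
    return 1
  fi

  # Print the commits, not just the count: a trivial edit also satisfies the window,
  # so the auditor is expected to read what changed.
  echo "PASS: cross-references present, $n commit(s) in the last $days days:"
  printf '%s\n' "$commits"
  return 0
}
```

Run it from a checkout with cc21_check "$(git rev-parse --show-toplevel)"; the returned exit status is what a CI job should gate on, and the printed commit list is the artefact to attach to the evidence folder.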