Field notes / INTEGRATIONS

ARXsec + Paperclip: Secure Document Management for AI Security Agents

Security agents don’t just query endpoints — they produce evidence. Compliance packages, incident reports, policy attestations. Here is how ARXsec and Paperclip close the document governance gap nobody noticed was open.

Security agents don’t just query endpoints and write tickets. They produce evidence. Compliance packages, incident reports, policy attestations, data flow diagrams — the paperwork that turns a security program into an auditable record. Until now, that output lived wherever the agent dumped it: an S3 bucket with overly broad permissions, an email chain, a shared drive that nobody audited. We built a native Paperclip integration the same week the request landed in our backlog for the fifth time.

This post explains what the integration does, why document governance matters as much as agent governance, and how the two platforms fit together.

The Gap Nobody Noticed

ARXsec governs what agents do. Paperclip governs what agents produce. Those are different problems.

An agent that isolates an endpoint does something. An agent that generates a post-incident report and attaches it to a Jira ticket produces something — and that document has its own lifecycle: who can read it, who approved it, where it’s stored, how long it’s retained, and whether a compliance auditor can verify it’s unchanged.

Most security teams handle this with a shared drive and hope.

| Requirement | Without Paperclip | With ARXsec + Paperclip |
|---|---|---|
| Document retention policy | Manual, ad hoc | Enforced per document class |
| Access control | Folder permissions, usually too broad | Connector-level ACL via ARXsec policy |
| Audit trail | “Who last modified this?” | Immutable event chain for every read, write and share |
| Agent approval gates | Not applicable | HITL before any external share |
| Compliance evidence | Manually assembled | Auto-attached from ARXsec compliance packages |

Neither platform alone closes the governance story. Combined, they do.


[Figure: ARX × Paperclip architecture]
Security agent (triage, compliance reporting workflows)
  → ARXsec platform: Policy Engine (doc classification, HITL gates) · Audit Trail (immutable chain) · Compliance Engine (SOC 2, HIPAA)
  → Paperclip: Doc Store · Retention (7-year vault) · Access ACL (per role) · Share Gateway (auditors / vendors; HITL gate: external share → approve)
Sample audit event: doc_stored=soc2-evidence-bundle.pdf retention=7y acl=legal
ARXsec governs what agents do. Paperclip governs what agents produce. The connector bridges the two.

What the Integration Does

1. Auto-Attach Compliance Evidence

When ARXsec generates a compliance package — SOC 2 evidence bundle, data flow diagram, vendor security questionnaire — the Paperclip connector automatically stores it in the customer’s Paperclip workspace with the correct retention class, access controls, and metadata.

# Generate a compliance package and store it in Paperclip.
# `arx` is an authenticated ARXsec SDK client; both calls are async.
async def archive_soc2_evidence(arx):
    package = await arx.compliance().generate_soc2_package(agent_id="triage-agent")
    doc = await arx.paperclip().store_document(
        content=package.pdf,
        classification="compliance-evidence",
        retention_years=7,
        access_policy="legal+security-leadership",
    )
    # doc.url, doc.receipt and doc.retention_class are all written to the audit trail
    return doc

2. Document-Level HITL Gates

Before any compliance document leaves ARXsec’s control — sent to an auditor, shared with a vendor — the Paperclip connector checks ARXsec policy. If the document is classified as sensitive, an approval gate fires.

# Sharing a security assessment externally requires CISO approval.
# `arx` is an authenticated ARXsec SDK client.
async def share_assessment_with_auditor(arx):
    result = await arx.paperclip().share_document(
        doc_id="assessment-2026-04",
        recipient="auditor@deloitte.com",
        policy_check=True,  # enforces the HITL gate if policy P-022 matches
    )
    # Fires: "External document share requires CISO approval"
    # The CISO approves via Slack; the share proceeds and is logged to the immutable trail
    return result

3. Immutable Document Chain

Every document stored through the integration has its own immutable event chain in ARXsec’s audit log: created, accessed, modified, shared, deleted. The chain is cryptographically bound, using the same Merkle structure ARXsec applies to agent actions, so altering, reordering or dropping a past event is detectable.

An auditor can verify that the document existed at a given time, that the stored bytes of version 1 and version 2 are exactly the ones recorded, and that these four people accessed it.
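What an auditor-side check of such a chain looks like, as an added example that is not ARXsec’s code: the post says document events share the Merkle structure used for agent actions, but the actual record format is not published here, so this is a hypothetical hash chain with a Merkle root computed over the event hashes, run against a constructed sample lifecycle (one evidence bundle, two versions, four readers). The names DocumentChain, verify_chain, merkle_root and build_sample_chain, and every actor and timestamp, are assumptions for illustration.

```python
"""Hash-chained document lifecycle log with a Merkle root over the events (illustrative)."""
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # prev_hash of the first event in a chain


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(obj: Dict) -> bytes:
    # Deterministic serialisation so every verifier hashes identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _event_hash(event: Dict) -> str:
    body = {k: v for k, v in event.items() if k != "event_hash"}
    return _sha256_hex(_canonical(body))


class DocumentChain:
    """Append-only event chain for one document (hypothetical structure, not ARXsec's)."""

    def __init__(self, doc_id: str) -> None:
        self.doc_id = doc_id
        self.events: List[Dict] = []

    def append(self, action: str, actor: str, ts: str,
               content: Optional[bytes] = None) -> Dict:
        prev = self.events[-1]["event_hash"] if self.events else GENESIS
        event = {
            "seq": len(self.events),
            "ts": ts,                      # timestamp asserted by the log writer
            "doc_id": self.doc_id,
            "action": action,              # created | accessed | modified | shared | deleted
            "actor": actor,
            # Only created/modified carry bytes; the hash pins that exact version.
            "content_hash": _sha256_hex(content) if content is not None else None,
            "prev_hash": prev,
        }
        event["event_hash"] = _event_hash(event)
        self.events.append(event)
        return event


def verify_chain(events: List[Dict]) -> bool:
    """Recompute every link; an edited, dropped or reordered event breaks one of them."""
    prev = GENESIS
    for i, ev in enumerate(events):
        if ev["seq"] != i or ev["prev_hash"] != prev or _event_hash(ev) != ev["event_hash"]:
            return False
        prev = ev["event_hash"]
    return True


def merkle_root(events: List[Dict]) -> str:
    """Root over the event hashes; publishing one root commits to the whole history."""
    level = [bytes.fromhex(ev["event_hash"]) for ev in events]
    if not level:
        return GENESIS
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])        # duplicate the odd leaf
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()


def version_bytes_unchanged(events: List[Dict], seq_a: int, seq_b: int) -> bool:
    """True if the two recorded versions hash to identical bytes."""
    return events[seq_a]["content_hash"] == events[seq_b]["content_hash"]


def readers(events: List[Dict]) -> List[str]:
    return sorted({ev["actor"] for ev in events if ev["action"] == "accessed"})


def build_sample_chain() -> DocumentChain:
    """Constructed lifecycle of one evidence bundle (sample data, not a real document)."""
    chain = DocumentChain("soc2-evidence-bundle-2026-04")
    v1 = b"SOC 2 evidence bundle, version 1"
    v2 = b"SOC 2 evidence bundle, version 2 (remediation appendix)"
    chain.append("created",  "triage-agent",      "2026-04-01T09:00:00Z", content=v1)
    chain.append("accessed", "alice@example.com", "2026-04-01T10:12:00Z")
    chain.append("accessed", "bob@example.com",   "2026-04-02T08:30:00Z")
    chain.append("modified", "triage-agent",      "2026-04-03T14:05:00Z", content=v2)
    chain.append("accessed", "carol@example.com", "2026-04-03T15:00:00Z")
    chain.append("shared",   "ciso@example.com",  "2026-04-04T11:00:00Z")
    chain.append("accessed", "dave@example.com",  "2026-04-04T11:02:00Z")
    return chain


def tamper_detected(events: List[Dict]) -> bool:
    """Rewrite who read version 1, repair that event's own hash, and re-verify the chain."""
    forged = [dict(ev) for ev in events]
    forged[1]["actor"] = "mallory@example.com"
    forged[1]["event_hash"] = _event_hash(forged[1])  # attacker fixes the local hash...
    return not verify_chain(forged)                    # ...but event 2's prev_hash still breaks


if __name__ == "__main__":
    chain = build_sample_chain()
    print("chain valid:", verify_chain(chain.events))
    print("root:", merkle_root(chain.events))
    print("readers:", readers(chain.events))
    print("tamper detected:", tamper_detected(chain.events))
```

Two things this shows that the paragraph does not. First, recomputing a single event’s hash after editing it is not enough for an attacker: the next event’s prev_hash still points at the original, so the chain fails at the following link. Second, a chain on its own proves order and integrity only relative to whoever holds its head; the “existed at this time” claim needs the root anchored somewhere the log operator cannot rewrite, such as an external timestamping service or a copy of the root held by the auditor.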

4. Agent-Produced Document Registry

Documents created by agents — not humans — are automatically tagged with their origin: which agent, which workflow, which policy governed them. The CISO dashboard shows a registry of every agent-produced document alongside the agent that produced it.

Regulators increasingly want to know not just what AI did, but what AI produced and who relied on it. The document registry is that answer.

Why This Matters for CISOs

The Board Question Is Changing

Boards used to ask: “What can our AI agents do?” They’re starting to ask: “What are our AI agents producing, and who has it?”

A compliance package generated by an AI agent and sent to an external auditor is a liability if it contains errors, if it leaked beyond its intended audience, or if the agent that produced it wasn’t properly governed. Paperclip + ARXsec closes that loop.

Document Governance Is AI Governance

The EU AI Act and emerging SEC guidance both treat AI-produced documents as significant artifacts. An AI system that produces compliance reports, incident summaries, or risk assessments must be governed — and the governance trail must include the document’s lifecycle, not just the agent’s runtime behavior.

No Integration Work

Configure it in the ARXsec dashboard. Enter the Paperclip workspace URL and API key. Done. Every agent that produces documents automatically uses the integration — no code changes to existing agents.


Getting Started

  1. Configure in ARXsec — Dashboard > Connectors > Paperclip > Enter workspace URL + API key
  2. Set document policies — Define which document classes require HITL before external sharing
  3. Enable auto-attach — Turn on compliance package auto-storage per agent or per workflow
  4. Review the document registry — CISO dashboard shows every agent-produced document with full lineage

What’s Next

ARXsec is the compliance-native infrastructure platform for enterprise AI agents. 101+ native connectors. Real-time policy enforcement. Human-in-the-loop approval gates. One-click SOC 2 compliance packages.

Request Early Access →
