This is a cache of https://developer.ibm.com/articles/sage-audit-evidence-collection/. It is a snapshot of the page as it appeared on 2025-11-15T03:01:23.241+0000.
SOC Agentic Governance Engine (SAGE): Reinventing audit evidence collection with Agentic AI - IBM Developer

Article

SOC Agentic Governance Engine (SAGE): Reinventing audit evidence collection with Agentic AI

SAGE uses agentic AI to automate audit evidence collection, reduce manual effort, and accelerate compliance readiness.

By

Rahul K P,

Honey Gidwani,

Anuj Shrivastava,

Suraj Kanth

Security Operations Centers (SOCs) are often measured by how well they detect and respond to threats. Yet one of their biggest and most time-consuming challenges comes from compliance audits. Frameworks such as SOC 2, ISO 27001, and PCI DSS require ongoing evidence collection across many tools, systems, and workflows.

Manually gathering this evidence can take one to two weeks per audit, consume valuable analyst time, and increase the risk of mistakes. For managed security service providers (MSSPs), who often handle dozens of audits at a time, the challenge is even greater.

SOC Agentic Governance Engine (SAGE) addresses this problem. By combining agentic AI with integrations into platforms such as IBM QRadar, Resilient, and ServiceNow, SAGE automates evidence collection, interpretation, and reporting. What once took weeks can now be completed in hours.

Component technologies

SAGE is powered by a combination of the following technologies:

  • IBM QRadar SIEM: A market-leading Security Information and Event Management platform that provides real-time visibility into enterprise security data. It collects, normalizes, and correlates logs and network flows to detect anomalies, prioritize threats, and support compliance reporting. With 700+ integrations and 1,500+ pre-built use cases, QRadar enables SOC teams to investigate and respond to threats faster while maintaining regulatory compliance.

  • IBM watsonx Orchestrate: An AI-powered orchestration platform that allows users to design and automate workflows using intelligent agents. It brings reasoning and coordination to automation by enabling agents to interpret natural language, break tasks into steps, and execute them across multiple systems. With built-in LLMs and AI agent orchestration, watsonx Orchestrate provides the foundation for SAGE’s Supervisor Agent and sub-agent collaboration.

  • Langflow: An open-source framework for visually building and deploying LLM-powered workflows. It allows developers to chain components such as prompts, APIs, and memory stores into agent flows. In SAGE, Langflow is used to build the API Extractor Agent using JSON configurations and MCP servers to interpret natural language queries and map them to relevant QRadar API endpoints.

Challenges in the current audit processes

Before SAGE, SOCs and MSSPs faced several recurring pain points:

  • Volume and complexity: 40–100+ checklist items per audit across multiple frameworks.
  • Tool fragmentation: Evidence spread across SIEMs, SOARs, ticketing platforms, and EDRs.
  • Manual burden: Analysts writing queries, logging in to systems, taking screenshots, and formatting evidence by hand.
  • Error risk: Inconsistent results, missed records, and human oversight leading to audit gaps.
  • Scalability limits: Difficulty handling multiple audits at once without heavy resource use.

These challenges often lead to what many analysts call audit fatigue.

Benefits of SAGE

By adding agentic AI, SAGE delivers clear improvements:

Area            | Before SAGE            | After SAGE
----------------|------------------------|-------------------------
Audit prep time | 1–2 weeks              | 1–2 hours
Analyst effort  | Multiple staff needed  | Minimal oversight
Data quality    | Manual, inconsistent   | Structured, validated
Stress level    | High (audit fatigue)   | Low (AI-driven)
Compliance risk | Delays, gaps in data   | Complete and timely
Scalability     | Limited per team       | Parallel audits at scale

For MSSPs, this means that they can support more clients with consistent, high-quality evidence. For enterprises, it means faster audit readiness and lower compliance risk.

Workflow

SAGE’s workflow is managed by a Supervisor Agent that coordinates specialized sub-agents to handle audit evidence collection.

SAGE workflow

  • Kick Off Audit Process: The user starts the process by selecting the prompt Kick Off Audit Process.

  • File Upload Agent:

    • Provides a file upload option in the chat.
    • Reads the uploaded Excel audit checklist.
    • Displays the file contents in the chat.
    • Forwards the extracted data to the API Extractor Agent.
  • API Extractor Agent:

    • Built with Langflow and exported as an MCP server.
    • Interprets checklist requirements that are written in plain language.
    • Uses QRadar API documentation to find the right API endpoints.
    • Sends endpoint details back to the Supervisor Agent.
  • AQL Query Agent:

    • Runs when a checklist item requires log source or event data.
    • Executes Ariel Query Language (AQL) queries via QRadar APIs.
    • Retrieves logs related to audit requirements.
  • QRadar API Executor Agent:

    • Executes API endpoints that are identified by the API Extractor Agent.
    • Displays responses directly in the chat.
  • Supervisor Agent:

    • Coordinates tasks across all sub-agents.
    • Collects results from the AQL Query Agent and API Executor Agent.
    • Combines outputs into a structured response.
    • Presents an audit-ready summary with evidence, metadata, and compliance mappings.
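The following is an added example, written for this article and not taken from the SAGE repository, that walks the same loop in plain Python: a checklist item is mapped to a QRadar REST call, the call is executed (with the two-step submit/fetch that Ariel searches require), and the response is wrapped in an evidence record carrying metadata and a SHA-256 digest. Everything in it is constructed or assumed: the three checklist rows stand in for the uploaded Excel file, `plan_call` is a keyword stand-in for the LLM-based API Extractor Agent, `fake_transport` returns canned JSON instead of calling QRadar (a real transport would send the `SEC` API-token header), and the endpoint paths are the ones documented for the QRadar REST API, which you should check against your own version. The one thing it adds beyond the workflow above is an allowlist check: because the planned call is derived from text an agent read out of an uploaded document, the executor only runs read-only calls that match a fixed list, and refuses anything else.

```python
"""Evidence-collection loop in the shape of the SAGE workflow (hypothetical, offline)."""
import hashlib
import json
import re
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Callable

# Constructed stand-in for the rows of the uploaded Excel checklist.
CHECKLIST = [
    {"id": "LOG-01", "control": "All in-scope log sources are enabled",
     "request": "List all log sources and their enabled status"},
    {"id": "EVT-03", "control": "Events are received from each log source",
     "request": "Event volume per log source over the last 24 hours"},
    {"id": "BAD-99", "control": "Housekeeping",
     "request": "Delete stale log sources"},   # a write; must never run on the evidence path
]

# Read-only QRadar REST calls the executor may make. Paths as documented for the
# QRadar API (assumed here; verify against your version). Nothing else is executed.
ALLOWED_CALLS = [
    ("GET",  re.compile(r"^/api/config/event_sources/log_source_management/log_sources$")),
    ("POST", re.compile(r"^/api/ariel/searches$")),   # submits an AQL search; changes no config
    ("GET",  re.compile(r"^/api/ariel/searches/[A-Za-z0-9-]+/results$")),
    ("GET",  re.compile(r"^/api/siem/offenses$")),
]

@dataclass
class PlannedCall:
    method: str
    path: str
    params: dict

@dataclass
class Evidence:
    checklist_id: str
    control: str
    status: str          # "collected" | "refused" | "error"
    method: str
    path: str
    params: dict
    collected_at: str    # UTC timestamp of collection
    record_count: int
    sha256: str          # digest of the canonical JSON response, so evidence is tamper-evident
    detail: str

def is_allowed(call: PlannedCall) -> bool:
    return any(call.method == m and p.match(call.path) for m, p in ALLOWED_CALLS)

def plan_call(item: dict) -> PlannedCall:
    """Keyword stand-in for the LLM-based API Extractor Agent (constructed)."""
    text = item["request"].lower()
    if "delete" in text:   # models what a misread or injected checklist row could produce
        return PlannedCall("DELETE", "/api/config/event_sources/log_source_management/log_sources/42", {})
    if "event volume" in text:
        aql = "SELECT logsourceid, COUNT(*) AS events FROM events GROUP BY logsourceid LAST 24 HOURS"
        return PlannedCall("POST", "/api/ariel/searches", {"query_expression": aql})
    return PlannedCall("GET", "/api/config/event_sources/log_source_management/log_sources", {})

Transport = Callable[[str, str, dict], object]

def fake_transport(method: str, path: str, params: dict) -> object:
    """Canned responses (constructed). A real transport sends the request with the
    'SEC' API-token header and raises on a non-2xx status."""
    if method == "GET" and path.endswith("/log_sources"):
        return [{"id": 42, "name": "fw-edge-01", "enabled": True},
                {"id": 43, "name": "ad-dc-01", "enabled": True}]
    if method == "POST" and path == "/api/ariel/searches":
        return {"search_id": "a1b2c3", "status": "COMPLETED"}
    if method == "GET" and path == "/api/ariel/searches/a1b2c3/results":
        return {"events": [{"logsourceid": 42, "events": 1280}, {"logsourceid": 43, "events": 512}]}
    raise RuntimeError(f"unexpected call {method} {path}")

def canonical_hash(payload: object) -> str:
    raw = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def collect(item: dict, planner, transport: Transport) -> Evidence:
    call = planner(item)
    base = dict(checklist_id=item["id"], control=item["control"], method=call.method, path=call.path,
                params=call.params, collected_at=datetime.now(timezone.utc).isoformat(timespec="seconds"))
    if not is_allowed(call):
        return Evidence(status="refused", record_count=0, sha256="",
                        detail="planned call is not on the read-only allowlist", **base)
    resp = transport(call.method, call.path, call.params)
    if call.path == "/api/ariel/searches":
        # Ariel searches are asynchronous: submit, then fetch results by search_id.
        if resp.get("status") != "COMPLETED":
            return Evidence(status="error", record_count=0, sha256="",
                            detail=f"search status {resp.get('status')}", **base)
        resp = transport("GET", f"/api/ariel/searches/{resp['search_id']}/results", {})
        rows = resp.get("events", [])
    else:
        rows = resp if isinstance(resp, list) else [resp]
    return Evidence(status="collected", record_count=len(rows), sha256=canonical_hash(resp),
                    detail=f"{len(rows)} records", **base)

def run_audit(checklist, planner=plan_call, transport: Transport = fake_transport):
    return [collect(item, planner, transport) for item in checklist]

if __name__ == "__main__":
    for ev in run_audit(CHECKLIST):
        print(json.dumps(asdict(ev), indent=2))
```

Two design points carry over to a real deployment. First, the API token the executor uses should itself be scoped to read-only endpoints so that the allowlist is a second line of defence rather than the only one. Second, hashing each response at collection time and storing the digest next to the timestamp, endpoint and query gives the auditor something to verify later, which a screenshot does not.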

Potential agent extensions for SAGE

SAGE workflow

SAGE source code

All supporting code for SAGE, including the Supervisor Agent, sub-agents, orchestration instructions, and Langflow MCP server configurations, is available in the GitHub repository.

This ensures that:

  • Anyone can access the implementation details.
  • Analysts can reuse the flows in their own environments.
  • MSSPs and enterprises can adapt the framework quickly.
  • Community contributions can add new features and improvements.

By keeping the repository open, SAGE becomes a collaborative and evolving project that the wider security community can benefit from.

Demo video

The following video walks you through the SAGE workflow:

Summary

SAGE changes the way audits are handled in SOCs and MSSPs. It turns evidence collection into an intelligent, agent-driven workflow that removes repetitive tasks, reduces errors, and speeds up compliance readiness.

The approach is not limited to cybersecurity. The same method can be applied in healthcare, banking, insurance, and other industries where structured audit evidence is important. Anywhere data can be accessed through APIs or queries, SAGE can deliver automation at scale.