Documentation requests for AI agents are starting to land on developers' desks. Security teams need to know what data each agent touches, which external systems it connects to, and how it makes decisions - not out of curiosity, but because SOC2 audits, GDPR assessments, and EU AI Act compliance requirements are beginning to apply directly to AI agent deployments.
Most developers who built agents over the past two years never kept those records. The agent worked, so it shipped. What it actually does with data is implicit in the code, not written down anywhere a compliance reviewer can read.
Heron, a new open-source tool available at theonaai/Heron on GitHub, tries to automate that documentation gap. Rather than asking developers to fill out a questionnaire from memory, it interviews the agent directly: sends 10 standardized questions about data handling, system access, and decision-making, then follows up with more specific questions where it detects uncertainty. The output is a structured compliance report with regulatory flags built in for SOC2, GDPR, and the EU AI Act. No code changes required, no SDK integration - MIT licensed, four operational modes.
What "Interviewing" an Agent Actually Means
Heron operates as an external client: it talks to your agent the same way a user would, but asks security-focused questions. That's both its strength and its main limitation.
The strength: no access to your codebase, no instrumentation, no coordination with the original developer. Point Heron at a running agent and get a report. That's a low barrier for teams that need something done quickly.
The limitation: the agent only reports what it knows about itself. If your agent uses a tool that connects to a third-party API with its own data handling behavior, the interview won't surface that. Heron documents what the agent says, not necessarily everything happening at the infrastructure level. For a first-pass compliance document, that's probably sufficient. For a SOC2 audit requiring verified claims, you'd supplement it with code review and infrastructure logging.
The Compliance Pressure AI Developers Are About to Face
The EU AI Act began phasing in requirements in 2024, with additional obligations continuing through 2025 and 2026. For systems classified as "limited risk" or higher - which covers most customer-facing or decision-making agents - developers must maintain technical documentation covering system design, data inputs, outputs, and human oversight mechanisms.
GDPR has required documentation for automated decision-making for years, but enforcement targeting AI specifically has been inconsistent. That's tightening as regulators issue more specific guidance. SOC2, which many SaaS companies pursue to satisfy enterprise customers, is also increasingly covering AI systems as auditors develop standards for what responsible AI deployment looks like.
Developers who built agents quickly and never documented them will face a document-or-disable situation at some point. A tool that reduces that work from several days to a few hours has real value, even if the output needs human review before going to an auditor.