ARXsec + Paperclip: Secure Document Management for AI Security Agents

arxsec-site / blog/arxsec-paperclip-integration.md

*April 27, 2026*

---

Security agents don't just query endpoints and write tickets. They produce evidence. Compliance packages, incident reports, policy attestations, data flow diagrams — the paperwork that turns a security program into an auditable record.

Until now, that output lived wherever the agent dumped it: an S3 bucket with overly broad permissions, an email chain, a shared drive that nobody audited. We built a native Paperclip integration the week it showed up in our request backlog for the fifth time.

This post explains what the integration does, why document governance matters as much as agent governance, and how the two platforms fit together.

---

The Gap Nobody Noticed

ARXsec governs what agents do. Paperclip governs what agents produce. Those are different problems.

An agent that isolates an endpoint does something. An agent that generates a post-incident report and attaches it to a Jira ticket _produces_ something — and that document has its own lifecycle: who can read it, who approved it, where it's stored, how long it's retained, and whether a compliance auditor can verify it's unchanged.

Most security teams handle this with a shared drive and hope.

| Requirement | Without Paperclip | With ARXsec + Paperclip |
|-------------|-------------------|-------------------------|
| Document retention policy | Manual, ad hoc | Enforced per document class |
| Access control | Folder permissions, usually too broad | Connector-level ACL via ARXsec policy |
| Audit trail | "Who last modified this?" | Immutable event chain for every read, write, share |
| Agent approval gates | Not applicable | HITL before any external share |
| Compliance evidence | Manually assembled | Auto-attached from ARXsec compliance packages |

Neither platform alone closes the governance story. Combined, they do.

---

What the Integration Does

The ARXsec Paperclip connector has four capabilities:

1. Auto-Attach Compliance Evidence

When ARXsec generates a compliance package — SOC 2 evidence bundle, data flow diagram, vendor security questionnaire — the Paperclip connector automatically stores it in the customer's Paperclip workspace with the correct retention class, access controls, and metadata.

```python
# Generate a compliance package and store it in Paperclip.
# `arx` is an initialised ARXsec SDK client; the calls are the ones the connector exposes.
async def store_soc2_evidence(arx):
    package = await arx.compliance().generate_soc2_package(agent_id="triage-agent")
    doc = await arx.paperclip().store_document(
        content=package.pdf,
        classification="compliance-evidence",
        retention_years=7,
        access_policy="legal+security-leadership",
    )
    # doc.url, doc.receipt and doc.retention_class are all logged to the audit trail
    return doc
```

2. Document-Level HITL Gates

Before any compliance document leaves ARXsec's control — sent to an auditor, shared with a vendor — the Paperclip connector checks ARXsec policy. If the document is classified as sensitive, an approval gate fires.

```python
# Sharing a security assessment externally requires CISO approval.
async def share_assessment(arx):
    result = await arx.paperclip().share_document(
        doc_id="assessment-2026-04",
        recipient="auditor@deloitte.com",
        policy_check=True,  # enforces the HITL gate if policy P-022 matches
    )
    # Fires: "External document share requires CISO approval"
    # The CISO approves via Slack; the share proceeds and is logged to the immutable trail.
    return result
```
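What the gate has to get right is less the "is this sensitive?" check than the binding of the approval to the share: an approval is only meaningful if it names the document, the recipient and the approving role, and expires. The following is an added example written for this post, not ARXsec or Paperclip code; the policy table, the role names, the internal-domain list and the `Approval` record are assumptions for the demo, and policy P-022 from the snippet above is not modelled.

```python
"""Document-level share gate (illustrative, not ARXsec's implementation)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Iterable, Optional, Tuple


class Verdict(Enum):
    ALLOW = "allow"
    REQUIRE_APPROVAL = "require_approval"
    DENY = "deny"


@dataclass(frozen=True)
class Document:
    doc_id: str
    classification: str


@dataclass(frozen=True)
class Approval:
    """A human approval bound to one (document, recipient) pair, with a lifetime.

    Binding to the pair stops an approval granted for one share from being
    replayed to send the same document to a different recipient.
    """
    doc_id: str
    recipient: str
    approver_role: str
    granted_at: datetime
    ttl: timedelta = timedelta(hours=24)

    def covers(self, doc_id: str, recipient: str, required_role: str, now: datetime) -> bool:
        return (
            self.doc_id == doc_id
            and self.recipient.lower() == recipient.lower()
            and self.approver_role == required_role
            and timedelta(0) <= now - self.granted_at <= self.ttl
        )


# Hypothetical policy table: classification -> role whose approval an external share needs.
# None means the class is not gated. A class missing from the table is denied (fail closed).
SHARE_POLICY: Dict[str, Optional[str]] = {
    "public": None,
    "compliance-evidence": "CISO",
    "security-assessment": "CISO",
    "incident-report": "security-leadership",
}
INTERNAL_DOMAINS = {"corp.example"}  # constructed tenant setting for the demo


def recipient_is_external(recipient: str) -> bool:
    return recipient.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def evaluate_share(doc: Document, recipient: str, approvals: Iterable[Approval],
                   now: Optional[datetime] = None) -> Tuple[Verdict, str]:
    """Decide whether a share may proceed, needs a human, or is refused outright."""
    now = now or datetime.now(timezone.utc)
    if recipient.count("@") != 1:
        return Verdict.DENY, "malformed recipient"
    if not recipient_is_external(recipient):
        return Verdict.ALLOW, "internal recipient; external-share gate not applicable"
    if doc.classification not in SHARE_POLICY:
        return Verdict.DENY, f"unknown classification {doc.classification!r}"
    required = SHARE_POLICY[doc.classification]
    if required is None:
        return Verdict.ALLOW, "classification is not gated"
    if any(a.covers(doc.doc_id, recipient, required, now) for a in approvals):
        return Verdict.ALLOW, f"{required} approval on file"
    return Verdict.REQUIRE_APPROVAL, f"external share of {doc.classification} requires {required} approval"


def demo() -> Dict[str, Verdict]:
    """Constructed scenarios; returns the verdict for each so they can be checked."""
    now = datetime(2026, 4, 27, 12, 0, tzinfo=timezone.utc)
    assessment = Document("assessment-2026-04", "security-assessment")
    auditor = "auditor@audit-firm.example"
    fresh = Approval(assessment.doc_id, auditor, "CISO", now - timedelta(hours=1))
    stale = Approval(assessment.doc_id, auditor, "CISO", now - timedelta(hours=25))
    return {
        "no_approval": evaluate_share(assessment, auditor, [], now)[0],
        "approved": evaluate_share(assessment, auditor, [fresh], now)[0],
        "replayed_to_other_recipient": evaluate_share(assessment, "vendor@other.example", [fresh], now)[0],
        "expired": evaluate_share(assessment, auditor, [stale], now)[0],
        "internal": evaluate_share(assessment, "ciso@corp.example", [], now)[0],
        "unknown_class": evaluate_share(Document("draft-1", "draft"), auditor, [], now)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30s} {verdict.value}")
```

Two design choices matter in practice: the gate fails closed on a classification it does not recognise rather than treating it as public, and an approval that is not bound to the exact document and recipient (or that never expires) is not an approval gate at all, only a one-time speed bump.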

3. Immutable Document Chain

Every document stored through the integration has its own immutable event chain in ARXsec's audit log: created, accessed, modified, shared, deleted. The chain is cryptographically bound — the same Merkle structure used for agent actions.

An auditor can verify: this document existed at this time, no bytes changed between version 1 and version 2, and these four people accessed it.
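The three auditor questions above are exactly what a hash-chained event log answers. The block below is an added example for this post, not ARXsec's audit trail: the page says ARXsec uses a Merkle structure, while this demo uses a plain linear hash chain, which is enough to show the properties involved. Every event commits to its predecessor's hash and to a hash of the document bytes it concerns, so an edited, dropped or reordered event is detected on verification. The event layout, the sample lifecycle and the actor names are all constructed for the demo.

```python
"""Hash-chained lifecycle log for one document, with auditor-side verification (illustrative)."""
import dataclasses
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

GENESIS = "0" * 64  # prev_hash of the first event


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Event:
    seq: int
    doc_id: str
    action: str                  # created / accessed / modified / shared / deleted
    actor: str
    ts: str                      # caller-supplied ISO-8601 timestamp
    content_hash: Optional[str]  # sha256 of the document bytes after this event
    prev_hash: str               # event_hash of the previous event
    event_hash: str


def _digest(seq, doc_id, action, actor, ts, content_hash, prev_hash) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is independent of field order.
    body = json.dumps({"seq": seq, "doc_id": doc_id, "action": action, "actor": actor,
                       "ts": ts, "content_hash": content_hash, "prev_hash": prev_hash},
                      sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(body)


class DocumentChain:
    def __init__(self, doc_id: str):
        self.doc_id = doc_id
        self.events: List[Event] = []

    def append(self, action: str, actor: str, ts: str, content: Optional[bytes] = None) -> Event:
        """Record an event; content is given for created/modified and carried forward otherwise."""
        prev = self.events[-1].event_hash if self.events else GENESIS
        if content is not None:
            content_hash = sha256_hex(content)
        else:
            content_hash = self.events[-1].content_hash if self.events else None
        seq = len(self.events)
        ev = Event(seq, self.doc_id, action, actor, ts, content_hash, prev,
                   _digest(seq, self.doc_id, action, actor, ts, content_hash, prev))
        self.events.append(ev)
        return ev


def verify_chain(events: Sequence[Event]) -> Tuple[bool, str]:
    """Recompute every link; an edited, dropped or reordered event breaks the chain."""
    prev = GENESIS
    for i, ev in enumerate(events):
        if ev.seq != i:
            return False, f"sequence break at position {i}"
        if ev.prev_hash != prev:
            return False, f"event {i} does not link to its predecessor"
        if _digest(ev.seq, ev.doc_id, ev.action, ev.actor, ev.ts, ev.content_hash, ev.prev_hash) != ev.event_hash:
            return False, f"event {i} has been altered"
        prev = ev.event_hash
    return True, "chain intact"


def bytes_changed_between(events: Sequence[Event], seq_a: int, seq_b: int) -> bool:
    """Did the document bytes differ between two points in its history?"""
    return events[seq_a].content_hash != events[seq_b].content_hash


def accessors(events: Sequence[Event]) -> List[str]:
    """Who read the document, according to the chain."""
    return sorted({ev.actor for ev in events if ev.action == "accessed"})


def build_demo_chain() -> DocumentChain:
    """Constructed lifecycle for a SOC 2 evidence bundle (sample data, not real events)."""
    chain = DocumentChain("soc2-evidence-2026-q1")
    chain.append("created", "triage-agent", "2026-04-27T09:00:00Z", content=b"SOC2 evidence v1")
    chain.append("accessed", "ciso@corp.example", "2026-04-27T09:30:00Z")
    chain.append("accessed", "legal@corp.example", "2026-04-27T10:00:00Z")
    chain.append("modified", "triage-agent", "2026-04-27T11:00:00Z", content=b"SOC2 evidence v2")
    chain.append("shared", "ciso@corp.example", "2026-04-27T12:00:00Z")
    return chain


def tampered_copy(events: Sequence[Event], seq: int, **changes) -> List[Event]:
    """The log with one event silently edited, as someone with raw store access might do."""
    out = list(events)
    out[seq] = dataclasses.replace(out[seq], **changes)
    return out


if __name__ == "__main__":
    chain = build_demo_chain()
    print(verify_chain(chain.events))                  # (True, 'chain intact')
    print(bytes_changed_between(chain.events, 0, 3))   # True: v1 -> v2
    print(bytes_changed_between(chain.events, 0, 2))   # False: reads do not change bytes
    print(accessors(chain.events))                     # ['ciso@corp.example', 'legal@corp.example']
    print(verify_chain(tampered_copy(chain.events, 2, actor="nobody@corp.example")))
```

Note what the chain does and does not give you: it proves the log is internally consistent and that stored bytes match recorded hashes, but an operator who can rewrite every later hash can rewrite history. That is why the head of the chain has to be anchored somewhere the operator cannot silently change (a signed receipt handed to the auditor, a timestamping service, or an append-only external log); the `doc.receipt` value in the storage call above is the natural thing to anchor.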

4. Agent-Produced Document Registry

Documents created by agents — not humans — are automatically tagged with their origin: which agent, which workflow, which policy governed them. The CISO dashboard shows a registry of every agent-produced document alongside the agent that produced it.

This matters for AI governance: regulators increasingly want to know not just what AI did, but what AI produced and who relied on it.

---

How It Works Architecturally

```
┌─────────────────────────┐
│     Security Agent      │
│  (triage, compliance,   │
│   reporting workflows)  │
└───────────┬─────────────┘
            │
┌───────────▼─────────────┐
│     ARXsec Platform     │
│  ├─ Policy Engine       │
│  │  (doc classification,│
│  │   HITL gates)        │
│  ├─ Audit Trail         │
│  │   (immutable chain)  │
│  └─ Compliance Engine   │
│     (SOC2, HIPAA, etc.) │
└───────────┬─────────────┘
            │
┌───────────▼─────────────┐
│   Paperclip Connector   │
│  ├─ Document Store      │──▶ Compliance evidence
│  ├─ Retention Engine    │──▶ 7-year vault
│  ├─ Access Control      │──▶ Per-role ACL
│  └─ Share Gateway       │──▶ Auditors / vendors
└─────────────────────────┘
```

ARXsec governs what agents do. Paperclip governs what agents produce. The connector carries ARXsec's policy verdicts and audit events into the document layer so the CISO sees one consistent picture.

---

Why This Matters for CISOs

The Board Question Is Changing

Boards used to ask: "What can our AI agents do?" They're starting to ask: "What are our AI agents producing, and who has it?"

A compliance package generated by an AI agent and sent to an external auditor is a liability if it contains errors, if it leaked beyond its intended audience, or if the agent that produced it wasn't properly governed. Paperclip + ARXsec closes that loop.

Document Governance Is AI Governance

The EU AI Act and emerging SEC guidance both treat AI-produced documents as significant artifacts. An AI system that produces compliance reports, incident summaries, or risk assessments must be governed — and the governance trail must include the document's lifecycle, not just the agent's runtime behavior.

No Integration Work

Configure it in the ARXsec dashboard. Enter the Paperclip workspace URL and API key. Done. Every agent that produces documents automatically uses the integration — no code changes to existing agents.

---

Getting Started

  1. Configure in ARXsec — Dashboard > Connectors > Paperclip > Enter workspace URL + API key
  2. Set document policies — Define which document classes require HITL before external sharing
  3. Enable auto-attach — Turn on compliance package auto-storage per agent or per workflow
  4. Review the document registry — CISO dashboard shows every agent-produced document with full lineage

---

What's Next

  • Version diffing — Compare two versions of an AI-generated document with cryptographic proof that only specific fields changed
  • Auditor portal — Share a read-only compliance package view with external auditors, with access expiry and download logging
  • Policy inheritance — Documents inherit the agent's policy class automatically; a high-risk agent produces high-sensitivity documents

---

*ARXsec is the compliance-native infrastructure platform for enterprise AI agents. 101+ native connectors. Real-time policy enforcement. Human-in-the-loop approval gates. One-click SOC 2 compliance packages.*
