ModelCharter

SOC 2 and AI Tools: What Auditors Are Now Asking

Security audit and business report representing SOC 2 AI compliance requirements

Photo: RDNE Stock project / Pexels

SOC 2 was designed for cloud software companies, but its Trust Services Criteria apply to AI tools too. As AI adoption has accelerated, auditors have started asking questions the original SOC 2 criteria did not anticipate: do you know which AI tools your team uses? Do you have a policy for them? Have you vetted AI vendors the same way you vet any other third-party processor? For most small SaaS companies, AI is now inside the scope of an audit whether you planned for it or not.

The AI questions appearing in SOC 2 engagements

Current auditors are asking variants of: what AI tools are in use in your environment? Do you have an AI usage policy? Have employees been trained on it? How do you evaluate AI tools before approval, especially those that process customer data? Do your AI vendors have their own SOC 2 reports? Is there a process for retiring AI tools that no longer meet your standards? None of these questions have a satisfying answer if you have not documented your AI governance before the audit starts.

Vendor management controls and AI

SOC 2's vendor management requirements apply to AI vendors. If an AI tool processes data that is in scope for your SOC 2 engagement, you need to have evaluated that vendor, confirming their SOC 2 status, their data-handling terms, and (for personal data) a Data Processing Agreement. Keep records of those evaluations as you would for any other vendor. Your AI tool register doubles as the vendor management documentation that satisfies this criterion.

AI policy as SOC 2 evidence

The Common Criteria around logical access and change management both touch on AI indirectly. An AI usage policy that specifies who is authorised to use which tools, what data is permitted, and who approves new tools maps onto the access control and change management criteria auditors already check. Writing your AI policy with those criteria in mind means it does double duty: governance document and audit evidence at the same time.

The fastest path to audit-readiness

Get your policy in writing, get your tool list documented with vendor SOC 2 status noted, and get staff to acknowledge the policy. Those three steps produce the documentation that satisfies most AI-related audit questions without custom controls or lengthy projects. ModelCharter generates the policy and attestation trail. Checking vendor SOC 2 status takes around ten minutes per tool in our tool directory, far less than a full vendor questionnaire from scratch.

Put this into practice

Generate a free AI usage policy for your team, then see which of your tools are safe to use.

Open the generator