SOC 2
SOC 2 (AICPA System and Organization Controls 2) · American Institute of Certified Public Accountants (AICPA)
SOC 2 is an attestation report on a service organisation's controls against five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality and Privacy. It is the most-requested trust report in US B2B SaaS. As AI use has grown, SOC 2 auditors increasingly expect a documented AI usage policy and vendor governance for AI subprocessors.
Who it applies to
Any SaaS or service company that handles customer data and wants to prove its controls to enterprise buyers. Auditors now routinely look at how you govern AI.
Key points
- Type I vs Type II: Type I tests control design at a point in time; Type II tests operating effectiveness over a period (usually 3 to 12 months) and is what enterprise buyers want.
- AI shows up in Security & Confidentiality: auditors check that staff can't leak confidential data into ungoverned AI tools and that AI vendors are assessed like any other subprocessor.
- Policy + evidence: an AI usage policy, together with records showing that staff have acknowledged it, is the kind of evidence that satisfies the relevant criteria.
What a small team should do
If you sell to other businesses, SOC 2 is usually the gate. Adding an AI usage policy, a vendor/tool register and attestation records closes the most common AI-related gaps auditors now raise.
FAQ
- Does SOC 2 cover AI?
  - SOC 2 has no separate AI criterion, but auditors evaluate AI under Security and Confidentiality. They expect an AI usage policy and that AI vendors are governed like other subprocessors.
- What's the difference between SOC 2 Type I and Type II?
  - Type I assesses whether controls are designed correctly at a point in time; Type II assesses whether they actually operated effectively over a period, and is the report enterprise buyers prefer.