See also (wiki): wiki/vendor-security-questionnaires.md, wiki/ai-vendor-contracts.md
Executive Summary
- SOC 2 Type II remains the de facto trust document for AI vendor procurement, but the AICPA has not added AI-specific criteria to its Trust Services Criteria. The framework still audits controls around data, not model behavior.
- Every major AI vendor now holds SOC 2 Type II — OpenAI (Jan–Jun 2025, Security/Availability/Confidentiality/Privacy), Anthropic (Claude APIs, ZDR endpoints, audit logging), Microsoft (Azure including Azure OpenAI), Google Cloud (Vertex AI), Salesforce (Einstein/Agentforce). Scope varies; consumer-tier products are generally excluded.
- The SOC 2 report answers “is the data secure?” It does not answer “is the model accurate, fair, grounded, or safe?” Those questions require ISO/IEC 42001 or a SOC 2+ examination that adds the 38 AI-specific controls in ISO/IEC 42001 Annex A.
- Auditors in 2026 are flagging nine recurring gaps inside AI SOC 2 engagements — from model versions that aren’t in change management, to shadow AI usage bypassing vendor review, to undisclosed subprocessor chains routing data through downstream model providers.
- The practical implication for procurement: a SOC 2 Type II report is necessary but insufficient due diligence for any AI deployment touching regulated data. Read Section 4, check the scope, and ask for the ISO 42001 certificate.
What SOC 2 Type II Covers for an AI System
SOC 2 applies the same five Trust Services Criteria to an AI vendor that it applies to any cloud provider: Security, Availability, Processing Integrity, Confidentiality, Privacy. Most AI vendor reports cover four of these — Security, Availability, Confidentiality, Privacy — and omit Processing Integrity, the criterion most relevant to output correctness.
Within the Common Criteria, auditors in 2025–2026 are tightening expectations on five control families for AI systems:
| Criterion | AI-Specific Expectation |
|---|---|
| CC6 (Logical Access) | LLM access gated through SSO, API keys rotated, training data stores restricted, OAuth grants audited to detect shadow AI use |
| CC7.1 (System Operations) | DLP and network monitoring capture data exfiltrated to third-party AI services |
| CC8.1 (Change Management) | Every production model has a unique version ID traceable to its training data, configuration, and deployment approval; bias/accuracy testing documented pre-deployment |
| CC9.1 (Risk Mitigation) | Approved AI tool list maintained; unauthorized tool usage treated as a control failure |
| CC9.2 (Supply Chain) | Subprocessor list discloses downstream AI model providers; DPAs and BAAs in place |
Vendors that elect Processing Integrity add controls for output validation — RAG grounding, hallucination sampling, human review for high-stakes outputs, monitoring of accuracy drift.
What SOC 2 Does Not Cover
Per Linford & Co’s April 2026 guidance: “Auditors cannot provide reasonable assurance on the output of AI but can provide reasonable assurance on the controls around the AI.” A SOC 2 Type II report is silent on:
- Algorithmic fairness and bias. Auditors examine whether testing occurred, not whether results were fair.
- Hallucination rates. Auditors examine sampling procedures, not absolute accuracy.
- Training data provenance. Confidentiality and PII handling are covered; copyright, consent, and licensing of training corpora are not.
- Model safety and alignment. Entirely outside scope.
- Ethical use. Outside scope.
The AICPA’s Trust Services Criteria was last formally revised in November 2022, before the generative AI wave. The AICPA has issued nonauthoritative guidance acknowledging AI, but no AI-specific criteria have been codified into TSC 2017 (2022 rev.) or the SOC 2 Description Criteria.
Vendor SOC 2 Status as of April 2026
| Vendor | Scope | Period | TSC Covered | AI-Specific Gaps Worth Asking About |
|---|---|---|---|---|
| OpenAI | API Platform, ChatGPT Enterprise/Edu/Team | Jan 1 – Jun 30, 2025 | Security, Availability, Confidentiality, Privacy | Processing Integrity not included; ChatGPT Plus/Free excluded |
| Anthropic | Claude APIs, web apps, audit logging, ZDR endpoints | Trailing 12-month | Security, Availability, Confidentiality | Detailed Type II under NDA; Processing Integrity not covered |
| Microsoft Azure (incl. Azure OpenAI) | Full Azure platform | Rolling 12-month, semi-annual reissue | Security, Availability, Confidentiality, Processing Integrity | Azure OpenAI inherits Azure controls; application-layer AI controls not separately attested |
| Microsoft 365 Copilot | Pending separate attestation (as of early 2025) | TBD | TBD | Relies on M365 underlying SOC 2 coverage; confirm current status on Service Trust Portal |
| Google Cloud (Vertex AI, Gemini for Workspace) | Platform-wide | Trailing 12-month | Security, Availability, Confidentiality, Privacy | Type II under NDA via Compliance Reports Manager |
| Salesforce (Einstein, Agentforce) | Per cloud (Sales, Service, Marketing, Data Cloud) | Trailing 12-month | Security, Availability, Confidentiality, Processing Integrity | Separate reports per cloud; confirm which cloud hosts your data |
Consumer-tier products (ChatGPT Plus, Claude Pro individual, Gemini consumer) are generally out of scope. A vendor holding SOC 2 Type II on its enterprise tier says nothing about its consumer product — a distinction that matters when employees paste client data into a personal account.
Credibility note: these scoping summaries come from vendor trust portals and Big 4/national SOC 2 firms (Schellman, Baker Tilly, LBMC, Linford). Vendor trust portals are authoritative for their own scope but self-published. Always request the actual Type II report under NDA rather than relying on the portal summary.
The SOC 2+ with ISO 42001 Pattern
The emerging auditor-recommended path for AI-first vendors is a combined examination: SOC 2 Type II plus ISO/IEC 42001. Schellman, Baker Tilly, A-LIGN, and Coalfire now offer this as a single engagement.
ISO 42001 contributes 38 AI-specific controls in Annex A addressing:
- AI system impact assessments
- Data for AI systems (provenance, quality, bias testing)
- Responsible use policies
- Lifecycle management (development, deployment, retirement)
- Third-party AI supply chain
In a SOC 2+ report, ISO 42001 controls sit in Section 4 alongside the standard SOC 2 criteria. This is what a buyer evaluating an AI vendor for regulated workloads should ask for. OpenAI, Anthropic, and the major cloud providers all hold or are pursuing ISO 42001 as of April 2026.
Nine Gaps Auditors Are Flagging in 2026 AI SOC 2 Engagements
- Model deployments bypassing change management (CC8.1)
- No unique model version IDs traceable to training data and configuration
- No documented bias/accuracy testing pre-deployment
- Shadow AI usage — no DLP, no approved tool list, no OAuth audit
- Prompt data retention policies undefined or contradicted by vendor defaults
- Subprocessor list omits downstream AI model providers
- No hallucination monitoring or output validation sampling
- Training data lineage undocumented
- RAG grounding controls absent for high-stakes outputs
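
The first three gaps in the list above, which correspond to the CC8.1 expectation earlier on this page, can be checked mechanically against deployment records. The sketch below is an added example, not code from the cited auditors or any vendor; the record field names and the sample data are constructed assumptions.

```python
from collections import Counter
from datetime import date

# Constructed deployment records; the field names are assumptions made for
# this example, not a vendor's or auditor's schema.
DEPLOYMENTS = [
    {"version_id": "fraud-clf-1.4.0", "training_data_sha256": "a" * 64,
     "config_sha256": "b" * 64, "approved_on": date(2026, 3, 2),
     "eval_report_on": date(2026, 2, 27), "deployed_on": date(2026, 3, 4)},
    {"version_id": "fraud-clf-1.5.0", "training_data_sha256": None,
     "config_sha256": "c" * 64, "approved_on": date(2026, 4, 9),
     "eval_report_on": None, "deployed_on": date(2026, 4, 7)},
    {"version_id": "fraud-clf-1.5.0", "training_data_sha256": "d" * 64,
     "config_sha256": "e" * 64, "approved_on": date(2026, 4, 10),
     "eval_report_on": date(2026, 4, 12), "deployed_on": date(2026, 4, 11)},
]

def cc81_findings(deployments):
    """Return (record index, version_id, finding) for each traceability gap."""
    findings = []
    counts = Counter(d.get("version_id") for d in deployments)
    for i, d in enumerate(deployments):
        vid = d.get("version_id")
        def flag(msg):
            findings.append((i, vid, msg))
        if not vid:
            flag("no model version ID")
        elif counts[vid] > 1:
            flag("version ID not unique")
        # A version is traceable only if both inputs are pinned by digest.
        for field in ("training_data_sha256", "config_sha256"):
            if not d.get(field):
                flag(f"{field} missing: version not traceable")
        # Approval and testing must exist and must precede deployment.
        deployed = d.get("deployed_on")
        for field, label in (("approved_on", "deployment approval"),
                             ("eval_report_on", "bias/accuracy test")):
            when = d.get(field)
            if when is None:
                flag(f"no {label} recorded")
            elif deployed and when > deployed:
                flag(f"{label} dated after deployment")
    return findings

if __name__ == "__main__":
    for idx, vid, msg in cc81_findings(DEPLOYMENTS):
        print(f"record {idx} ({vid}): {msg}")
```

An approval or test report dated after the deployment date is reported separately from a missing one, because it indicates a deployment that bypassed change management rather than one that was never reviewed.
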
Key Data Points
| Data Point | Source | Value / Date |
|---|---|---|
| AICPA TSC last formal revision | AICPA via EY | Nov 2022 |
| OpenAI SOC 2 Type II coverage window | OpenAI Trust Portal | Jan 1 – Jun 30, 2025 |
| OpenAI additional certifications | OpenAI Trust Portal | ISO 27001/27017/27018/27701/42001, PCI DSS v4.0.1, FedRAMP 20x (Apr 2026) |
| Anthropic SOC 2 Type II scope | Anthropic Trust Center | Claude APIs, web apps, audit logging, ZDR (Apr 2026) |
| Azure SOC 2 reissue cadence | Microsoft Service Trust Portal | Semi-annual, rolling 12-month |
| ISO 42001 Annex A AI-specific controls | ISO/IEC 42001:2023 | 38 controls |
| TSC criteria explicitly addressing AI | AICPA | 0 |
What This Means for Your Organization
Treat a SOC 2 Type II report as the floor of AI vendor due diligence, not the ceiling. The report tells you the vendor’s infrastructure is secure and their change management is disciplined. It does not tell you whether the model will hallucinate a client’s name into a contract clause, whether the training data included your competitor’s proprietary documents, or whether outputs will reproduce biased decisions at scale. Those are different questions — and SOC 2 was not designed to answer them.
Before a deployment touching regulated data (PHI, PII, material non-public information, privileged legal work), three documents should be on the table: the current SOC 2 Type II report (not the portal summary — the actual report under NDA, so you can read Section 4 and Section 5), the ISO 42001 certificate or gap analysis, and the DPA with its current subprocessor list. If the vendor cannot produce all three, the deployment is premature regardless of the tool’s capability.
Sources
- AICPA Trust Services Criteria (via EY summary, Nov 2022) — https://www.ey.com/en_us/technical/accountinglink/to-the-point-aicpa-revises-guidance-on-applying-its-trust-services-criteria-and-soc-2-description-criteria. Credibility: HIGH (authoritative framework).
- Schellman, “How to Incorporate AI Controls into Your SOC 2 Examination” (2025) — https://www.schellman.com/blog/soc-examinations/how-to-incorporate-ai-into-your-soc-2-examination. Credibility: HIGH (licensed SOC 2 auditor).
- Baker Tilly, “Evolving SOC 2 reports for AI controls” (2025–2026) — https://www.bakertilly.com/insights/ai-controls-for-soc-2-reports. Credibility: HIGH (top-10 accounting firm).
- LBMC, “Generative AI Risk Management with SOC 2” (2025) — https://www.lbmc.com/blog/generative-ai-soc-2/. Credibility: MEDIUM-HIGH (national SOC 2 firm).
- Linford & Co, “Shadow AI and SOC 2: How It Creates Audit Gaps” (2026) — https://linfordco.com/blog/shadow-ai-soc-2/. Credibility: MEDIUM-HIGH (boutique SOC 2 firm).
- OpenAI Trust Portal — https://trust.openai.com/ (accessed Apr 13, 2026). Credibility: HIGH for vendor self-attestation, but vendor-published.
- Anthropic Trust Center — https://trust.anthropic.com/resources (accessed Apr 13, 2026). Credibility: HIGH for vendor self-attestation, vendor-published.
- Microsoft Service Trust Portal — https://servicetrust.microsoft.com/ (accessed Apr 13, 2026). Credibility: HIGH, vendor-published.
- ISO/IEC 42001:2023 — AI management system standard, 38 Annex A controls. Credibility: HIGH (international standard).
Brandon Sneider | brandon@brandonsneider.com | April 2026