SOC 2

SOC 2 is an audit framework from the AICPA that assesses how a SaaS vendor manages security, availability, processing integrity, confidentiality, and privacy.

What is SOC 2?

SOC 2 (Service Organization Control 2) is an audit framework published by the American Institute of Certified Public Accountants (AICPA). A SOC 2 report attests that an external auditor has examined a service provider's controls against the AICPA's Trust Services Criteria — security, availability, processing integrity, confidentiality, and privacy.

For AI vendors, a SOC 2 report is the most common security attestation enterprise buyers will ask to see during procurement. It is not a certification with a stamp; it is a long-form report (often 40+ pages) that describes the controls in scope, the auditor's testing procedures, and any exceptions found.

SOC 2 Type I vs Type II

Type I assesses whether the controls are designed appropriately at a single point in time. It is a faster, less rigorous attestation — useful as evidence that a vendor takes security seriously, but a procurement team should not treat it as equivalent to Type II.

Type II assesses whether those same controls operated effectively over a period of time, typically 6 to 12 months. This is the version enterprise buyers expect from a mature vendor. The audit report covers the observation window and explicitly lists any exceptions.

If you are evaluating an AI vendor and they tell you "we have SOC 2," ask which type, what the observation window was, and request the report itself under NDA. Verbal claims are not evidence; the report is.

What SOC 2 does not cover

SOC 2 is not designed for AI-specific risk. It does not assess whether a vendor trains models on customer data, whether outputs feed back into training, or whether sub-processors include third-party model providers in different jurisdictions. It does not address copyright indemnification, model card disclosure, or red-team testing. Treat SOC 2 as table stakes for security and operational maturity, then layer AI-specific diligence on top.