Skip to main content
SOC 2 TRUST SERVICE CRITERIA

SOC 2 AI Security Controls

We test the specific SOC 2 controls that apply to AI systems — prompt injection defenses, credential exposure, access controls, and monitoring gaps.

Scope note: HAIEC assesses AI-relevant SOC 2 controls, not every control in the Trust Services Criteria. SOC 2 certification requires an independent CPA-firm audit — we help you prepare evidence and close AI-specific gaps.

Start Free Readiness AssessmentSOC 2 vs ISO 27001
8 AI-specific controls testedStatic code + live endpoint testingAudit-ready evidence artifacts
15 min
Assessment Time
8
AI Controls Checked
100%
Free — No Card
30+
Evidence Artifacts

Which SOC 2 Controls We Test for AI Systems

SOC 2 has 116+ controls. For AI vendors, a specific subset is critical. We scan your code and endpoints for the 8 controls most commonly failed during AI-related SOC 2 audits.

CC6.1

Logical Access Controls

AI endpoints must enforce authentication. We test MFA bypass and unauthenticated access paths to your AI API.

CC6.3

Role-Based Access

AI admin functions (model config, prompt templates) must be restricted by role. We probe privilege escalation paths.

CC6.6

Secrets & Credential Management

AI API keys, LLM provider tokens, and vector DB credentials must not be hardcoded. We scan your code for 7 credential exposure patterns.

CC7.2

System Monitoring

Anomalous AI outputs (prompt injection, data exfiltration) must be detected. We check for missing monitoring and logging in your AI pipeline.

CC8.1

Change Management

AI model updates, prompt changes, and RAG document additions must follow change control. We flag uncontrolled update paths.

CC9.2

Vendor Risk Management

LLM providers (OpenAI, Anthropic, etc.) are subservice organizations. We detect direct unproxied API calls that lack vendor risk controls.

A1.2

Availability & DoS

AI endpoints must handle adversarial load. We test for missing rate limits, token limits, and context overflow protections.

PI1.2

Processing Integrity

AI outputs feeding downstream processes must be validated. We check for unvalidated AI output used in SQL, HTML, or business logic.

What We Do NOT Cover

We are an AI security tool, not a full GRC platform. These controls require separate processes outside our scope:

Physical security controls (CC6.4, CC6.5)
HR onboarding/offboarding (CC6.2)
Financial processing integrity
Board governance and risk committees
Business continuity planning (non-AI)
Encryption key ceremonies and HSM controls

For full SOC 2 readiness, pair HAIEC's AI-specific controls check with a GRC platform like Vanta, Drata, or Secureframe for the non-AI controls. HAIEC focuses on what those platforms miss: AI attack surface and prompt security.

How the SOC 2 AI Controls Assessment Works

1

Choose Your Path

Quick Discovery (5 min) or Full Audit Prep (15 min) with evidence collection.

2

Connect Your Code

Optional GitHub integration scans your AI code for credential exposure, missing rate limits, and unvalidated AI outputs.

3

Get Your Gap Report

Per-control pass/fail, mapped to SOC 2 criteria with HAIEC rule IDs and evidence snippets.

4

Download Evidence Pack

Auditor-ready artifacts: scan results, trust artifacts, and bridge letter linking our findings to SOC 2 criteria.

SOC 2 Basics for AI Companies

What is SOC 2?

SOC 2 (Service Organization Control 2) is a security framework from the AICPA. It is the most commonly required security certification for US software vendors. Enterprise customers use it to verify you have the controls to protect their data.

  • Required by most US enterprise procurement teams
  • 5 Trust Service Criteria (Security always required)
  • Type I = controls exist at a point in time
  • Type II = controls operated over 6-12 months

Timeline & Cost

Type I Timeline
3–6 months to certification
Type II Timeline
9–18 months total (6-12 month observation period)
Typical Cost
$40K–$150K first year (audit + tools + internal time)
AI-Specific Prep
HAIEC covers your AI controls gap in 15 minutes, free

Common Questions

Does passing HAIEC's assessment mean I'm SOC 2 compliant?

No. SOC 2 compliance requires an audit by an independent CPA firm. HAIEC helps you identify and close AI-specific control gaps before that audit — so you spend less on remediation and fewer surprises during the engagement.

Which SOC 2 criteria apply to AI systems specifically?

CC6.1 (access controls), CC6.6 (secrets management), CC7.2 (system monitoring), and CC8.1 (change management) are the most frequently cited in AI-related audit findings. CC9.2 (vendor risk) also applies if you use third-party LLM APIs like OpenAI or Anthropic.

Do I need SOC 2 or ISO 27001?

If you sell to US enterprises, SOC 2 is almost always required. If you sell to EU enterprises or government, ISO 27001 is more common. Both have ~60-70% control overlap. Many AI companies pursue both. Our assessment helps you see your gap against each.

What evidence does HAIEC generate for auditors?

Our scans produce trust artifacts: scan result records, evidence of tests run, timestamps, and a bridge letter mapping HAIEC rule IDs (R5.1–R5.7 for credential exposure, R1.1–R1.7 for prompt injection, etc.) to the corresponding SOC 2 criteria. These can be uploaded directly to your GRC platform.

Related Frameworks

ISO 27001 & 42001 (EU / global)HIPAA (healthcare AI)GDPR (EU data protection)NIST AI RMF (risk governance)EU AI Act (AI regulation)

Identify Your SOC 2 AI Control Gaps

Free 15-minute readiness assessment. Covers the 8 AI-specific controls most likely to fail a SOC 2 audit.

Start Free Assessment

No credit card required • No signup to start • Instant results