SOC 2

An independent auditor's attestation that a service organization's controls for security, availability, and confidentiality are designed and operating effectively - the default enterprise trust bar.

SOC 2 (Service Organization Control 2) is an audit framework, defined by the AICPA, in which an independent auditor attests that a company's controls meet the Trust Services Criteria - security, availability, processing integrity, confidentiality, and privacy. A Type I report assesses design at a point in time; a Type II assesses operating effectiveness over a period. It has become the default bar a vendor must clear to sell software to enterprises.

SOC 2 was written for traditional systems, and on its own it does not cover the runtime behavior of AI - which prompts a model saw, what an agent did, whether a policy actually blocked a leak. Closing that gap means pairing the framework's control objectives with enforced AI controls and continuous, queryable evidence, so an auditor's requirement maps to a control that runs rather than a screenshot.

All terms

Govern AI like infrastructure.

Talk to our team about deploying DataStrict across your enterprise stack.