Regulation · SOC 2 Trust Services Criteria + AI

SOC 2 for the AI era. With evidence auditors can actually verify.

SOC 2 wasn't written for generative AI. But CC7 (change management), CC8 (risk assessment), and P-criteria all apply. ShadowIQ gives you the AI-specific evidence your auditor will ask about.

What this is

Summary

SOC 2 Type II with AI controls uses the AICPA Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy) extended with AI-specific evidence. ShadowIQ provides pre-mapped controls and signed evidence for each criterion, accepted by Big-4 and boutique audit firms.

How it fits · explainer

The crosswalk: article → control → signed evidence.

Article   Requirement               ShadowIQ control                     Signed evidence
CC6.1     Logical access controls   SSO, SCIM, RBAC, signed admin log    Signed admin events
CC7.1     Change management         Policy-as-code via GitOps            Signed policy diffs
CC7.2     Monitoring controls       Drift + anomaly alerts               Signed detection events
CC8.1     Risk assessment           Continuous eval engine               Signed eval runs
CC9.1     Risk mitigation           Gateway enforcement policies         Signed decision log

Crosswalk · 5 shown · full map in /docs/compliance · signed Ed25519

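What "signed evidence" in the crosswalk means in practice, as an added example that is not ShadowIQ's code: a hypothetical crosswalk record (criterion, control, SHA-256 of the artifact, timestamp) is signed with Ed25519 by the evidence producer, and an auditor verifies it with only the public key, so any field edited after signing fails verification. The record shape, field names and the sample policy diff are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// EvidenceRecord: hypothetical shape for one crosswalk entry (SOC 2 criterion,
// control, SHA-256 of the artifact that proves it ran, timestamp). Only the
// hash is signed; the artifact itself stays in the producer's store.
type EvidenceRecord struct {
	Criterion      string `json:"criterion"`
	Control        string `json:"control"`
	ArtifactSHA256 string `json:"artifact_sha256"`
	ObservedAt     string `json:"observed_at"`
}

// NewRecord hashes the raw artifact (policy diff, admin event, eval run).
func NewRecord(criterion, control, observedAt string, artifact []byte) EvidenceRecord {
	sum := sha256.Sum256(artifact)
	return EvidenceRecord{criterion, control, hex.EncodeToString(sum[:]), observedAt}
}

// canonical is what gets signed; encoding/json writes struct fields in
// declaration order, so equal records always encode to identical bytes.
func canonical(r EvidenceRecord) []byte {
	b, _ := json.Marshal(r) // a struct of plain strings cannot fail to marshal
	return b
}

// SignRecord runs on the producer's side, holding the private key.
func SignRecord(priv ed25519.PrivateKey, r EvidenceRecord) []byte { return ed25519.Sign(priv, canonical(r)) }

// VerifyRecord is all an auditor needs: record, signature and the producer's
// public key. Any field edited after signing fails here.
func VerifyRecord(pub ed25519.PublicKey, r EvidenceRecord, sig []byte) bool { return ed25519.Verify(pub, canonical(r), sig) }

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	diff := []byte("constructed policy diff: +deny tool_call when source=untrusted")
	rec := NewRecord("CC7.1", "Policy-as-code via GitOps", "2025-01-15T10:00:00Z", diff)
	sig := SignRecord(priv, rec)
	fmt.Println("original verifies:", VerifyRecord(pub, rec, sig))
	rec.Control = "Manual change review" // tamper after signing
	fmt.Println("tampered verifies:", VerifyRecord(pub, rec, sig))
}
```

The producer publishes the public key once (for instance alongside an OSCAL export); the auditor never needs the private key or the producer's database to check a record.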
Where it hurts

You've heard this one before.

  • Existing SOC 2 scope didn't anticipate LLM-backed features.
  • CC7.1 change management evidence missing for prompt changes.
  • CC8.1 risk assessment has no AI-specific procedure.
  • Auditor asking for things your team can't produce in the timeframe.
What we do about it

Three moves.

  1. Scope expansion, done.

     A drop-in scope expansion template that adds AI systems, LLM routing, and policy-as-code to your existing SOC 2 scope.

  2. CC-criteria evidence.

     Every AI-relevant control criterion has signed evidence: CC6 (logical access), CC7 (change management), CC8 (risk assessment), CC9 (risk mitigation).

  3. Drata + Vanta integration.

     Evidence flows into your existing SOC 2 tool. Auditors pull from one place. Zero duplicate work.

Outcomes

Numbers, not adjectives.

  • Type II · annual readiness
  • Drata + Vanta · integration, first class
  • Schellman · A-LIGN · audit partners pre-briefed

Full crosswalk

SOC 2 (with AI) article → ShadowIQ control → signed evidence.

Article   Requirement               ShadowIQ control                     Signed evidence
CC6.1     Logical access controls   SSO, SCIM, RBAC, signed admin log    Signed admin events
CC7.1     Change management         Policy-as-code via GitOps            Signed policy diffs
CC7.2     Monitoring controls       Drift + anomaly alerts               Signed detection events
CC8.1     Risk assessment           Continuous eval engine               Signed eval runs
CC9.1     Risk mitigation           Gateway enforcement policies         Signed decision log

Frequently asked

Asked, answered, sourced.

Schellman, A-LIGN, Prescient, Coalfire, and KPMG. Each has consumed our evidence in at least one customer audit. We pre-brief the audit partner on OSCAL export and the verifier workspace.

Yes. Type I readiness is typically 4-6 weeks; Type II observation window runs 3-6 months with automated evidence collection.

We integrate natively. Your existing Drata/Vanta policies stay in place; ShadowIQ fills the AI-specific evidence gaps and flows attestations into the same auditor view.

Ready to see the signet in motion?

Your 30-minute demo. A signed audit trail by the end of it.

We'll wire ShadowIQ into one live workload, block a prompt injection in real time, and hand you a cryptographic receipt — before the meeting ends.