What does SOC 2 actually require?
SOC 2 sets out governance, risk-assessment, and documentation requirements for the AI systems in its scope. See the framework brief for the full obligation list.
Last updated April 26, 2026 · Every fact traceable to a public source
SOC 2 is an AICPA auditing standard for service organizations, evaluating controls relevant to security, availability, processing integrity, confidentiality, and privacy. While not AI-specific, SOC 2 Type II reports are table stakes for B2B SaaS vendors — including AI governance platforms — and are frequently mapped to AI-specific risk frameworks.
SOC 2 is active in the United States (AICPA). Scope attaches based on jurisdiction and the role a company plays in the AI supply chain. See /frameworks/soc2 for the full scope note and source links.
In our directory, the following vendors reference SOC 2 in their compliance coverage: Credo AI, Arthur, Modulos AI Governance, Scrut Automation, Braintrust, WhyLabs, Drata, Giskard, Vanta, Aporia, Lasso Security, Pillar Security. Each profile links to the public source for the claim.
This FAQ is editorial. No vendor can pay to be highlighted or ranked in answers, and the written commentary on this page is payment-free. Featured slots in directory listings are always labeled where they appear. Read our methodology for details.