DisclosureIndependent directory. Not a CPA firm. Nothing here is legal, audit, or tax advice. Methodology.

AI controls in SOC 2 audits: what auditors want (2026)

By Editorial team · Published · Last updated

Auditors in 2026 are extending SOC 2 with AI-specific evidence requests: model registry, prompt audit trails, red-team test suites, vendor DPAs with zero-data-retention. The AICPA has no authoritative AI standard yet — here is the practitioner overlay.

AI controls in SOC 2 audits sit in a regulatory gap in 2026: the AICPA has published no authoritative AI-specific SOC 2 standard, yet auditors are now demanding AI-specific evidence in real engagements. The closest official document is AICPA's March 6, 2026 'Guidelines for Responsible Use of Artificial Intelligence in Forensic and Valuation Services' — explicitly labeled 'neither authoritative guidance nor standards.' What auditors actually use is the 2017 Trust Services Criteria plus a 2024 AI overlay assembled by practitioners. This guide documents what is in that overlay.

Ten evidence categories auditors are asking for

How AI controls map to existing SOC 2 Trust Services Criteria

OWASP Top 10 for LLMs (2025 release)

Released November 18, 2024 by the OWASP Foundation. Auditors are increasingly aligning SOC 2 control testing for AI systems against these ten risks:

  1. LLM01 — Prompt Injection (the top risk; cited in nearly every 2026 SOC 2 audit evidence request).
  2. LLM02 — Sensitive Information Disclosure.
  3. LLM03 — Supply Chain (model and dependency provenance).
  4. LLM04 — Data and Model Poisoning.
  5. LLM05 — Improper Output Handling.
  6. LLM06 — Excessive Agency (over-privileged AI agents).
  7. LLM07 — System Prompt Leakage.
  8. LLM08 — Vector and Embedding Weaknesses.
  9. LLM09 — Misinformation (hallucinations producing false outputs).
  10. LLM10 — Unbounded Consumption (cost and resource exhaustion).

OWASP Top 10 for Agentic AI (December 2025)

Released December 9, 2025 at the London Agentic Security Summit. Shaped by 100+ security researchers, national cybersecurity agencies, and standards bodies. Increasingly referenced by auditors evaluating SOC 2 scope for agent-based systems:

ISO 42001 and how it relates

ISO/IEC 42001 (published December 2023) is the international AI management system standard. Its Annex A contains 38 controls across 9 domains: AI policies (A.2), internal organization (A.3), resources (A.4), impact assessments (A.5), AI lifecycle (A.6), data (A.7), interested parties (A.8), use (A.9), third-party relationships (A.10). Practitioner mapping puts the SOC 2 overlap at roughly 40 to 50 percent — ISO 42001 adds AI-specific governance and lifecycle controls not in SOC 2.

From Vanta's own documentation: 'ISO 42001 clearly adds new AI-specific governance and lifecycle controls and transparency requirements that aren't covered by ISO 27001 or SOC 2.' For a SOC 2 + AI program, the most rigorous answer is SOC 2 (with AI overlay) plus ISO 42001 — not SOC 2 alone.

NIST AI Risk Management Framework

Published by NIST in January 2023. Voluntary, not regulatory. Four functions: GOVERN, MAP, MEASURE, MANAGE. Practitioner mapping to SOC 2:

What the AICPA's June 1, 2026 peer review tightening means for AI-heavy SOC 2 engagements

On May 14, 2026, the AICPA Peer Review Board announced enhanced oversight beginning June 1, 2026 for firms with high-volume SOC 2 practices. Per the Journal of Accountancy: SOC 2 engagements that are not tailored to each client's specific risks may be classified as 'nonconforming.' For AI-driven SaaS, this is a meaningful signal: cookie-cutter SOC 2 reports that paste the same TSC mapping across every AI client will face peer-review scrutiny. Tailoring matters more, not less, when AI controls vary by deployment model.

Practical preparation checklist

  1. Build a model registry. Even a structured spreadsheet works for first-cycle. Capture name, version, training data reference, evaluation metrics, approver, deployment date.
  2. Enable prompt and response logging. 90 days hot, 12 months cold. Tamper-evident storage (append-only S3 with object lock, or equivalent).
  3. Document a red-team test suite. OWASP LLM01 (Prompt Injection) is the priority. Add ASI01–ASI04 if you operate agents.
  4. Negotiate vendor DPAs with zero-data-retention clauses. OpenAI, Anthropic, AWS Bedrock, Azure OpenAI all offer this on enterprise contracts.
  5. Define human-in-the-loop checkpoints. Per-decision evidence is what auditors want — reviewer identity, timestamp, model output, human decision delta.
  6. Train your team. Annual AI literacy curriculum, role-tailored. Completion tracking in your LMS.
  7. Build incident response for AI-specific events. Hallucination escalation, prompt injection detection, model drift threshold breach.
  8. Engage an auditor with documented AI experience. As of 2026, few CPA firms have published methodology for AI SOC 2 — ask for client references and redacted sample reports.