Auditors in 2026 are extending SOC 2 with AI-specific evidence requests: model registry, prompt audit trails, red-team test suites, vendor DPAs with zero-data-retention. The AICPA has no authoritative AI standard yet — here is the practitioner overlay.
AI controls in SOC 2 audits sit in a regulatory gap in 2026: the AICPA has published no authoritative AI-specific SOC 2 standard, yet auditors are now demanding AI-specific evidence in real engagements. The closest official document is AICPA's March 6, 2026 'Guidelines for Responsible Use of Artificial Intelligence in Forensic and Valuation Services' — explicitly labeled 'neither authoritative guidance nor standards.' What auditors actually use is the 2017 Trust Services Criteria plus a 2024 AI overlay assembled by practitioners. This guide documents what is in that overlay.
Ten evidence categories auditors are asking for
How AI controls map to existing SOC 2 Trust Services Criteria
OWASP Top 10 for LLMs (2025 release)
Released November 18, 2024 by the OWASP Foundation. Auditors are increasingly aligning SOC 2 control testing for AI systems against these ten risks:
LLM01 — Prompt Injection (the top risk; cited in nearly every 2026 SOC 2 audit evidence request).
LLM02 — Sensitive Information Disclosure.
LLM03 — Supply Chain (model and dependency provenance).
LLM04 — Data and Model Poisoning.
LLM05 — Improper Output Handling.
LLM06 — Excessive Agency (over-privileged AI agents).
LLM10 — Unbounded Consumption (cost and resource exhaustion).
OWASP Top 10 for Agentic AI (December 2025)
Released December 9, 2025 at the London Agentic Security Summit. Shaped by 100+ security researchers, national cybersecurity agencies, and standards bodies. Increasingly referenced by auditors evaluating SOC 2 scope for agent-based systems:
ISO/IEC 42001 (published December 2023) is the international AI management system standard. Its Annex A contains 38 controls across 9 domains: AI policies (A.2), internal organization (A.3), resources (A.4), impact assessments (A.5), AI lifecycle (A.6), data (A.7), interested parties (A.8), use (A.9), third-party relationships (A.10). Practitioner mapping puts the SOC 2 overlap at roughly 40 to 50 percent — ISO 42001 adds AI-specific governance and lifecycle controls not in SOC 2.
From Vanta's own documentation: 'ISO 42001 clearly adds new AI-specific governance and lifecycle controls and transparency requirements that aren't covered by ISO 27001 or SOC 2.' For a SOC 2 + AI program, the most rigorous answer is SOC 2 (with AI overlay) plus ISO 42001 — not SOC 2 alone.
NIST AI Risk Management Framework
Published by NIST in January 2023. Voluntary, not regulatory. Four functions: GOVERN, MAP, MEASURE, MANAGE. Practitioner mapping to SOC 2:
NIST AI RMF GOVERN ↔ SOC 2 CC1/CC2/CC3 (governance, communication, risk identification).
NIST AI RMF MAP ↔ SOC 2 CC3 (context and risk identification).
NIST AI RMF MANAGE ↔ SOC 2 CC9 (risk treatment and response).
What the AICPA's June 1, 2026 peer review tightening means for AI-heavy SOC 2 engagements
On May 14, 2026, the AICPA Peer Review Board announced enhanced oversight beginning June 1, 2026 for firms with high-volume SOC 2 practices. Per the Journal of Accountancy: SOC 2 engagements that are not tailored to each client's specific risks may be classified as 'nonconforming.' For AI-driven SaaS, this is a meaningful signal: cookie-cutter SOC 2 reports that paste the same TSC mapping across every AI client will face peer-review scrutiny. Tailoring matters more, not less, when AI controls vary by deployment model.
Practical preparation checklist
Build a model registry. Even a structured spreadsheet works for first-cycle. Capture name, version, training data reference, evaluation metrics, approver, deployment date.
Enable prompt and response logging. 90 days hot, 12 months cold. Tamper-evident storage (append-only S3 with object lock, or equivalent).
Document a red-team test suite. OWASP LLM01 (Prompt Injection) is the priority. Add ASI01–ASI04 if you operate agents.
Negotiate vendor DPAs with zero-data-retention clauses. OpenAI, Anthropic, AWS Bedrock, Azure OpenAI all offer this on enterprise contracts.
Define human-in-the-loop checkpoints. Per-decision evidence is what auditors want — reviewer identity, timestamp, model output, human decision delta.
Train your team. Annual AI literacy curriculum, role-tailored. Completion tracking in your LMS.
Build incident response for AI-specific events. Hallucination escalation, prompt injection detection, model drift threshold breach.
Engage an auditor with documented AI experience. As of 2026, few CPA firms have published methodology for AI SOC 2 — ask for client references and redacted sample reports.