Glossary · Compliance

SOC 2 for AI

SOC 2 is an audit framework for vendors handling customer data, including AI services. Definition, Type 1 vs Type 2, and what SMBs should demand.

By Kadin Nestler · May 28, 2026 · Updated May 28, 2026
On this page

SOC 2 Type 1 vs Type 2

Type 1 confirms the vendor's controls are designed appropriately as of a specific date. It is a snapshot — useful for showing the policies exist. Type 2 confirms those controls actually operated effectively over a 6-12 month period. It is the version enterprise buyers care about. A vendor with Type 1 only has documentation; a vendor with Type 2 has documented execution.

What SOC 2 covers

  • Security — controls protecting against unauthorized access.
  • Availability — system uptime and disaster recovery.
  • Processing integrity — data is processed accurately and completely.
  • Confidentiality — sensitive data is restricted to authorized users.
  • Privacy — personal information is handled per the vendor's privacy notice.

Why SOC 2 matters for AI vendors specifically

AI vendors handle disproportionately sensitive data — customer queries, support tickets, sometimes regulated information. They also often introduce new processing risks: data flowing to LLM providers, prompts being logged, model outputs becoming part of audit trails. SOC 2 forces explicit documentation and audit of those flows. Anthropic, OpenAI, Google, and the major orchestration platforms (LangChain, LlamaIndex Cloud, Vectara) all hold SOC 2 Type 2.

What an SMB should demand

  • Request the SOC 2 report under NDA before signing.
  • Confirm Type 2 with an observation window covering recent months.
  • Check the auditor — major firms (Schellman, KPMG, PwC, EY) carry more weight.
  • Read the exceptions noted in the report — they show where controls have failed.
  • Verify the AI vendor's underlying providers (Anthropic, OpenAI) also hold SOC 2.
  • For regulated data, layer SOC 2 + BAA (HIPAA) or SOC 2 + DPA (GDPR/CCPA).

What it means for your business

SOC 2 is table stakes for enterprise sales. For SMBs, it is shorthand for "this vendor has done the work to handle data responsibly." Vendors that cannot produce a SOC 2 report under NDA are either too small or too undisciplined for sensitive workloads.

  • HIPAA-Compliant AI — HIPAA-compliant AI handles protected health information under a Business Associate Agreement and meets the HIPAA Security Rule. Definition and vendor checklist.
  • AI Data Privacy — AI data privacy covers how personal data is collected, processed, retained, and shared by AI systems. Definition, key laws, and a vendor checklist.
  • AI Governance — AI governance is the policy and process layer for managing AI risk in an organization. Definition, frameworks, and what SMBs actually need.
  • AI Vendor Selection — AI vendor selection is how SMBs evaluate AI vendors on capability, cost, and risk. A practical 12-question checklist and decision framework.
  • AI Disclosure — AI disclosure is the legal and ethical obligation to tell users they are interacting with AI. Definition, applicable laws, and SMB practical guidance.
← Back to the full glossary