Every enterprise buyer already has SOC 2. The 2017 Trust Services Criteria don't name AI; auditors are inventing the questions anyway. Here's what they ask, what the CSA AI Controls Matrix adds, and the AI addendum you append to your Type II.
01 / Why this question, why now
SOC 2 examinations are scoped against the AICPA's Trust Services Criteria (TSC) 2017. That document predates ChatGPT. It does not name "AI" once. So when an enterprise buyer in 2026 asks "how do you govern employee AI use?" inside a SOC 2 review, the auditor has to choose where the question lives. They map it to the closest existing criteria, normally CC6.1 (logical access controls to system data) and CC7.2 (system monitoring for anomalies and events).
The result: SOC 2 Type II reports increasingly carry an AI controls evidence appendix that didn't exist two years ago. Some auditors call it a "supplemental control narrative." Others fold it into expanded testing under CC6.1. Either way, the customer is being asked to produce something most companies do not have: a continuous, defensible record of which AI tools their workforce uses and how access is governed.
The shortcut some vendors have taken is to write a one-pager: "we have a written AI usage policy." Auditors stopped accepting that in 2026. They want evidence the policy is enforced.
02 / The control surface auditors actually invoke
CC6.1 · Logical and physical access controls. The criterion that asks "the entity implements logical access security software, infrastructure, and architectures over protected information assets." When the protected information asset is "data customers share with us," and the access surface is "any AI tool an employee can paste data into," CC6.1 is the umbrella the question lives under.
CC7.2 · System operations monitoring. The criterion that asks "the entity monitors system components and the operation of those components for anomalies." Auditors apply it to "monitor AI-tool usage for unusual data exposure." A Notion doc doesn't satisfy continuous monitoring. A monthly screenshot doesn't either.
The Cloud Security Alliance AI Controls Matrix. Released to fill the AICPA gap. Roughly two dozen control objectives covering AI inventory, data classification at capture time, third-party AI risk management, and AI-specific incident response. Auditors increasingly cross-reference CSA when expanding SOC 2 scope into AI.
03 / Control mapping
16 controls in the SOC 2 + AI pack today: 2 TSC and 14 CSA. AUTO means Northbeams telemetry alone proves it; ATTEST means a named human signed; scoped-out means out of scope with a written reason.
| Control | Subject | Status | Evidence source |
|---|---|---|---|
| CC6.1 | Logical access to AI tools | AUTO | Per-tool allow / warn / block + audit log |
| CC7.2 | Monitoring of AI system activity | AUTO | Continuous event log, daily re-evaluation |
| CSA AI-01 | AI system inventory | AUTO | Discovery refreshed continuously across 4 surfaces |
| CSA AI-04 | Data classification at capture | AUTO | On-device classifier output (label, never raw text) |
| CSA AI-07 | Sensitive-data exposure prevention | AUTO | Per-prompt sandbox / block decisions |
| CSA AI-09 | Third-party AI risk | ATTEST | Vendor security review record |
| CSA AI-11 | AI incident response | ATTEST | IR runbook + tabletop record |
| CSA AI-15 | Workforce AI literacy training | ATTEST | LMS completion record |
| CSA AI-22 | Model output bias monitoring | SCOPED | Out of scope for deployer-side use |
Full 16-row mapping is in the Evidence Pack itself. The table above is the abbreviated cover.
04 / How it lands at the audit
The Type II report your auditor will issue at the end of the period covers a defined examination period (usually 6 or 12 months). You do not need to start a separate engagement for AI; you need to extend the existing one.
Three things to ask your auditor at the kickoff:
Most Big-4 and mid-market firms in 2026 accept the annex pattern. Smaller firms occasionally ask for the parallel structure; the Evidence Pack supports either layout via the scope statement.
Northbeams catches AI activity on browser, desktop, CLI, and MCP. The on-device classifier labels each prompt at capture (PII, credentials, source code, customer data, contracts). Per-tool policy enforces allow / warn / block. Every action lands on a hash-chained append-only event log.
The SOC 2 + AI Evidence Pack reads from that log, maps to the 16 controls, samples events for the appendix, and ships as a signed PDF you staple to your Type II.
Forward the sample pack to your SOC 2 firm. Ask them what's missing. We iterate the format with auditors who want a real answer to the AI question.