Progress 0 / 22 questions answered

SOC 2 AI Extension Checklist

Assess your organization's AI systems based on SOC 2 Trust Service Criteria. 22 questions, 5 categories.

Security (AI-Specific)

AI system security controls, access management, and threat protection

Do you have multi-factor authentication (MFA) for access to AI models and training infrastructure?

MFA is critical for protecting AI systems from unauthorized access.

Yes, MFA is required for all AI systems MFA only for production AI models Password-based protection but no MFA No dedicated access protection

Do you regularly conduct penetration testing and security audits on AI systems?

Regular security testing helps identify vulnerabilities.

Quarterly or more frequently Annually Occasionally No security testing

Do you verify the security of third-party AI models and libraries (e.g., open-source models)?

Supply chain security is critical for protecting AI systems.

A formal supply chain security process is in place We manually verify major components Only use known sources No verification

Do you have automated model versioning and rollback mechanisms for security incidents?

A rollback mechanism helps quickly restore the system to a safe state.

Automated rollback in production Manual rollback capability exists Backups exist but no rollback process No versioning/rollback

Do you protect AI systems against adversarial attacks (e.g., model poisoning, evasion)?

Adversarial attack protection is critical for AI system integrity.

Proactive adversarial defense and monitoring Input validation and sanitization are in place Basic security measures No adversarial attack protection

Availability & Performance

AI system uptime, performance monitoring, and capacity management

Do you have SLAs (Service Level Agreements) for AI system uptime?

An SLA ensures the expected service quality.

A formal, documented, and monitored SLA is in place Informal uptime targets exist No SLA

Do you continuously monitor AI model inference time and throughput?

Performance monitoring helps identify bottlenecks.

Real-time monitoring with a dedicated dashboard Daily/weekly monitoring Occasional checking No performance monitoring

Do you conduct load testing on AI systems for capacity planning?

Load testing ensures the AI system can handle the expected load.

Regular load testing with auto-scaling Occasional load testing No load testing

Do you have an AI-specific disaster recovery (DR) plan with regular DR testing?

A DR plan ensures rapid AI system recovery in case of failure.

A comprehensive DR plan with regular testing A DR plan exists but is rarely tested Only backups, no DR plan No DR plan

Processing Integrity (AI Quality)

AI model accuracy, bias detection, data quality, and validation

Do you have automated output validation to ensure AI response quality?

Output validation ensures the expected quality of AI responses.

Automated validation for all outputs Spot-checking and sampling are performed Only based on user feedback No output validation

Do you regularly test AI models for bias and fairness?

Bias testing is critical for fair AI operation.

Automated bias detection before every deployment Annual manual fairness audit Occasional checking No bias testing

Do you have ground truth datasets for AI model accuracy validation?

A ground truth dataset helps measure AI model accuracy.

Regularly updated ground truth dataset and validation process A static ground truth dataset exists Only a training/test split is used No ground truth validation

Do you track AI training data lineage?

Data lineage tracking ensures data quality and compliance.

Comprehensive data lineage documentation Partial tracking No data lineage tracking

How frequently do you update/retrain AI models to maintain processing integrity?

Regular retraining ensures sustained AI model accuracy.

Continuous or monthly retraining Quarterly retraining Annual retraining No regular retraining

Confidentiality & Privacy (AI Data)

AI training data protection, PII handling, and data retention

Is AI training data encrypted at rest and in transit?

Encryption protects sensitive training data.

Full encryption (at rest and in transit) Only in-transit encryption No encryption

Do you have automated PII (Personally Identifiable Information) detection in AI training data?

PII detection protects personal data.

Automated PII detection and redaction Manual PII checking No PII detection

Do you have a documented data retention policy for AI training and inference data?

A data retention policy ensures proper data lifecycle management.

A comprehensive policy with automated deletion processes A policy exists, but deletion is a manual process No retention policy

Is user data from AI inference protected and not re-incorporated into training data?

Strict user data separation protects user privacy.

Strict separation and data isolation Opt-in based training data collection No separation, all data is used for training

Monitoring & Incident Response

AI-specific monitoring, logging, incident management, and response

Are all AI system events (e.g., inference, prediction, training) logged for audit trail purposes?

Comprehensive logging ensures a complete audit trail.

Comprehensive logging in a centralized system Partial logging Minimal logging

Do you have automated anomaly detection for AI system behavior (e.g., unusual inference patterns)?

Anomaly detection helps identify unusual behavioral patterns.

Real-time anomaly detection with alerts A manual review process is in place No anomaly detection

Do you have an AI-specific incident response playbook (e.g., model drift, bias incident)?

An AI-specific incident response playbook helps to handle incidents quickly.

A comprehensive, AI-specific incident response playbook A general IT incident response plan with AI-specific additions No AI-specific incident response plan

Do you conduct post-mortem analyses after AI incidents and implement system improvements?

Post-mortem analysis helps prevent the recurrence of similar incidents.

Post-mortem analysis and action items for every incident Post-mortem analysis for major incidents only No post-mortem process

Your AI Security Assessment

/100

📧 Get your results via email

We will send you the complete report with all answers and recommendations

I accept the Terms of Use.

Want a deeper analysis?

Our experts can help with a detailed AI Red Team audit

Schedule Free Consultation →

Does your SOC 2 report cover your AI risks?

Take our 3-Minute SOC 2 AI Extension Checklist! Customer trust is crucial. The new AI-specific Trust Services Criteria (TSC) expand the SOC 2 scope. This checklist assesses if your AI models, data, and processes meet key security and availability criteria. Complete it in 3 minutes to identify gaps before your next audit!

We’ll email you the results.