Can AI Replace Me Yet? Deep-Dive Topic: Getting SOC2 Certified
- Orla Tuite
- Dec 10, 2025
- 8 min read
This year I started a consulting business specialising in cybersecurity and privacy services for early stage companies.
Every day I wonder whether this was a short-sighted thing to do in the new world of AI. This thought has been consuming me, so I want to break it down to first principles and try to get my teeth into it.
Across a series of blog posts I am going to take a deep dive into common areas of focus for my company to examine how efficiently AI can replace them, and I’m going to bring you along for the ride!
The Deep-Dive Focus Area: A B2B SaaS Company Gaining Their First SOC2 Certification
All B2B SaaS companies that serve an enterprise audience will consider becoming SOC2 certified at some stage. (Strictly speaking, SOC2 produces an attestation report issued by a CPA firm rather than a certificate, but the industry talks about it as a certification and this post does too.) Having a cybersecurity attestation that is renewed once a year by an independent third party demonstrates to your customers that you have a robust security program in place, with standardised security controls that are tested and maintained. It shortens sales cycles and can save your team hours in negotiating deals.
Gaining your first SOC2 report is a heavy lift if your organisation has not undergone any cybersecurity audits before. It entails a number of steps and can take anywhere between 4 and 12 months depending on the size of your company. The time investment also depends greatly on whether you plan to achieve a Type 1 report (a point-in-time report on the design of your controls) or a Type 2 report (a report covering the operation of your controls over a period of 3 - 12 months).
What does Gaining a SOC2 Report Entail?
There are five major steps that all companies will need to go through before they can gain a SOC2 report. If your company has a compliance program manager, or similar, they will take you through these steps as part of a months-long, company-wide program:
1. Define the scope of the audit - Determine which Trust Services Criteria (Security is mandatory, plus optionally Availability, Confidentiality, Processing Integrity, or Privacy) will be included in the scope of the audit. Decide what departments, systems and data sets should be audited.
2. Implement controls - Document and actually implement security policies covering access controls, encryption, incident response, vendor management, change management, and risk assessment.
3. Select an auditor - Choose a qualified CPA firm that will review your controls and gather evidence to assess their compliance with the AICPA SOC2 framework.
4. Run an observation period - Operate your controls consistently for 3-12 months while collecting evidence like logs, tickets, and training records.
5. Complete the audit and receive report - The auditor reviews your controls, tests their effectiveness, interviews staff, and examines evidence. If successful, you get your SOC2 Type 2 report to share with customers.
If your company doesn't have a compliance program manager, or similar, these steps will likely be split among a number of people within the company, but the steps remain the same for companies of all sizes. You might also rely on external consultants for support in some areas, such as understanding the SOC2 requirements, designing what controls should be in place, or perhaps bringing in support to run certain controls such as IT inventory management.

So, Can AI Replace Me?
There is no doubt that AI is making it easier for companies of all sizes to gain SOC2 compliance. There are continuous compliance platforms with AI features, such as Vanta and Secureframe, that provide an excellent control framework to get your controls ready in a matter of weeks.
AI in Automated Platforms
Being totally honest, these platforms cover off Step 1 (“Define the scope of the audit”) by letting you connect integrations that inventory your in-scope systems and continuously pull evidence from your cloud environment, then match that evidence against the SOC2 framework requirements. They use AI to review the evidence and help you meet the SOC2 standard by proposing remediations for controls that are managed through dev tools like Terraform, GitHub, and the AWS CLI, including personalised code snippets to tweak your set-up. (Treat those snippets like any other code change: review them and put them through your normal pull-request process rather than applying them straight to production, otherwise you weaken the change management control you are trying to evidence.) Platforms like this also save you a huge amount of time in step 2 (“Implement Controls”), step 4 (“Run an observation period”) and step 5 (“Complete the audit”) by gathering all of your evidence in one place and making it really easy to see where you have gone wrong and how to fix it.
AI Models to Help Design Controls
Although adoption of automated compliance tools has grown, some companies won't want to use them, since it means granting an external platform read access to your most sensitive dev tools (cloud accounts, source control, identity provider). That might be off-limits for some companies. For those that do connect, the platform is itself a vendor to onboard under your vendor management control: scope its credentials to read-only and review exactly what it can see.
If this is the case you can still use AI to save significant time when preparing for SOC2. Feed an AI model details about your company and specifics about how your engineering team operates: what tools they use, where they store code, and what the development lifecycle looks like. Combined with the SOC2 framework, it will be able to tell you what controls you should have in place.
Using Claude, and a pretty basic prompt, I was able to get a list of 80 controls that I should implement in order to achieve SOC2 compliance in my hypothetical health-tech company:
My company is a B2B SaaS Company based in San Francisco. We have 150 employees who are based mostly in San Francisco and Dublin and attend our offices in those locations on a hybrid basis. We also have 20% fully remote staff that are based in various US and European countries where we do not have an office location. Our company provides one SaaS solution to enterprise insurance customers. It is an AI based health tech platform that allows customers to understand how much their end users should be charged for their insurance premiums. Our engineering team is made up of 105 people and they use the following tools: GitHub for source code hosting and management, AWS for cloud storage and hosting, Datadog for monitoring and alerting, MongoDB for database management, Databricks for data analysis, using React framework on the frontend and PHP on the backend. Can you provide me with a list of controls that I should implement in my company in order to achieve SOC2 Type 2 compliance.

The output was great, there is no denying it. The suggested controls are comprehensive enough that if they were implemented would allow me to achieve SOC2 compliance. They are also specific to my organisation and are well designed, incorporating best practices. Some examples for Logical Access Controls include:
1. Implement multi-factor authentication (MFA) for all employees accessing production systems, AWS, GitHub, Datadog, MongoDB, and Databricks.
2. Enforce role-based access control (RBAC) with least privilege principle.
3. Maintain documented access provisioning and deprovisioning procedures.
4. Conduct quarterly access reviews for all systems.
5. Implement single sign-on (SSO) across your technology stack.
6. Enforce strong password policies (complexity, rotation, history).
7. Maintain an access control matrix documenting who has access to what systems and data.

This output from Claude would go a very long way to helping me understand what is involved in building out all necessary controls. 9 years ago when I first started working with SOC2, designing controls like this would have taken at least 3 months of work from an internal compliance program manager, or would have cost thousands for an external consultant. Now it takes less than 10 minutes using AI.
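To make concrete what a few of those suggested controls look like once they are actually operated (MFA on production accounts, deprovisioning, key rotation and the quarterly access review), here is a small access-review check. It is example code written for this post, not Claude's output and not anything from Vanta or Secureframe. It reads the CSV layout produced by `aws iam get-credential-report` (a subset of its columns), but every row, the staff roster and the review date are constructed sample data, and the 90-day thresholds are assumptions that your own policy would set.

```python
"""Quarterly logical-access review over an AWS IAM credential report.

Example code added for illustration; not from the original post. The input
follows the column layout of `aws iam get-credential-report` (a subset of
its columns), but every row below is constructed sample data.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows (subset of the real report's columns).
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,2025-11-30T09:12:00+00:00,true,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2025-12-01T08:00:00+00:00,true,true,2025-10-15T00:00:00+00:00,2025-12-02T00:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,true,2025-11-28T14:30:00+00:00,false,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,no_information,false,true,2024-01-20T00:00:00+00:00,2025-12-03T00:00:00+00:00
carol,arn:aws:iam::123456789012:user/carol,true,2025-07-01T12:00:00+00:00,true,false,N/A,N/A
"""

# Constructed HR roster: carol has left; ci-deploy is a known service account.
ACTIVE_STAFF = {"alice", "bob"}
SERVICE_ACCOUNTS = {"ci-deploy"}

# Assumed policy thresholds; whatever you choose, write them into the policy.
KEY_MAX_AGE = timedelta(days=90)
INACTIVITY_LIMIT = timedelta(days=90)
REVIEW_DATE = datetime(2025, 12, 10, tzinfo=timezone.utc)


def _parse_ts(value):
    """The report mixes ISO-8601 timestamps with the sentinels N/A,
    no_information and not_supported; treat the sentinels as 'never'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def review_access(report_csv, active_staff, service_accounts, now):
    """Return a list of (user, finding) tuples for the reviewer to action."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        pw_used = _parse_ts(row["password_last_used"])

        if user == "<root_account>":
            # Root has no routine business use: it should have MFA and sit idle.
            if not mfa:
                findings.append((user, "root account without MFA"))
            if pw_used is not None and now - pw_used < INACTIVITY_LIMIT:
                findings.append((user, "root credentials used within review period"))
            continue

        # Deprovisioning: every IAM user must map to current staff or a known service account.
        if user not in active_staff and user not in service_accounts:
            findings.append((user, "no matching active employee or service account (deprovision)"))

        # MFA: anyone with console (password) access must have MFA enabled.
        if row["password_enabled"] == "true" and not mfa:
            findings.append((user, "console access without MFA"))

        # Key rotation: active access keys older than the policy maximum.
        key_used = None
        if row["access_key_1_active"] == "true":
            rotated = _parse_ts(row["access_key_1_last_rotated"])
            if rotated is None or now - rotated > KEY_MAX_AGE:
                findings.append((user, "access key older than 90 days"))
            key_used = _parse_ts(row["access_key_1_last_used_date"])

        # Dormant accounts: no credential used inside the inactivity window.
        last_used = [t for t in (pw_used, key_used) if t is not None]
        if last_used and now - max(last_used) > INACTIVITY_LIMIT:
            findings.append((user, "credentials unused for more than 90 days"))
    return findings


def run_sample_review():
    """Run the review over the constructed sample as of REVIEW_DATE."""
    return review_access(SAMPLE_REPORT, ACTIVE_STAFF, SERVICE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    # The dated output, plus the reviewer's sign-off on each finding, is the
    # kind of evidence an auditor asks for when testing the access review control.
    print(f"Access review as of {REVIEW_DATE.date()}")
    for user, finding in run_sample_review():
        print(f"  {user}: {finding}")
```

On the sample data this flags bob (console access without MFA), ci-deploy (a key not rotated since January 2024), carol (no longer on the roster, and no login since July) and the root account (used within the last 90 days). The script is the easy part; as the rest of this post argues, the hard part is getting those four findings actioned, and keeping the dated output and the sign-offs as evidence for the observation period.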
This sounds amazing, and it is amazing, there is no denying that, but putting these controls into practice is the one part of SOC2 compliance where I do not think AI has added much benefit.
To take an example of a suggested control: “Implement automated vulnerability scanning for dependencies (React, PHP libraries)”. This sounds quite straightforward, and I can even use Vanta, an automated compliance platform, to help me out with this. However, a prerequisite to using Vanta is to identify the resources in AWS and the repos in GitHub that I want to pull into Vanta. When you think about the logistics of getting a project like this moving in a fast-paced, product-focused engineering team you can immediately see the benefit of a change management project lead.
AI can create a GitHub ticket asking the platform team to add 100 tags to AWS resources so that Vanta can read them, but how do you convince the Platform Engineering Manager that this is a valuable use of their team’s time? You will need someone well versed in the benefits of SOC2, who understands how to implement controls without slowing down development, to navigate that conversation, and this is true when implementing any control in your company.
My Conclusion
I personally am really curious to see how the world of audit is affected by AI over the coming months and years. By its very nature the practice of audit exists to provide reassurance that what a company is representing to the world is actually true. Audit thrives in minutiae and verifiability, which are not things that AI is known to be perfect at yet, so the integration of these two worlds is going to be very interesting to be part of.
Coming back to the question of "Can AI Replace me Yet?" I think the real question is "do you think your customers would trust that an AI-led audit is delivering accurate, reliable, repeatable results in the same way a mature compliance team would?"
I reframe the question this way because a SOC2 report or an ISO27001 certification has never been an impenetrable seal of approval of your compliance program. Instead, they are an attestation that a competent third party reviewed your controls and deemed them to conform to a certain standard, that's it. A lot of companies affected by very serious cybersecurity breaches are SOC2 compliant.
A SOC2 report does allow your enterprise customer to know that you meet a certain baseline, but many customers will look for additional supporting evidence that the controls tested as part of the SOC2 or ISO27001 audit are healthy and operational. They will want to see the presence of a competent security and compliance team. They will seek evidence that you can commit to a reliable uptime SLA, and they will want to put in place contracts with provisions that enforce compliance with certain data privacy laws.
AI can, and should, help you build out a secure, reliable, and compliant company and product, but a customer wanting to reaffirm that what you say in your marketing material is actually how you operate is a truly human problem and can only be solved with a human response. For this reason I do not think that AI will erode the practice of relying on global audit standards and third-party audit firms to provide an accepted baseline of reassurance. However, I do think that the acceptable standards will change significantly.
The adoption of AI has changed how data is used, secured and shared. It has created fundamental questions around how Intellectual Property, Privacy and Copyright law should be interpreted and applied and enterprise companies will seek additional reassurances that your company is keeping up with these changes in order to protect their data.
Recently a new AI audit standard, AIUC-1, was developed. This is an audit standard specifically built to reassure enterprise companies that they can rely on a third party's AI-agent-led product. It lists large corporations such as Microsoft, Google, Anthropic, Cisco, Meta, and BP among its technical contributors and consortium members. The AIUC-1 standard comes alongside other AI standards such as ISO42001 and the NIST AI Risk Management Framework.
This tells me that the world of audit is not going to be replaced by AI. Enterprise customers have looked for reassurance on their SaaS and outsourcing risk since SaaS became commonplace, and this is not going to change with the addition of AI. If anything, AI has brought increased scrutiny to the use and security of data, and it is now more important than ever that SaaS companies can answer their prospects' and customers' questions about how they process and protect data.
ChatGPT’s Response
This series wouldn’t be complete without understanding AI’s point of view too. I asked ChatGPT for its response to how well it could replace the role of a SOC2 project manager, and it said:
“AI can run the project plan, generate documentation, and even help with control narratives. But SOC 2 readiness isn’t a spreadsheet problem — it’s a people problem. And until AI can chase your DevOps lead for screenshots without causing a mutiny, your job is safe.”
This blog post is part of a series. Join me for future deep-dive topics on “Can AI Replace Me Yet?” including:
Building a cross control compliance framework
Rolling out a contract management tool
…..and more to come!
Want to find out if I can help with your next privacy or cybersecurity project? Reach out at hello@closeitoutconsulting.com

