Free Self-Assessment · No signup required

Where do you stand on SOC 2 + AI controls?

Twelve questions, ~60 seconds. The result tells you what an AICPA peer-reviewed auditor running a SOC 2 + AI engagement would flag — and the AI-specific controls your existing SOC 2 program is probably missing.

Mapped to Common Criteria CC1–CC9 · PI1.1–1.5 · C1.1–1.2 · AICPA AI guidance


What's missing

The specific controls that pulled your score down — these are exactly what a SOC 2 auditor or an enterprise customer's vendor security review will ask for when AI is in scope.

Get the detailed PDF report

Same score, but with: every gap mapped to its specific Trust Service Criteria sub-point, suggested control wording for your auditor's matrix, and a 14-day remediation order. Sent to your inbox in <5 minutes — single transactional email, no spam.

Your answers are not stored on our server unless you submit this form. No tracking pixels.

Faster paths to readiness

Reference

AI Controls Library

Free

32 SOC 2 Common Criteria mapped to AI-specific implementation. Use it to brief your auditor or to fill the AI sections of SIG / CAIQ vendor questionnaires.


How the score works

Each question is weighted by the audit consequence of getting it wrong. Failing a question on per-inference logging (CC7.1) costs more than failing one on model card disclosure — because the former blocks an unqualified Type II opinion, while the latter is remediable in the management-response window.

The thresholds reflect emerging AICPA AI assurance guidance plus what we have observed large enterprise procurement teams flag in vendor SOC 2 reviews where AI is in scope. They are calibrated to what the auditor checks, not what a marketing page claims.

Not an auditor's opinion. This calculator is a triage tool. It surfaces the gaps an experienced SOC 2 reviewer would flag in 30 seconds, but it does not substitute for a formal Type I or Type II engagement performed by a licensed CPA firm. If you are pursuing SOC 2 with AI in scope, you need both — this for prep and your CPA for the report.