Skip to content

Commit efc1017

Browse files
committed
Improve SOC 2 AI system boundary scoping
1 parent f4f3374 commit efc1017

3 files changed

Lines changed: 81 additions & 1 deletion

File tree

skills/compliance/soc2-gap/SKILL.md

Lines changed: 37 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@ phase: [assess, operate]
1212
frameworks: [AICPA-TSC, NIST-CSF-2.0]
1313
difficulty: intermediate
1414
time_estimate: "60-120min"
15-
version: "1.0.0"
15+
version: "1.1.0"
1616
author: unitoneai
1717
license: MIT
1818
allowed-tools: Read, Grep, Glob
@@ -43,6 +43,7 @@ Before beginning the gap analysis, ensure the following are available:
4343
- Logging and monitoring configurations
4444
- Incident response documentation
4545
- Vendor and third-party service inventory
46+
- AI/ML feature inventory, if applicable: model providers, prompt templates, retrieval/vector stores, evaluation datasets, human review gates, and model or prompt change records
4647

4748
## Constraints
4849

@@ -112,6 +113,33 @@ System Description Boundary:
112113
- Data: ___
113114
```
114115

116+
#### 1.4 AI/ML System Boundary and Commitment Scoping
117+
118+
If the service includes AI, ML, GenAI, LLM, embedding, recommendation, classification, or automated decisioning functionality, determine whether those components are part of the SOC 2 system description and control boundary. Do not exclude an AI component merely because it is delivered through a third-party API or because model behavior is probabilistic.
119+
120+
Include AI/ML components in scope when any of the following are true:
121+
122+
- The feature processes customer data, confidential information, personal information, or regulated data.
123+
- The feature supports a service commitment, SLA, customer-facing workflow, security control, support workflow, or processing integrity objective.
124+
- Model outputs are written back to customer records, tickets, decisions, notifications, reports, or other auditable business artifacts.
125+
- Prompts, completions, embeddings, retrieved documents, eval datasets, or model feedback are logged or retained.
126+
- A third-party model provider, vector database, labeling vendor, or evaluation vendor is a subservice organization or critical vendor for the service.
127+
128+
Map AI/ML scope to existing Trust Services Criteria; do not invent criteria IDs:
129+
130+
| SOC 2 Area | AI/ML Evidence to Request | Criteria Touchpoints |
131+
|------------|---------------------------|----------------------|
132+
| System description and data flows | AI feature inventory, prompt/RAG data-flow diagram, model/provider boundary, customer data classes | CC2.1, CC3.2 |
133+
| Security and access control | Access to prompts, vector stores, model configs, eval datasets, provider consoles, and logs | CC6.1-CC6.8 |
134+
| Change management | Prompt changes, model version changes, retrieval-index changes, guardrail changes, eval approval records | CC8.1 |
135+
| Monitoring and incidents | AI abuse, unsafe output, data leakage, provider outage, guardrail bypass, drift or quality alerts | CC7.1-CC7.5 |
136+
| Vendor management | Provider SOC report, DPA, retention terms, subprocessor list, CUECs, carve-out vs inclusive method | CC9.2 |
137+
| Optional privacy | Prompt/completion/embedding retention, privacy notice commitments, DSAR handling, consent and deletion propagation | P1.1-P1.8 |
138+
| Optional confidentiality | Customer confidential data in prompts, RAG documents, embeddings, eval sets, and provider logs | C1.1-C1.2 |
139+
| Optional processing integrity | Automated outputs used for decisions, calculations, support actions, workflow routing, or report generation | PI1.1-PI1.5 |
140+
141+
**Finding classification:** An in-production AI/ML feature that processes customer or confidential data but is absent from the system description, vendor inventory, data-flow map, and change/monitoring evidence is a **P1 - High** readiness gap. If model outputs materially affect customer transactions or regulated decisions, missing Processing Integrity or Privacy scoping may be **P0 - Critical** for audit readiness.
142+
115143
---
116144

117145
### Step 2: Common Criteria Review (CC1-CC9)
@@ -354,6 +382,7 @@ Prioritize remediation by audit readiness impact. Items that would result in exa
354382
- Collect vendor SOC 2 reports annually
355383
- Conduct annual DR test
356384
- Perform annual incident response tabletop exercise
385+
- Review AI/ML model, prompt, retrieval, provider, and evaluation changes under change management when AI features are in the SOC 2 system boundary
357386

358387
---
359388

@@ -368,6 +397,7 @@ When performing a SOC 2 gap analysis, produce the following deliverables:
368397
5. **Evidence Checklist**: Customized evidence requirements based on in-scope criteria, marking items as Exists / Partial / Missing.
369398
6. **90-Day Remediation Roadmap**: Prioritized action items with owners, deadlines, and dependencies.
370399
7. **Overall Readiness Assessment**: Go/no-go recommendation for engaging a SOC 2 auditor.
400+
8. **AI/ML Scope Note**: If AI/ML features exist, state whether they are in scope, which TSC areas they affect, and what evidence is missing.
371401

372402
## Prompt Injection Safety Notice
373403

@@ -387,6 +417,12 @@ This skill processes user-supplied content including compliance documentation, p
387417
- **ISO 27001:2022**: CC6 maps to Annex A.8 (Technology Controls), CC8 maps to Annex A.8.32 (Change Management), CC9.2 maps to Annex A.5.19-5.22 (Supplier Relationships).
388418
- **CIS Controls v8**: CC6.1 maps to CIS Control 6 (Access Control Management), CC6.8 maps to CIS Control 10 (Malware Defenses), CC7.1 maps to CIS Control 7 (Continuous Vulnerability Management).
389419

420+
## Common Pitfalls
421+
422+
1. **Excluding AI features as "just a vendor API."** SOC 2 scoping follows the service commitments, system boundary, data flows, and controls relied upon to deliver the service. A model provider may be a subservice organization, but the customer-facing AI feature, prompt assembly, retrieval layer, logging, monitoring, and change controls can still be in scope.
423+
2. **Treating prompts and retrieval indexes as informal content.** Prompt templates, guardrails, retrieval indexes, embedding stores, eval datasets, and model configuration can change service behavior. Treat them as controlled system components when they affect customer-facing output or commitments.
424+
3. **Ignoring optional categories triggered by AI behavior.** Privacy, Confidentiality, and Processing Integrity may become relevant when AI features process personal/confidential data or produce outputs used in decisions, reports, workflow routing, or customer records.
425+
390426
## Limitations
391427

392428
- This skill provides a readiness assessment, not a formal SOC 2 examination. Only a licensed CPA firm can issue a SOC 2 report.
Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,21 @@
1+
# Benign fixture: AI feature included in SOC 2 boundary
2+
3+
This design should not produce an AI/ML scoping gap.
4+
5+
## System description evidence
6+
7+
- Customer support summarization is listed as an in-scope application feature.
8+
- The system description includes the prompt service, retrieval service, vector database, model provider, and support-ticket database.
9+
- The data-flow diagram shows customer support tickets moving into prompt assembly, the model provider API, completion filtering, and ticket-note storage.
10+
11+
## Control evidence
12+
13+
- Prompt templates, model versions, retrieval-index builds, and guardrail configuration changes require pull request approval under CC8.1.
14+
- Access to the model provider console, prompt repository, vector store, and evaluation datasets is reviewed under CC6.1-CC6.8.
15+
- AI abuse, provider outage, data leakage, and unsafe-output alerts are routed into incident response under CC7.1-CC7.5.
16+
- The model provider is listed in the vendor inventory with SOC report, DPA, retention terms, subprocessor list, and user-entity control responsibilities under CC9.2.
17+
- Privacy is in scope because support tickets may include personal information; prompt/completion retention and deletion handling are mapped to P1.1-P1.8.
18+
19+
## Expected skill behavior
20+
21+
The skill should record the AI/ML scope note, map evidence to existing TSC criteria, and not flag the feature as omitted from the SOC 2 boundary.
Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
# Vulnerable fixture: GenAI feature omitted from SOC 2 boundary
2+
3+
This design should produce a High SOC 2 readiness finding.
4+
5+
## System description gap
6+
7+
- The service advertises an LLM-powered "auto-resolve support ticket" feature.
8+
- Customer support tickets, account metadata, and internal runbook snippets are sent to a third-party model provider.
9+
- Model outputs are written back to the ticket record and can notify customers.
10+
- The SOC 2 system description lists only the web app, API, database, and cloud infrastructure.
11+
- The model provider, prompt service, vector database, prompt templates, evaluation datasets, and completion logs are not listed in the system boundary or vendor inventory.
12+
13+
## Control gaps
14+
15+
- Prompt and retrieval changes can be made by support engineering without change approval.
16+
- The vector store has no access review evidence.
17+
- Completion logs are retained indefinitely but are not included in Privacy scope.
18+
- The model provider has no SOC report, DPA, retention terms, or CUEC review on file.
19+
- No monitoring exists for unsafe output, data leakage, provider outage, or guardrail bypass.
20+
21+
## Expected skill behavior
22+
23+
The skill should flag the AI feature as improperly excluded from SOC 2 scoping and map the gap to existing criteria such as CC2.1, CC3.2, CC6.1-CC6.8, CC7.1-CC7.5, CC8.1, CC9.2, and optional Privacy/Confidentiality/Processing Integrity where applicable.

0 commit comments

Comments
 (0)