SOC 2's Trust Services Criteria predate LLMs by more than a decade. The controls were written for a different shape of system — but they apply, with careful translation, to AI workflows. The work is mostly translation, not invention.
This post is a sketch. The full mapping (CC1–CC9, plus the relevant Privacy and Confidentiality criteria) is the kind of artifact I help clients build during a Build engagement. The short version:
- CC6 (Logical access) — your AI orchestration layer is access-controlled like every other production system. Federated where possible. RBAC mapped to clinical/admin roles. Logged.
- CC7 (System operations) — you have monitoring, drift detection, incident response, and change management on prompts and skill files specifically — not just on code.
- CC8 (Change management) — prompt changes go through PR review with a clinical or domain reviewer named on changes that affect output behavior.
- A1 / Confidentiality — the BAA chain. PHI minimization at the prompt level. Encryption at rest and in transit, including for the inference path.
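To make the CC8 bullet concrete, here is an added example (not code from the original post or from any client engagement) of a merge gate that blocks a pull request touching prompt or skill files unless a named clinical reviewer other than the author has approved it, and emits the audit record you would retain as evidence. The file globs, the reviewer roster and the PR structure are assumptions.

```python
from dataclasses import dataclass, field
import fnmatch
import hashlib

# Assumed layout: globs for files whose content changes model output behaviour.
# fnmatch's "*" also matches "/", so "prompts/*.md" covers nested directories.
BEHAVIOUR_GLOBS = ("prompts/*.md", "skills/*.yaml")
# Constructed roster of named clinical/domain reviewers; in production this
# comes from an identity-provider group, never a hard-coded set.
CLINICAL_REVIEWERS = {"dr.rivera", "nurse.chen"}

@dataclass
class PullRequest:
    number: int
    author: str
    changed_files: dict                          # path -> new file content
    approvals: set = field(default_factory=set)  # usernames who approved

def behaviour_changes(pr: PullRequest) -> list:
    """Paths in the PR that fall under the behaviour-affecting globs."""
    return sorted(p for p in pr.changed_files
                  if any(fnmatch.fnmatch(p, g) for g in BEHAVIOUR_GLOBS))

def evaluate(pr: PullRequest) -> tuple:
    """CC8 gate: a behaviour-affecting change needs a clinical approver who is
    not the author. Returns (allowed, audit_record); the record doubles as the
    baseline a CC7 drift check can compare deployed prompt hashes against."""
    touched = behaviour_changes(pr)
    approvers = {u for u in pr.approvals & CLINICAL_REVIEWERS if u != pr.author}
    allowed = not touched or bool(approvers)
    record = {
        "pr": pr.number,
        "author": pr.author,
        "behaviour_files": touched,
        "clinical_approvers": sorted(approvers),
        "allowed": allowed,
        # Hash each behaviour file as merged so later drift is detectable.
        "sha256": {p: hashlib.sha256(pr.changed_files[p].encode()).hexdigest()
                   for p in touched},
    }
    return allowed, record

if __name__ == "__main__":
    # Constructed PR: a prompt edit approved by a clinical reviewer.
    pr = PullRequest(42, "dev.kim", {"prompts/triage.md": "You are a triage..."},
                     approvals={"dev.kim", "dr.rivera"})
    ok, rec = evaluate(pr)
    print("allowed" if ok else "blocked", rec)
```

A PR that changes only application code passes this gate untouched; it is the normal code review path, while prompt and skill files pick up the extra named reviewer.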
If your team is in the lead-up to a SOC 2 audit and the AI surface is making you nervous, book a call. The translation is doable. The right time to start is before the auditor's first meeting, not after.