description: SOC2 measures whether you have a process, not whether the process works. Here's what real security looks like and why the audit doesn't capture it.
SOC2 has done more to harm security than help it.
Not the concept. The theater around it.
I've watched companies pass SOC2 with MFA "enforced" through a policy document nobody enforces. Access reviews where managers approve 200 entitlements in three minutes. Encryption "in transit and at rest" that stops at the load balancer.
The auditor signs off. The Type II report goes in the sales deck. Everyone moves on.
Meanwhile the shared admin credential is still in a Slack DM from 2021.
The actual problem with the framework
SOC2 measures whether you have a process, not whether the process works.
You can document a terrible control consistently and pass. You can run an excellent informal practice and fail.
The framework has no opinion on outcomes — only on documentation. That distinction matters enormously when you're trying to decide how much weight to give a vendor's compliance report.
What real security looks like
Real security looks like:
Blast radius limits on IAM — not policies that exist, but policies that are scoped, reviewed, and enforced at the boundary
Short-lived credentials everywhere — assume-role with time bounds, not long-lived keys sitting in CI secrets
Peer-reviewed infrastructure changes — the same code review culture you apply to application code
Alerting on identity anomalies — not just "did login succeed" but "is this login pattern normal for this principal at this time"
On-call engineers who can actually contain an incident at 3am — not runbooks that assume the reader has six hours and a working Slack
None of that is uniquely a SOC2 control. Most of it isn't measured by the audit at all.
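The "is this login pattern normal for this principal at this time" alert from the list above is easy to state and rarely implemented, so here is a minimal version of the logic as an added example (mine, not the post's code). It builds a per-principal baseline from a constructed history of IdP-style login lines (source network, hours of day, MFA use), then scores new events against it. The log field names (principal, src_ip, mfa, result) and the sample addresses are assumptions chosen for illustration.

```python
"""Per-principal login baseline and anomaly scoring over constructed log lines."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime

# Constructed historical login events (not real data), one JSON object per
# line, shaped like a generic identity-provider audit log. Field names and
# addresses are assumptions for this example.
HISTORY = """
{"ts": "2024-03-04T09:12:00Z", "principal": "alice", "src_ip": "203.0.113.10", "mfa": true, "result": "success"}
{"ts": "2024-03-04T14:40:00Z", "principal": "alice", "src_ip": "203.0.113.12", "mfa": true, "result": "success"}
{"ts": "2024-03-05T08:55:00Z", "principal": "alice", "src_ip": "203.0.113.10", "mfa": true, "result": "success"}
{"ts": "2024-03-06T10:03:00Z", "principal": "alice", "src_ip": "203.0.113.11", "mfa": true, "result": "success"}
{"ts": "2024-03-04T22:30:00Z", "principal": "ci-deployer", "src_ip": "198.51.100.7", "mfa": false, "result": "success"}
{"ts": "2024-03-05T22:31:00Z", "principal": "ci-deployer", "src_ip": "198.51.100.7", "mfa": false, "result": "success"}
{"ts": "2024-03-06T22:29:00Z", "principal": "ci-deployer", "src_ip": "198.51.100.7", "mfa": false, "result": "success"}
"""

# Constructed "today" events to score against the baseline.
NEW_EVENTS = """
{"ts": "2024-03-07T09:20:00Z", "principal": "alice", "src_ip": "203.0.113.10", "mfa": true, "result": "success"}
{"ts": "2024-03-07T03:14:00Z", "principal": "alice", "src_ip": "192.0.2.77", "mfa": false, "result": "success"}
{"ts": "2024-03-07T22:30:00Z", "principal": "ci-deployer", "src_ip": "198.51.100.7", "mfa": false, "result": "success"}
{"ts": "2024-03-07T11:05:00Z", "principal": "ci-deployer", "src_ip": "203.0.113.10", "mfa": false, "result": "success"}
"""


def parse(lines):
    return [json.loads(l) for l in lines.strip().splitlines() if l.strip()]


def login_hour(event):
    return datetime.fromisoformat(event["ts"].replace("Z", "+00:00")).hour


def network_of(ip):
    # Collapse the address to its /24 so a new laptop on a known office
    # network does not alert, while a genuinely new network does.
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_baseline(events):
    """Per principal: networks seen, hours seen, and how often MFA was used."""
    base = defaultdict(lambda: {"networks": set(), "hours": set(),
                                "mfa_logins": 0, "logins": 0})
    for e in events:
        if e["result"] != "success":
            continue  # failed logins are a separate signal; keep the baseline clean
        b = base[e["principal"]]
        b["networks"].add(network_of(e["src_ip"]))
        b["hours"].add(login_hour(e))
        b["logins"] += 1
        b["mfa_logins"] += int(e["mfa"])
    return base


def hour_is_unusual(hour, seen_hours, slack=2):
    # Unusual unless within +/- slack hours of a previously seen login hour
    # (distance wraps around midnight).
    return not any(min(abs(hour - h), 24 - abs(hour - h)) <= slack
                   for h in seen_hours)


def score(event, baseline):
    """Return the list of reasons this event deviates from the principal's baseline."""
    b = baseline.get(event["principal"])
    if b is None:
        return ["never-seen principal"]
    reasons = []
    if network_of(event["src_ip"]) not in b["networks"]:
        reasons.append("new source network")
    if hour_is_unusual(login_hour(event), b["hours"]):
        reasons.append("unusual hour")
    # A principal that has always used MFA suddenly logging in without it is
    # exactly the "policy says enforced, reality says otherwise" gap.
    if not event["mfa"] and b["mfa_logins"] == b["logins"]:
        reasons.append("MFA missing where always present")
    return reasons


def find_anomalies(history_lines, new_lines):
    baseline = build_baseline(parse(history_lines))
    return [(e["principal"], e["ts"], score(e, baseline))
            for e in parse(new_lines) if score(e, baseline)]


if __name__ == "__main__":
    for principal, ts, reasons in find_anomalies(HISTORY, NEW_EVENTS):
        print(f"{ts} {principal}: {', '.join(reasons)}")
```

The baseline here is deliberately crude (sets of /24s and hours); in production you would window it, decay old observations, and feed the reasons into a case rather than a page. The point it illustrates is the one in the list: the CI role logging in from an office network at midday, and a human logging in at 03:14 from a new network without MFA, are both "login succeeded" to a basic audit and both anomalies to a baseline that knows the principal.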
The diagnostic question
If your security program would collapse the day after the auditor leaves, you don't have a security program. You have a report.
Compliance is the floor. We keep treating it like the ceiling.
Four questions worth pressure-testing
When did someone last actually test the incident response runbook end-to-end — live, with a timer?
How long does it take to rotate every secret in production if one leaks today?
How many engineers have production IAM permissions they haven't used in 90 days?
Can you enumerate every service account and what it can do?
If any of those answers are "unclear" — the SOC2 Type II report won't change that. The report just means you documented the gap consistently.
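Two of the four questions (unused production IAM permissions older than 90 days, and a full inventory of service accounts with what they can do) are answerable from a last-accessed report rather than from a policy document. The following is an added example, not the post's own tooling, showing that check over a constructed snapshot of principal/service/last-used records; the record shape and the names are assumptions, loosely modelled on the kind of data a cloud provider's service-last-accessed report gives you.

```python
"""Stale-entitlement and service-account inventory over a constructed IAM snapshot."""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (an assumption for this example).
NOW = datetime(2024, 3, 7, tzinfo=timezone.utc)

# Constructed snapshot: one record per (principal, service) grant with the last
# time that access was actually exercised (None = never). Not real data; the
# principal names and field layout are assumptions.
SNAPSHOT = [
    {"principal": "alice",         "kind": "user", "service": "s3",  "last_used": "2024-03-01T10:00:00Z"},
    {"principal": "alice",         "kind": "user", "service": "iam", "last_used": "2023-11-01T10:00:00Z"},
    {"principal": "bob",           "kind": "user", "service": "ec2", "last_used": None},
    {"principal": "ci-deployer",   "kind": "role", "service": "ecs", "last_used": "2024-03-06T22:30:00Z"},
    {"principal": "ci-deployer",   "kind": "role", "service": "iam", "last_used": None},
    {"principal": "legacy-backup", "kind": "role", "service": "s3",  "last_used": "2023-06-01T00:00:00Z"},
]


def parse_ts(value):
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_stale(last_used, now=NOW, max_age_days=90):
    """A grant is stale if it was never used or last used before the cutoff."""
    ts = parse_ts(last_used)
    return ts is None or ts < now - timedelta(days=max_age_days)


def stale_human_grants(snapshot, now=NOW, max_age_days=90):
    """Question 3: {user: [services]} for human users holding access they have
    not exercised in max_age_days. These are the entitlements an access review
    should be removing rather than rubber-stamping."""
    out = {}
    for rec in snapshot:
        if rec["kind"] == "user" and is_stale(rec["last_used"], now, max_age_days):
            out.setdefault(rec["principal"], []).append(rec["service"])
    return out


def service_account_inventory(snapshot, now=NOW, max_age_days=90):
    """Question 4: every non-human principal, what it can reach, and which of
    those grants it is actually using. A role whose 'active' list is empty is
    a candidate for deletion, not just a line in a spreadsheet."""
    inv = {}
    for rec in snapshot:
        if rec["kind"] != "role":
            continue
        entry = inv.setdefault(rec["principal"], {"active": [], "stale": []})
        bucket = "stale" if is_stale(rec["last_used"], now, max_age_days) else "active"
        entry[bucket].append(rec["service"])
    return inv


def unused_roles(inventory):
    """Roles with no active grant at all, sorted for stable output."""
    return sorted(name for name, e in inventory.items() if not e["active"])


if __name__ == "__main__":
    print("stale human grants:", stale_human_grants(SNAPSHOT))
    inv = service_account_inventory(SNAPSHOT)
    for name, e in inv.items():
        print(f"{name}: active={e['active']} stale={e['stale']}")
    print("roles with nothing active:", unused_roles(inv))
```

Run against a real export, the output of these two functions is the artifact the audit never asks for: not "a quarterly access review exists" but "bob has had ec2 access he has never used, and legacy-backup has touched nothing in nine months". The 90-day window is the post's number; pick a shorter one for anything with IAM-mutating permissions.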
What controls look good on paper but fail in practice in your environment? Genuinely curious what patterns others are seeing.