A System and Organization Controls (SOC) report tells you the building has locks. It tells you nothing about what the artificial intelligence inside the building actually did. That gap is where the next wave of risk lives.
Procurement still treats a SOC 2 report as proof that an artificial intelligence vendor is safe. It is not. SOC 2 attests to infrastructure controls, not model behaviour, and the two have almost nothing to do with each other. Here is what your contracts should actually demand instead.
Originally published on mickai.co.uk. This is a cross-post; the canonical version, with the full body, footnotes and references, lives on the mickai.co.uk article page.
Top comments (0)