SOC 2 Isn’t Keeping Up

Feb 21, 2026


I don’t think SOC 2 is dying, but I do think it’s behind.

I hear updates are coming for AI, but will they be enough – and soon enough? Heck, we’ve been waiting on zero trust requirements for a while now (yes, I know they say that’s coming too).

We’re in a world where companies are deploying AI systems, embedding large language models into real business workflows, and automating decisions that impact customers and regulated data. At the same time, the SOC 2 framework, built on the AICPA Trust Services Criteria, contains no explicit AI-specific requirements. There’s nothing directly addressing model governance, training data controls, bias monitoring, or AI lifecycle oversight. Some will say that SOC 2 is risk-based, which means it can adapt to new technologies. That’s true in theory. In practice, many organizations don’t know how to apply that flexibility in a meaningful way, so AI risks get loosely mapped onto existing criteria such as change management or logical access instead of being intentionally governed as their own category of risk.

To me, SOC 2 has become institutionalized. It’s deeply embedded in U.S. commercial procurement processes, widely recognized, and expected by investors and enterprise buyers. That institutionalization gives it durability, but it also slows evolution. Frameworks that become part of the system rarely move quickly.

Five to seven years ago, earning a SOC 2 Type II report signaled real investment in governance and operational discipline. It showed that leadership had taken the time to build structure around risk and controls, and in many cases it differentiated companies in enterprise sales. Today, SOC 2 feels more like an entry requirement. It helps you clear the first gate in procurement, but it rarely makes you stand out.

The rise of compliance automation platforms like Drata has only accelerated this shift. These tools connect directly to cloud infrastructure, identity providers, ticketing systems, and source control platforms to automate evidence collection and monitoring. That has real value because it reduces manual lift and improves visibility across technical controls. It also has limits: a connector can confirm that MFA is enforced in the identity provider on the day it polls, but it cannot tell you whether the access review behind that setting was a rubber stamp. At the same time, it lowers the perceived barrier to entry, and when readiness becomes subscription-based and dashboard-driven, the market can start to equate automation with assurance.

That dynamic also changes how traditional audit firms are perceived. When much of the evidence is already aggregated before fieldwork begins, the audit itself can feel standardized and procedural, even though independent judgment and attestation still matter a great deal. Professional skepticism and independence are not things you can automate, but the optics of the process have shifted.

At the same time, we’re seeing a broader B2B move toward GRC tools that work for you rather than static PDFs that slow everything down. Instead of sending reports back and forth over email, customers increasingly expect to log in and view certifications, summaries, and sometimes near real-time control status. Platforms like Drata have helped normalize this approach by making compliance data more continuously accessible instead of annually packaged. That model aligns with how modern procurement teams operate because they want faster vendor reviews, less friction, and fewer manual touchpoints.

Even with that shift, continuous visibility does not replace independent assurance. Dashboards are typically self-reported, while a SOC 2 report is independently attested, and experienced buyers understand that difference. What has changed is not the need for assurance, but the expectation around transparency and speed.

The bigger shift, in my view, is that SOC 2 used to signal that controls existed, whereas now buyers want to understand how mature those controls are, how risk is measured, and how leadership improves the program over time. They want insight into governance, not just confirmation of baseline practices.

SOC 2 still matters in the U.S. market and likely will for a long time because it is institutionalized and widely recognized. It just isn’t impressive on its own anymore, and it hasn’t meaningfully evolved to address some of the most significant emerging risks, including AI.

I’m interested to hear whether others are seeing this same change in enterprise procurement and vendor risk conversations.