Compliance · March 13, 2026 · 7 min read

Your SOC 2 Auditor Is Going to Ask About AI Code. Are You Ready?

It's happening. SOC 2 auditors are adding AI coding tools to their inquiry lists. If your developers use Claude Code, Cursor, or Copilot, your auditor will ask about it. And “we don't have a process for that” is a finding.

The questions your auditor will ask

We've talked to compliance leads at health IT companies who've already been through this. Here are the actual questions auditors are asking:

CC6.1 — Logical access controls

Which developers are using AI coding tools?

Without Verdict: "We don't track that."

With Verdict: "Here's a list of every developer with the tool installed, with session counts for the audit period."

CC8.1 — Change management

How do you authorize and document AI-generated changes?

Without Verdict: "Same as regular code changes — PR review."

With Verdict: "Every AI session generates a Change Record with developer identity, prompt, ticket linkage, files modified, and timestamps. Here are all records for the audit period."

CC7.1 — System monitoring

How do you prevent AI tools from accessing or exposing PHI?

Without Verdict: "We trust our developers to be careful."

With Verdict: "PHI detection runs on every file the AI reads. Here's the monitoring report. Three sessions flagged PHI-adjacent files — all were auto-redacted. Here are the specifics."

CC8.1 — Change documentation

Can you show me the change management evidence for this specific AI-generated commit?

Without Verdict: "Let me dig through git logs... give me a few days."

With Verdict: "Here's the Change Record: session d19f7d4e, developer jane@healthtech.com, ticket EHR-1847, 2 files modified, tests passed, PR #42 approved by Alex."

CC6.8 — Software identification

What AI models are being used, and are they approved?

Without Verdict: "I think mostly Claude? Maybe some Copilot?"

With Verdict: "Claude Code v2.1.75 with claude-opus-4-6 model. All sessions logged with agent and model identification. No unauthorized AI tools detected."

The finding that's coming

If your team uses AI coding tools and you can't answer these questions, here's what your SOC 2 report will say:

“The entity does not have sufficient controls to authorize, document, and monitor code changes generated by AI coding tools. This represents a gap in the entity's change management process as it relates to CC8.1.”

This isn't hypothetical. Companies are already getting this finding. And once it's in your report, your customers see it. In healthcare, that can kill deals.

The fix takes 10 minutes, not 10 weeks

Some teams try to build internal tooling. That typically takes 6-10 weeks and captures maybe half of what an auditor needs. Other teams ban AI tools entirely — which solves the compliance problem by creating a productivity problem.

With Verdict, the path is:

  1. Day 1: Install the CLI, hook into Claude Code. Takes 10 minutes.
  2. Week 1: Verdict captures every AI session automatically. Review the Change Records to verify coverage.
  3. Week 2: Configure policy rules (ticket required, review required). Enable PR annotations.
  4. Week 3: Connect to your GRC platform. Compliance evidence flows automatically.
  5. Audit day: Pull up any Change Record in seconds. Show the auditor structured, mapped, tamper-resistant evidence.
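To make concrete what "structured, tamper-resistant evidence" and "policy rules (ticket required, review required)" mean in practice, here is an added example that is not Verdict's code and does not describe its implementation. It builds a Change Record from the fields the post lists (developer identity, prompt, ticket linkage, files modified, timestamps, plus agent and model for CC6.8), enforces the two policy rules, and chains the records with SHA-256 so that editing any record after the fact is detectable. The field names, the hash-chaining scheme, and the two sample records are assumptions constructed for the example; the first record reuses the values from the post's own example, the second is deliberately non-compliant.

```python
"""Minimal AI-session Change Records with policy checks and a tamper-evident hash chain.

Added example; the schema and chaining scheme are assumptions, not Verdict's format.
"""
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # prev_hash carried by the first record of a chain

# Constructed sample records (not real sessions). Record 0 mirrors the post's
# example; record 1 is missing both a ticket and a PR approval on purpose.
SAMPLE_RECORDS = [
    {
        "session_id": "d19f7d4e",
        "developer": "jane@healthtech.com",
        "agent": "Claude Code v2.1.75",      # CC6.8: which tool
        "model": "claude-opus-4-6",          # CC6.8: which model
        "prompt": "Add a null check to the patient lookup helper",  # constructed
        "ticket": "EHR-1847",
        "files_modified": ["src/ehr/lookup.py", "tests/test_lookup.py"],  # constructed
        "started_at": "2026-03-10T14:02:11Z",
        "ended_at": "2026-03-10T14:19:40Z",
        "tests_passed": True,
        "pr_number": 42,
        "approved_by": "alex@healthtech.com",
    },
    {
        "session_id": "7a3c0b12",
        "developer": "dev2@healthtech.com",
        "agent": "Claude Code v2.1.75",
        "model": "claude-opus-4-6",
        "prompt": "Refactor the billing export loop",  # constructed
        "ticket": None,
        "files_modified": ["src/billing/export.py"],  # constructed
        "started_at": "2026-03-11T09:30:00Z",
        "ended_at": "2026-03-11T09:41:15Z",
        "tests_passed": True,
        "pr_number": None,
        "approved_by": None,
    },
]


def check_policy(rec, require_ticket=True, require_review=True):
    """CC8.1: return the list of policy rules a record violates (empty = compliant)."""
    violations = []
    if require_ticket and not rec.get("ticket"):
        violations.append("ticket required")
    if require_review and not (rec.get("pr_number") and rec.get("approved_by")):
        violations.append("review required")
    return violations


def _digest(payload):
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace)."""
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def seal_records(records):
    """Link records into a hash chain: each record commits to the previous record's hash."""
    chain = []
    prev = GENESIS
    for rec in records:
        body = dict(rec, prev_hash=prev)      # copy, never mutate the caller's record
        body["record_hash"] = _digest(body)   # hash covers every field except itself
        chain.append(body)
        prev = body["record_hash"]
    return chain


def verify_chain(chain):
    """Return the index of the first record that fails verification, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if body.get("prev_hash") != prev or _digest(body) != rec.get("record_hash"):
            return i
        prev = rec["record_hash"]
    return -1


def session_counts(chain):
    """CC6.1 evidence: every developer who used the tool, with their session count."""
    return dict(Counter(rec["developer"] for rec in chain))


def tampered_copy(chain, index, key, value):
    """Deep-copy a sealed chain and alter one field, to show that verification catches it."""
    altered = json.loads(json.dumps(chain))
    altered[index][key] = value
    return altered


if __name__ == "__main__":
    chain = seal_records(SAMPLE_RECORDS)
    for rec in chain:
        print(rec["session_id"], rec["developer"], check_policy(rec) or "compliant")
    print("chain intact:", verify_chain(chain) == -1)
    forged = tampered_copy(chain, 1, "approved_by", "alex@healthtech.com")
    print("first bad record after forging an approval:", verify_chain(forged))
```

The point of the chain is the last check: back-filling an approval on record 1 after the fact changes its hash, so `verify_chain` reports index 1, and any later record would also fail because its `prev_hash` no longer matches. In a real deployment the chain head would be stored somewhere the developers cannot rewrite (for example, exported to the GRC platform in step 4), since a hash chain kept only on the same machine as the records can be recomputed end to end.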

Don't wait for the finding

The best time to implement AI compliance controls is before your auditor asks. The second best time is now.

Your next SOC 2 audit will include questions about AI coding tools. Whether that conversation goes well depends on what you do in the next few weeks.

Don't wait for the audit finding. We'll help you implement AI compliance controls before your auditor asks. Early access is free for healthcare IT teams.
