
Answer the security review with evidence, not promises.
Missing SOC 2 evidence for your AI features can stall an enterprise deal. AegisPlane logs every AI interaction, access decision, and policy check against the Trust Services Criteria. You export it straight into your audit.
No code changes. Live on your traffic in a day.
One control sits in front of every model your teams already call, checking each request against the standards your auditors recognize.
What is SOC 2?
Enterprise buyers will not take your word on security. SOC 2 is the AICPA framework that reports on your controls against the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. A Type II report proves those controls worked over time.
- Reports on controls against five Trust Services Criteria.
- Type II assesses control effectiveness over a period, not a moment.
- The security (common) criteria (CC-series) are always in scope.
- Frequently required to close enterprise deals.
What SOC 2 requires
A Type II report samples control activity over time. AegisPlane produces that activity for your AI surface.
Logical access controls
CC6 requires controlled access. Model and provider access is governed by RBAC and OIDC/SAML identity.
System monitoring
CC7 requires monitoring and response. OpenTelemetry metrics and alerts capture the signals.
Change management
Controls are versioned config compiled into signed bundles, an auditable change record.
Evidence over time
Every access, decision, and check is logged continuously, matching the period a Type II covers.
One request, checked in real time
Here is one interaction. AegisPlane classifies the request, checks it against the framework, blocks what it must, and logs the decision as evidence. It happens in milliseconds, on live traffic.
Business value
- Improves enterprise sales readiness.
- Strengthens trust in security governance.
- Supports audit and questionnaire workflows.
How AegisPlane produces SOC 2 evidence for AI
AegisPlane turns AI traffic into a source of SOC 2 evidence in the AI Control Plane (AICP), continuously logging the control activity a Type II audit samples.
Controls as config
Access, logging, and change controls are versioned config compiled into signed bundles, a clear, auditable control state.
Enforced at the gateway
Logical access controls (CC6) are enforced on every request via RBAC and OIDC/SAML identity, evaluated by the OPA policy engine.
Monitored continuously
System monitoring (CC7) is backed by OpenTelemetry metrics and alerting, capturing the operational signals auditors expect.
Logged as evidence
Every access, policy decision, and change is recorded against its Trust Services criterion and exportable across the audit period.
Frequently asked questions
No. A SOC 2 report is issued by a licensed CPA firm after an audit. AegisPlane supplies the continuous control evidence for the AI portion of your environment that such an audit relies on.
Primarily the security common criteria (CC-series): logical access, monitoring, and change, which are the runtime-observable controls on AI traffic.
Access is governed through OIDC/SAML identity and RBAC enforced at the gateway, and each decision is logged as evidence.
Yes. Logs are continuous and retainable, which suits the period-of-time nature of a Type II audit.
Yes. Many teams pursue both; AegisPlane can produce evidence aligned to each on the same traffic.
Why now
Continuous checks and evidence, not a stale annual assessment
Missing AI evidence stalls enterprise deals. Close the gap before the next review. Every selected framework is checked on live AI traffic and the decision is logged as evidence, so audit prep stops being a fire drill. No code changes.
