SOC 2 + ISO 42001

The strongest compliance combination for US companies using AI

Reviewed by the ISO42k editorial team — compliance and AI governance professionals

Bottom line

If you're a US company building or using AI, SOC 2 Type 2 + ISO 42001 is the most strategic compliance combination available. SOC 2 is what your enterprise customers already demand. ISO 42001 fills every AI-specific gap that SOC 2 leaves open. Together, they cover information security and AI governance — without the significant overlap of adding ISO 27001 on top.

SOC 2: A quick primer

SOC 2 is an attestation framework developed by the AICPA (American Institute of Certified Public Accountants). It evaluates how well an organization protects customer data based on five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

|               | Type 1                   | Type 2                           |
|---------------|--------------------------|----------------------------------|
| Evaluates     | Control design           | Design + operating effectiveness |
| Timeframe     | Point-in-time snapshot   | 3–12 month observation period    |
| Evidence      | Policies & documentation | Logs, reviews, incident records  |
| Cost range    | $5K–$30K                 | $10K–$50K+                       |
| Market weight | Starting point           | The US enterprise standard       |

Important distinction: SOC 2 is an attestation (a CPA firm evaluates your controls), not a certification (like ISO 42001, where a registrar certifies your management system). Both are rigorous, but the mechanisms differ.

The AI gap in SOC 2

SOC 2 was designed to be technology-neutral. That's a strength for general security, but it means AI-specific risks fall through the cracks. Here's what SOC 2 covers well — and what it misses entirely:

SOC 2 covers
  • Access control and authentication
  • Change management processes
  • Incident detection and response
  • Data encryption and protection
  • Vendor management basics
  • System monitoring and logging

SOC 2 misses
  • Bias and fairness assessment
  • AI transparency and explainability
  • Human oversight requirements
  • AI lifecycle governance
  • Model drift and degradation monitoring
  • AI impact assessments

The AICPA's Processing Integrity criterion is the closest SOC 2 gets to AI governance — it covers whether processing is complete, valid, and accurate. But it's one of the least commonly included criteria in SOC 2 examinations, and it still doesn't address bias, fairness, or explainability.

Why SOC 2 + ISO 42001 is the power combo

Each framework covers exactly what the other doesn't. Together, they provide comprehensive coverage with minimal overlap:

SOC 2 handles security and trust
It proves to US enterprise buyers that your security controls actually work over time. It's the standard that procurement teams check first.
ISO 42001 handles AI governance
It proves you govern AI responsibly — bias testing, transparency, human oversight, lifecycle management. Everything SOC 2 wasn't designed for.
Together they future-proof your compliance
SOC 2 satisfies current US market demands. ISO 42001 positions you for emerging AI regulation (EU AI Act, US state-level AI laws) and increasingly AI-aware procurement standards.
Shared groundwork reduces effort
Risk management, documentation practices, incident response, and vendor management overlap between the two. Organizations with SOC 2 can focus ISO 42001 effort on the AI-specific controls that are genuinely new.

Stepping stone: SOC 2+

Not ready for full ISO 42001? The SOC 2+ report format lets you layer AI-specific controls into your existing SOC 2 examination. It's a practical middle ground that demonstrates AI governance commitment while you build toward certification.

SOC 2 vs ISO 42001 vs ISO 27001

A side-by-side look at what each framework brings to the table:

|                        | SOC 2 Type 2              | ISO 42001                  | ISO 27001                  |
|------------------------|---------------------------|----------------------------|----------------------------|
| Focus                  | Security & trust controls | AI governance              | Information security mgmt  |
| Type                   | Attestation (CPA)         | Certification (registrar)  | Certification (registrar)  |
| Origin                 | AICPA (US)                | ISO/IEC (global)           | ISO/IEC (global)           |
| Primary market         | US / North America        | Global                     | Global                     |
| AI-specific?           | No                        | Yes — core focus           | No                         |
| Covers bias/fairness   | No                        | Yes                        | No                         |
| Covers transparency    | No                        | Yes                        | No                         |
| Validity               | Annual report             | 3-year cert + surveillance | 3-year cert + surveillance |
| US enterprise adoption | Very high                 | Early but accelerating     | Moderate                   |

Where does ISO 27001 fit?

This is the question US companies ask most: “We already have SOC 2 Type 2. Do we need ISO 27001 too?”

SOC 2 and ISO 27001 share substantial overlap — the AICPA provides a detailed mapping showing significant control alignment. Both cover access control, change management, incident response, business continuity, risk management, and security policies.

US-only customers?
SOC 2 Type 2 is generally sufficient. It's the standard that US procurement teams recognize. ISO 27001 adds governance maturity but isn't essential for US market access.
International customers?
ISO 27001 adds significant value. It's the globally recognized security standard — SOC 2 has less recognition outside North America.
Pursuing ISO 42001?
ISO 27001 becomes more useful because it shares the same management system structure (Harmonized Structure, Plan-Do-Check-Act). But it's still not required — ISO 42001 is designed as a standalone standard and does not require ISO 27001 as a prerequisite.

The bottom line on ISO 27001

For a US-focused AI company, SOC 2 Type 2 + ISO 42001 is the leaner, more targeted combination. You get security assurance (SOC 2) plus AI governance (ISO 42001) without the overhead of a third framework that largely overlaps with what SOC 2 already covers. Add ISO 27001 later if you expand internationally.

Trust Services Criteria vs AI governance

The AICPA's five Trust Services Criteria are technology-neutral — they weren't designed with AI in mind. Here's how each maps (or doesn't) to AI governance needs:

| TSC Category         | AI Relevance                                    | Gap vs ISO 42001                                              |
|----------------------|-------------------------------------------------|---------------------------------------------------------------|
| Security (required)  | High — access control, monitoring apply to AI   | Doesn't address AI-specific threat vectors or model security  |
| Availability         | Moderate — uptime applies to AI services        | Doesn't address model degradation or drift                    |
| Processing Integrity | Highest — accuracy, validity directly relevant  | Doesn't cover bias, fairness, or explainability               |
| Confidentiality      | High — protects training data, model weights    | Doesn't address AI-specific data governance                   |
| Privacy              | High — personal data in training sets           | Doesn't address memorization or re-identification risks       |

Processing Integrity is the most AI-relevant criterion but is one of the least commonly included in SOC 2 examinations. If you use AI, consider adding it to your scope.

Recommended strategy by company profile

US SaaS company with SOC 2, building AI features
Add ISO 42001. You already have the security foundation. Focus effort on the AI-specific controls (Annex A). This is the fastest path to comprehensive AI + security coverage.
AI-native startup, no certifications yet
Start with SOC 2 Type 2 (it's what your first enterprise customer will ask for), then pursue ISO 42001 in parallel or immediately after. Consider SOC 2+ with AI controls as a stepping stone.
Enterprise with SOC 2 + ISO 27001
Add ISO 42001. Your ISO 27001 management system structure gives you a head start on implementation. The three together provide the most complete compliance posture available.
US company expanding internationally
SOC 2 + ISO 42001 first (covers US market + AI governance). Add ISO 27001 when international customers specifically require it. The overlap means the marginal effort is manageable.

Last reviewed: March 2026