SOC 2 and ISO/IEC 42001: The Future of AI Governance Audits

Artificial intelligence is rapidly becoming part of everyday business operations. From customer support automation to internal productivity tools and AI-powered analytics, organizations are integrating AI faster than governance frameworks can keep up. At the same time, customers, regulators, and enterprise organizations are asking new questions:

  • How is AI being used?

  • What data is being processed by AI systems?

  • Are AI outputs monitored and reviewed?

  • How are risks like bias, hallucinations, and unauthorized data exposure managed?

This is where the conversation around SOC 2 and ISO/IEC 42001 is beginning to evolve. While SOC 2 remains one of the most recognized frameworks for demonstrating security and operational trust, ISO/IEC 42001 introduces something new: a formal management system standard specifically focused on artificial intelligence governance. Together, they represent what the future of assurance may look like for organizations using AI.

SOC 2 Was Built for Trust

SOC 2 has long helped organizations demonstrate that they have effective controls around areas such as:

  • Security

  • Availability

  • Confidentiality

  • Processing integrity

  • Privacy

For SaaS companies and technology providers, SOC 2 is often the baseline expectation for doing business with larger customers. The framework evaluates whether controls are designed appropriately and operating effectively over time. It focuses heavily on operational discipline, evidence collection, access management, change management, vendor oversight, monitoring, and incident response.

But SOC 2 was not specifically designed for AI systems.

That does not mean AI is excluded from a SOC 2 audit. In fact, organizations increasingly need to consider how AI usage impacts their existing control environment. Questions auditors are beginning to ask include:

  • Are employees using generative AI tools with sensitive information?

  • Has AI usage been formally approved and risk assessed?

  • Are outputs reviewed before being relied upon?

  • Are third-party AI providers included in vendor management processes?

  • Is there governance around AI-related decision making?

As AI adoption grows, these questions are becoming harder to ignore.

ISO/IEC 42001 Introduces AI Governance

Unlike SOC 2, ISO/IEC 42001 was created specifically for artificial intelligence management systems. The standard focuses on establishing governance processes around the responsible development, implementation, and use of AI. This includes areas such as:

  • AI risk management

  • Transparency and accountability

  • Human oversight

  • Data governance

  • Monitoring and continuous improvement

  • Ethical considerations

  • AI lifecycle management

Rather than focusing only on technical controls, ISO/IEC 42001 looks at how organizations govern AI as part of a broader management system. In many ways, it mirrors the structure organizations already recognize from ISO/IEC 27001, but applies those principles directly to AI governance. For organizations building or heavily relying on AI systems, ISO/IEC 42001 helps demonstrate that AI usage is not happening without oversight.

Why SOC 2 Alone May No Longer Be Enough

Historically, many customers simply asked whether a company had a SOC 2 report. Now the conversation is changing. Organizations using AI may still pass a SOC 2 audit while lacking formal governance around:

  • AI model usage

  • Training data oversight

  • Bias monitoring

  • Human review processes

  • AI-specific risk assessments

  • AI transparency policies

This creates a growing assurance gap. Customers increasingly want confidence not only that systems are secure, but that AI technologies are being managed responsibly. SOC 2 can support parts of that conversation, particularly around security and operational controls. But ISO/IEC 42001 expands the discussion into governance, accountability, and AI risk management.

The Future Is a Combined Approach

Rather than replacing SOC 2, ISO/IEC 42001 is more likely to complement it. SOC 2 continues to provide strong assurance around operational controls and information security practices. ISO/IEC 42001 adds a structured framework for AI governance and oversight. Together, they can help organizations demonstrate:

  • Strong security controls

  • Mature operational processes

  • Responsible AI governance

  • Ongoing AI risk management

  • Accountability around AI usage

For organizations developing AI products, integrating generative AI into workflows, or processing sensitive information through AI systems, this combined approach may become increasingly valuable, especially as enterprise customers begin asking more detailed questions about AI governance during procurement and vendor risk assessments.

AI Governance Is Becoming a Business Requirement

AI adoption is moving faster than many organizations anticipated. In many cases, employees are already using AI tools before formal governance processes are established. That creates risk, but it also creates urgency. The organizations that will be best positioned moving forward are not necessarily the ones using the most AI. They are the ones building governance, accountability, and oversight alongside adoption. SOC 2 helped define trust in the cloud era. ISO/IEC 42001 helps to define trust in the AI era.

MHM - Leading the Future of AI Assurance in Canada

As AI governance expectations continue to evolve, organizations will increasingly look for partners who can assess both operational security and responsible AI oversight together rather than through separate assurance processes.

At MHM, we are uniquely positioned to support that journey. In addition to delivering SOC 2 examinations, MHM is proud to be the first firm accredited in Canada to certify organizations against ISO/IEC 42001, the international standard for AI management systems.

This allows organizations to approach information security, operational trust, and AI governance through a more integrated assurance model, one that aligns security controls with responsible AI oversight, risk management, and accountability.

As the market continues to mature, organizations that can demonstrate both strong security practices and governed AI adoption will be better positioned to meet customer expectations, procurement requirements, and regulatory scrutiny in the AI era.
