SOC 2 auditors are now asking questions about AI-generated code that most engineering teams cannot yet answer. The AICPA has not released a dedicated AI module as of 2026, but AI-fluent auditors are increasingly interpreting Trust Services Criteria (TSC) against AI-specific risks, and the distance between what those criteria anticipated in 2017 and what a modern AI coding agent can produce is material.
Veracode's 2025 GenAI Code Security Report, which tested more than 100 LLMs across 80 curated coding tasks, found that AI-generated code contains 2.74x more vulnerabilities than human-written code and fails security checks in 45% of cases. By mid-2025, AI-generated code was adding more than 10,000 new security findings per month across studied repositories, a 10x increase from December 2024. That trajectory tells auditors one thing: the code flowing through your change management controls has materially different risk properties than the code those controls were originally designed to govern.
What Auditors Are Now Looking For
When auditors open a SOC 2 evidence review for teams with AI coding agents in their workflow, they are looking for documentation your current toolchain may not generate automatically. AI-fluent auditors in 2026 are applying existing TSC principles to AI-specific risks, translating questions like "who changed what and why" into AI-native equivalents. The four areas receiving the most scrutiny:
Attributability: can you demonstrate which AI session, model version, and authorized user produced a specific code change?
Least-privilege access: do AI coding agents operate under the same credential scoping and access controls as human developers?
Continuous logging: is every AI-assisted generation event captured (timestamp, model name, input reference, output, token count) in a tamper-evident log?
Change management parity: does AI-generated code pass through identical review and approval gates as human-written code, with log evidence to prove it?
Which Trust Services Criteria Are in Scope
Four TSC domains are being actively mapped to AI coding agent activity, based on current SOC 2 Type II compliance practice for AI platforms in 2026:
The audit trail question is where most teams stall. What compliance actually requires for AI-generated code audit trails goes beyond what version control systems log by default: per-PR evidence must capture the agent session identity, the model that produced the code, the human reviewer, and the outcome of every automated gate. Most CI pipelines do not emit this data when the author is an AI agent rather than a human developer.
There is also meaningful overlap between SOC 2 CC8 and the Article 12 logging requirements under the EU AI Act. Teams already building logging infrastructure for EU compliance will find the evidence packages satisfy both frameworks, but only if logging is implemented at the pull request level, not reconstructed at deployment.
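As an added illustration (not re-entry.ai's code and not an auditor-mandated format), the following Python sketch shows one way to record the fields named above (agent session, model version, authorized user, human reviewer, gate outcomes, timestamp, input reference, token count) as a hash-chained, append-only log written at pull request time, so that editing or deleting an entry afterwards is detectable. Names, IDs, model strings and the list of shared service accounts are constructed placeholders.

```python
"""Tamper-evident evidence log for AI-assisted pull requests (added example)."""
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # prev_hash of the first record in the chain


def canonical(record: dict) -> bytes:
    # Sorted keys and fixed separators so identical content always hashes identically.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_hash(record: dict) -> str:
    return hashlib.sha256(canonical(record)).hexdigest()


class EvidenceLog:
    """Append-only, hash-chained log of AI-assisted generation events."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, *, pr_id: str, timestamp: str, session_id: str,
               model: str, user: str, reviewer: Optional[str],
               gates: Dict[str, str], input_ref: str, output_ref: str,
               token_count: int) -> str:
        body = {
            "pr_id": pr_id,
            "timestamp": timestamp,
            "session_id": session_id,   # which agent session produced the change
            "model": model,             # model name and version
            "user": user,               # authorized human who drove the session
            "reviewer": reviewer,       # human approver, None if not yet reviewed
            "gates": gates,             # outcome of each automated gate
            "input_ref": input_ref,     # pointer to the prompt/context, not its content
            "output_ref": output_ref,   # pointer to the generated diff
            "token_count": token_count,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry = dict(body, hash=record_hash(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> Optional[int]:
        """Return the index of the first record that breaks the chain, else None."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev_hash"] != prev or record_hash(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None


def pr_evidence(log: EvidenceLog, pr_id: str) -> dict:
    """Per-PR evidence summary: attribution, human review, and gate outcomes."""
    records = [e for e in log.entries if e["pr_id"] == pr_id]
    shared = {"ci-bot", "svc-ai-agent"}  # constructed examples of shared service accounts
    return {
        "records": len(records),
        "attributed": all(e["session_id"] and e["user"] not in shared for e in records),
        "reviewed_by_other_human": all(e["reviewer"] and e["reviewer"] != e["user"] for e in records),
        "all_gates_passed": all(all(v == "pass" for v in e["gates"].values()) for e in records),
        "models": sorted({e["model"] for e in records}),
    }


def build_sample_log() -> EvidenceLog:
    # Constructed sample data; every name, ID and model string is a placeholder.
    log = EvidenceLog()
    log.append(pr_id="PR-101", timestamp="2026-01-10T09:12:00Z",
               session_id="sess-4f2a", model="example-model-v3",
               user="alice", reviewer="bob",
               gates={"sast": "pass", "secrets": "pass", "tests": "pass"},
               input_ref="prompt-store://4f2a/1", output_ref="git:abc123",
               token_count=1840)
    # Second PR: driven by a shared service account, unreviewed, SAST gate failed.
    log.append(pr_id="PR-102", timestamp="2026-01-10T10:05:00Z",
               session_id="sess-9c01", model="example-model-v3",
               user="svc-ai-agent", reviewer=None,
               gates={"sast": "fail", "secrets": "pass", "tests": "pass"},
               input_ref="prompt-store://9c01/1", output_ref="git:def456",
               token_count=920)
    return log


def tamper_demo() -> Optional[int]:
    # Rewriting a field after the fact (here the model name) must be detectable.
    log = build_sample_log()
    log.entries[0]["model"] = "example-model-v2"
    return log.verify()


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", sample.verify() is None)
    print(json.dumps(pr_evidence(sample, "PR-102"), indent=2))
    print("first bad record after tampering:", tamper_demo())
```

The chain only proves that nothing was altered between the time a record was written and the time it is checked; a deployment would also anchor the current head hash somewhere the pipeline cannot overwrite (a write-once store or a signed release artifact) so that the whole log cannot simply be regenerated. The summary for PR-102 is the shape of finding an auditor flags under CC8: a shared service account with no individual traceability, no human approval, and a failed gate with no recorded override.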
What re-entry.ai Does About This
re-entry.ai scores every pull request for risk before it merges, capturing the session attribution, model identity, reviewer decisions, and gate outcomes that SOC 2 auditors now expect to see. The platform generates structured audit evidence at the change level, not reconstructed from logs after the fact, so engineering teams can enter a Type II review period with documentation already in place rather than assembling it under audit pressure. Visit re-entry.ai to see how the platform maps to each TSC domain.
What to Do Now
Inventory every AI coding agent in active use across your engineering organization, including tools adopted by individual engineers outside formal procurement.
Audit change management logging: confirm that AI-generated PRs are attributed to specific agent sessions and authorized users, not a shared service account with no individual traceability.
Verify access scoping: compare AI agent credential permissions against the minimum required for each workflow and produce a documented access review.
Update your incident response playbook to explicitly cover AI-generated vulnerability discovery: triage path, remediation SLA, and notification chain.
Map your existing CC8, CC6, CC7, and CC9 evidence artifacts against AI-specific gaps before your next audit window opens.
SOC 2 auditors are not waiting for formal AICPA guidance on AI; they are applying existing criteria to the tools already running in your pipeline. Teams that close the evidence gap now will spend significantly less time in remediation. Start the gap assessment at re-entry.ai.