Compliance & Legal

How to collect soc 2 audit evidence with AI

Compliance & Legal3 AI tools7 steps6 friction points

Want an agent to handle this on your live data? See the Starch version →

SOC 2 audit evidence collection is the operational grind that sits between deciding to get certified and actually handing your auditor a complete evidence package. It means gathering access logs, change management records, security policy acknowledgments, background check confirmations, incident response tickets, and vendor risk reviews — from a dozen different systems — in the right format, mapped to the right controls, with timestamps intact. For most early-stage operators, this lands on one person's plate alongside everything else.

The workflow feels AI-tractable because so much of it is structured, repetitive, and text-heavy. Mapping a list of controls to your existing documentation, drafting a request email to your infrastructure team, writing a policy document from a template, summarizing what evidence exists and what's missing — these are pattern-matching and drafting tasks that LLMs do well. It's tempting to assume a good prompt chain can turn a chaotic evidence spreadsheet into an audit-ready package.

ChatGPT, Claude, and Gemini can genuinely accelerate several parts of this workflow. They're useful for drafting control narratives, generating evidence request templates, mapping your tech stack to TSC criteria, reviewing policies for gaps, and building tracker frameworks. What they can't do is reach into your Jira, pull your GitHub access log, or send the evidence request emails themselves. You do all of that manually, then bring the output back to the model.

Skip the manual work → See the Starch version

Compliance & Legal3 AI tools7 steps6 friction points

AI walkthrough

How to do it with AI today

A practical walkthrough using ChatGPT, Claude, and other off-the-shelf LLMs — what they're good at, what you'll have to do by hand.

Tools that work for this

ClaudeChatGPTGemini

Step-by-step

1 Start with a control mapping session in Claude or ChatGPT: paste in the SOC 2 Trust Services Criteria (CC6, CC7, CC8, etc.) and your current tech stack list, then ask the model to map each control to the system that would hold evidence for it. Export this as your master evidence tracker.

2 For each control area, prompt the model to generate a specific evidence request template — who to ask, what artifact to request, what format it should be in, and what time range the auditor will want. Use these templates to draft emails or Slack messages to your engineering, HR, and infosec leads.

3 Paste your existing security policies (access control, incident response, change management) into Claude and ask it to identify gaps against SOC 2 CC-series requirements. The model will flag missing sections and suggest language you can adopt or modify.

4 When evidence artifacts come back — screenshots, exports, policy PDFs — use the model to review and annotate them. Paste the content and ask whether the artifact satisfies the control it's mapped to, or whether something additional is needed.

5 Draft control narratives by pasting the evidence artifact plus the control requirement into the model and asking it to write a 2-3 sentence narrative describing how your organization meets the criterion. These go directly into your auditor-facing documentation.

6 Use the model to build a gap log: a running list of controls where evidence is missing, the person responsible, and a target date. Paste your tracker into ChatGPT and ask it to generate a prioritized action list sorted by audit risk.

7 Before submission, paste your full evidence index into Claude and ask it to do a final completeness check — does every listed control have an artifact, a narrative, and a date range that covers the audit period?

Prompts you can copy

Here is my tech stack: [list]. Map each SOC 2 Trust Services Criteria control category (CC1–CC9, A1, PI1) to the system in my stack most likely to hold evidence for it. Output as a table with control, system, evidence type, and who typically owns it.

Review this access control policy for gaps against SOC 2 CC6 requirements. List each gap, quote the specific CC6 sub-criterion it fails to address, and suggest remediation language I can insert.

Draft an evidence request email to our engineering lead asking for: GitHub access logs for the audit period (Jan 1–Dec 31), a list of users with admin access to production, and records of any access reviews conducted. Keep it under 150 words.

Here is an artifact from our incident response system: [paste]. Write a 3-sentence control narrative explaining how this artifact demonstrates that our organization meets SOC 2 CC7.3 (responding to identified security incidents).

I have 18 SOC 2 controls still missing evidence with 3 weeks until fieldwork starts. Here is the list: [paste]. Prioritize them by audit risk and assign a suggested owner from this team list: [paste].

Reality check

Where this gets hard

The walkthrough above works — until your numbers change, the LLM hallucinates, or you have to re-paste everything next month.

No live connection to your actual systems — every evidence artifact requires a manual export, copy-paste, or screenshot before the model can see it.

Context window limits mean you can't feed the model your full Jira history, GitHub audit log, and HR system export simultaneously — you're chunking and stitching manually.

Nothing persists between sessions. The evidence tracker you built in Tuesday's session doesn't update when a new artifact arrives Friday — you restart the prompt chain from scratch.

The model can't send the evidence request emails or Slack messages it drafts — you copy the output, switch to your email client, and paste it yourself for every single request.

Output structure drifts. The control narrative format you carefully prompted in week one looks different in week three, so you're reformatting before every auditor handoff.

There's no way to track what's been collected, what's pending, and what's overdue without maintaining a separate spreadsheet — the LLM has no memory of what you've already gathered.

Tired of the friction?

Starch runs the whole workflow on live data — no copy-paste, no hallucinated numbers, no re-prompting next month.

See the Starch version →

Starch alternative

The same workflow on Starch

Starch is an agentic operating system — an agent builds and runs the persistent apps and automations your work depends on, connected to your live business data. For SOC 2 evidence collection, that means an agent can build a tracker that actually reaches into your systems, routes requests, and surfaces what's missing — without you re-running prompts manually each week.

Connect Gmail or Outlook from Starch's integration catalog and let the agent draft and send evidence request emails on your behalf — no copying outputs into a separate mail client for each of the 18 controls you need to chase.

Use the Knowledge Management app to centralize policy documents, control narratives, and evidence artifacts in one searchable place — the agent auto-categorizes incoming files and flags documentation that's stale or missing a linked control.

Describe your evidence tracker in plain English — 'build me a SOC 2 evidence log with columns for control ID, owner, artifact status, due date, and auditor notes' — and the agent builds and maintains the app, not a one-time spreadsheet.

Connect Jira or GitHub from Starch's integration catalog so the agent can query change management tickets and access review records live, instead of waiting for your engineering lead to export a CSV and email it to you.

Use the Task Manager app to assign evidence collection tasks by control owner, set due dates, and get overdue alerts — so nothing stalls because someone forgot they were responsible for the CC6.3 artifact.

Set up an automation that runs weekly during audit prep: it checks which controls still have no linked artifact, drafts follow-up messages to the responsible owner, and sends them via Gmail — all without you touching the prompt chain again.

Get closed-beta access →

Toolkit