SOC 2 Compliance Guide

This guide helps compliance officers configure Lucid to meet the requirements of SOC 2 (Service Organization Control 2) for AI systems, addressing the Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Overview

SOC 2 is a framework developed by the American Institute of CPAs (AICPA) for managing customer data based on five Trust Services Criteria. Organizations that provide services involving customer data often need SOC 2 compliance to demonstrate their security controls to customers and partners.

Lucid helps organizations meet SOC 2 requirements through:

  • Logical access security via injection defense and access controls
  • System monitoring through comprehensive observability
  • Change management via model integrity verification
  • Data protection through PII detection and credential scanning
  • Processing integrity through toxicity and bias detection

SOC 2 Trust Services Criteria and Lucid Auditors

Common Criteria (CC) - Security

| Control | Requirement | Recommended Auditor |
|---------|-------------|---------------------|
| CC6.1 | Logical access security | PII Compliance Auditor (access control, PII protection) |
| CC6.6 | Boundary protection | Guardrails Auditor |
| CC7.2 | System monitoring | Observability Auditor |
| CC8.1 | Change management | Model Security Auditor (model integrity), Watermark Auditor |

Additional Trust Services Criteria

| Criteria | Requirement | Recommended Auditor |
|----------|-------------|---------------------|
| PI1.1-3 | Processing Integrity | Guardrails Auditor, Eval Auditor |
| C1.1 | Confidentiality | PII Compliance Auditor, Secrets Auditor (credential detection) |
| P1.1 | Privacy | PII Compliance Auditor |

Deploying for SOC 2 Compliance

Quick Start

Deploy an AI environment with the SOC 2 compliance profile:

lucid apply --app open-webui --model llama-3.1-8b --profile soc2

This enables the following auditors:

  • PII Compliance Auditor - PII detection and access control
  • Secrets Auditor - Credential scanning
  • Observability Auditor - System monitoring and audit logging
  • Guardrails Auditor - Boundary protection and output quality
  • Model Security Auditor - Change management and model integrity
  • Eval Auditor - Processing integrity

Custom Configuration

For organizations requiring specific SOC 2 controls, create a YAML configuration:

# soc2-environment.yaml
apiVersion: lucid.io/v1alpha1
kind: LucidEnvironment
metadata:
  name: soc2-compliant-ai
spec:
  infrastructure:
    provider: aws
    region: us-east-1
  agents:
    - name: soc2-agent
      model:
        id: meta-llama/Llama-3.1-8B
      gpu:
        type: A10G
        memory: 24GB
      auditChain:
        preRequest:
          - auditorId: lucid-guardrails-auditor
            name: Boundary Protection (CC6.6)
            env:
              INJECTION_BLOCK_ON_DETECTION: "true"
              INJECTION_THRESHOLD: "0.8"
              TOXICITY_THRESHOLD: "0.7"
              TOXICITY_BLOCK_ON_DETECTION: "true"
          - auditorId: lucid-pii-compliance-auditor
            name: Access Security (CC6.1)
            env:
              PII_DETECTION_ENABLED: "true"
              PII_REDACT_ON_DETECTION: "true"
              ACCESS_CONTROL_ENABLED: "true"
          - auditorId: lucid-policy-auditor
            name: Credential Protection (CC6.1)
            env:
              CREDENTIAL_DETECTION_ENABLED: "true"
              CREDENTIAL_BLOCK_ON_DETECTION: "true"
        postResponse:
          - auditorId: lucid-observability-auditor
            name: System Monitoring (CC7.2)
            env:
              LOG_RETENTION_DAYS: "365"
              LOG_ALL_EVENTS: "true"
              ANOMALY_DETECTION_ENABLED: "true"
          - auditorId: lucid-eval-auditor
            name: Change Management (CC8.1)
            env:
              MODEL_INTEGRITY_CHECK: "true"
              SAFETY_BENCHMARKS_ENABLED: "true"

Deploy with:

lucid apply -f soc2-environment.yaml
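
A pre-deployment lint for the configuration above, as an added example (not part of Lucid or its CLI). It assumes the YAML has already been parsed into Python dicts (for instance with PyYAML's `yaml.safe_load`) and that each auditChain entry tags its control in `name` as "(CC6.1)", as the sample file does; `lint_agent`, `REQUIRED` and `DRIFTED_AGENT` are hypothetical names, and `REQUIRED` covers only a subset of the settings this guide lists.

```python
# Settings each control must carry, taken from this guide's env blocks.
REQUIRED = {
    "CC6.1": {"PII_DETECTION_ENABLED": "true", "ACCESS_CONTROL_ENABLED": "true",
              "CREDENTIAL_DETECTION_ENABLED": "true",
              "CREDENTIAL_BLOCK_ON_DETECTION": "true"},
    "CC6.6": {"INJECTION_BLOCK_ON_DETECTION": "true"},
    "CC7.2": {"LOG_ALL_EVENTS": "true", "ANOMALY_DETECTION_ENABLED": "true"},
    "CC8.1": {"MODEL_INTEGRITY_CHECK": "true", "SAFETY_BENCHMARKS_ENABLED": "true"},
}
MIN_RETENTION_DAYS = 365  # the guide's retention figure for Type II audits

def lint_agent(agent):
    """Return sorted findings for one parsed entry of spec.agents."""
    chain = agent.get("auditChain", {})
    entries = chain.get("preRequest", []) + chain.get("postResponse", [])
    by_control = {}  # control id -> merged env of every entry tagged "(CCx.y)"
    for entry in entries:
        for control in REQUIRED:
            if f"({control})" in entry.get("name", ""):
                by_control.setdefault(control, {}).update(entry.get("env", {}))
    findings = []
    for control, needed in REQUIRED.items():
        if control not in by_control:
            findings.append(f"{control}: no auditor entry tagged for this control")
            continue
        for key, want in needed.items():
            got = by_control[control].get(key)
            if got != want:  # env values are strings, so YAML `true` also fails
                findings.append(f"{control}: {key} is {got!r}, expected {want!r}")
    days = str(by_control.get("CC7.2", {}).get("LOG_RETENTION_DAYS", "unset"))
    if not days.isdigit() or int(days) < MIN_RETENTION_DAYS:
        findings.append(f"CC7.2: LOG_RETENTION_DAYS is {days!r}, need >= {MIN_RETENTION_DAYS}")
    return sorted(findings)

# Constructed sample: the guide's auditChain with two drifts introduced
# (credential entry dropped, retention cut to 90 days).
DRIFTED_AGENT = {"name": "soc2-agent", "auditChain": {
    "preRequest": [
        {"name": "Boundary Protection (CC6.6)",
         "env": {"INJECTION_BLOCK_ON_DETECTION": "true"}},
        {"name": "Access Security (CC6.1)",
         "env": {"PII_DETECTION_ENABLED": "true", "ACCESS_CONTROL_ENABLED": "true"}}],
    "postResponse": [
        {"name": "System Monitoring (CC7.2)",
         "env": {"LOG_RETENTION_DAYS": "90", "LOG_ALL_EVENTS": "true",
                 "ANOMALY_DETECTION_ENABLED": "true"}},
        {"name": "Change Management (CC8.1)",
         "env": {"MODEL_INTEGRITY_CHECK": "true", "SAFETY_BENCHMARKS_ENABLED": "true"}}]}}
print("\n".join(lint_agent(DRIFTED_AGENT)))
```

Running the lint in CI against the committed YAML catches a weakened control before `lucid apply` and leaves a reviewable record of when the configuration changed.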

Control-by-Control Guidance

CC6.1 - Logical Access Security

Requirement: The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events.

Lucid Implementation:

  1. PII Compliance Auditor - Comprehensive access security
     • Detects and protects PII in data flows
     • Enforces access control policies
  2. Secrets Auditor - Credential protection
     • Identifies exposed credentials that could enable unauthorized access

env:
  ACCESS_CONTROL_ENABLED: "true"
  PII_DETECTION_ENABLED: "true"
  CREDENTIAL_DETECTION_ENABLED: "true"
  CREDENTIAL_BLOCK_ON_DETECTION: "true"

Evidence for Auditors: The PII Compliance Auditor and Secrets Auditor generate logs of all PII detections, credential blocks, and access control decisions that demonstrate CC6.1 compliance.

CC6.6 - Boundary Protection

Requirement: The entity implements logical access security measures to protect against threats from sources outside its system boundaries.

Lucid Implementation:

  1. Guardrails Auditor - Defends against external threats
     • Blocks prompt injection attacks from external users
     • Prevents jailbreak attempts that bypass security boundaries
     • Protects the AI system from malicious inputs

env:
  INJECTION_BLOCK_ON_DETECTION: "true"
  INJECTION_THRESHOLD: "0.8"
  JAILBREAK_DETECTION_ENABLED: "true"

Evidence for Auditors: Each blocked attack is logged with details including the attack pattern detected, timestamp, and source. The AI Passport includes attestation that the Guardrails Auditor was active.

CC7.2 - System Monitoring

Requirement: The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors.

Lucid Implementation:

  1. Observability Auditor - Comprehensive system monitoring
     • Records all AI system activities
     • Detects anomalous behavior patterns
     • Provides real-time alerting capabilities

env:
  LOG_ALL_EVENTS: "true"
  ANOMALY_DETECTION_ENABLED: "true"
  ALERT_ON_ANOMALY: "true"
  LOG_RETENTION_DAYS: "365"

Monitoring Dashboards:

# Stream real-time logs
lucid logs soc2-agent --follow

# View anomaly alerts
lucid logs soc2-agent --anomalies

# Check system status
lucid status soc2-agent --detailed

CC8.1 - Change Management

Requirement: The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures.

Lucid Implementation:

  1. Model Security Auditor - Model change verification
     • Verifies model integrity after updates
     • Detects unauthorized model changes
  2. Eval Auditor - Safety benchmarks
     • Runs safety benchmarks to validate changes
     • Documents model capabilities and limitations
  3. Watermark Auditor - Output provenance tracking
     • Tracks changes in AI-generated content
     • Provides audit trail for content attribution

env:
  MODEL_INTEGRITY_CHECK: "true"
  INTEGRITY_CHECK_ON_STARTUP: "true"
  SAFETY_BENCHMARKS_ENABLED: "true"
  DOCUMENT_MODEL_CHANGES: "true"

Change Documentation:

# View model integrity status
lucid status soc2-agent --integrity

# Export change records
lucid passport export --changes --from 2024-01-01 > change_log.json

PI1.1 - Processing Integrity

Requirement: The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing.

Lucid Implementation:

  1. Guardrails Auditor - Output quality assurance
     • Detects harmful or inappropriate content
     • Ensures AI outputs meet quality standards
     • Blocks content that fails integrity checks
  2. Fairness Auditor - Bias and fairness verification
     • Evaluates model outputs for bias
     • Ensures processing produces fair results

env:
  TOXICITY_THRESHOLD: "0.7"
  TOXICITY_BLOCK_ON_DETECTION: "true"
  BIAS_DETECTION_ENABLED: "true"

CC4.1 - Control Monitoring

Requirement: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether controls are present and functioning.

Lucid Implementation:

  1. Red Team Auditor - Red team testing
     • Performs adversarial testing of AI systems
     • Evaluates control effectiveness
     • Documents test results

env:
  RED_TEAM_TESTING_ENABLED: "true"
  CONTROL_EVALUATION_INTERVAL: "weekly"

Evidence for SOC 2 Audits

Type of Evidence Provided

Lucid provides the following evidence for SOC 2 examinations:

  1. Control Activity Evidence
     • Logs of all auditor decisions
     • Records of blocked threats
     • PII detection and handling records
  2. Monitoring Evidence
     • System activity logs
     • Anomaly detection records
     • Performance metrics
  3. Integrity Evidence
     • Model integrity verification results
     • Hardware attestation certificates (TEE)
     • AI Passport cryptographic proofs
  4. Change Management Evidence
     • Model update records
     • Safety benchmark results
     • Configuration change logs

Generating Audit Evidence

# Generate comprehensive SOC 2 evidence package
lucid passport export --compliance-report soc2 --format pdf > soc2_evidence.pdf

# Export control activity logs
lucid passport export --from 2024-01-01 --to 2024-03-31 --format json > control_logs.json

# List all AI Passports for the audit period
lucid passport list --from 2024-01-01 --to 2024-03-31

# View specific control evidence
lucid passport show <passport-id> --controls

For Your SOC 2 Auditor

When preparing for a SOC 2 examination, provide your auditor with:

  1. AI Passports - Cryptographic proof of control enforcement
  2. Observability logs - Complete audit trail of system activities
  3. Configuration files - Documentation of control settings
  4. Integrity reports - Model verification and safety benchmark results

The AI Passport serves as cryptographic evidence that:

  • Specific controls were in place during processing
  • Controls executed in a hardware-secured environment (TEE)
  • The control configuration was as documented

SOC 2 Type I vs Type II

Type I (Point in Time)

For SOC 2 Type I examinations, Lucid provides:

  • Current configuration documentation
  • Evidence that controls are in place
  • AI Passport showing control enforcement at examination date

Type II (Period of Time)

For SOC 2 Type II examinations, Lucid provides:

  • Historical logs covering the examination period
  • Evidence of consistent control operation
  • AI Passports for the entire audit period
  • Trend analysis and exception reports

# Export evidence for Type II audit period
lucid passport export \
  --from 2024-01-01 \
  --to 2024-06-30 \
  --compliance-report soc2-type2 \
  --format pdf

Mapping to SOC 2 + AI Addendum

If your organization is pursuing the SOC 2 + AI Addendum (for AI-specific controls), Lucid provides additional coverage:

| AI Addendum Area | Lucid Support |
|------------------|---------------|
| AI System Development | Eval Auditor (safety testing) |
| AI Data Management | PII Compliance Auditor (data classification) |
| AI System Monitoring | Observability Auditor |
| AI Output Quality | Guardrails Auditor, Eval Auditor |
| AI Transparency | Watermark Auditor (provenance) |

Best Practices for SOC 2 Compliance

  1. Enable all recommended auditors - The SOC 2 profile provides comprehensive coverage
  2. Configure appropriate retention - Keep logs for at least 365 days for Type II audits
  3. Enable anomaly detection - Proactively identify control failures
  4. Document your configuration - Maintain YAML files as control documentation
  5. Review logs regularly - Don't wait for the audit to review evidence
  6. Test controls periodically - Use red team testing to verify effectiveness
  7. Maintain AI Passports - Export and archive for audit evidence