AI Compliance in 2026: SOC 2, GDPR, and What Auditors Actually Check
SOC 2 was written for SaaS companies that store customer data in databases. GDPR was written for websites that collect email addresses for newsletters. Neither was designed for companies that train neural networks on personal data and can't explain exactly what the model learned.
But here we are. Auditors are applying 2010s frameworks to 2026 AI systems. And if you're selling AI to enterprises, you need to pass.
Here's what auditors actually check—and where AI companies most often fail.
SOC 2 Type II for AI Companies
SOC 2 evaluates five trust criteria: security, availability, processing integrity, confidentiality, and privacy. For AI companies, the pain points are processing integrity and privacy.
Processing integrity (the AI-specific problem):
SOC 2 requires that systems process data completely, accurately, and on time. For traditional software, this means "the database update succeeded." For AI, it means "the model's output is correct and unbiased."
Auditors now ask:
- Can you explain why the model made a specific decision?
Most AI companies have weak answers. Model monitoring is immature. Explainability is hard. And "we tested it before deployment" isn't sufficient when models drift in production.
Where companies fail:
- No output logging. If your model generates recommendations that affect customer decisions, you need to log those outputs for review. Many AI systems don't retain generation logs.
GDPR for AI Systems
GDPR gives individuals rights over their data: access, rectification, erasure, and portability. AI breaks every one of these.
The right to erasure ("right to be forgotten"):
Under GDPR, a user can request deletion of their personal data. But if that data trained a neural network, you can't delete it. The model's weights contain distributed representations of the training data. There's no "remove user #4821's influence" button.
What auditors expect:
- Evidence that you've notified users of this limitation
Most companies fail here. They either pretend they can delete training data influence (they can't) or ignore erasure requests entirely (illegal).
The right to explanation:
GDPR Article 22 grants individuals the right not to be subject to solely automated decisions with legal or significant effects. If your AI makes hiring, lending, or insurance decisions, affected individuals can demand an explanation.
Neural networks are famously unexplainable. "The model weighted 4,372 features and output 0.73" isn't an explanation a human understands.
What passes audit:
- Alternative channels for individuals to contest decisions
The EU AI Act: What's Different
Unlike SOC 2 and GDPR, the EU AI Act was actually written for AI. It classifies systems by risk level:
- Minimal risk: Spam filters, video game AI
High-risk systems face strict requirements: conformity assessments, risk management systems, data governance, human oversight, and registration in an EU database.
The compliance gap: Most US AI companies haven't looked at the AI Act yet. But if you serve EU customers, it applies to you. Fines reach 7% of global annual revenue.
What Auditors Do
I spoke with three SOC 2 auditors who've recently evaluated AI companies. Here's their playbook:
Phase 1: Documentation review
They check for model cards, data sheets, bias testing reports, and incident response plans. Most AI startups have none of these.
Phase 2: Infrastructure inspection
They verify that training environments are segregated from production, that access controls exist for model weights, and that logging is comprehensive.
Phase 3: Sampling
They randomly select model outputs and ask you to trace the decision path. If you can't, it's a finding.
Phase 4: Third-party validation
For high-risk applications, auditors may require external red-teaming or bias audits. This costs $50,000–$200,000.
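One way to make the missing output logging and the Phase 3 sampling step concrete is a hash-chained decision log, shown here as an added example that is not from the article or from any auditor. The class, field names, model versions and sample rows are assumptions constructed for illustration.

```python
import hashlib, json, random

GENESIS = "0" * 64  # "previous hash" of the first record

def _digest(obj) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

class InferenceAuditLog:
    """Append-only decision log; each record commits to the one before it."""
    def __init__(self):
        self.records = []

    def record(self, decision_id, model_version, features, output, ts):
        body = {
            "decision_id": decision_id,
            "model_version": model_version,  # which weights produced the output
            "input_sha256": _digest(features),  # links to the retained input
            "output": output,
            "ts": ts,
            "prev": self.records[-1]["hash"] if self.records else GENESIS,
        }
        self.records.append({**body, "hash": _digest(body)})

    def verify_chain(self) -> bool:
        """False if a stored record was edited or the chain order was broken."""
        prev = GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or _digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def trace(self, decision_id):
        return next((r for r in self.records if r["decision_id"] == decision_id), None)

    def sample(self, n, seed):
        """Seeded sample, so the auditor's selection can be reproduced later."""
        return random.Random(seed).sample(self.records, min(n, len(self.records)))

def build_demo_log():
    log = InferenceAuditLog()
    rows = [("d-001", "credit-v3.1", {"income": 52000, "tenure": 4}, 0.73),  # constructed
            ("d-002", "credit-v3.1", {"income": 31000, "tenure": 1}, 0.41),
            ("d-003", "credit-v3.2", {"income": 78000, "tenure": 9}, 0.88)]
    for i, (did, ver, feats, out) in enumerate(rows):
        log.record(did, ver, feats, out, ts=1767225600 + i)
    return log
```

The chain only proves integrity if the latest hash is also stored somewhere the log writer cannot rewrite; otherwise trailing records can be dropped unnoticed.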
The Bottom Line
Compliance for AI companies isn't about checking boxes. It's about building systems that are auditable by design. Document everything. Log everything. Test for bias before deployment and monitor for drift after. The companies that treat compliance as a product feature, not a hurdle, will win enterprise deals.
The Catch
It doesn't work everywhere. Agentic AI shines in structured workflows but struggles with ambiguous tasks requiring human judgment.
The setup is real work. Connecting agents to existing systems takes engineering time most teams underestimate.
Monitoring is harder. When something breaks, tracing the failure path across multiple agent steps isn't straightforward yet.