Comment by hedora

I don’t think you understand what SOC2 is.

First of all, it is viral, and it is almost never adopted based on its own technical merit.

Second, it has lots of levels. The first level is “we wrote down a plan explaining how we’re going to secure stuff”.

The second level is when you start implementation or maybe tracking or something.

The key thing is that first level: When your SOC2 dept says you have to do something idiotic for SOC2 compliance, it is because someone at your company invented the idiocy, and should be fired. However, you still need to follow their dumb plan because that’s the process.

In this case, the “how do we fire people” process, and “how do we prevent one llm from dropping 96 prod DBs in a single session” very well could have had answers in the plan, the plan could have been implemented, and therefore the company is still soc2 compliant, and this is exactly what a working soc2 process is supposed to look like.