TL;DR: SOC 2 preparation is presented as a way to harden security, improve trust, and standardise controls across employees and third-party vendors, with Zluri citing a 270% jump in US breach cases in 2020 as the backdrop. The deeper issue is that audit readiness exposes whether identity, access, and vendor governance are actually operating as controls rather than policies on paper.
NHIMG editorial — based on content published by Zluri (Security & Compliance): "Preparing for a SOC 2 Audit? All You Need To Know"
By the numbers:
- In 2020, the number of data breach cases reported in the US jumped 270%.
- 99.99% availability has become common today.
Questions worth separating out
Q: How should security teams prepare identity controls for a SOC 2 audit?
A: Start by mapping every identity that can reach in-scope systems, including employees, contractors, vendors, and service accounts.
Q: Why do third-party identities create SOC 2 audit risk?
A: Third-party identities create risk because they often escape the normal joiner-mover-leaver process, yet still touch customer data and production systems.
Q: What breaks when shadow IT is inside the audit boundary?
A: Shadow IT breaks the control story because the organisation may not know which apps store data, who administers them, or whether access was ever approved.
Practitioner guidance
- Map every audit-scoped identity path: Document employee, administrator, contractor, and vendor access paths to systems holding customer data, then assign a business owner and control owner for each path.
- Build evidence for Type 2 continuity: Collect recurring proof for access reviews, offboarding, logging, and approval workflows so the control story survives an evidence request over time.
- Discover and classify shadow IT: Use SaaS discovery and entitlement review to find unsanctioned applications, then decide which ones enter the audit boundary, which are removed, and which need compensating controls.
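As an added illustration of the guidance above (example code written for this editorial, not Zluri's or NHIMG's), the following Python runs the owner, offboarding, approval and review-cadence checks over a constructed identity-path inventory. The record fields, the 90-day review cadence and the issue names are assumptions; a real run would read the inventory from the IdP, HR system and vendor register.

```python
from datetime import date, timedelta

REVIEW_CADENCE_DAYS = 90  # assumed quarterly access-review cadence

# Constructed sample inventory (not real data): one record per identity path into
# an in-scope system, carrying the business owner and control owner the guidance
# above asks for, the HR/contract status, approval state and last review date.
IDENTITY_PATHS = [
    {"id": "alice", "kind": "employee", "system": "prod-db", "business_owner": "cto",
     "control_owner": "iam", "status": "active", "approved": True, "last_review": "2024-06-01"},
    {"id": "bob", "kind": "contractor", "system": "prod-db", "business_owner": "cto",
     "control_owner": "iam", "status": "ended", "approved": True, "last_review": "2024-06-01"},
    {"id": "vendor-backup", "kind": "vendor", "system": "s3-customer", "business_owner": None,
     "control_owner": "iam", "status": "active", "approved": False, "last_review": None},
    {"id": "svc-etl", "kind": "service", "system": "warehouse", "business_owner": "data",
     "control_owner": "platform", "status": "active", "approved": True, "last_review": "2024-01-15"},
]

def audit_identity_paths(records, as_of):
    """Return {identity_id: [issue, ...]} for every path that would fail an evidence
    request as of the ISO date `as_of`. An empty dict means the control story holds."""
    today = date.fromisoformat(as_of)
    findings = {}
    for rec in records:
        issues = []
        if not rec.get("business_owner") or not rec.get("control_owner"):
            issues.append("no_owner")        # nobody accountable for this path
        if rec["status"] != "active":
            issues.append("offboarding_gap") # leaver or ended contract still has access
        if not rec.get("approved"):
            issues.append("unapproved")      # access never passed an approval workflow
        last = rec.get("last_review")
        if last is None or today - date.fromisoformat(last) > timedelta(days=REVIEW_CADENCE_DAYS):
            issues.append("stale_review")    # Type 2 needs recurring review evidence
        if issues:
            findings[rec["id"]] = issues
    return findings

def evidence_summary(findings):
    """Count findings per issue type, the form in which gaps are reported to a control owner."""
    counts = {}
    for issues in findings.values():
        for issue in issues:
            counts[issue] = counts.get(issue, 0) + 1
    return counts

if __name__ == "__main__":
    print(evidence_summary(audit_identity_paths(IDENTITY_PATHS, "2024-07-01")))
```

Run on the sample data, the terminated contractor surfaces as an offboarding gap, the ownerless and unapproved vendor path fails three checks, and the service account fails only on review cadence, which is the Type 2 continuity problem the guidance describes.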
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- A step-by-step breakdown of SOC 2 criteria and how each trust principle is typically interpreted in practice.
- Practical context on selecting auditors and validating CPA credentials before the assessment begins.
- A fuller explanation of how Zluri positions SaaS discovery and shadow IT visibility inside compliance workflows.
- The article's longer discussion of why compliance can improve reputation, market access, and internal risk awareness.
👉 Read Zluri's SOC 2 audit preparation guide for identity and compliance teams →
SOC 2 audit readiness and the identity governance gap teams miss?
Explore further
SOC 2 readiness is really an identity evidence test. The article presents compliance as a standards exercise, but the practical burden falls on IAM and IGA teams that must prove who had access, why they had it, and whether that access was reviewed. If those answers cannot be produced, the organisation does not have a documentation problem; it has a control problem. Practitioners should treat SOC 2 as evidence of governance maturity, not a paperwork milestone.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- Our research also found that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which is a direct analogue to the visibility problem exposed by shadow IT.
A question worth separating out:
Q: Who is accountable when SOC 2 access controls fail?
A: Accountability sits with the business owner of the system, the control owner for the access process, and the security or IAM team responsible for evidence. SOC 2 expects a clear chain of responsibility, especially when third parties or outsourced operations are involved.
👉 Read our full editorial: SOC 2 audit prep shows where identity governance breaks down