Your Guide to PCI DSS Certification
Protecting customer cardholder data is crucial to merchants that store, process, or transmit this data, and to other companies that can affect the security of this valuable information. The standards that help companies protect this data are cumbersome and prescriptive in order to ensure proper protection of cardholder data; meeting them allows entities to demonstrate proper security controls to customers and banks, which builds trust.
Read on to learn about PCI DSS and how it protects valuable customer data.
What is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) is the only accepted, industry-enforced and industry-run standard of its kind. It consists of a set of policies and procedures intended for organizations that handle, or affect the security of, credit, debit, and card-branded cash card transactions, to ensure the protection of cardholders’ personal information.
What is PCI SSC?
The PCI Security Standards Council develops and implements security standards for PCI DSS and other certifications. This group aims to drive education, awareness, and implementation of effective frameworks by its stakeholders.
What are the principles of PCI DSS?
There are 12 principal PCI DSS requirements that roll into six principles:
Build and maintain a secure network and systems
- Install and maintain network security controls
- Apply secure configurations to all system components
Protect account data
- Protect stored account data
- Protect cardholder data with strong cryptography during transmission over open, public networks
Maintain a vulnerability management program
- Protect all systems and networks from malicious software
- Develop and maintain secure systems and software
Implement strong access control measures
- Restrict access to system components and cardholder data by business need to know
- Identify users and authenticate access to system components
- Restrict physical access to cardholder data
Regularly monitor and test networks
- Log and monitor all access to system components and cardholder data
- Test security of systems and networks regularly
Maintain an information security policy
- Support information security with organizational policies and programs
These processes help protect cardholder data from bad actors and ensure that companies with this information have done their best to shield their environment from potential attacks.
Why is PCI DSS important?
Earning a PCI DSS Report on Compliance (RoC) certification demonstrates your organization’s commitment to payment card data security and identifies the level of validation you have achieved. Fines for failing to maintain PCI DSS compliance can range from $5,000 to $100,000 per month, depending on the size of the company and the scope of noncompliance. Additionally, fines and penalties are even greater for organizations that experience a security incident.
Who should get a PCI DSS certification?
PCI DSS was developed for companies that store, process, or transmit sensitive credit card data. PCI DSS can also apply to companies that provide services to organizations that maintain their own Card Data Environments (CDE). If you affect the security of a CDE or your client’s CDE, then you can be brought into scope for a PCI DSS assessment.
The most common types of organizations subject to PCI DSS include:
- Retailers
- Ecommerce platforms
- Payment processors
- Payment BPO providers (e.g. Call Centers)
Who needs a Report on Compliance?
Your organization’s level of complexity and transaction volume will determine the level of validation you will need to comply with, according to the card brands’ validation requirements. There are four merchant levels and two service provider levels:
- Level 1: Merchants that process over 6 million individual card transactions per year, and service providers that handle over 300,000 individual card transactions per year.
- Level 2: Merchants that process between 1 million and 6 million individual transactions per year, and service providers that handle under 300,000 individual transactions per year.
- Level 3: E-commerce merchants that handle between 20,000 and 1 million transactions per year.
- Level 4: Merchants that handle fewer than 1 million transactions per year and e-commerce merchants with fewer than 20,000 transactions per year.
Merchants should check with their acquirer to confirm their current merchant validation level. Levels 2, 3, and 4 are eligible to complete a Self-Assessment Questionnaire (SAQ). However, some level 2 payment channels (e.g. e-commerce) may be required to be attested by a QSA or ISA. Meanwhile, merchants that fall into Level 1 will need to complete a RoC, which is an on-site assessment conducted by a Qualified Security Assessor (QSA) to establish PCI DSS compliance. Nothing prohibits a lower-level merchant or service provider from achieving a Level 1 RoC and many Service Providers that technically meet level 2 status conduct an annual Level 1 RoC to meet customer validation expectations.
How long does it take to complete a PCI DSS assessment?
The preparation phase can take about six to eight months for those undergoing the assessment for the first time, and around three to four months on average for a renewal assessment. The amount of time it takes to complete the assessment ultimately varies depending on the organization’s environment, its processes, its number of locations, and the size and scope of its infrastructure.
For large entities, PCI DSS is a continual process: as soon as one audit ends, they are preparing for the next year’s. Smaller entities may have less of a lift to maintain those processes continually.
Steps to achieving PCI DSS certification
Learning the steps to earning PCI DSS certification is an essential part of the process. Being well prepared for this process can set your organization up for success.
- Understand requirements: Familiarize yourself with the requirements of PCI DSS and consider how they will impact your organization. Are there obvious gaps in your environment? Do you have an information security policy? How many transactions do you process each year? Which level of merchant does that make your organization? Learning about the PCI DSS requirements and how they show up in practice is the first step to compliance.
- Conduct a risk assessment: Conducting a formal risk assessment will inform your strategy going forward. These assessments identify vulnerabilities and their level of risk to your environment, giving your organization a baseline for your level of security, areas for improvement, and conformity to PCI DSS requirements.
- Address gaps, implement changes: Implementing changes ahead of a formal assessment will empower your organization to get on the right track for PCI DSS certification.
- Engage with a Qualified Security Assessor: Depending on your level of certification, you may be able to complete a SAQ. If your organization is a Level 1 merchant as defined above, you will need to work with a QSA to complete a formal RoC and earn your PCI Attestation of Compliance (AOC). It’s important to choose a high-quality QSA that won’t just check the box but will set your organization up for success. Check out our list of six qualities to look for in a QSA.
Getting started with PCI DSS
If you’re ready to begin your journey to PCI DSS compliance, contact A-LIGN today to get started. The A-LIGN difference is:
- 2k+ PCI assessments completed
- 96% customer satisfaction rating
- 20+ years of experience
A-LIGN is the leading provider of high-quality, efficient cybersecurity compliance programs. Combining experienced auditors and audit management technology, A-LIGN provides the widest breadth and depth of services including SOC 2, ISO 27001, HITRUST, FedRAMP, and PCI. A-LIGN is the number one issuer of SOC 2 and a leading HITRUST and FedRAMP assessor.
Don’t Let Regulatory Uncertainty Delay Your AI Governance
Many organizations are questioning whether to act now on AI governance or wait for final clarity on enforcement dates, particularly with the EU AI Act. The proposed delays in enforcement have introduced hesitation, as organizations are uncertain about the final requirements and timelines. However, the underlying governance expectations are not going to change. Developing a quality management system (QMS) for high-risk AI is a process that requires slow and steady work. Evidence must be accumulated, roles must mature, and cross-functional routines need to be established. None of these foundational elements can be rushed in the final months before an enforcement deadline.
Although the consequences may feel distant and abstract, this blog outlines the risks of inaction and the tangible benefits of starting early.
Understanding the High-Risk AI QMS Standard
The High-Risk AI QMS Standard, part of the EU AI Act, demands structured, repeatable, and risk-based practices across the entire AI lifecycle. It requires clear documentation of decisions, complete traceability from data to model to deployment, and a controlled workflow. This controlled flow ensures that all reviews, evaluations, approvals, and monitoring activities leave a clear, auditable trail. These are fundamental management responsibilities, not simply technical add-ons. You cannot meet these rigorous expectations with last-minute documentation or a single, frantic compliance sprint. You meet them by building consistent habits, which only form when governance and engineering teams work together long before any regulation takes effect.
Why waiting is a flawed strategy
When leaders hear about a proposed regulatory delay, they often assume they have gained time. In reality, the workload remains constant. The only thing that changes is the cost and pressure of completing it.
Waiting to establish AI governance creates three predictable problems:
1. Lack of evidence for regulators and customers
Imagine a financial services firm using a credit decision model across multiple markets. A supervisor requests the model’s evaluation record, but the team can only produce a single performance chart with no version history, no justification for the dataset used, and no record of who approved its deployment. The risk officer is now facing a regulatory issue that cannot be fixed retroactively. This scenario will become common for unprepared organizations.
2. Lost revenue from procurement failures
By 2026, large buyers in regulated industries will require their vendors to provide an AI system inventory, documented controls, and a clear governance narrative. A health tech firm, for example, might be disqualified from a bid because it cannot demonstrate that its diagnostic models were developed under a controlled process. A competitor that invested in governance earlier will win those contracts.
3. Technical teams hitting a maturity wall
Engineers who have never operated under a controlled development regime need time to adjust. If you introduce process discipline and documentation requirements late, teams will likely push back. This resistance can slow down delivery at the exact moment when compliance pressure is at its peak. These failures are not hypothetical; they follow the same pattern seen in every other regulated domain. Organizations that wait inevitably end up with rushed documentation, repeated rework, and expensive remediation projects.
Delivering value before enforcement deadlines
Executives often ask about the immediate business case for investing in AI governance. The benefits arrive long before any regulatory deadline.
- Faster procurement cycles. Complete enterprise procurement questionnaires more efficiently.
- Higher investor trust. Address board-level questions about AI exposure with confidence.
- Better regulatory preparation. Be ready for questions from regulators before formal supervision begins.
- Stronger engineering discipline. Improve system reliability and reduce unplanned incidents.
- A compelling narrative. Position your company as a prepared and responsible leader, not a reactive follower.
These benefits are not tied to an enforcement date; they are directly linked to the maturity of your management system.
How ISO 42001 provides a foundation
ISO 42001 provides the essential foundation for this work, serving as a blueprint for responsible and scalable AI compliance across organizations. The standard requires organizations to define their context, roles, risks, and controls, ensuring a structured approach to AI governance. It also mandates performance measurement and a commitment to continuous improvement, enabling organizations to build trust and demonstrate ethical AI practices.
The High-Risk AI QMS Standard builds directly on this structure. Think of ISO 42001 as the scaffolding for your AI management system. The High-Risk AI QMS Standard then defines the specific operating procedures for those systems that carry the most significant risk. Together, they form a comprehensive system of control. Neither can be implemented effectively if introduced late in the game.
What your organization should do now
A strong start doesn’t require a massive, complex program. It begins with clarity and ownership.
Your 90-Day plan
First, focus on creating a solid foundation.
- Create a provisional AI system inventory. List all the AI systems currently in use or development.
- Classify AI systems by risk. Pinpoint two or three systems that are likely to qualify as high-risk under upcoming regulations.
- Assign ownership. Appoint a single, accountable executive for each of these high-risk systems.
- Implement change control. Establish a basic process for managing model updates.
- Create a minimum record set. Start documenting data decisions, evaluation choices, and deployment approvals to ensure traceability.
This initial work provides the groundwork needed to align with both ISO 42001 and the High-Risk AI QMS Standard.
Your 12-Month plan
After the first 90 days, you can expand these initial efforts into a fully functional AI management program.
- Formalize governance. Develop and approve official policies and governance charters.
- Build cross-functional workflows. Create integrated processes for risk assessment, model evaluation, and approvals involving all relevant teams.
- Train your teams. Educate engineering, product, and risk teams on documentation discipline and lifecycle control.
- Strengthen supplier oversight. Develop processes for managing third-party risks from foundation models, hosted services, and data pipelines.
- Conduct a mock assessment. Run a full internal audit against ISO 42001 and the High-Risk AI QMS Standard to identify gaps.
- Mature your processes. Use the findings from your assessment to improve monitoring, incident response, and performance measurement.
This structured approach creates a living governance environment that can be audited with confidence.
While ISO 42001 is an ideal first step toward holistic AI compliance, not every organization may feel ready to pursue a full certification. For those seeking more tailored or incremental approaches, there are options to address specific needs:
- AI Model Audit: For organizations needing focused assurance on a specific AI product, a model audit offers independent validation of its performance, testing, and system-level controls. It is a faster, more targeted attestation that demonstrates due diligence without the complexity of a full certification.
- HITRUST AI: For organizations in healthcare and other sectors handling sensitive data, HITRUST offers AI-specific assessments and certifications. These add-ons help validate that security controls and processes are tailored to protect data within an AI environment.
The leadership decision
Many organizations believe they can delay action on AI governance, but this approach will inevitably lead to rushed audits, lost deals, and unnecessary compliance costs. By starting now, leaders can distribute the workload over a manageable timeline, building competence and confidence instead of scrambling under pressure. Organizations that act early will be ready to meet regulatory standards with evidence that naturally emerges from their daily operations.
Deadlines may shift, but expectations will not. Success will belong to those who prepare steadily and proactively.
ISO 27701 Updates: What You Need to Know
ISO/IEC 27701 is now a standalone standard, no longer tied to ISO 27001. What does your organization need to know about the change? Read on to learn about key changes to the framework, a new standard for certification bodies, and the timeline for compliance with a reimagined ISO 27701.
ISO 27701:2025: Privacy management goes independent
Historically, ISO 27701 (ISO/IEC 27701:2019) existed as an extension of ISO 27001. The 2025 revision, however, transforms it into a standalone standard, making privacy certification more accessible. New releases include:
- ISO/IEC 27701:2025 (Edition 2): A complete overhaul of the Privacy Information Management System (PIMS) standard
- ISO/IEC 27706:2025: Completely new guidance for certification bodies (CBs) specific to the Privacy Information Management System (PIMS) standard
Key changes to ISO 27701
Beyond the obvious change to an independent, standalone standard, there are a few key changes to the ISO 27701 standard including:
- Standalone certification: Organizations can now become compliant with ISO 27701 without needing ISO 27001
- Restructured framework: Clauses 4–10 now mirror ISO management system standards tailored for privacy
- Annex A consolidation: Controls for PII Controllers and Processors are unified into A.1, A.2, and A.3
- New Annex B: Implementation Guidance offers practical steps for applying privacy controls
- Expanded scope: Includes biometric data, health data, IoT, and AI-related privacy risks
ISO/IEC 27706:2025: Certifying the certification bodies
The standards that ISO certification bodies must abide by have also changed: ISO 27706:2025 replaces the CBs’ current standard, ISO TS 27006-2:2021. Updates include:
- Full standard status: ISO 27706 is now a formal international standard
- Aligned with ISO 17021-1: Ensures consistency with global certification practices
- Annexes A, B, and C: Provide guidance for audit planning, competence requirements, and assessment methodologies
- Improved trust & transparency: Enhances credibility and global recognition of PIMS certifications
What does this mean for you?
Depending on your status as a certification body or organization earning certification, these changes mean different things.
For organizations
If you’re an organization seeking ISO 27701 certification and it’s the only standard you need, you can now pursue it independently of ISO 27001, which will reduce costs and complexity.
If your organization is already ISO 27701 certified, you’ll need to conduct a transition audit sometime over the next three years. This will ensure that your environment is compliant with the changes to the ISO 27701 standard ahead of the 2028 deadline.
For certification bodies
ISO 27706 provides a clear framework for reliable PIMS audits that your certification body can reference. CBs will need to undergo a transition audit with their accreditation bodies to ensure they are fully compliant to perform audits against the new standard. CBs should also communicate with their ISO 27701-certified clients about the transition audit process to prevent any lapses in compliance.
ISO 27701 transition timeline
Organizations will have time to make changes to their environment ahead of the October 2028 deadline for compliance. Here’s the complete timeline for implementing the new ISO 27701 standard:
- Publication date: October 14, 2025
- Transition period: Three years from publication
- Deadline for transition: October 2028
- Certification guidance: Official transition rules from accreditation bodies (e.g., IAF, ANAB, UKAS) are expected within 1-3 months post-publication
Recommendations
Don’t delay: create a plan now to ensure your organization has enough time to prepare for its transition audit. We recommend that organizations that are ISO 27701 certified take the following actions:
- Purchase the standard: Purchase the standard from the ISO website to understand all of the clauses and annex controls that have been developed for the new standard.
- Conduct a gap analysis: This will allow your team to identify any gaps between your current level of compliance and the new standard. Identifying and rectifying these gaps before your transition audit is key to avoiding penalties or lapses in compliance.
- Update your PIMS documentation and controls: Make these changes sooner rather than later so your team is fully prepared for your organization’s transition audit. Remaining gaps could become an issue as the deadline for compliance approaches.
- Perform an internal audit and management review: After implementing the necessary changes, ensure compliance with the new requirements through an internal audit and a management review as scheduled by your organization.
- Consult your certification body for specific transition procedures: Your CB should be a resource for you during this time of transition. Their auditors can help your organization plan an effective, efficient transition audit process.
Ready to learn more? Contact A-LIGN today to get started on your compliance journey.
A-LIGN Achieves Nine Years of Excellence on Seminole 100 List
A-LIGN has secured a place on the 2026 Seminole 100 for the ninth consecutive year – earning a spot on the list every year since its inception in 2017.
The annual Seminole 100 list honors the fastest-growing businesses owned or led by alumni of Florida State University. Companies are ranked based on their compound annual growth over the last three years.
“Being recognized on the Seminole 100 for the ninth consecutive year is a testament to our team’s dedication and the trust our clients place in us,” said Scott Price, CEO of A-LIGN. “As a proud Florida State alumnus, this recognition is an honor and reflects A-LIGN’s unwavering commitment to quality and innovation.”
A-LIGN’s ranking comes as the organization celebrates a banner year with a strategic investment from private equity firm Hg. This investment underscores A-LIGN’s commitment to providing a superior, tech-enabled audit experience through its proprietary audit management platform, A-SCEND, which delivers trusted, high-quality compliance reports.
“These honorees exemplify the entrepreneurial spirit and resilience that define Florida State University,” said FSU President Richard McCullough. “Their accomplishments not only elevate their companies but also inspire the next generation of Florida State Seminoles to dream big and lead boldly.”
Honorees will be recognized in a ceremony on February 21 in Tallahassee, where the official ranked list will be unveiled.
Simplifying Multi-Framework Readiness: How Modern Teams Prepare Smarter, Not Harder
Enterprises today are juggling more compliance frameworks than ever—SOC 2, ISO 27001, HITRUST, PCI DSS, CMMC, and beyond. Each brings its own set of requirements, timelines, and evidence expectations. The result? Teams spend too much time duplicating work, managing spreadsheets, and preparing for overlapping audits that never seem to end.
But it doesn’t have to be that way. Leading organizations are embracing automation, collaboration, and continuous readiness to simplify multi-framework compliance, transforming what was once a pain point into a strategic advantage. Read on to learn insights from Drata’s Chris Weiskirch.
The multi-framework challenge
When each framework is managed separately, audit prep becomes a game of catch-up. Teams gather the same documentation multiple times, track updates manually, and scramble to meet overlapping deadlines. This reactive cycle drains resources and increases risk.
The key to breaking out of this pattern is adopting a unified, proactive approach—one where automation handles repetitive tasks, evidence collection happens continuously, and frameworks are mapped intelligently to reduce redundancy.
The shift toward continuous readiness
Modern compliance platforms are built to handle the complexity of multi-framework programs. Instead of treating each certification as a one-off event, these systems maintain a living compliance environment—automating evidence collection, monitoring control performance, and mapping once to apply across multiple frameworks.
This “map once, audit many” model reduces manual effort while improving accuracy and visibility. It enables compliance teams to focus on higher-value activities like risk management, policy optimization, and strategic scaling rather than endless document wrangling.
Collaboration as the new advantage
Automation alone isn’t enough. Collaboration is the missing link that turns readiness into success. By aligning early with trusted auditors like A-LIGN, teams can ensure their controls, documentation, and testing align with audit expectations well before fieldwork begins.
This partnership model eliminates guesswork, minimizes audit fatigue, and turns what used to be a stressful process into a predictable, repeatable rhythm. Drata’s real-time evidence collection and continuous monitoring give auditors like A-LIGN the context and clarity they need—accelerating the entire engagement.
From readiness to resilience
As organizations mature, compliance stops being an annual event and becomes an always-on function. Continuous readiness builds resilience by keeping evidence fresh, controls operational, and leadership informed—no matter how many frameworks are in play.
When readiness becomes routine, compliance evolves from a defensive exercise into a driver of trust, credibility, and growth. Reach out today if you’re ready to get started on your compliance journey.
About Chris Weiskirch
Chris leads Governance, Risk & Compliance (GRC) at Drata, leveraging his extensive experience in building and scaling enterprise security and compliance programs to help organizations make GRC a measurable, strategic driver of trust and resilience.
About Drata
Replace manual GRC efforts, reduce costs, and save time preparing for audits and maintaining compliance. Drata is the trust management platform with the mission of serving as the trust layer between great companies. We help thousands of companies streamline compliance for SOC 2, ISO 27001, HIPAA, GDPR, your own custom frameworks, and many more through continuous, automated control monitoring and evidence collection. Drata is backed by ICONIQ Growth, Alkeon, Salesforce Ventures, Notable Capital, Okta Ventures, SVCI (Silicon Valley CISO Investments), Cowboy Ventures, Leaders Fund, Basis Set Ventures, SV Angel, and many key industry leaders. Drata is based in San Diego, CA with team members across the globe.
What is AI Governance?
As organizations integrate artificial intelligence into their operations, a critical question arises: who is governing these systems? Many businesses manage AI risk reactively, addressing issues as they occur or focusing on individual tools. This fragmented approach is ineffective. It leads to inconsistent oversight, creates compliance gaps, and makes it incredibly difficult to scale AI innovation responsibly.
What organizations truly need is a comprehensive AI governance strategy. This creates a unified and repeatable framework for managing AI across the entire enterprise. This post explores why such a strategy is a strategic necessity, moving beyond one-off checks to build a stable and trustworthy AI ecosystem.
The urgent need for AI governance
The rapid adoption of AI is outpacing the development of proper oversight. This gap creates tangible risks that can impact an organization’s reputation, finances, and legal standing. Issues like algorithmic bias, customer privacy violations, and security vulnerabilities are not just theoretical problems; they are real-world challenges that businesses face today.
The statistics paint a clear picture of the current landscape:
- 63% of organizations lack any formal AI governance policies.
- More than 20% of organizations have already experienced a breach related to their AI models or applications.
These figures highlight a widespread vulnerability. Without a structured approach to governance, organizations are operating in a high-risk environment.
The market is also shifting, with analysts predicting that by 2027, 75% of AI platforms will include built-in governance and responsible AI capabilities. However, this leaves a significant gap in time. AI is a vulnerability right now, and waiting for built-in governance is not a viable solution. Organizations need to act now by proactively establishing governance frameworks to mitigate risks and ensure responsible innovation.
AI governance as a comprehensive compliance strategy
Effective AI governance moves beyond simple compliance checklists. It is a holistic framework designed to proactively manage risks, align with evolving regulations, and build deep-seated trust with stakeholders. It ensures all AI systems — whether built in-house or sourced from third-party vendors — adhere to the same high standards of security, fairness, and transparency.
By embedding governance into the entire AI lifecycle, organizations can shift from a reactive security posture to a proactive one. It provides a stable foundation upon which to build, test, and deploy AI with confidence, knowing that risks are managed from the very beginning.
This proactive approach delivers significant benefits:
- Demonstrates AI security and trustworthiness to investors, boards, and customers.
- Helps organizations get ahead of evolving regulatory requirements for AI.
- Provides third-party validation for cloud-native and platform-based AI providers.
- Establishes a proactive risk management posture rather than a reactive one.
Key components of a modern AI governance framework
A robust AI governance strategy is not a one-size-fits-all solution. It is a suite of customizable components tailored to an organization’s specific needs, infrastructure, and risk profile. These components include core frameworks and supporting tools.
Frameworks and certifications
- ISO/IEC 42001: This international standard provides requirements for establishing, implementing, and maintaining an AI Management System (AIMS). It serves as an excellent foundation for organization-wide AI governance and confirms that proper management practices are in place.
- AI Model Audit: For organizations needing focused assurance on a specific AI product, a model audit offers independent validation of its performance, testing, and system-level controls. It is a faster, more targeted attestation that demonstrates due diligence without the complexity of a full certification.
- HITRUST AI: For organizations in healthcare and other sectors handling sensitive data, HITRUST offers AI-specific assessments and certifications. These add-ons help validate that security controls and processes are tailored to protect data within an AI environment.
Supporting tools for continuous security
- AI Red Teaming: This practice involves simulating adversarial attacks to identify vulnerabilities in AI systems before malicious actors can exploit them.
- AI Insurance: As an additional layer of protection, AI insurance offers a safeguard against financial liability resulting from security incidents or performance failures.
Case study: Workday and the importance of layered AI governance
Workday, a leader in HR technology, achieved ISO 42001 certification to demonstrate its commitment to responsible AI. However, the company later faced a lawsuit alleging bias in its AI hiring tools. This situation highlights the need for layered governance strategies that go beyond foundational frameworks.
While a certification like ISO 42001 ensures a strong management system is in place, it does not guarantee that a specific AI model is free from hidden flaws. This is where continuous monitoring and outcomes-focused AI governance solutions become essential. Offensive security practices like AI Red Teaming provide ongoing, adversarial testing designed to uncover hard-to-find risks, such as algorithmic bias, before they escalate into legal challenges or cause reputational damage. AI Model Audit provides focused assurance that the AI model is producing outcomes as intended. By combining a solid framework with proactive security measures, organizations can build a more resilient and trustworthy AI program.
How to get started with AI governance
Beginning the journey toward AI governance can feel overwhelming, but it starts with a few foundational steps.
- Identify your role: Determine how your organization interacts with AI. Are you a user of AI tools, a developer building them, or a provider offering AI-powered services? Your role will shape your specific governance needs and responsibilities.
- Assess your current state: Evaluate your risks, needs, and objectives. Understand which teams are using AI and what existing frameworks (like ISO 27001) could be extended to cover AI.
- Choose the right starting point: You do not have to do everything at once. Select a solution that matches your maturity and goals. An AI Model Audit can provide quick, system-level validation for a key product, while ISO 42001 is ideal for establishing organization-wide governance. For those already in the HITRUST ecosystem, HITRUST AI is a logical next step.
Build trust, enable innovation
AI governance is no longer an optional extra; it is a fundamental pillar of modern business strategy. By moving away from reactive, disjointed, ad-hoc fixes and embracing a comprehensive governance framework, organizations can effectively manage risk, ensure compliance, and build the trust necessary to innovate with confidence.
SOC 2 Buyer’s Guide
SOC 2 is the most popular cybersecurity audit, and for good reason. This framework is the foundation for many organizations’ compliance strategies and is now an expectation to do business with customers in many industries.
Read on to learn why SOC 2 is so popular and how your organization can begin its compliance journey with a SOC 2 attestation. Follow along and download the guide here. In this guide, we will:
- Define SOC 2 and its criteria
- Explain the examination process
- Share best practices for choosing a quality audit partner
- Spotlight real-world SOC 2 success stories
- Give you a list of questions to evaluate potential audit partners
Defining SOC 2
What is SOC 2?
A SOC 2 (System and Organization Controls 2) report is an independent attestation that evaluates the effectiveness of a company’s controls as they relate to Security, Availability, Processing Integrity, Confidentiality, and Privacy. The security of your environment is assessed against the requirements within a SOC 2 examination, known as the Trust Services Criteria (TSC):
- Security (required)
- Availability (optional)
- Processing Integrity (optional)
- Confidentiality (optional)
- Privacy (optional)
Who needs SOC 2?
Service organizations that process, store, or transmit data for their clients or partners need a SOC 2 attestation. While SOC 2 applies to almost any organization, it’s particularly important to data centers, software-as-a-service companies, and managed service providers.
Who can perform a SOC 2 audit?
Only licensed CPA firms that are accredited by the American Institute of Certified Public Accountants can complete a SOC 2 audit.
What are the SOC 2 Trust Services Criteria?
SOC 2 consists of five TSCs. To determine which TSCs are best for your organization, it’s important to understand what type of data you store, process, and/or transmit.
- Security: Consists of nine control families ranging from organization and management to risk assessment, logical security, and change management. This criterion is required in every SOC 2 report.
- Availability: Addresses controls related to availability and redundancy of services to meet client SLAs. The Availability criteria are a great add-on for most organizations.
- Processing Integrity: Addresses controls related to accurate processing of customer data without corruption or unauthorized alteration. Processing Integrity is largely specific to an organization’s services and not applicable to all organizations.
- Confidentiality: Addresses controls related to protection of data deemed confidential between an organization and its client. This extends to any data deemed confidential. The Confidentiality criteria are a great add-on for most organizations.
- Privacy: Addresses controls related to the protection of Personally Identifiable Information (PII), which is any data that can be tied to an individual. Privacy is large and cumbersome, and only applicable to organizations that store, process, or transmit PII.
The examination process
The SOC 2 examination process is a well-defined, six-step audit cycle. The steps include:
- Readiness assessment (optional)
- Scoping
- Audit planning
- Audit testing and review of evidence
- Closing meeting and draft report preparation
- Issuance of the final report
Understanding the steps is an essential part of preparing for your SOC 2 examination.
Building a partner team
Before beginning your audit, you may enlist the help of tools or partners that can help you maximize efficiency, accelerate outcomes, and drive continuous growth for your SOC 2 attestation. Governance, risk and compliance (GRC) software solutions frequently work in tandem with your auditor, especially if the auditor is tech-enabled with an audit management platform. This partnership typically shows up in four steps:
- Laying the foundation: GRC tools can help you prepare for your SOC 2 audit by automating evidence collection in addition to managing policies and procedures related to your audit.
- Accelerating with intelligence: This is where your audit partner begins their work. Choosing a tech-enabled auditor means that they can generate request lists, match evidence, and deduplicate requests across frameworks if you are conducting multiple audits, all powered by AI.
- Realizing results: This stage will include your audit partner conducting assessments, reviewing evidence, and delivering your final report.
- Proving compliance at scale: After you’ve earned your attestation, it’s time to show it off to the world. GRC tools can help you showcase and provide automated, secure access to accreditations to potential buyers, saving your team time and effort on manual approvals and questionnaires.
In addition to these steps, GRC tools provide continuous monitoring, which keeps your team in the loop on potential issues and areas for improvement long after you’ve completed your first attestation.
The readiness assessment
Readiness assessments are an optional way for your organization to understand the current state of your compliance before entering an audit cycle. These assessments can give your team the confidence to prepare for your SOC 2 examination. Your audit partner may take one of two approaches with these assessments:
- Traditional approach: Your auditor will perform a formal Readiness Assessment that simulates a Type 1 or Type 2 audit and results in a report with recommendations from the auditor. This option is recommended for companies that don’t have many formal procedures or have never been through an audit before.
- Belay approach: This hybrid two-step approach has a smaller high-level gap assessment of key controls prior to the Type 1 SOC 2 examination. This approach saves time and costs and is designed for more mature organizations with formally established and implemented procedures that still have concerns or questions about their readiness for a SOC 2 audit.
Scoping
During the scoping phase, your auditor team will work with your organization to better understand the scope of services as well as to identify and evaluate the controls in place specific to the scope of services. The auditors will also work with your organization to further explain the SOC 2 framework and TSCs.
Audit planning
Once your organization has engaged an auditor for a SOC 2 examination, you will be introduced to the audit management team to begin the planning phase of your audit. An official kickoff call will be scheduled to discuss timing of the audit, share key planning information, and provide an Information Request List (IRL) relevant to the defined scope. Your organization should review each of the requests within the IRL to ensure you understand what is being requested, then begin to gather and provide the requested evidence to the auditors. As the dedicated audit testing date nears, the audit team will set up regular touchpoints with you to answer questions and encourage your organization to upload as much evidence as possible to an audit management platform like A-SCEND or your GRC tool of choice prior to the start of testing.
Testing and reviewing of evidence
At this stage, the assigned auditor actively reviews all evidence and completes the required testing, which is either performed remotely, onsite or a combination of both (depending on scope). It is essential that a majority of evidence is uploaded before this phase begins. During the testing and review of evidence phase, the auditor performs the following tasks:
- Explains testing approach based on the SOC 2 requirements
- Confirms the key processes and procedures observed relevant to the scope of services and provides feedback on the system description
- Holds meetings with process owners to understand the controls in place and operation
- Reviews evidence to corroborate management’s controls and completes testing of those controls utilizing the evidence that has been provided in the planning phase
- Asks clarifying questions relating to the evidence provided and processes observed
- Requests additional evidence needed in support of testing the scope of services
- Identifies and proactively communicates potential findings identified in the testing
- Proactively communicates the status of testing and roadblocks encountered
Closing meeting and draft report
Step four begins once all evidence has been provided, reviewed, and accepted by the auditor. Your auditor then performs various rounds of quality review, involving multiple levels of audit management, and prepares a draft version of the report. When the draft report is delivered, it is accompanied by a management representation letter that must be signed by an appropriate member of the organization and returned to your audit team. Management will have an opportunity to review the draft report prior to final issuance.
The final report
Once you have reviewed and returned the signed management letter and draft report with your comments and suggested updates, the auditor works to finalize the report, which includes addressing any comments left by your organization. Once all comments are addressed and updates applied, the report is finalized and delivered to your organization electronically (a hard copy can also be requested). For more about these steps, download our SOC 2 Buyer’s Guide.
Selecting a quality audit partner
Choosing the right auditor can make all the difference during your examination process. Quality auditors will drive efficiencies for your team and instill confidence in customers that your SOC 2 attestation is reputable and meets a high standard.
There are many ways to define what makes up a quality audit partner. Here are a few considerations to keep in mind when evaluating potential auditors.
Experience and credentials
A potential partner’s experience and credentials are among the first things you should evaluate when choosing an auditor. Look for partners that have been in business for a long time and have a track record of success. In addition to reputation, technical credentials are important. Is this auditor accredited with the AICPA? Only independently licensed CPAs can issue SOC 2 attestation reports.
Report quality
Not all reports are created equal. High-quality audit reports won’t just confirm your compliance; they will highlight areas for improvement and risk mitigation strategies that are specific to your organization’s security posture. The AICPA has developed a downloadable checklist to guide management during their review of a SOC 2 to evaluate the sufficiency and quality of the report.
Tech-enabled services
Choosing an auditor that embraces technology isn’t a preference anymore; it’s essential. Auditors that perform all audit tasks manually will take longer to finish your audit and may be less accurate. We recommend partnering with an auditor that uses their own audit management platform to streamline the process. Additionally, you should enlist the help of an audit partner that integrates with your existing compliance and trust management software.
Audit process
It’s essential to understand the process that your chosen audit partner will use to complete your SOC 2 examination. Be sure to ask any potential partners about the timeline, scoping, audit cycle synchronization, and team communication before moving forward.
Case study: Obsidian Security
Obsidian Security is a market leader in comprehensive SaaS security, specializing in threat management integration, third-party risk, security posture and configuration, and compliance.
Obsidian’s path toward creating a robust security program started when the team only had 15 employees and a tight budget. Although they were a small team, Obsidian secured business from multinational, highly regulated customers with complex security needs.
The company reached a point of inflection where they needed to scale their compliance program and meet the growing demands of their enterprise customers. With their sights set on obtaining a SOC 2 report, Obsidian looked for an audit partner to help them meet their compliance goals.
Obsidian sought a high-quality report and efficient audit process, driven by a partnership focused on continual improvement. Ultimately, Obsidian chose to engage with A-LIGN and Drata for their audit and GRC requirements.
Obsidian has implemented a robust third-party risk management program, which involves thorough scrutiny of attestation reports from various companies, so their team has ample knowledge on what makes a trusted high-quality, robust audit report.
Of all the assessors’ reports, Alfredo Hickman, Obsidian’s CISO, said A-LIGN’s stands out for its well-structured and comprehensive nature, particularly in assessing performance and coverage of controls. The detailed report assures customers and prospects of proper due diligence and fosters trust with other key stakeholders.
“The value proposition of having an audit partner like A-LIGN at the strategic level and having a partner like Drata at the technical and operational level is that you can streamline the entire audit process.”
– Alfredo Hickman, CISO, Obsidian Security
Checklist: Questions to ask your audit partner
Choosing an audit partner is one of the most important steps to completing a SOC 2 attestation for your organization. This decision will impact every other step – from start to finish, your assessor will be with you through it all. This SOC 2 checklist details questions that we recommend you ask any potential assessor.
- What is your experience with SOC 2 attestations?
- Is your company accredited by the AICPA?
- How many SOC 2 attestations have you completed?
- How many SOC auditors does your team have?
- Do you have experience conducting SOC 2 attestations in my industry?
- Does your organization conduct other audits?
- Are we able to pursue multiple frameworks at the same time with your organization? How does your team handle this?
- Do you have experience identifying overlaps among multiple frameworks?
- What can I expect during the audit process?
- Does your organization use technology to enhance the audit process?
- What is your response time to questions from our team?
- How do you ensure the quality of your audits?
- How do you define quality?
- What sets your audit process apart from other audit firms?
- How much will my SOC 2 attestation cost?
- What are your rates and what do they include?
- How long does a SOC 2 attestation take with your organization?
- How long will each step of the process take?
- Do you have references and case studies from satisfied customers?
Next steps
If you’re ready to take the next step, contact A-LIGN today to begin your journey to SOC 2 compliance. The A-LIGN difference is:
- 17.5k+ SOC assessments completed
- #1 SOC 2 issuer in the world
- 200+ SOC auditors globally
A-LIGN is the leading provider of high-quality, efficient cybersecurity compliance programs. Combining experienced auditors and audit management technology, A-LIGN provides the widest breadth and depth of services including SOC 2, ISO 27001, HITRUST, FedRAMP, and PCI. A-LIGN is the number one issuer of SOC 2 and a leading HITRUST and FedRAMP assessor.
The Cybersecurity Maturity Model Certification (CMMC) is now a contractual requirement for organisations doing business with the US Department of Defense (DoD) as of 10 November 2025.
This marks the beginning of Phase 1 of the CMMC rollout, and from this date forward, any organisation — regardless of its headquarters location — must demonstrate CMMC compliance to be eligible for new US DoD contracts.
Why this matters for UK and European companies
Organisations that handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) as part of their work with the DoD or its prime contractors are required to be CMMC certified by a certified third-party assessor organisation (C3PAO).
According to The Cyber AB, the official accreditation body for CMMC, there is no reciprocity with other cybersecurity standards — including ISO 27001, NIS2 Directive, or GDPR. All contractors, whether US-based or international, must follow the same certification process, with no exceptions.
What you should do now
Start early! The average preparation time for a CMMC Level 2 assessment is 9 to 12 months. With limited C3PAO availability and rising demand, early engagement helps you avoid delays and stay ahead of competitors. Here are some steps to get started:
STEP 1. Identify your CMMC level:
- Level 1 [Foundational]: Applicable to defence or aerospace contractors bidding on DoD contracts handling FCI. All contractors in Level 1 must implement 17 basic cybersecurity practices to safeguard FCI. If the FAR 52.204-21 requirement is in your current contracts, you are most likely in the CMMC Level 1 category.
- Level 2 [Advanced]: Applicable to defence or aerospace contractors bidding on DoD contracts handling CUI, CTI, or ITAR or export-controlled data that is CUI. All contractors in Level 2 must implement 110 security controls from NIST 800-171. If the DFARS 252.204-7012 requirement is in your current contracts, you are most likely in the Level 2 category.
- Level 3 [Expert]: Applicable to defence or aerospace contractors bidding on DoD contracts handling Critical CUI. Level 3 security requirements are expected to contain a subset of NIST SP 800-172. If the DFARS 252.204-7012 requirement is in your current contracts and you have had a DIBCAC assessment, you are most likely in the Level 3 category.
STEP 2. Identify in-scope assets such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
STEP 3. Identify gaps by performing a gap assessment.
STEP 4. Develop an implementation plan based on findings from your gap assessment and address vulnerabilities to meet the control objective requirements.
STEP 5. Engage a C3PAO: Because CMMC is a rigorous cybersecurity framework, it’s critical to engage with a C3PAO that has extensive US federal expertise with frameworks such as FedRAMP. There are a limited number of C3PAOs authorised to conduct CMMC assessments, and not all are created equal. We recommend seeking out a C3PAO that has deep experience in US federal compliance, delivers high-quality final reports, and streamlines the process. To learn more about choosing the right C3PAO, download our CMMC Checklist.
How A-LIGN can help
A-LIGN is the only leading American C3PAO with offices in Europe. For companies headquartered in the UK and Europe, this means having access to deep US federal expertise with the convenience of local support in your own time zone.
We’ve completed over 1,000 US federal assessments, including:
- CMMC: Certified C3PAO with extensive readiness experience.
- NIST 800-171: The foundation of CMMC Level 2.
- FedRAMP: Top 3PAO with 100% authorisation success rate. A-LIGN’s A-SCEND is one of a few audit management platforms to be FedRAMP 20x authorised.
- GovRAMP: The only registered assessor currently on the market.
A-LIGN offers fast onboarding, with CMMC kick-off in just 6–8 weeks—twice as fast as the industry average—and streamlined support, with tailored guidance for international companies and a local presence in Europe.
Ready to start your CMMC journey? Book a meeting with A-LIGN today and get expert support on your timeline, in your region.
CISO insights: Empowering compliance teams through continuous compliance and smarter risk management
The role of the Chief Information Security Officer has never been more complex — or more critical. With cyber threats evolving daily, regulatory expectations tightening, and transformative technologies like AI entering the enterprise at full speed, today’s CISOs face the challenge of balancing operational efficiency, security maturity, and compliance at scale.
In this blog, longtime security expert and RegScale CISO Dale Hoak will share:
- Key trends CISOs should be watching, like Continuous Controls Monitoring, managing the risks of AI, third-party risk management, and collaborating across their organization.
- Practical strategies for managing risk including frameworks centered around AI, tools for continuous compliance and oversight, and tightening controls.
- How to turn security into a competitive advantage that can help your organization stand out in a crowded marketplace, drive efficiency, and build customer trust.
Read on to learn how to implement these tactics in your organization’s overall compliance strategy.
Key trends CISOs should be watching
1. Continuous compliance is replacing point-in-time audits
Annual audits and periodic assessments are increasingly insufficient for modern risk environments. The shift toward Continuous Controls Monitoring (CCM) enables organizations to collect and validate evidence in near real-time, reducing the window of exposure when controls drift or fail. This evolution ensures security and compliance posture are “always on” rather than a snapshot in time.
2. AI as a double-edged sword
AI is rapidly becoming a core tool for security operations, compliance automation, and risk detection. However, the same technology is being weaponized by threat actors to create more convincing phishing campaigns, automate reconnaissance, and exploit vulnerabilities faster. CISOs must view AI as both an enabler and a risk vector, building governance frameworks to control its use internally and defend against it externally.
3. Prioritizing supply chain and third-party risk management
Recent high-profile breaches have underscored the reality that your security is only as strong as the least secure vendor in your supply chain. Increasing regulatory focus, including requirements for real-time vendor monitoring, makes proactive third-party risk management a top priority.
4. Convergence of security and compliance functions
Historically separated teams are increasingly being integrated under the CISO’s leadership. This convergence drives efficiency but also demands tools that support both compliance reporting and operational security in a single pane of glass.
Get ahead: Strategies to mitigate security risks and embrace AI safely
It’s not enough to just keep up in the world of compliance; CISOs and their teams need to look ahead when it comes to protecting sensitive data, obtaining new certifications, and handling third-party risk management. I recommend CISOs consider the following strategies to keep their organizations ahead of the next cyberattack.
1. Build a risk-based AI adoption framework
Before deploying AI, classify its use cases, assess related risks, and apply guardrails. Include policies for data privacy, ethical use, and model transparency. Partner with compliance experts to ensure AI deployments meet applicable regulations and industry standards.
2. Leverage CCM
Your systems are only as secure and compliant as the controls that govern them. Continuous Controls Monitoring ensures that controls, particularly those that are AI-related (e.g. access restrictions, data handling policies, and model retraining procedures), remain in effect over time.
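To make the Continuous Controls Monitoring idea from the trend above and this strategy concrete, here is an added Python example written for this page; it is not code from RegScale, A-LIGN, or any product named here. It simulates one inventory pull per day over a constructed environment, re-evaluates two hypothetical controls (the ids IAM-2 and CFG-3, the asset names, and every snapshot value are constructed) on each pull, and contrasts that with a single point-in-time audit to show how long a drifted control would have gone unnoticed under each approach.

```python
"""Toy Continuous Controls Monitoring (CCM) loop.

Added example for this page, not code from RegScale or any product named
here. Control ids, asset names and the daily evidence snapshots are all
constructed so the script runs offline.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Optional

START = date(2025, 1, 1)                 # first evidence pull (constructed)
AUDIT_DAY = START + timedelta(days=11)   # the single day a point-in-time audit looks at


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    applies: Callable[[dict], bool]   # is this asset in scope for the control?
    passes: Callable[[dict], bool]    # does an in-scope asset satisfy it?


# Hypothetical control catalogue (ids are constructed, not from any framework).
CONTROLS = [
    Control("IAM-2", "Privileged accounts have MFA enabled",
            applies=lambda a: a["kind"] == "account" and a["privileged"],
            passes=lambda a: a["mfa"]),
    Control("CFG-3", "Object storage buckets encrypt data at rest",
            applies=lambda a: a["kind"] == "bucket",
            passes=lambda a: a["encrypted"]),
]


@dataclass
class Finding:
    control_id: str
    asset_id: str
    first_failed: date
    remediated: Optional[date]   # None while the asset is still failing


def build_snapshots(days: int = 12) -> list:
    """Constructed evidence: one inventory pull per day. 'svc-deploy' loses MFA
    on day 4 and regains it on day 9; the 'reports' bucket loses encryption on
    day 7 and is never fixed."""
    snapshots = []
    for d in range(days):
        assets = [
            {"id": "alice", "kind": "account", "privileged": True, "mfa": True},
            {"id": "svc-deploy", "kind": "account", "privileged": True,
             "mfa": not (3 <= d <= 7)},
            {"id": "bob", "kind": "account", "privileged": False, "mfa": False},
            {"id": "reports", "kind": "bucket", "encrypted": d < 6},
            {"id": "logs", "kind": "bucket", "encrypted": True},
        ]
        snapshots.append((START + timedelta(days=d), assets))
    return snapshots


def evaluate(control: Control, assets: list) -> list:
    """Ids of in-scope assets that fail the control in one snapshot."""
    return sorted(a["id"] for a in assets
                  if control.applies(a) and not control.passes(a))


def point_in_time_audit(snapshots: list, audit_day: date) -> dict:
    """Annual-audit style: judge every control from one day's evidence only."""
    assets = dict(snapshots)[audit_day]
    return {c.control_id: evaluate(c, assets) for c in CONTROLS}


def continuous_monitor(snapshots: list) -> list:
    """Re-evaluate every control on every pull; record when each asset started
    failing and when (if ever) it came back into compliance."""
    open_findings = {}   # (control_id, asset_id) -> day first seen failing
    findings = []
    for day, assets in snapshots:
        for c in CONTROLS:
            failing = set(evaluate(c, assets))
            for asset_id in failing:
                open_findings.setdefault((c.control_id, asset_id), day)
            fixed = [k for k in open_findings
                     if k[0] == c.control_id and k[1] not in failing]
            for key in fixed:
                findings.append(Finding(key[0], key[1], open_findings.pop(key), day))
    for (cid, aid), first in open_findings.items():
        findings.append(Finding(cid, aid, first, None))
    return sorted(findings, key=lambda f: (f.first_failed, f.control_id))


def compare_detection(snapshots: list, audit_day: date) -> list:
    """For each drift, when did each approach flag it? Continuous monitoring
    flags on the first pull where the asset fails; the point-in-time audit
    flags only what is still failing on audit day, so drift that was fixed
    before the audit is never seen."""
    still_failing = point_in_time_audit(snapshots, audit_day)
    rows = []
    for f in continuous_monitor(snapshots):
        caught = f.asset_id in still_failing[f.control_id]
        rows.append({
            "control": f.control_id,
            "asset": f.asset_id,
            "first_failed": f.first_failed.isoformat(),
            "remediated": f.remediated.isoformat() if f.remediated else None,
            "continuous_detected": f.first_failed.isoformat(),
            "audit_detected": audit_day.isoformat() if caught else None,
            "audit_delay_days": (audit_day - f.first_failed).days if caught else None,
        })
    return rows


def run_demo() -> list:
    rows = compare_detection(build_snapshots(), AUDIT_DAY)
    for r in rows:
        print(r)
    return rows


if __name__ == "__main__":
    run_demo()
```

In the constructed run, the MFA lapse on the service account is flagged by the continuous loop on the day it appears and is invisible to the day-12 audit because it had already been remediated, while the unencrypted bucket is caught by both, but five days later by the audit. Swapping `build_snapshots` for a real inventory export and the two lambdas for your own control predicates is the whole of the change needed to use the same loop on actual evidence.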
3. Tighten identity and access controls
A single compromised account in your system can cause exponential damage. Integrate identity governance, conditional access, and multi-factor authentication into your compliance program to reduce the attack surface.
4. Expand third-party oversight
Ensure all your vendors meet your organization’s security and compliance standards. Continuous vendor monitoring should be non-negotiable.
Beyond compliance: Turning security into a competitive advantage
The most mature organizations recognize that compliance isn’t the ceiling; it’s the floor. In other words, meeting compliance is a bare minimum requirement that should automatically result from robust security and risk management processes.
But compliance isn’t just a basic necessity; it’s also a competitive advantage. By embedding security and compliance into daily operations, CISOs can deliver measurable ROI in several ways:
- Customer trust: Transparent compliance reporting builds confidence with clients, partners, and regulators.
- Operational efficiency: Automated evidence collection and reporting cut manual workloads by up to 70%, according to RegScale’s 2025 State of CCM Report.
- Faster market entry: Streamlined compliance processes enable quicker product launches in regulated markets.
The path forward
Cybersecurity leadership is at a crossroads. Emerging threats, evolving compliance mandates, and the promise (and peril) of AI are reshaping what it means to be a CISO.
By embracing Continuous Controls Monitoring, aligning AI use with risk governance, and integrating security and compliance into a unified strategy, CISOs can transform regulatory obligations into operational strengths.
The next era of cybersecurity won’t wait. The time to act — and automate — is now.
About Dale Hoak
Dale Hoak is a results-driven cybersecurity leader who has delivered measurable impact across the U.S. Navy, law enforcement, and corporate sectors. As CISO at RegScale, he secured critical certifications—including SOC 2, FedRAMP High, and CSA STAR—enabling expansion into regulated markets. His AI-driven security automation enhanced compliance capabilities and unlocked over $1M in additional revenue. At the NYPD, he established the first fully operational Security Operations Center (SOC), slashing incident response times. Previously, he led global cybersecurity transformations, securing 45K+ endpoints and managing 37 major security events. Dale excels at aligning security with business growth, ensuring resilience in high-stakes environments.
About RegScale
RegScale is a Continuous Controls Monitoring (CCM) platform designed to be the operational risk tool for the CISO. Built on a compliance as code foundation, RegScale enables extreme automation with our API-first strategy, self-updating paperwork, and powerful AI agents that all but eliminate manual labor and make your program more proactive — helping you save money, accelerate time to market, and reduce risk in your operational environment. Heavily regulated organizations, including Fortune 500 enterprises and the federal government, use RegScale and report achieving compliance certifications 90% faster and trimming audit preparation efforts by 60%, thereby strengthening security and reducing costs. Learn more at www.regscale.com.