Custodia APA™ · Four-Domain AI Posture Assessment

ONE AI ASSESSMENT. FOUR DOMAINS.

The APA AI Posture Assessment is not just a SOC 2 AI add-on. It evaluates the four domains that actually determine AI exposure: governance + risk, identity + access, security + privacy, and vendor + supply chain. You get the evidence package needed for SOC 2 AI scrutiny and the posture analysis leadership needs to understand where real exposure sits before an auditor, buyer, or regulator finds it.

Book My APA Discovery Call

Tier is confirmed on the call · no commitment required.

Confidential · Prepared by Custodia, LLC

CUSTODIA APA™ · Governance · Identity · Security · Vendor
Confidential · Prepared by Custodia, LLC

Prepared For: ACME Technologies Inc.
Assessment Date: March 2026

APA Posture Score: 41 / 100 · PRIORITY GAPS IDENTIFIED

Domain grades: GOVERNANCE D · IDENTITY C+ · SECURITY B · VENDOR C

Custodia, LLC · aiprivacyandgovernance.com

// THE SITUATION — PLAIN ENGLISH

WHAT MOST AI ASSESSMENTS MISS

Most firms sell AI governance in isolation or SOC 2 evidence in isolation. That is too narrow. A real AI posture review has to cover the policy and risk layer, the identity layer, the security and privacy layer, and the vendor chain underneath the system. If one of those is missing, the assessment is incomplete.

WHAT BUYERS AND AUDITORS ACTUALLY ASK

They ask who approved the AI tool, who has access, how service accounts are governed, whether customer or employee data is flowing into models, which vendors sit underneath the service, and what happens if the model changes or fails. Those questions cut across multiple teams. They cannot be answered by a generic dashboard export.

WHY APA EXISTS

APA gives you one scored assessment across the four domains that matter. It helps you satisfy SOC 2 AI evidence expectations, but it also answers the bigger executive question: do we actually understand and control our AI footprint? That combination is what makes the assessment useful beyond a single audit cycle.

SOC 2 is often the forcing function, not the whole reason to act. The same gaps that create AI audit findings usually expose deeper problems in access governance, privacy, vendor oversight, and accountability. APA is designed to solve both problems at once: produce credible AI evidence for audit scrutiny and show leadership where the real operational risk sits.

// WHY THIS REQUIRES HUMAN REVIEW

What human review means.

APA is not a platform scan. It is a practitioner-led assessment of your actual AI posture. We review the documents, owners, workflows, identities, vendors, and security controls behind the systems in use. Every finding is documented with evidence notes, mapped to the relevant frameworks, and translated into plain business risk. That is materially different from a checklist or dashboard screenshot.

Why platforms cannot replace it.

Tools are useful for collecting standard system evidence. They do not interview owners, inspect AI approval workflows, trace vendor subprocessor chains, or challenge whether access governance actually exists for AI accounts and keys. That is why the AI layer still requires human review. For most companies, that review has never been done comprehensively.

// THE SOLUTION

The Custodia APA AI Posture Assessment™

APA is a fixed-price, fixed-scope assessment that combines AI governance review, identity and access analysis, security/privacy assessment, and vendor supply-chain diligence in one engagement. It is built to generate credible SOC 2 AI evidence where needed, but its value is broader: one score, one narrative, and one roadmap across the four domains that shape AI posture.

// PRICING

Three tiers. One four-domain methodology.

Every tier delivers a scored APA output, findings report, and remediation roadmap. Scope and depth scale to your company size, AI footprint, and regulatory exposure.

TIER 1 — APA ESSENTIALS

APA Essentials — Baseline Clarity

$5,000

Flat · 5–7 business days

Seed to Series A · 10–75 employees

CC6.1 · CC6.2 · CC6.3 · CC9.2 · AI inventory

Establish your baseline AI posture and cover the most immediate evidence needs.

  • Governance baseline review: AI policy, inventory, ownership, and approval flow
  • Core IAM gap analysis for AI tools, service accounts, and API keys
  • Security/privacy screen for top AI systems and data flows
  • Vendor review for top AI providers including contracts and training settings
  • SOC 2 AI evidence baseline for the most likely criteria in scope
  • 2-page executive summary for leadership and buyers
  • Prioritized 30-day remediation checklist
  • APA posture score
  • Timestamped practitioner report
  • Custodia-retained evidence copy

Annual reassessment $3,000


TIER 2 — APA PROFESSIONAL (MOST COMMON)

APA Professional — Full Coverage

$12,500

Flat · 10–14 business days

Series B/C · SMB · 75–300 employees

CC1 · CC3 · CC6 · CC7 · CC9 · PI1 · Privacy P1–P10

Full four-domain assessment for teams that need audit evidence and operational clarity.

  • Everything in Essentials
  • Full governance review with AI risk assessments and system classification
  • Full 14-question IAM gap analysis — deepest AI access review in the offering
  • AI monitoring, prompt injection, logging, and incident response assessment
  • Privacy TSC P1 through P10 review for AI data handling and automated decisions
  • Vendor contract, certification, subprocessor, and training opt-out review
  • 4-page board-ready executive summary
  • Full evidence table mapped to applicable frameworks
  • All three remediation roadmap tracks — 30, 90, and 12-month
  • 60-minute live findings presentation with your team

Annual reassessment $7,500


TIER 3 — APA ENTERPRISE

APA Enterprise — Regulatory Grade

$22,500

Flat · 14 business days

300–1,000 employees · Regulated industry

Full SOC 2 + HIPAA + FFIEC + PCI DSS + EU AI Act

Expanded review for regulated teams with complex AI estates and stricter external scrutiny.

  • Everything in Professional
  • HIPAA, PCI DSS, FFIEC, and EU AI Act overlays where applicable
  • High-risk AI classification and quality-management review for covered systems
  • 6 stakeholder interviews for full organizational coverage
  • Extended IAM deep dive — service account forensics, privileged access architecture, full access log analysis
  • Deep vendor supply-chain mapping including subprocessors and incident obligations
  • Multi-framework evidence mapping — one finding closes gaps across multiple frameworks simultaneously
  • Extended regulatory briefing document for legal team and board

Annual reassessment $14,000


ALL TIERS INCLUDE

APA posture score (0–100)
Timestamped Custodia-retained evidence copy
Executive findings package for leadership and auditors
Remediation roadmap with prioritized next steps

Tier confirmed on a free 30-minute discovery call · No commitment required

Annual reassessment rates: Essentials $3,000 · Professional $7,500 · Enterprise $14,000

// WHAT APA PRODUCES FOR YOUR AUDIT AND LEADERSHIP TEAM

APA produces more than a checklist. Every finding is mapped to the relevant framework, explained in business terms, and tied to a remediation path. Where SOC 2 AI evidence is needed, the output is ready for that use. Where broader exposure exists, leadership sees it.

Requirement or Exposure → What APA Produces

  • Governance + risk baseline: AI policy review, full system inventory, ownership mapping, tool approval workflow assessment, and risk classification output.
  • SOC 2 CC6 — AI identity and access: Assessment of AI access lists, service accounts, API keys, provisioning, reviews, offboarding, privileged access, and human oversight controls.
  • SOC 2 CC7 / CC9 — model operations and security: Prompt injection, monitoring, output logging, incident response, and model integrity findings with evidence notes.
  • Privacy TSC / GDPR / regulated data exposure: AI data-flow review, DPA and DPIA analysis, retention and training-use review, and privacy control mapping.
  • Vendor and supply-chain exposure: Contract review, certification review, subprocessor mapping, opt-out verification, and notification/SLA findings.
  • Executive decision support: One APA score, executive narrative, and 30/90/12-month remediation roadmap prioritized by business impact.

All findings are documented with evidence notes, scoring rationale, and remediation guidance. Third-party documented. Timestamped. Useful in an audit and useful after the audit.

// FRAMEWORK COVERAGE — WHAT APA CAN SUPPORT

APA is not a SOC 2 audit and does not issue an opinion. It is a practitioner-led posture assessment that can support your SOC 2 AI evidence needs while also mapping exposure across the other frameworks your customers, regulators, and legal team may care about.

Audit Framework Testing AI → Specific Controls Assessed → What APA Provides

  • SOC 2 (CC6.1, CC6.2, CC6.3): Evidence of AI identity governance, provisioning controls, and periodic access review documentation for AI systems.
  • ISO 27001 (Annex A 5.15, 5.16, 5.18, 8.2, 8.5): Assessment of identity management, access rights, and privileged access controls applied to AI systems and accounts.
  • HIPAA (45 CFR 164.308(a)(4), 164.312(a)(1)): Documentation of workforce AI access controls and governance over AI systems touching protected health information.
  • PCI DSS v4.0 (Requirements 7 and 8): Evidence of access control governance and identity management for AI systems within or adjacent to cardholder data environments.
  • EU AI Act (Articles 9, 10, 17): Documented risk management, data governance assessment, and quality-management evidence for covered AI systems.
  • NIST AI RMF (Govern, Map, Measure, Manage): Cross-framework alignment documentation suitable for enterprise due diligence, questionnaires, and internal governance reporting.

Custodia retains a timestamped copy of every APA output. When an auditor, buyer, or executive asks what AI due diligence your organization has actually performed, this is the document you can produce. Annual reassessments keep the evidence current and the score trackable over time.

// THE THREE OPTIONS — AND WHY POINT SOLUTIONS FALL SHORT

DO IT INTERNALLY

Your team tries to stitch together policy review, IAM analysis, privacy review, and vendor diligence internally. This assumes someone has deep AI governance, identity, security, and privacy experience all at once. Most teams do not. The result is partial coverage and a lot of hidden confidence.

Typical cost $6K–$30K in internal labor. Audit risk remains.

HIRE A SOC 2 READINESS FIRM

A generalist firm checks whether policies exist and whether a framework can be mapped. They usually do not assess AI IAM controls at implementation depth, review vendor training settings, or trace AI-specific privacy and monitoring gaps. You get a compliance narrative without a true posture assessment underneath it.

Typical cost $25K–$85K. Still misses the AI-specific gap.

THE APA ASSESSMENT

One practitioner-led assessment across governance, identity, security/privacy, and vendor risk. Deep IAM review where most firms stop short. Credible SOC 2 AI evidence where needed. Clear posture narrative for leadership where broader exposure exists. Fixed price. Two weeks. Built for the real shape of AI risk.

Essentials $5,000 · Professional $12,500 · Enterprise $22,500. One score. Four domains.

// THE FOUR DOMAINS

Four domains. One assessment.

GOVERNANCE + RISK

Governance starts with knowing what AI exists and who owns the risk.

APA establishes the baseline most companies do not have: AI use policy, full system inventory, risk assessments, accountable owners, approval workflow, and risk-tier classification. This is the foundation for both audit evidence and real oversight.

NIST AI RMF GOVERN · EU AI Act Art. 6/9 · SOC 2 CC9

IDENTITY + ACCESS

This is where APA becomes different from generic AI compliance work.

We assess AI tool access lists, API keys, service accounts, privileged access, access reviews, offboarding, and human oversight of AI-driven decisions. That IAM depth is what closes SOC 2 CC6 gaps and surfaces real insider and orphaned-access risk.

SOC 2 CC6 · ISO 27001 Annex A · GDPR Art. 22

SECURITY + PRIVACY

Evidence for auditors, plus real visibility into AI security and privacy exposure.

APA reviews DPAs, DPIAs, retention and training settings, AI incident response, prompt injection controls, output logging, and Privacy TSC readiness. It is built for the evidence your auditor needs and the exposure your security and legal teams care about.

SOC 2 CC7/CC9 · Privacy TSC P1–P10 · GDPR

VENDOR + SUPPLY CHAIN

Your AI risk is only as strong as the vendors and model providers behind it.

APA reviews AI contracts, certifications, subprocessors, model-training opt-out status, change notifications, and incident SLAs. Most firms stop at policy language. We follow the chain of custody and control to where third-party risk actually lives.

SOC 2 CC9.2 · GDPR Art. 28 · EU AI Act Art. 10

// ENGAGEMENT PROCESS

Kickoff to scored APA output in two weeks.

01 · DISCOVERY CALL

Day 0 · 30 min · Free

We confirm your AI footprint, audit or buyer pressure, regulatory exposure, and likely tier. You leave knowing whether you need a baseline APA snapshot or full four-domain coverage. No commitment required.

02 · INTAKE AND EVIDENCE REQUEST

Days 1–3

Flat-fee engagement signed. We send the APA intake and document request list covering governance, identity, security/privacy, and vendor evidence. Your team provides access and artifacts. We drive the process from there.

03 · FOUR-DOMAIN PRACTITIONER REVIEW

Days 4–14

Practitioner-led review of the controls your tools cannot assess: AI governance maturity, access governance, AI security/privacy practices, and vendor supply chain. Includes document review, stakeholder interviews, and IAM analysis at implementation depth.

04 · SCORED REPORT + ROADMAP DELIVERED

Days 15–21

Your scored APA deliverable package is delivered as a board-ready PDF with executive summary, findings, evidence mapping, and remediation roadmap. Where SOC 2 AI evidence is needed, the output is ready for that use. Where posture gaps exist beyond SOC 2, leadership sees them clearly.

// FAQ

Questions we get before someone books.

Our Vanta is already set up. Why do we need this?

Vanta automates evidence for connected systems. It does not perform a four-domain review of your AI posture. It will not inventory shadow AI, review AI service accounts at depth, assess your vendor chain, or determine whether your privacy and security controls actually cover AI usage. APA fills that gap.

Is this a SOC 2 certification?

No. Only a licensed CPA firm can issue a SOC 2 opinion. APA is a practitioner-led posture assessment. It can produce strong supporting evidence for the AI controls your auditor will review, but it also goes beyond SOC 2 to evaluate the broader AI governance, identity, security/privacy, and vendor picture.

We're a startup. Do we actually need this?

If you are selling into enterprise, raising institutional money, or using AI in customer-facing or sensitive workflows, yes. APA Essentials was built for this exact stage: enough rigor to answer buyer and auditor questions before your AI footprint grows into a larger governance problem.

We have SOC 2. Doesn't that cover AI governance?

Your SOC 2 covers general controls. It usually does not mean anyone has assessed your actual AI inventory, AI access model, vendor chain, automated decision points, or AI-specific privacy exposure. APA is designed to evaluate that AI layer directly.

What do the tiers cover? How do we know which one we need?

APA is available in three tiers — $5,000, $12,500, and $22,500 — all flat fees. The right tier depends on your AI footprint, regulatory profile, and how deep the review needs to go across the four domains. Every tier includes a score, findings, and a roadmap. You are paying for assessment depth, not consulting theater.

What happens after the report?

You get a prioritized roadmap with 30/90/12-month recommendations. Most clients handle remediation internally and use the score plus roadmap to track progress. Annual reassessments are available if you want to keep the posture current or refresh evidence for auditors and buyers.

How do we know the findings are credible?

The assessment is conducted by a Senior AI GRC Partner with an MSISPM from Carnegie Mellon, AIGP and CIPP credentials, and SailPoint enterprise IAM implementation experience. The methodology maps directly to SOC 2 Trust Service Criteria, ISO 27001 Annex A, and NIST AI RMF — the frameworks your SOC 2 auditor uses to evaluate your posture.

We already have a compliance program. Does this overlap with what we already do?

Your existing compliance program may cover the framework layer. APA covers the AI posture layer underneath it. That means the actual systems, identities, data flows, vendors, and controls behind AI usage. In practice, it complements most compliance programs rather than duplicating them.

Why do we need this every year?

Two reasons. First, your AI footprint changes — new tools get deployed, vendors change, service accounts accumulate, access patterns shift. An assessment from last year does not cover new AI systems added since then. Second, your SOC 2 audit covers the current period. Evidence of AI controls needs to be current at the time of audit. Annual reassessment keeps your evidence current, your SOC 2 AI section covered, and your AI inventory up to date.

How is this different from what our SOC 2 auditor does?

Your SOC 2 auditor evaluates whether controls exist and operate effectively. APA is the readiness and posture work that helps you understand the AI environment before that happens. We identify gaps, document the evidence that exists, and show you where your exposure goes beyond a single audit requirement.

YOUR SOC 2 AI EVIDENCE AND POSTURE.

APA gives you a four-domain view of AI governance, identity, security/privacy, and vendor exposure in one fixed-price engagement. If SOC 2 AI evidence is the immediate need, it supports that. If leadership needs to understand the broader posture around AI use, it does that too.


Essentials $5,000 · Professional $12,500 · Enterprise $22,500 · Annual reassessments from $3,000 · Tier confirmed on call · No commitment required · Custodia, LLC · Pittsburgh PA · Remote nationwide

The Custodia APA AI Posture Assessment™ is a proprietary assessment methodology. Custodia, LLC · aiprivacyandgovernance.com · Pittsburgh, PA