SOC 2 for AI-Native Products: What Changes When Agents Help Write the Code

AI agents are now doing the work of mid-level engineers — writing code, reviewing PRs, managing deployments. Headcount is down. Output is up. And the controls your auditor expects to see were never designed for this.

SOC 2 auditors often expect to see humans reviewing code and approving changes. When an agent steps into those roles, compliance with security standards may be at risk. 

In this session presented by UnderDefense and Boulay, a CPA firm with a global SOC 2 reporting practice, the panel will discuss the pitfalls that may occur during your audit when too much reliance is placed on AI in the software development process.

What we'll cover:

1. The new operating reality – Agents are handling entry and mid-level engineering work. Controls previously performed by humans are quietly disappearing in the name of speed and cost savings.
   
   
2. Why audits got harder – We’ll walk through the five questions AI-native companies struggle with: AI usage policies, code review, change management, access controls, and evidence chain-of-custody.
   
   
3. How copilots bypass traditional controls – Branch protection disabled “just this once.” Code review signed off by the agent that wrote the code. Secrets shared informally because the agent needed access. All these instances carry security risks.
   
   
4. The best path to security compliance – We’ll show how pairing continuous compliance tooling with a security partner that runs DevSecOps the way an auditor expects can compress the timeline and produce compliance results your customers expect.