ISO 42001 · SOC 2 · AI questionnaires

Compliance, without theater

RootBlocks does not sell a checklist. It generates the AI-section evidence your existing compliance stack cannot collect, and maps it to the clauses that ask for it.

ISO 42001, Clause 8

Clause 8 asks for operational control over AI systems. A receipt binds each governed run to a policy, gates, and a human decision: operational control, recorded at the moment it happened.

SOC 2, CC8.1

Change management asks who authorized, built, reviewed and approved each change. The receipt chain answers all four for AI-written changes, with signatures instead of screenshots.

The AI section of the questionnaire

The AI section is now standard in enterprise security questionnaires. An exposure report from rootblocks scan answers the baseline questions: how much of your code agents write, and how much of it is reviewed.

EU AI Act

We do not lean on the EU AI Act as a forcing function. If it applies to you, receipts help with documentation duties; the operational drivers today are ISO 42001 and SOC 2.

Frameworks move. This page is maintained as they do, and the mappings ship inside the evidence pack export.

What an evidence pack contains

  • The receipts in scope, as signed JSON
  • The public key and the verification instructions
  • The framework mapping (ISO 42001 Clause 8, SOC 2 CC8.1)
  • The exposure summary: percent agent-authored and the review gap

Facing the questionnaire this quarter? Talk to us before you answer the AI section.
