Compliance

SOC2 Auditors Are Now Asking About AI Tool Usage

Your SOC2 controls cover infrastructure, access management, and change management. Do they cover what your developers send to GitHub Copilot and Claude Code? Pretense adds the AI layer to your compliance posture.

100% of AI requests logged
PDF + JSON report export formats
WAL-mode tamper-resistant audit store
Type II evidence for continuous controls

The Problem

Why existing controls do not address AI coding tool risk for compliance teams.

AI tool usage is a new SOC2 control area

SOC2 Trust Service Criteria require documented controls around data access, transmission, and third-party sharing. AI coding tools create a new category: continuous, high-volume transmission of code and data to external model providers. Most SOC2 programs have no controls covering this.

Auditors want evidence, not policies

Writing an AI acceptable use policy satisfies the policy control. It does not satisfy the evidence control. SOC2 Type II requires evidence that controls were operating effectively over the audit period. For AI tools, that means logs.

Developer behavior is impossible to audit manually

You cannot interview 200 developers and ask whether they ever pasted a customer's data into an AI prompt. You need automated controls that produce evidence without relying on developer self-reporting.

How Pretense Solves It

Audit log for every AI API request

Pretense logs every request with timestamp, provider endpoint, mutation count, blocked secrets count, and a request hash. Logs are immutable once written. The SQLite WAL-mode store ensures no silent data loss. Auditors receive a complete record of every AI tool interaction over the audit period.

Exportable SOC2 compliance reports

Pretense generates compliance reports in PDF and JSON formats. Reports include: total request volume, unique developers, providers used, secrets blocked, mutation coverage rate, and daily breakdown tables. These reports are formatted for inclusion in SOC2 evidence packages.
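To make the two preceding sections concrete, here is an added example (not Pretense's own code) of an append-only audit store with the properties they describe: a SQLite database in WAL mode, one row per AI API request carrying the fields the page lists, rows the database itself refuses to update or delete, and a summary function that produces the headline numbers of a compliance report. The developer column, the prev_hash/entry_hash chain and the trigger names are assumptions made here, as is the sample traffic.

```python
# Added example (not Pretense's code): an append-only SQLite audit store in
# WAL mode. Row fields follow the page; the hash chain, the developer column
# and the UPDATE/DELETE-blocking triggers are assumptions made here.
import hashlib
import json
import sqlite3

FIELDS = ("ts", "developer", "provider", "mutation_count",
          "secrets_blocked", "request_hash", "prev_hash")
GENESIS = "0" * 64  # prev_hash of the first row

SCHEMA = """
CREATE TABLE IF NOT EXISTS ai_requests (
    id INTEGER PRIMARY KEY, ts TEXT NOT NULL, developer TEXT NOT NULL,
    provider TEXT NOT NULL, mutation_count INTEGER NOT NULL,
    secrets_blocked INTEGER NOT NULL, request_hash TEXT NOT NULL,
    prev_hash TEXT NOT NULL, entry_hash TEXT NOT NULL UNIQUE);
-- Immutability is enforced by the database itself, not by app discipline.
CREATE TRIGGER IF NOT EXISTS ai_requests_no_update BEFORE UPDATE ON ai_requests
BEGIN SELECT RAISE(ABORT, 'audit rows are immutable'); END;
CREATE TRIGGER IF NOT EXISTS ai_requests_no_delete BEFORE DELETE ON ai_requests
BEGIN SELECT RAISE(ABORT, 'audit rows are immutable'); END;
"""


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    # WAL appends to a write-ahead log and checkpoints later, so a crash
    # mid-write cannot corrupt rows already committed (":memory:" reports
    # "memory" here; a file-backed store reports "wal").
    conn.execute("PRAGMA journal_mode=WAL")
    conn.executescript(SCHEMA)
    return conn


def _canonical(fields: dict) -> bytes:
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def log_request(conn, developer, provider, body: bytes,
                mutation_count: int, secrets_blocked: int, ts: str) -> str:
    """Append one audit row and return its entry hash."""
    # Hash of the body actually sent upstream ties the row to a request
    # without storing the (possibly sensitive) body itself.
    request_hash = hashlib.sha256(body).hexdigest()
    last = conn.execute(
        "SELECT entry_hash FROM ai_requests ORDER BY id DESC LIMIT 1").fetchone()
    fields = dict(zip(FIELDS, (ts, developer, provider, mutation_count,
                               secrets_blocked, request_hash,
                               last[0] if last else GENESIS)))
    entry_hash = hashlib.sha256(_canonical(fields)).hexdigest()
    conn.execute(
        "INSERT INTO ai_requests (ts, developer, provider, mutation_count, "
        "secrets_blocked, request_hash, prev_hash, entry_hash) "
        "VALUES (?, ?, ?, ?, ?, ?, ?, ?)", (*fields.values(), entry_hash))
    conn.commit()
    return entry_hash


def verify_chain(conn) -> bool:
    """Recompute every entry hash: an edited, removed or reordered row breaks
    the chain (truncating the tail does not; compare the latest hash with a
    copy kept where the store's writer cannot reach it)."""
    prev = GENESIS
    for *values, entry_hash in conn.execute(
            "SELECT " + ", ".join(FIELDS) + ", entry_hash FROM ai_requests ORDER BY id"):
        fields = dict(zip(FIELDS, values))
        if (fields["prev_hash"] != prev
                or hashlib.sha256(_canonical(fields)).hexdigest() != entry_hash):
            return False
        prev = entry_hash
    return True


def rows_are_immutable(conn) -> bool:
    """True when the database rejects an in-place edit (needs >= 1 row)."""
    try:
        conn.execute("UPDATE ai_requests SET secrets_blocked = 0")
    except sqlite3.DatabaseError:
        return True
    return False


def compliance_summary(conn) -> dict:
    """The headline numbers a SOC2 evidence package asks for."""
    total, devs, secrets, mutated = conn.execute(
        "SELECT COUNT(*), COUNT(DISTINCT developer), COALESCE(SUM(secrets_blocked), 0),"
        " COALESCE(SUM(mutation_count > 0), 0) FROM ai_requests").fetchone()
    return {
        "total_requests": total,
        "unique_developers": devs,
        "providers_used": [p for (p,) in conn.execute(
            "SELECT DISTINCT provider FROM ai_requests ORDER BY provider")],
        "secrets_blocked": secrets,
        # share of requests that left with at least one identifier mutated
        "mutation_coverage_rate": round(mutated / total, 3) if total else 0.0,
        "daily_requests": dict(conn.execute(
            "SELECT substr(ts, 1, 10), COUNT(*) FROM ai_requests GROUP BY 1 ORDER BY 1")),
    }


def demo() -> dict:
    """Constructed sample traffic: three requests, two developers, two days."""
    conn = open_store()
    log_request(conn, "alice", "api.openai.com", b'{"prompt":"refactor _fn4a2b"}',
                3, 0, ts="2025-03-01T09:00:00+00:00")
    log_request(conn, "bob", "api.anthropic.com", b'{"prompt":"explain this"}',
                0, 1, ts="2025-03-01T10:15:00+00:00")
    log_request(conn, "alice", "api.anthropic.com", b'{"prompt":"add tests"}',
                5, 0, ts="2025-03-02T08:30:00+00:00")
    summary = compliance_summary(conn)
    summary["chain_intact"] = verify_chain(conn)
    summary["rows_immutable"] = rows_are_immutable(conn)
    return summary
```

The triggers stop an application (or a careless DBA) from rewriting history through SQL; the hash chain is what an auditor can recompute to show that the file on disk was not edited out of band. Each row's request_hash lets the log be matched against a captured request body without the store ever holding the prompt text itself.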

Technical control that cannot be bypassed

A policy requires developer compliance. A proxy control does not. Pretense enforces protection at the network layer. Developers cannot bypass mutation without reconfiguring their tools, which creates a detectable audit event. This is a technical control, not a procedural one.

SIEM forwarding for centralized log management

If your SOC2 program uses centralized log management, Pretense events forward to Splunk, Microsoft Sentinel, and Elastic. All AI tool request events are co-located with your other security telemetry and available for SIEM correlation rules.

Compliance Coverage

Pretense generates audit evidence and compliance documentation for the frameworks that matter to compliance teams.

SOC2 Type II

Audit evidence for CC controls

CC6.1 Ready

Logical access and data transmission controls

CC7.2 Ready

Monitoring and anomaly detection

CC9.2 Ready

Third-party vendor risk management

SIEM Integration

Splunk, Sentinel, Elastic

What the LLM Actually Sees

Pretense transforms proprietary identifiers into synthetic tokens before transmission. Structure and logic are preserved. Your IP is not.

Without Pretense: identifiers exposed

// Sent to LLM provider verbatim
async function fetchPatientMedicalHistory(
  patientId: string,
  includeSSN: boolean
) {
  return await ehrClient.getRecord(
    patientId, ENCRYPTION_KEY
  );
}

With Pretense: synthetic identifiers only

// Pretense-mutated before transmission
async function _fn4a2b(
  _v8c3d: string,
  _v2f1a: boolean
) {
  return await _v9e4b._fn7d2c(
    _v8c3d, _v6b1a
  );
}

After the LLM responds, Pretense reverses every mutation. You receive real, working code with your original identifiers restored byte-for-byte.
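As an added illustration, not Pretense's own mutation algorithm (which this page does not publish), the following Python sketch shows one way the forward and reverse mapping in the snippet above can work: identifiers are replaced by synthetic tokens before transmission, keywords and type names are left alone so the model still sees valid code, string literals and comments pass through untouched, and the mapping is reversed on the reply. The token shapes (_fn plus hex for call targets, _v plus hex for everything else) follow the page's illustration; the keyword list, the keyed-hash derivation of tokens and the sample snippet are assumptions made here.

```python
# Added example (not Pretense's algorithm): reversible identifier mutation.
# Token shapes follow the page's illustration; keyword list, keyed-hash token
# derivation and literal/comment pass-through are assumptions made here.
import hashlib
import re

# Language words that must survive so the model still sees valid TypeScript.
KEYWORDS = {
    "async", "await", "function", "return", "const", "let", "var", "if", "else",
    "for", "while", "new", "this", "true", "false", "null", "undefined", "import",
    "export", "from", "class", "interface", "type", "void", "any", "string",
    "number", "boolean", "Promise", "try", "catch", "throw", "typeof",
}

# Spans that are never renamed; everything else that looks like an identifier is.
_PASS = (r'"(?:[^"\\\n]|\\.)*"'        # double-quoted string
         r"|'(?:[^'\\\n]|\\.)*'"        # single-quoted string
         r"|`(?:[^`\\]|\\.)*`"          # template literal
         r"|//[^\n]*|/\*[\s\S]*?\*/"    # line and block comments
         r"|\d[\w.]*")                  # numeric literals
_TOKEN = re.compile(rf"({_PASS})|(?<![\w$])([A-Za-z_$][\w$]*)")
_SYNTHETIC = re.compile(r"\b_(?:fn|v)[0-9a-f]+\b")


class Mutator:
    def __init__(self, session_secret: bytes):
        self._secret = session_secret
        self.forward: dict[str, str] = {}   # real name -> synthetic token
        self.reverse: dict[str, str] = {}   # synthetic token -> real name

    def _token(self, name: str, is_call: bool) -> str:
        if name in self.forward:
            return self.forward[name]
        # Keyed hash: the same name maps to the same token for the whole
        # session (multi-turn conversations stay consistent), while the secret
        # keeps tokens unguessable from the name alone.
        digest = hashlib.sha256(self._secret + name.encode()).hexdigest()
        prefix, width = ("_fn" if is_call else "_v"), 4
        token = prefix + digest[:width]
        while token in self.reverse:           # rare collision: lengthen it
            width += 1
            token = prefix + digest[:width]
        self.forward[name] = token
        self.reverse[token] = name
        return token

    def mutate(self, source: str) -> str:
        """What the model sees."""
        def replace(m: re.Match) -> str:
            if m.group(1) is not None:         # literal / comment / number
                return m.group(1)
            name = m.group(2)
            if name in KEYWORDS:
                return name
            # An identifier directly followed by "(" is a call or declaration.
            is_call = source[m.end():].lstrip().startswith("(")
            return self._token(name, is_call)
        return _TOKEN.sub(replace, source)

    def demutate(self, text: str) -> str:
        """What the developer gets back; tokens not in the map are left alone."""
        return _SYNTHETIC.sub(lambda m: self.reverse.get(m.group(0), m.group(0)), text)


# Constructed sample: the page's snippet, plus a comment to show pass-through.
SAMPLE = """async function fetchPatientMedicalHistory(
  patientId: string,
  includeSSN: boolean
) {
  // TODO: audit this call
  return await ehrClient.getRecord(
    patientId, ENCRYPTION_KEY
  );
}"""


def roundtrip(source: str = SAMPLE, secret: bytes = b"per-session-secret"):
    """Return (outbound text, restored reply) for one request/response pair."""
    m = Mutator(secret)
    outbound = m.mutate(source)
    # The model answers in terms of the synthetic names it was shown.
    reply = "Reviewed:\n" + outbound
    return outbound, m.demutate(reply)
```

The design point worth noting is that reversal must tolerate tokens the model invents or mangles: an unknown _v or _fn token is passed through rather than raising, so a hallucinated name shows up as an obvious placeholder in the developer's editor instead of breaking the whole response.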

Frequently Asked Questions

Which SOC2 Trust Service Criteria does Pretense address?

Pretense primarily addresses CC6 (Logical and Physical Access Controls) and CC9 (Risk Mitigation) criteria. Specifically: CC6.6 (logical access restrictions for transmitting data), CC6.7 (restricting transmission of data to authorized parties), and CC9.2 (third-party vendor risk assessment evidence).

What does a Pretense compliance report contain?

Each report includes: audit period dates, total AI API requests, providers used, unique developer count, total mutations performed, secrets blocked with categories, mutation coverage rate, daily request breakdown, and system configuration summary. Reports are signed with a report ID for audit traceability.

Does Pretense have its own SOC2 certification?

Pretense is in the process of SOC2 Type II certification. Current documentation available includes penetration test results, architecture diagrams, data flow documentation, and mutation algorithm specification. Contact the security team for the full security package.

Can we use Pretense audit logs in an existing SIEM-based SOC2 program?

Yes. Pretense forwards events to Splunk, Sentinel, and Elastic in CEF, LEEF, and JSON formats. Events include all audit fields required by your SOC2 program. This enables AI tool usage to be part of your centralized security monitoring posture.
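To show what the SIEM forwarding described here and in the section above looks like on the wire, here is an added example (not Pretense's own forwarder) that serialises one audit event in the three formats the page names, CEF, LEEF and JSON, and runs a simple correlation rule of the kind a centralized monitoring control would codify. The vendor, product and version strings, the allow-list of approved provider endpoints, the choice of CEF extension keys and the sample events are all placeholders chosen here; the escaping rules follow the CEF and LEEF format specifications.

```python
# Added example (not Pretense's forwarder): CEF / LEEF / JSON serialisation of
# AI-request audit events plus one correlation rule. Vendor strings, allow-list
# and sample events are placeholders; escaping follows the CEF/LEEF specs.
import json
from datetime import datetime

VENDOR, PRODUCT, VERSION = "ExampleVendor", "ai-proxy", "0.1"   # placeholders
APPROVED_PROVIDERS = {"api.openai.com", "api.anthropic.com"}    # assumed allow-list


def _cef_header(s: str) -> str:
    # In the CEF header only "|" and "\" need escaping.
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(v) -> str:
    # In extension values "=" and "\" are escaped and newlines encoded.
    return (str(v).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def _epoch_ms(ts: str) -> int:
    return int(datetime.fromisoformat(ts).timestamp() * 1000)


def to_cef(ev: dict) -> str:
    """One CEF:0 line; severity rises when a secret had to be blocked."""
    severity = 7 if ev["secrets_blocked"] else 3
    header = "|".join(_cef_header(x) for x in (
        "CEF:0", VENDOR, PRODUCT, VERSION, "ai.request", "AI API request", str(severity)))
    ext = {
        "rt": _epoch_ms(ev["ts"]),
        "suser": ev["developer"],
        "dhost": ev["provider"],
        "cn1": ev["mutation_count"], "cn1Label": "mutationCount",
        "cn2": ev["secrets_blocked"], "cn2Label": "secretsBlocked",
        "cs1": ev["request_hash"], "cs1Label": "requestHash",
    }
    return header + "|" + " ".join(f"{k}={_cef_ext(v)}" for k, v in ext.items())


def to_leef(ev: dict) -> str:
    """LEEF 1.0: pipe-delimited header, then tab-separated key=value attributes."""
    attrs = {
        "devTime": ev["ts"], "usrName": ev["developer"], "dst": ev["provider"],
        "mutationCount": ev["mutation_count"], "secretsBlocked": ev["secrets_blocked"],
        "requestHash": ev["request_hash"],
    }
    header = "|".join(("LEEF:1.0", VENDOR, PRODUCT, VERSION, "ai.request"))
    return header + "|" + "\t".join(f"{k}={v}" for k, v in attrs.items())


def to_json(ev: dict) -> str:
    return json.dumps(ev, sort_keys=True, separators=(",", ":"))


def correlate(events: list) -> list:
    """Two assumed rules for a monitoring control over the event stream:
    a request bound for a provider endpoint not on the allow-list, and a
    developer who had secrets blocked more than once in the window."""
    findings, blocked_by_dev = [], {}
    for ev in events:
        if ev["provider"] not in APPROVED_PROVIDERS:
            findings.append({"rule": "unapproved_provider",
                             "developer": ev["developer"], "provider": ev["provider"]})
        blocked_by_dev[ev["developer"]] = (
            blocked_by_dev.get(ev["developer"], 0) + ev["secrets_blocked"])
    for dev, n in blocked_by_dev.items():
        if n > 1:
            findings.append({"rule": "repeated_secret_blocks", "developer": dev, "count": n})
    return findings


# Constructed sample events (the third carries "=" and "|" to exercise escaping).
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T09:00:00+00:00", "developer": "alice", "provider": "api.openai.com",
     "mutation_count": 3, "secrets_blocked": 0, "request_hash": "ab12"},
    {"ts": "2025-03-01T10:15:00+00:00", "developer": "bob", "provider": "api.anthropic.com",
     "mutation_count": 0, "secrets_blocked": 1, "request_hash": "cd34"},
    {"ts": "2025-03-01T11:00:00+00:00", "developer": "bob", "provider": "llm.example.net",
     "mutation_count": 2, "secrets_blocked": 1, "request_hash": "ef=56|x"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(to_cef(ev))
    print(correlate(SAMPLE_EVENTS))
```

Whichever format you forward, keep the field names stable across the audit period: a correlation rule written against cs1Label=requestHash or usrName breaks silently if a later release renames the key, and a silent gap in detection is exactly what a Type II auditor will ask you to explain.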

Protect your compliance team in 30 seconds

One environment variable. No code changes. No workflow disruption. Pretense intercepts every AI API request from day one.

No credit card required. Free tier available. Local-first, nothing leaves your machine.
