// Posted 2026-07-08

Your SOC 2 Evidence Lives in a Screenshot Folder

Your security lead opens the SOC 2 folder, 214 evidence items requested, 63 are screenshots from September. Compliance is a function you never staffed.

Stacked translucent evidence panels in dark space with one amber panel frozen mid-screenshot and pink audit threads branching between the pages

It is Wednesday the 12th, 8:41 AM. Your security lead opens the SOC 2 audit request folder your auditor pushed on Monday. 214 evidence items across nine control families. 63 items are screenshots your predecessor uploaded last September. 41 sit under access reviews the head of IT last ran in April. 19 sit under change management with a note reading "will pull tomorrow" from the 4th. The observation window closes on the 30th.

She opens the access review sub-folder. The list of production admins is a screenshot of Okta from September 14th. The company hired 22 engineers since. Four left. The screenshot does not show the two contractors who got production access in November for a database migration and never got deprovisioned. Her auditor will ask for a live export by the 20th and flag the two contractors as a control gap.

She opens Slack. She pings the head of engineering about the change management evidence. He is in the Q3 planning offsite. She pings the head of IT about the access review. He tells her the last quarterly review shipped in April and Q3 slipped when the offsite moved. She pings the fractional CISO, who bills $340 an hour and answers on Fridays. Every evidence gap is a two-message conversation. Together they will burn nineteen business days against an eighteen-day window.

SOC 2 evidence collection is a function. Most Series B and C teams have not staffed it because the first audit at Series A ran 90 controls the security lead pulled by hand in two weeks. The scope grew to 180 controls at Type 2 and 214 items at the second observation window. The function lives in the gap between the security lead who owns the report, the head of IT who owns access, the head of engineering who owns change management, the head of people who owns onboarding and offboarding, the fractional CISO who owns the policy set, and the CFO who signs off on the auditor bill. On the org chart it sits under Security. In practice it sits inside a Google Drive folder nobody opens between audits.

The 214 evidence items nobody is tracking

Pull the last audit request list from your Vanta or Drata dashboard, the auditor's PBC list, the Google Drive folder your predecessor uploaded to, the Slack channel where evidence gets flagged, and the shared inbox for auditor questions. Most teams at Series B find 180 to 260 items requested, 40 to 60 percent still stale from the prior audit, 20 to 30 percent screenshots older than 90 days, and 8 to 15 percent tied to a control the responsible team lead has not seen this quarter.

Walk the past-90 bucket. The first item is the quarterly access review for production databases. The last export ran in April. Three engineers rotated off the on-call rotation and kept their credentials. The fourth item is the vendor risk review for a data pipeline SaaS the team onboarded in May with no security questionnaire on file. The seventh is the change management evidence for a June deploy where the ticket, the approval, and the deploy log live in three different tools with no thread linking them. Each item has a single, specific missing artifact. None of them are policy problems. All of them are nobody-collecting-the-evidence problems.

The team that should own this knows it is broken. The security lead cannot chase nine control owners, tie 63 screenshots to a live source system, and rewrite the vendor risk playbook in the same fortnight. The head of IT runs access reviews when audit week hits. The head of engineering approves the deploy and never uploads the ticket link. The auditor sends a Friday email with 34 follow-ups. The function sits unstaffed while the observation window closes on the 30th.

Hiring a GRC analyst is the slow answer

The textbook fix is a governance, risk, and compliance analyst or a security program manager. Loaded comp in the US runs $130K to $180K a year. Months one through two go to reading the last audit report, mapping the 214 controls to owners, and shadowing the security lead through one PBC cycle. Months three through six are when the vendor risk register gets rebuilt, the access review cadence moves from annual to quarterly, and the auditor stops asking for the same three screenshots twice.

The fractional version is faster to start and stops at the same wall. Six to ten thousand a month buys eight to twelve hours a week of senior GRC time. The first month closes twelve stale evidence items and writes the first vendor risk template. The 180 items that need a Tuesday nudge and a Thursday sign-off stay untouched because the hours run out and the consultant moves to the next client.

Both versions assume the work is a person chasing a checklist. The work itself is watching every source system for a control-relevant change the day it happens, pulling a live Okta export instead of a September screenshot, tying every production deploy to a ticket and an approval log inside the same thread, running the vendor risk questionnaire the day the finance team logs a new SaaS line, drafting the auditor response with the specific artifact linked, escalating the missing evidence to the right control owner with the deadline named, and never letting a PBC item sit past day three without a shipped response. On 214 items that is 40 to 60 hours a week of senior security work, and no single hire clears that pile while also running the tabletop and the phishing program.

What a fractional AI compliance function does

Hand the Vanta or Drata dashboard, the Okta or Google Workspace export, the AWS or GCP IAM tree, the GitHub audit log, the Jira change management history, the HRIS onboarding and offboarding feed, the SaaS subscription list, the vendor register, the policy library, and the auditor PBC list to a fractional AI agent that runs on a daily cadence with per-event triggers. The agent does the work a GRC analyst, a security program manager, and a compliance operations lead would do together. The cadence is daily on the PBC list, per-event on access and change, quarterly on the review cycle, and per-vendor on the risk register.

Every access review pulled live, not screenshotted. The production admin list, the AWS IAM policy tree, the GitHub org membership, and the Google Workspace admin roles get pulled on the 1st of the quarter against the HRIS active roster. The two contractors who kept production access in November surface on the December 1st review, not in the auditor gap letter in July. Same shape as the lead routing function on the sales side, run on the security side.

Every change management event tied to a ticket, an approval, and a deploy log. The June deploy with the ticket in Jira, the approval in Slack, and the log in CloudWatch gets stitched into one evidence packet the day it ships. The auditor gets a live link, not a screenshot of a Slack thread. The 34 Friday follow-ups collapse to four.

Every new vendor scored inside a day of the first invoice. The finance team logs a SaaS line on the 22nd. The vendor risk questionnaire goes out on the 23rd with the SOC 2 report request, the DPA link, and a scoping call scheduled. The May pipeline SaaS gap does not repeat in November.

PBC items tracked against a three-day clock. The agent watches every open item against the observation window close date. Any item past day three triggers a Monday brief for the security lead with the specific blocker, the control family, and a draft response. The 214-item list resolves into six workstreams on a Monday morning.

Policy drift caught between audits, not during them. The agent watches the pricing page, the DPA template, the customer MSA, and the internal policy set against the SOC 2 trust services criteria. Any policy that goes 180 days without a review triggers a routed request to the owner. The auditor stops flagging stale policies as observations.

Glowing indigo access nodes flowing through translucent control gates with one amber node stalled at a contractor deprovision fork and pink audit threads branching to a live evidence shelf

The unit economics of a screenshot folder

A Series B company at $19M ARR running a Type 2 audit is burning three specific things. The security lead, the head of IT, the head of engineering, and the fractional CISO spend a combined 70 to 120 hours a month on evidence collection against a fully loaded hour of $180 to $340. That is $13K to $40K a month of senior time on work a live pull covers. Ten to fifteen hours a week come back inside the first sprint.

The auditor bill is the second line. A clean PBC list closes in one round. A messy list runs three rounds with 34 follow-ups per round at $300 to $500 an hour of auditor time. The bill delta between a clean audit and a scrambling audit runs $18K to $45K on a Type 2 report. The observation gaps that land in the report cost more. One flagged access review is a two-slide conversation on every enterprise diligence call for the next twelve months.

The deal cycle is the third line. A SOC 2 report with two observations lands in the security review of every seven-figure prospect. Each observation adds three to seven days to the security questionnaire cycle. On a company shipping $470K in monthly new ARR and running six active enterprise deals, a five-day slip across two flagged controls costs $30K to $80K in slipped MRR. Multiply across the four quarters the report is valid and the observation cost compounds.

A 14-day sprint to stand up the agent runs in the low to mid five figures. Ongoing cost lands closer to one contractor than a GRC hire. Live access pulls land in week one. The vendor risk queue clears in week two. The PBC dashboard runs against a live clock before the sprint closes.

What changes after the sprint

Picture the same Wednesday the 12th, 8:41 AM moment, thirty days after the sprint ships. The security lead opens the PBC dashboard. 214 items requested. 198 closed. Twelve open, all inside the three-day window. Four routed to control owners with the specific artifact named. Zero screenshots older than 30 days. The two November contractors surfaced on the December 1st review and deprovisioned the same day.

By the 20th the auditor confirms one round of follow-ups instead of three. The change management packet for the June deploy pulls in one click with the Jira ticket, the Slack approval, and the CloudWatch log stitched. The vendor risk register shows every SaaS line onboarded in the last quarter with a signed DPA and a completed questionnaire. The report ships on the 28th with zero observations. The security review on the next enterprise deal closes in four days instead of eleven.

If your SOC 2 evidence currently lives in a Google Drive folder with 63 screenshots from last September and a checklist the security lead opens the week before the auditor call, the version where every access review pulls live and no PBC item sits past day three is fourteen days away. Compliance is a function. You can hire against it, you can retain a fractional CISO for it, or you can scope a sprint and have it running this month. The work is the same. The math is not.

// Related notes