CC9 stopped being a questionnaire. It is a sample, now.
The AICPA's Common Criteria 9 (Risk Mitigation) was, until 2024, the section of a SOC 2 that most clients answered with a vendor list and a screenshot of an annual review meeting. In 2026, three of the five auditors we field with treat CC9 as a sampled control. They will pick three to five vendors at random and ask for: the dated risk assessment, the contractual evidence of the security commitment, and the monitoring artifact that proves the commitment held.
The pattern hardened after a series of 2024 third-party-incident reports (most prominently the file-transfer and identity-broker breaches) that surfaced in finding letters six months later. Auditors are no longer willing to opine that vendor risk is managed without sampling whether it actually is.
(1) Inventory with classification tier.
(2) Dated risk assessment per tier.
(3) Contractual evidence (DPA, BAA, security addendum), keyed to tier.
(4) Monitoring evidence within the period: SOC 2 letter received and reviewed, breach notice tracked, attestation refreshed.
(5) Off-boarding evidence for the vendors that exited.
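One way to rehearse the sampled CC9 walk-through before the auditor does it: draw a random sample from the vendor inventory and reconstruct the five-part trail for each pick. The script below is an added example written for this article, not code from the firm or from the AICPA; the record layout, the tier-to-contract mapping, the rule that the risk assessment and at least one monitoring artifact must be dated inside the audit period, and the inventory itself are all constructed assumptions.

```python
"""Reconstruct the CC9 evidence trail for a random vendor sample.

Added example for this article. The Vendor layout, REQUIRED_CONTRACTS,
the in-period rules and the INVENTORY records are constructed assumptions.
"""
import random
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

# Assumption: which contractual artifacts each classification tier requires.
REQUIRED_CONTRACTS = {
    1: {"DPA", "security_addendum"},  # tier 1: processes customer or regulated data
    2: {"security_addendum"},         # tier 2: access to internal systems, no customer data
    3: set(),                         # tier 3: no data or system access
}

@dataclass
class Vendor:
    name: str
    tier: int
    risk_assessed_on: Optional[date]                 # dated risk assessment, None if never done
    contracts: Set[str] = field(default_factory=set)
    monitoring: List[Tuple[date, str]] = field(default_factory=list)  # (date, artifact)
    exited_on: Optional[date] = None
    offboarding_evidence: bool = False

def within(d: Optional[date], start: date, end: date) -> bool:
    return d is not None and start <= d <= end

def cc9_gaps(v: Vendor, start: date, end: date) -> List[str]:
    """Return the CC9 artifacts missing for one vendor; an empty list means the trail is complete."""
    gaps = []
    # (2) dated risk assessment: assumption is that it must fall inside the audit period
    if not within(v.risk_assessed_on, start, end):
        gaps.append("no_dated_risk_assessment")
    # (3) contractual evidence keyed to tier
    for missing in sorted(REQUIRED_CONTRACTS[v.tier] - v.contracts):
        gaps.append(f"missing_contract:{missing}")
    # (4) at least one monitoring artifact dated inside the period (assumption: tier 3 exempt)
    if v.tier <= 2 and not any(within(d, start, end) for d, _ in v.monitoring):
        gaps.append("no_monitoring_artifact_in_period")
    # (5) off-boarding evidence for vendors that exited during the period
    if within(v.exited_on, start, end) and not v.offboarding_evidence:
        gaps.append("no_offboarding_evidence")
    return gaps

def audit_sample(inventory: List[Vendor], start: date, end: date, k: int = 3, seed=None):
    """Mimic the auditor: pick k vendors at random and reconstruct each trail."""
    rng = random.Random(seed)
    return {v.name: cc9_gaps(v, start, end) for v in rng.sample(inventory, k)}

# Constructed inventory and audit period.
PERIOD = (date(2025, 1, 1), date(2025, 12, 31))
INVENTORY = [
    Vendor("CloudStorageCo", 1, date(2025, 3, 10), {"DPA", "security_addendum"},
           [(date(2025, 6, 1), "SOC 2 Type II report reviewed")]),
    Vendor("PayrollSaaS", 1, date(2024, 2, 1), {"DPA"}, []),          # stale assessment, no monitoring
    Vendor("OfficeSupplies", 3, date(2025, 1, 15)),
    Vendor("OldMonitoringVendor", 2, date(2025, 2, 1), {"security_addendum"},
           [(date(2025, 4, 2), "attestation refreshed")], exited_on=date(2025, 9, 30)),
]

if __name__ == "__main__":
    for name, gaps in audit_sample(INVENTORY, *PERIOD, k=3, seed=1).items():
        print(f"{name}: {'complete' if not gaps else ', '.join(gaps)}")
```

Run it against the real inventory with a fresh seed each time; every gap it prints is something the auditor's sample can land on, and the stale-assessment and exited-without-offboarding cases are the two that show up most often in practice.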
AI risk is now inside CC3, not next to it.
Through 2024, AI tooling sat in a footnote of CC3 (Risk Assessment), if it appeared at all. Most engagement letters didn't name it. In 2026, every engagement we have run has included a CC3 walk-through with named generative-AI vendors, named retrieval pipelines, and named human-review points. The auditor will ask: where is your inventory of AI systems in scope; what is your risk assessment per system; what changes have you made to your access-review evidence to account for AI-issued tickets and AI-generated approvals.
The shift tracks two things: (1) the AICPA's 2024 update to its risk-assessment guidance, and (2) the parallel pressure from ISO 42001 and the EU AI Act, which give auditors a vocabulary they did not have a year ago.
What this looks like in the field
If you can hand the auditor an inventory of AI systems with role, vendor, data classes, and a dated risk note per system, CC3 closes in one walkthrough. If you cannot, you will spend two weeks producing the inventory the auditor's narrative now requires. Build it before the engagement letter is signed.
Continuous monitoring is the evidence, not the dashboard.
In 2024, "we have continuous monitoring" was a sentence. In 2026, it is a sample. The auditor will pick a control (say, encryption at rest, or access provisioning) and ask the monitoring tool to produce the evidence trail for the entire period. Not the screenshot. The trail.
| Control area | 2024 evidence | 2026 evidence |
|---|---|---|
| Access provisioning | Sampled tickets | Continuous join/move/leave log w/ exceptions |
| Vulnerability management | Quarterly scan report | Period-wide SLA adherence report |
| Encryption | Spot configuration screenshot | Configuration drift log over the period |
| Backup | Sample restore test | Continuous restore-success metric per system |
If your ConMon stack cannot answer for a whole period, it is a 2024 artifact. The 2026 finding letter wants periods, not points in time.
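To make the access-provisioning row concrete: the period-wide artifact is the join/move/leave trail itself, with every exception listed, not a sample of tickets. The script below is an added example for this article, not the firm's tooling or any vendor's product. It assumes a constructed JSON-lines feed with HR events (hire, transfer, termination) and identity-provider events (account_created, role_changed, account_disabled), a 24-hour deprovisioning SLA, and the rule that every join or move must reference a ticket; all of those are assumptions, as is the sample log.

```python
"""Period-wide join/move/leave (JML) evidence trail with exceptions.

Added example for this article. The event schema, the 24-hour disable SLA,
the ticket requirement and SAMPLE_LOG are constructed assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed JSON-lines log: HR system ("hris") and identity provider ("iam") events.
SAMPLE_LOG = """\
{"ts":"2025-02-03T09:00:00Z","source":"hris","type":"hire","user":"amara","approval":"HR-1001"}
{"ts":"2025-02-03T10:12:00Z","source":"iam","type":"account_created","user":"amara","ticket":"IT-2201"}
{"ts":"2025-04-11T08:00:00Z","source":"iam","type":"account_created","user":"contractor7","ticket":null}
{"ts":"2025-06-20T09:00:00Z","source":"hris","type":"transfer","user":"amara","approval":"HR-1043"}
{"ts":"2025-06-20T15:00:00Z","source":"iam","type":"role_changed","user":"amara","from":"dev","to":"sre","ticket":"IT-2390"}
{"ts":"2025-07-02T11:00:00Z","source":"iam","type":"role_changed","user":"ben","from":"dev","to":"admin","ticket":null}
{"ts":"2025-09-30T17:00:00Z","source":"hris","type":"termination","user":"ben"}
{"ts":"2025-10-03T09:00:00Z","source":"iam","type":"account_disabled","user":"ben"}
{"ts":"2025-11-15T17:00:00Z","source":"hris","type":"termination","user":"amara"}
{"ts":"2025-11-15T19:00:00Z","source":"iam","type":"account_disabled","user":"amara"}
{"ts":"2025-12-10T17:00:00Z","source":"hris","type":"termination","user":"carla"}
{"ts":"2026-01-05T09:00:00Z","source":"iam","type":"account_created","user":"dan","ticket":"IT-3001"}
"""

PERIOD_START = datetime(2025, 1, 1, tzinfo=timezone.utc)
PERIOD_END = datetime(2025, 12, 31, 23, 59, 59, tzinfo=timezone.utc)

def parse_events(text):
    """Parse JSON lines into dicts with tz-aware timestamps, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def jml_report(events, start, end, disable_sla=timedelta(hours=24)):
    """Build the period-wide JML trail: counts plus every exception an auditor would flag."""
    in_period = [e for e in events if start <= e["ts"] <= end]
    report = {"joiners": 0, "movers": 0, "leavers": 0, "exceptions": []}
    hired = set()          # users with an HR hire record inside the period
    terminated_at = {}     # user -> termination time, removed once the account is disabled

    def flag(user, issue):
        report["exceptions"].append({"user": user, "issue": issue})

    for e in in_period:
        kind, user = e["type"], e["user"]
        if kind == "hire":
            hired.add(user)
        elif kind == "account_created":
            report["joiners"] += 1
            if user not in hired:
                flag(user, "account_created_without_hr_record")
            if not e.get("ticket"):
                flag(user, "account_created_without_ticket")
        elif kind == "role_changed":
            report["movers"] += 1
            if not e.get("ticket"):
                flag(user, "role_change_without_ticket")
        elif kind == "termination":
            report["leavers"] += 1
            terminated_at[user] = e["ts"]
        elif kind == "account_disabled":
            t = terminated_at.pop(user, None)
            if t is not None and e["ts"] - t > disable_sla:
                hours = int((e["ts"] - t).total_seconds() // 3600)
                flag(user, f"disable_after_sla:{hours}h")
    # Leavers whose account was never disabled before the period closed.
    for user in terminated_at:
        flag(user, "leaver_not_disabled_in_period")
    return report

if __name__ == "__main__":
    print(json.dumps(jml_report(parse_events(SAMPLE_LOG), PERIOD_START, PERIOD_END), indent=2))
```

The output is the artifact in the 2026 column: joiner, mover and leaver counts for the whole period, and the exception list (an account created with no HR record or ticket, a privilege change with no ticket, a leaver disabled 64 hours after termination, a leaver still enabled at period end). If the real stack cannot produce this from its own logs, that is the rehearsal gap to close before the period ends.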
A.5.7: Threat intelligence is now a function, not a feed.
The 2022 revision of ISO 27001 introduced eleven new Annex A controls. Two are now consistently failing in lead-auditor reports: A.5.7 (threat intelligence) and A.5.30 (ICT readiness for business continuity). On A.5.7, lead auditors are no longer accepting "we subscribe to a threat feed." They want the function: who reads the intelligence; how it gets translated into changes; which changes were made in the audit period and what they were.
A defensible A.5.7 file in 2026 contains: a named owner, a documented intake process, a changelog showing intelligence-driven changes per quarter, and a tabletop or exercise where threat intel was the input. Three quarters with no recorded change is itself a finding.
A.5.30: ICT readiness is the control that fails the most right now.
A.5.30 sits at the join of business continuity and IT operations. Most clients we engage with have a BCP document and a DR runbook, both written before the 2022 revision, neither tested in twelve months. The Annex A control wants something different: evidence that your ICT services have a stated continuity objective, that the objective has been tested in the period, and that the test produced corrective actions which closed.
- A continuity objective per service tier (not per system).
- A test that exercises the objective, not the runbook.
- Corrective actions tracked to closure within the audit period.
- Evidence the test included a third-party dependency, the failure mode auditors now look for first.
This is the single control that, in our 2025–2026 engagements, has produced the most major nonconformities. It is also the easiest to remediate before fieldwork, if you start eight weeks out.
What this means for your next audit.
If your last SOC 2 was 2023 or 2024, and your next is 2026, you will walk into five new test areas with no rehearsal. The fixes are not expensive. They are sequencing problems: they take eight to twelve weeks because the artifacts have to accrue inside the audit period, not be retroactively assembled.
Eight weeks before fieldwork: vendor sample
Pre-pull three vendors. Reconstruct the CC9 trail end-to-end for each. Whatever is missing is what your auditor will find missing.
Six weeks before: AI inventory
Name every generative-AI tool in scope. Tier them. Write one paragraph of risk note per tool. CC3 is yours.
Four weeks before: ConMon period query
Ask your monitoring stack to produce a period-wide query for one control. If it can't, you need a rehearsal with the auditor before the period closes.
Two weeks before: A.5.7 changelog
Write the threat-intelligence changelog for the period. If there are no entries, run the tabletop now.
Three positions we are willing to retract.
- If the AICPA publishes 2026 guidance that softens CC9 sampling expectations, the §01 position weakens. Watching for the next TSP 100 update.
- If three of our next five engagements close CC3 without an AI inventory, §02 may be auditor-specific rather than market-wide.
- If A.5.30 stops appearing as a major nonconformity in our portfolio over a four-quarter window, §05 is overcalled.
None of these are likely in 2026. We will say so in print if they prove out.