Standards & Certifications

IAM Maturity Assessment for SOC 2

SOC 2 reports on a service organization’s controls against the AICPA Trust Services Criteria. The CC6 logical access series covers access provisioning, authentication, and removal, and a Type II report tests operating effectiveness over a period of time rather than at a point in time.

Maturity threshold
2.5 / 4.0
Mapped questions
25
IAM domains
9
Assessment scope
All scopes
Identity Expectations

What SOC 2 Expects from Identity Programs

The identity-relevant themes below reflect the AXIS capabilities mapped to SOC 2 citations in the question bank. They paraphrase where identity fits, not the legal text itself.

  • Logical access provisioning, authorization, and timely removal across systems in scope
  • Authentication controls, including MFA and session integrity for workforce access
  • Privileged access management and monitoring of administrative activity
  • Evidence that access controls operate consistently over the audit period
Question Mapping

AXIS Questions Mapped to SOC 2

25 of the 37 questions in the AXIS bank carry SOC 2 citations, including 5 domino controls (foundational capabilities that cap the overall score when weak).

AXIS assessment questions mapped to SOC 2, with domain, capability, and framework references
QuestionDomainCapabilitySOC 2 references
IGA-02IGAAccess Requests & ApprovalsSOC 2 CC6.2
IGA-03IGAAccess Reviews & RecertificationSOC 2 CC6.3
PAM-02
Domino
PAMSecrets Management (Non-Human & Application Credentials)SOC 2 CC6.1
PAM-03PAMEndpoint Privilege & Local Admin ControlSOC2 CC6.2
PAM-04PAMJust-In-Time (JIT) Cloud & Infrastructure AccessSOC2 CC6.1
PAM-05PAMSession Management and RecordingSOC2 CC7.2
AUTH-01
Domino
Auth/SSOAdaptive MFASOC2 CC7.2
AUTH-02Auth/SSOSingle Sign-On (SSO) Coverage & EnforcementSOC2 CC6.1
AUTH-03Auth/SSODevice Trust & Zero Trust EnforcementSOC2 CC6.6
AUTH-05Auth/SSOAccount Recovery & Identity Verification ResistanceSOC2 CC6.2
CLOUD-01
Domino
CloudMulti-Cloud Permission Management (CIEM)SOC2 CC6; SOC2 CC6.3; SOC2 CC7.1
CLOUD-02CloudNon-Human Identity (NHI) GovernanceSOC2 CC6.1; SOC2 CC6.8
CLOUD-03CloudSaaS Application Discovery & Shadow IT ControlSOC2 CC6.6; SOC2 CC9.2
CLOUD-04CloudInfrastructure-as-Code (IaC) IAM Guardrails & Drift ControlSOC2 CC7.1
CLOUD-05CloudAI Agent Identity GovernanceSOC2 CC6.1
SEC-01
Domino
SecurityIdentity Threat Detection & Response (ITDR)SOC2 CC7.2; SOC2 CC7.3; SOC2 CC7
SEC-03SecurityUser Behavioral Analytics (UBA)SOC2 CC7.2
SEC-04SecurityData Security Posture & Identity-to-Data Risk Mapping (DSPM)SOC2 CC6.1
SEC-05SecurityIdentity Posture & Attack-Surface Management (ISPM)SOC2 CC7.1
GOV-01
Domino
GovernanceIdentity Data OwnershipSOC2 CC6.2
GOV-02GovernanceIAM Metrics, Risk & Executive VisibilitySOC 2 CC3.2
GOV-03GovernanceIAM Policy Definition, Enforcement & Drift ControlSOC 2 CC5.1
CIAM-04CIAMB2B Delegated Administration & Partner IdentitySOC2 CC6.2 (Access Authorization)
CIAM-DATA-01CIAM × DataCustomer Access-to-Data Visibility & Impact ControlSOC2 CC6.6
CIAM-PAM-01CIAM × PAMCustomer-Admin Privilege GovernanceSOC2 CC6.1; SOC2 CC6.2
Scoring Model

How AXIS Scores SOC 2 Alignment

A threshold model: each mapped control either meets the SOC 2 maturity bar or it does not, and the alignment percentage is the share that does.

Threshold: 2.5 of 4.0

Each framework in AXIS carries a research-derived maturity threshold (Methodology Section 7.2). For SOC 2, a mapped control counts as passing when its answered maturity level reaches 2.5: documented and consistently enforced. The alignment percentage is the share of mapped controls at or above that bar.

Citations live on individual answer options, so the exact set of controls counted for SOC 2 in a given assessment reflects the answers selected. The table above lists every question whose answer options carry SOC 2 citations.

80%+

Aligned

60-79%

At Risk

<60%

Non-Compliant

Scope and Industry Awareness

SOC 2 appears in every assessment scope: workforce, customer identity (CIAM), and full.

It is shown for all assessed industries, so it appears in every compliance matrix where enough of its controls are answered.

Indicative Alignment, Not Certification

This page describes how the AXIS assessment maps its question bank to SOC 2 Type II. Alignment scores are indicative: they are not a certification, an audit opinion, or legal advice. Whether and how SOC 2 applies depends on your organization, sector, and jurisdiction; consult qualified counsel or auditors for formal compliance determinations.

See Where You Stand Against SOC 2

Run the AXIS assessment and get your maturity score, SOC 2 alignment, and a prioritized roadmap in one pass. No signup required to start.