IAM Maturity Assessment for SOC 2
SOC 2 reports on a service organization’s controls against the AICPA Trust Services Criteria. The CC6 logical access series covers access provisioning, authentication, and removal, and a Type II report tests operating effectiveness over a period of time rather than at a point in time.
- Maturity threshold
- 2.5 / 4.0
- Mapped questions
- 25
- IAM domains
- 9
- Assessment scope
- All scopes
What SOC 2 Expects from Identity Programs
The identity-relevant themes below reflect the AXIS capabilities mapped to SOC 2 citations in the question bank. They paraphrase where identity fits, not the legal text itself.
- Logical access provisioning, authorization, and timely removal across systems in scope
- Authentication controls, including MFA and session integrity for workforce access
- Privileged access management and monitoring of administrative activity
- Evidence that access controls operate consistently over the audit period
AXIS Questions Mapped to SOC 2
25 of the 37 questions in the AXIS bank carry SOC 2 citations, including 5 domino controls (foundational capabilities that cap the overall score when weak).
| Question | Domain | Capability | SOC 2 references |
|---|---|---|---|
| IGA-02 | IGA | Access Requests & Approvals | SOC 2 CC6.2 |
| IGA-03 | IGA | Access Reviews & Recertification | SOC 2 CC6.3 |
| PAM-02 Domino | PAM | Secrets Management (Non-Human & Application Credentials) | SOC 2 CC6.1 |
| PAM-03 | PAM | Endpoint Privilege & Local Admin Control | SOC2 CC6.2 |
| PAM-04 | PAM | Just-In-Time (JIT) Cloud & Infrastructure Access | SOC2 CC6.1 |
| PAM-05 | PAM | Session Management and Recording | SOC2 CC7.2 |
| AUTH-01 Domino | Auth/SSO | Adaptive MFA | SOC2 CC7.2 |
| AUTH-02 | Auth/SSO | Single Sign-On (SSO) Coverage & Enforcement | SOC2 CC6.1 |
| AUTH-03 | Auth/SSO | Device Trust & Zero Trust Enforcement | SOC2 CC6.6 |
| AUTH-05 | Auth/SSO | Account Recovery & Identity Verification Resistance | SOC2 CC6.2 |
| CLOUD-01 Domino | Cloud | Multi-Cloud Permission Management (CIEM) | SOC2 CC6; SOC2 CC6.3; SOC2 CC7.1 |
| CLOUD-02 | Cloud | Non-Human Identity (NHI) Governance | SOC2 CC6.1; SOC2 CC6.8 |
| CLOUD-03 | Cloud | SaaS Application Discovery & Shadow IT Control | SOC2 CC6.6; SOC2 CC9.2 |
| CLOUD-04 | Cloud | Infrastructure-as-Code (IaC) IAM Guardrails & Drift Control | SOC2 CC7.1 |
| CLOUD-05 | Cloud | AI Agent Identity Governance | SOC2 CC6.1 |
| SEC-01 Domino | Security | Identity Threat Detection & Response (ITDR) | SOC2 CC7.2; SOC2 CC7.3; SOC2 CC7 |
| SEC-03 | Security | User Behavioral Analytics (UBA) | SOC2 CC7.2 |
| SEC-04 | Security | Data Security Posture & Identity-to-Data Risk Mapping (DSPM) | SOC2 CC6.1 |
| SEC-05 | Security | Identity Posture & Attack-Surface Management (ISPM) | SOC2 CC7.1 |
| GOV-01 Domino | Governance | Identity Data Ownership | SOC2 CC6.2 |
| GOV-02 | Governance | IAM Metrics, Risk & Executive Visibility | SOC 2 CC3.2 |
| GOV-03 | Governance | IAM Policy Definition, Enforcement & Drift Control | SOC 2 CC5.1 |
| CIAM-04 | CIAM | B2B Delegated Administration & Partner Identity | SOC2 CC6.2 (Access Authorization) |
| CIAM-DATA-01 | CIAM × Data | Customer Access-to-Data Visibility & Impact Control | SOC2 CC6.6 |
| CIAM-PAM-01 | CIAM × PAM | Customer-Admin Privilege Governance | SOC2 CC6.1; SOC2 CC6.2 |
How AXIS Scores SOC 2 Alignment
A threshold model: each mapped control either meets the SOC 2 maturity bar or it does not, and the alignment percentage is the share that does.
Threshold: 2.5 of 4.0
Each framework in AXIS carries a research-derived maturity threshold (Methodology Section 7.2). For SOC 2, a mapped control counts as passing when its answered maturity level reaches 2.5: documented and consistently enforced. The alignment percentage is the share of mapped controls at or above that bar.
Citations live on individual answer options, so the exact set of controls counted for SOC 2 in a given assessment reflects the answers selected. The table above lists every question whose answer options carry SOC 2 citations.
80%+
Aligned
60-79%
At Risk
<60%
Non-Compliant
Scope and Industry Awareness
SOC 2 appears in every assessment scope: workforce, customer identity (CIAM), and full.
It is shown for all assessed industries, so it appears in every compliance matrix where enough of its controls are answered.
Indicative Alignment, Not Certification
This page describes how the AXIS assessment maps its question bank to SOC 2 Type II. Alignment scores are indicative: they are not a certification, an audit opinion, or legal advice. Whether and how SOC 2 applies depends on your organization, sector, and jurisdiction; consult qualified counsel or auditors for formal compliance determinations.
See Where You Stand Against SOC 2
Run the AXIS assessment and get your maturity score, SOC 2 alignment, and a prioritized roadmap in one pass. No signup required to start.