Most startups treat SOC 2 as a documentation exercise separate from engineering. It doesn't have to be. The controls auditors look for (change management, access control, vulnerability detection, monitoring) map almost directly to what a well-run CI/CD pipeline already does.
Source: [HackerNoon](https://hackernoon.com/soc-2-controls-as-code-how-to-bake-compliance-into-your-cicd-pipeline?source=rss)