
ChatGPT Business or a Custom Workflow for SOC 2 Evidence Collection?

An auditor will ask where each screenshot came from. Here is how a 50-300 person company decides if evidence collection belongs in ChatGPT Business or a built workflow.

Figure 01: security, finance, and operations checking compliance evidence lineage before deciding where AI belongs.
Answer summary

Short answer: An auditor will ask where each screenshot came from. Here is how a 50-300 person company decides if evidence collection belongs in ChatGPT Business or a built workflow.
Best fit: Small and mid-market companies. Function: security and compliance.
Operating path: AI Vendor and Build-vs-Buy -> AI Transformation
Key metric: Trace control evidence linked to source, owner, and exception status.

The Question an Auditor Actually Asks

Picture the Tuesday three weeks before your SOC 2 Type II fieldwork. A control owner pastes an access-review export into ChatGPT, asks it to summarize who has admin rights, and drops the tidy paragraph into the evidence folder. It reads beautifully. It is also worthless to the auditor, because nobody can say which console the export came from, what date it was pulled, or whether anyone with authority looked at it before it became "evidence."

That gap is the whole game. Compliance evidence collection is not a writing task that happens to involve compliance words. It is a chain-of-custody task: a SOC 2 audit file in a 50-300 person company pulls from your identity provider, cloud configuration exports, ticketing system, policy approval records, and control-owner attestations, and an auditor will test whether each artifact traces back to a real source on a real date. A general assistant can phrase the control language. It cannot, on its own, preserve that lineage across five systems.

The broad adoption numbers are real and worth using as pressure to fix the workflow, not as cover to automate the audit file. RSM's middle-market research, the San Francisco Fed's small-business analysis, and the OECD's SME adoption report converge on one practical point: AI pays off when it is bolted to accountable work and clean data. For evidence collection that means your control matrix, evidence repository, IdP, cloud console, and ticket system each need a named owner before AI touches any of them.

Where the Line Sits: Drafting vs. Custody

Run a simple test on every task you are tempted to hand the AI. Does the output need to survive an auditor asking "prove it"? If no, ChatGPT Business is fine and often genuinely useful. OpenAI describes ChatGPT Business as a shared workspace with admin controls, and its enterprise privacy commitments cover business data handling. So let it draft the evidence-request email to a control owner, rewrite a vague policy statement into clean control language, or summarize what SOC 2 CC6.1 expects so a new hire understands it. None of that enters the audit trail as proof.

The line gets crossed the moment the artifact itself must be assembled from systems of record without a human pasting screenshots into a chat box. That is when you build. A custom workflow makes the control matrix the organizing spine: every artifact is tagged to a specific control, stamped with the source system and pull date, flagged as current or stale, carried with the reviewer's comment, and — critically — annotated with a reason code when a piece of evidence is rejected. The model can narrate the packet. Deterministic logic, not a probabilistic answer, decides what is allowed into the file.

This is where two frameworks earn their place. Use the NIST AI Risk Management Framework to write down the intended use, the named reviewer, and the monitoring plan for this specific evidence workflow before you ship it. Use CISA's AI data-security guidance to govern how the workflow reaches employee, infrastructure, and customer records — because an access-review export is the kind of sensitive data you do not want flowing through an unscoped prompt. The non-negotiable rule: an AI-generated sentence does not become evidence unless its source, its permission check, and a human signoff travel attached to it.

Figure 02: Compliance evidence workflow showing control matrix sources, reviewer signoff, exception log, and audit packet assembly.

Let the Rejection Rate Make the Call

Here is the metric that settles the build-vs-buy debate, and it is not prompt quality. It is your evidence rejection rate — the share of artifacts an auditor or internal reviewer kicks back as stale, unsourced, or unsupported. Deloitte's State of AI in the Enterprise 2026 is useful precisely because it pushes attention toward production value over pilot theater, and in evidence work production value is concrete: fewer kicked-back artifacts, faster control-owner turnaround, cleaner source lineage, less scramble during fieldwork.

So run the pilot and watch four numbers: evidence rejection rate, control-owner response time, packet completeness against the control matrix, and how many exceptions escalate to security or finance. If ChatGPT Business makes your evidence requests sharper but the same people are still hunting through the same folders and the rejection rate hasn't moved, you have a writing aid — keep it as one and stop pretending otherwise. If the real bottleneck is retrieval, reviewer assignment, or assembling the packet itself, that is the signal to build the controlled workflow.
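The custody gate described above (control tag, source system, pull date, staleness, reviewer signoff, reason code on rejection) and the pilot numbers it feeds can be expressed as a few lines of deterministic logic. The following is an added example, not code from the original article: the artifact fields, the 90-day staleness window, the reason codes, and the sample artifacts are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_AGE_DAYS = 90  # assumed staleness window; set it to match the audit period

@dataclass
class Artifact:
    control: str             # control id from the matrix, e.g. "CC6.1"
    source_system: str       # system of record it was pulled from ("" = unknown)
    pull_date: date          # date the export was taken
    reviewer: Optional[str]  # named human who signed off, or None
    note: str = ""           # reviewer comment travels with the artifact

def admission_reason(a: Artifact, controls: set[str], as_of: date) -> Optional[str]:
    """Deterministic gate: a reason code if rejected, None if admitted to the file."""
    if a.control not in controls:
        return "UNMAPPED_CONTROL"
    if not a.source_system:
        return "UNSOURCED"          # e.g. a chat summary with no console behind it
    if (as_of - a.pull_date).days > MAX_AGE_DAYS:
        return "STALE"
    if a.reviewer is None:
        return "NO_SIGNOFF"
    return None

def assemble_packet(artifacts: list[Artifact], controls: set[str], as_of: date) -> dict:
    """Split artifacts into the packet and an exception log; report the pilot metrics."""
    accepted, exceptions = [], []
    for a in artifacts:
        reason = admission_reason(a, controls, as_of)
        if reason is None:
            accepted.append(a)
        else:
            exceptions.append((a, reason))   # reason code stays attached to the artifact
    covered = {a.control for a in accepted}
    return {
        "accepted": accepted,
        "exceptions": exceptions,
        "rejection_rate": len(exceptions) / len(artifacts) if artifacts else 0.0,
        "uncovered_controls": sorted(controls - covered),  # packet completeness gap
    }

CONTROLS = {"CC6.1", "CC6.2", "CC6.3", "CC7.2"}  # constructed subset of a control matrix
AS_OF = date(2026, 3, 1)
SAMPLE = [  # constructed artifacts, not from any real audit file
    Artifact("CC6.1", "okta", date(2026, 2, 19), "alice", "admin list matches HR roster"),
    Artifact("CC6.1", "", date(2026, 2, 19), "alice"),        # pasted summary, no source
    Artifact("CC6.2", "aws-iam", date(2025, 11, 1), "bob"),   # older than the window
    Artifact("CC6.3", "jira", date(2026, 2, 24), None),       # pulled but never reviewed
]

def run_example() -> dict:
    return assemble_packet(SAMPLE, CONTROLS, AS_OF)
```

The rejection rate and the uncovered-controls list are the two numbers a pilot should watch; if a drafting aid changes neither, the bottleneck was never the writing.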

Start narrow on Monday: pick one control family where audit rework is already painful — access management is usually the bleeding one — and map exactly how its evidence gets sourced today. We would sequence the rest through scoring the manual work worth fixing and a focused 90-day implementation plan: clean the source path for that one control, test low-risk summaries, prototype packet assembly, and expand only after a control owner can point at the screen and say what got more trustworthy. Whatever you decide, write down the reason — kept in ChatGPT Business, built custom, or paused for source cleanup — and let the rejection rate be the evidence on record.

Sources

1. OpenAI Help Center: What is ChatGPT Business?
2. OpenAI enterprise privacy and business data controls
3. NIST AI Risk Management Framework
4. CISA AI data security best practices
5. OECD AI adoption by small and medium-sized enterprises
6. RSM middle-market AI survey
7. San Francisco Fed analysis of AI and small businesses
8. Deloitte State of AI in the Enterprise 2026