jordigg 4 hours ago

SOC 2 is mostly about proving you do what your policies say, and there’s more flexibility than people think.

For small teams it doesn’t have to be heavyweight. A risk register can be a simple doc with a few real risks and mitigations.

That said, I agree there’s a lot of theater. For smaller companies and budgets, it often turns into rubber stamping. Auditors rely on the evidence you provide, so the report can look much cleaner than day to day reality.

Still, it has value. It forces you to formalize basic practices, and if you want those customers, you’re signing up for that level of scrutiny.