mkl95 a day ago
I've worked with SOC2-certified companies where employees would email each other plaintext credentials, publish them in Notion pages, etc. You cannot cure stupidity by "complying".

tptacek a day ago
There's no particular reason anyone's SOC2 DRL would cover "make sure people don't email credentials". It's not a technical certification.