The Integrity Framework

Buyer’s guide

How to vet AI tools when SOC 2 does not apply

To vet an AI tool that does not have SOC 2, vet on publicly verifiable artifacts: a public INTEGRITY.md self-mapping against The Integrity Framework, a versioned methodology page, a transparent changelog, named operators, and a real privacy policy. The directory at theintegrityframework.org indexes products that have done this with tier badges you can verify yourself. The seven steps below take about 30 minutes per tool.

The seven steps

  1. Confirm the product is sub-enterprise

    Pricing under roughly $5K ARR per buyer, contract length under 12 months, decision made by a single team lead or department head. If procurement is not in the room, the SOC 2 playbook is the wrong rubric. You are in the segment The Integrity Framework was published for.

  2. Look for an INTEGRITY.md

    Check the repo root, the marketing site at /integrity.md, and the trust or security page. A reachable file at a stable URL means the founder has already done the self-mapping work. See /integrity-md for the format and a worked example.

  3. Verify the tier badge

    Bronze means all six Layer 1 vetoes self-mapped honestly. Silver adds either a green integrity-cli run or a versioned methodology page. Pull the listing from the directory and confirm the artifact links resolve.

  4. Walk the six Layer 1 vetoes yourself

    Even with a published INTEGRITY.md, the buyer’s job is to confirm the self-mapping is honest. Five minutes per veto: artifact-vs-outcome, independence, verifiability, AI accountability, pricing-rigor alignment, the TechCrunch test. Write the gaps in your own notes; those notes are your audit trail later.

  5. Spot-check the linked artifacts

    Click every URL in the INTEGRITY.md. Repos should resolve. Methodology pages should load with dates on the changelog. If anything 404s, the verifiability claim is weak and the directory should know; use the listing’s dispute path.

  6. Match pricing to claimed rigor

    Enterprise pricing on a self-attested artifact is a fail (Veto 5). Sub-enterprise pricing on artifacts that imply enterprise rigor is also a fail. The pricing page should be reachable without a demo. Hidden pricing is itself a TechCrunch-test risk.

  7. Buy or escalate

    If steps 1-6 pass, the tool is vetted to the standard this segment supports. If a Layer 1 veto fails, escalate the specific veto to the vendor in writing and decide based on the response. The framework gives you specific language; vague concerns get vague answers.
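As an added example (not code from The Integrity Framework project), a small Python script that automates the checklist above: step 1's sub-enterprise test, the link spot-check of step 5, and the tier and escalation decision of steps 3, 6 and 7. The INTEGRITY.md line format, the sample file and the URL status table are constructed assumptions for this example; the real format is documented at /integrity-md.

```python
import re

# Constructed sample, not a real INTEGRITY.md; the "Veto N name: pass|gap URL" line format
# is an assumption made for this example (the real format is documented at /integrity-md).
SAMPLE_INTEGRITY_MD = """\
Veto 1 artifact-vs-outcome: pass https://example.com/methodology
Veto 2 independence: pass https://example.com/about
Veto 3 verifiability: pass https://github.com/example/tool
Veto 4 ai-accountability: pass https://example.com/changelog
Veto 5 pricing-rigor-alignment: pass https://example.com/pricing
Veto 6 techcrunch-test: gap https://example.com/trust
"""

# Constructed stand-in for live HTTP checks so the example runs offline;
# in real use, issue a HEAD/GET per URL and record the status code.
FAKE_STATUS = {
    "https://example.com/methodology": 200, "https://example.com/about": 200,
    "https://github.com/example/tool": 200, "https://example.com/changelog": 200,
    "https://example.com/pricing": 404, "https://example.com/trust": 200,
}
VETO_RE = re.compile(r"^Veto ([1-6]) [\w-]+: (pass|gap) (\S+)$", re.M)
URL_RE = re.compile(r"https?://[^\s)]+")

def is_sub_enterprise(arr_per_buyer, contract_months):
    """Step 1: under roughly $5K ARR and under 12 months means the framework applies."""
    return arr_per_buyer < 5000 and contract_months < 12

def parse_vetoes(text):
    """Return {veto_number: (self_mapped_status, artifact_url)} for the six Layer 1 vetoes."""
    return {int(n): (status, url) for n, status, url in VETO_RE.findall(text)}

def broken_links(text, resolve):
    """Step 5: every URL in the file must resolve; anything non-2xx weakens verifiability (Veto 3)."""
    return sorted(u for u in set(URL_RE.findall(text)) if resolve(u) // 100 != 2)

def vet(text, resolve, pricing_reachable=True, cli_green=False, methodology_versioned=False):
    """Steps 2-7: return the tier the artifacts support and the vetoes to escalate in writing."""
    vetoes = parse_vetoes(text)
    escalate = {n for n, (status, _) in vetoes.items() if status != "pass"}
    escalate |= set(range(1, 7)) - set(vetoes)   # vetoes never self-mapped are gaps too
    dead = broken_links(text, resolve)
    if dead:
        escalate.add(3)                           # a 404 means the verifiability claim is weak
    if not pricing_reachable:
        escalate.add(6)                           # hidden pricing is a TechCrunch-test risk
    if escalate:
        tier = None                               # a Layer 1 veto failed: escalate, do not buy
    else:
        tier = "Silver" if (cli_green or methodology_versioned) else "Bronze"
    return {"tier": tier, "escalate": sorted(escalate), "dead_links": dead}

if __name__ == "__main__":
    print(vet(SAMPLE_INTEGRITY_MD, lambda u: FAKE_STATUS.get(u, 404)))
```

Run against the constructed sample it reports no tier, Veto 3 and Veto 6 to escalate, and the dead pricing URL; swap the resolver for real HTTP calls to use it on a live INTEGRITY.md.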

Red flags that cost a buyer six months

  • An AI feature with no audit trail or labeling. If the product writes decisions, summaries, or recommendations on behalf of the buyer and there is no way to inspect what it did, Veto 4 fails.
  • “Enterprise security” with no SOC 2 link. The phrase without the artifact is a Veto 1 fail: selling the artifact (security) without delivering it.
  • Hidden pricing. “Contact us” on a $20-200/month product is a Veto 5 mismatch unless every customer is on a custom contract, which the segment economics make implausible.
  • A trust page that lists certifications the company does not actually hold. Veto 6 territory. Cross-check every named certification against the issuing body’s public directory.
  • Anonymous or unreachable operators. An LLC with no named principal, no LinkedIn, and no contact path is a Veto 2 fail by default.

If no tools in the category are listed yet

Two moves. First, ask the vendor: pointing them at theintegrityframework.org and asking when they will publish their INTEGRITY.md is a free signal that you, the buyer, expect this surface. Vendors who care about trust will write one; vendors who do not will not, and that is also useful information.

Second, use the framework as a vetting rubric yourself. Walk the six Layer 1 vetoes against the product’s public artifacts and write the gaps down. The framework is forkable under CC BY 4.0; the rubric works the same way whether the vendor has self-mapped or not.

Frequently asked questions

How do you vet an AI tool that does not have SOC 2?
For sub-enterprise AI tools — the segment where SOC 2 audits are too expensive and the wrong shape — vet on publicly verifiable artifacts: a public INTEGRITY.md self-mapping against The Integrity Framework, a versioned methodology page, a transparent changelog, named operators, and a real privacy policy. The directory at theintegrityframework.org indexes products that have done this, with tier badges buyers can verify themselves.
What is The Integrity Framework?
A published standard for product trustworthiness aimed at sub-enterprise AI tools where SOC 2 does not apply. Founders self-map their product against six Layer 1 vetoes, post a public INTEGRITY.md, and the directory at theintegrityframework.org publishes them with a Bronze or Silver tier badge. Free and CC BY 4.0.
What red flags should I watch for when vetting an AI tool?
Five recurring ones: (1) An AI feature with no audit trail or labeling. (2) A pricing page that hides per-seat or per-token math behind “demo only”. (3) Marketing claims of “enterprise security” with no SOC 2 or equivalent artifact. (4) A trust page that lists certifications the company does not actually hold. (5) Operators who are anonymous or unreachable. Each of these maps to a Layer 1 veto in The Integrity Framework.
Is INTEGRITY.md a substitute for SOC 2 in my vendor review?
No. SOC 2 remains the right artifact for service organizations at enterprise spend levels with regulated data flows. INTEGRITY.md is the right artifact for the segment SOC 2 prices out — $20-$200/month products that one team buys without procurement. Most departmental AI purchases live in that segment, not the SOC 2 segment, and vetting them like SOC 2 vendors produces a quiet failure mode: the team buys anyway, just without any artifact at all.
How long should an AI tool vetting take?
For a sub-enterprise tool with a published INTEGRITY.md and a listing in the directory: 15-30 minutes. For one without an INTEGRITY.md: it depends on how much surface the buyer needs to assemble themselves — typically 1-2 hours of reading the privacy policy, the security page, the changelog, and the operator background. The framework exists so that the 1-2 hour assembly job is done once by the vendor, not repeatedly by every buyer.
What if no AI tools in my category have an INTEGRITY.md yet?
Two practical moves. (1) Ask the vendor: pointing them at theintegrityframework.org and asking when they will publish their INTEGRITY.md is a free signal that you, the buyer, expect this surface. (2) Use the framework yourself as a vetting rubric — walk the six Layer 1 vetoes against the product’s public artifacts and write the gaps down. The framework is forkable; the rubric works the same way whether the vendor has self-mapped or not.
Where do I report an AI tool that fails the TechCrunch test?
For products listed in the directory at theintegrityframework.org, listings have a public dispute path on each listing page; quarterly re-scans reflect changes. For unlisted products, the framework spec is CC BY 4.0 and can be cited in your own vendor-review documentation; the directory does not run a global complaint-handling service.