Your company is preparing for SOC2. The auditors will examine your infrastructure, your access controls, your incident response procedures, and your change management processes. At some point during the audit, someone will ask a question that catches most engineering teams off guard: "How do you control changes to feature flags in production?"
Feature flags modify production behavior without code deployments. They bypass pull request reviews, CI/CD pipelines, and traditional change management gates. From an auditor's perspective, a feature flag toggle is a production change -- and production changes require controls, documentation, and audit trails.
Most engineering organizations have no governance framework for feature flags. In our experience working with companies preparing for SOC2, change management gaps are among the most common findings -- and insufficient controls around feature flags and configuration changes are a frequent contributor. These are not hypothetical risks. They are findings that delay audit completion, increase remediation costs, and in some cases require re-examination.
This guide maps SOC2 Trust Service Criteria to feature flag practices, explains what auditors actually ask, and provides a practical framework for building a flag governance program that satisfies compliance requirements while keeping your engineering team productive.
SOC2 Trust Service Criteria and feature flags
SOC2 is built on five Trust Service Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy. Feature flags intersect with three of these criteria in ways that auditors specifically examine.
CC8.1: Change management
The criterion: The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
How feature flags intersect: A feature flag change in production is a software change. When an engineer toggles a flag from off to on, they are modifying the behavior of production software for some or all users. SOC2 auditors evaluate whether these changes follow the same authorization, testing, and documentation requirements as code deployments.
What auditors look for:
| Control Area | Auditor's Question | What "Good" Looks Like |
|---|---|---|
| Authorization | Who can change flag state in production? | RBAC with explicit production permissions |
| Approval workflow | Are production flag changes reviewed before execution? | Approval required for production environments |
| Testing | Are flag changes tested before reaching production? | Lower environments mirror production flag config |
| Documentation | Is there a record of what changed, when, and why? | Immutable audit log with timestamps and user IDs |
| Rollback capability | Can flag changes be reverted? | Flag history with point-in-time restore |
The gap most teams have: Feature flag changes are treated as operational decisions, not change management events. An engineer can toggle a flag in LaunchDarkly, Split.io, or Unleash without any approval, without any documentation, and without any audit trail beyond the platform's built-in log. For SOC2, this is equivalent to deploying code to production without a pull request review.
CC6.1 and CC6.3: Logical access controls
The criterion: The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events. Access is restricted and modified when conditions warrant.
How feature flags intersect: Feature flags often control access to features, data, and capabilities. A permission flag that gates access to admin functionality is an access control mechanism. If that flag can be modified by anyone with access to the flag management platform, the access control is only as strong as the weakest flag management permission.
What auditors look for:
| Control Area | Auditor's Question | What "Good" Looks Like |
|---|---|---|
| Least privilege | Do all engineers have the same flag permissions? | Tiered permissions: read-only, modify non-prod, modify prod |
| Separation of duties | Can the person who creates a flag also approve it for production? | Different roles for creation and production approval |
| Access review | Are flag management permissions reviewed periodically? | Quarterly access reviews with documented outcomes |
| Service accounts | Do automated systems have appropriate access? | Scoped API keys with minimum necessary permissions |
| Deprovisioning | Are permissions removed when employees leave? | Flag platform integrated with identity provider (SSO/SCIM) |
CC3.1 and CC3.2: Risk assessment
The criterion: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. The entity identifies risks to the achievement of its objectives and analyzes risks as a basis for determining how the risks should be managed.
How feature flags intersect: Stale feature flags are a risk. Every flag in the codebase adds a conditional path that can be toggled, creating a potential vector for unintended behavior changes. Auditors evaluate whether the organization has identified this risk and implemented controls to manage it.
The risk profile of stale flags:
| Risk Category | Description | SOC2 Relevance |
|---|---|---|
| Unintended behavior change | Stale flag toggled accidentally or maliciously | Processing Integrity, Availability |
| Increased attack surface | Flag controls a code path with a vulnerability | Security |
| Compliance drift | Flag bypasses a compliance-required behavior | All criteria |
| Audit complexity | Hundreds of flags make behavior difficult to verify | All criteria |
| Incident response delay | Responders cannot quickly identify flag impact | Availability |
What auditors look for:
- A documented inventory of all active feature flags
- Classification of flags by risk level (does the flag control access, data, or money?)
- A process for reviewing and removing stale flags
- Evidence that the flag inventory is maintained over time (not just a one-time audit)
What auditors actually ask
SOC2 auditors vary in their technical depth, but the questions below represent what a thorough auditor will cover regarding feature flags. Preparing answers and evidence for each of these positions your organization well.
Question set 1: Change management
-
"Describe your process for making changes to feature flag configurations in production." Expected evidence: Documented change management procedure that includes feature flags. This should describe who can make changes, what approvals are required, how changes are tested, and how they are documented.
-
"Show me the audit trail for a production feature flag change from the past 30 days." Expected evidence: An audit log showing the timestamp, the user who made the change, the flag that was changed, the previous state, the new state, and ideally a comment explaining why the change was made.
-
"How do you ensure feature flag changes are tested before reaching production?" Expected evidence: Flag configurations that mirror production in lower environments (staging, QA). Evidence that flag changes are validated in staging before being applied to production.
-
"What is your rollback procedure for a feature flag change that causes an incident?" Expected evidence: Documented incident response procedure that includes feature flag rollback. Evidence of at least one flag rollback with documentation.
Question set 2: Access control
-
"Who has the ability to modify feature flags in your production environment?" Expected evidence: A list of users with production flag modification permissions. This list should be significantly smaller than the total number of users on the flag platform.
-
"How are feature flag platform permissions aligned with your identity provider?" Expected evidence: SSO integration with the flag management platform. SCIM provisioning/deprovisioning. Evidence of access reviews.
-
"Can you demonstrate the approval workflow for a high-risk flag change?" Expected evidence: An approval workflow in the flag platform that requires a second person to approve changes to flags classified as high-risk (payment flags, access control flags, data flags).
Question set 3: Risk management
-
"How many feature flags are currently active in your production environment?" Expected evidence: A current inventory count with the ability to break it down by category, age, and owner. The auditor is checking whether you know the answer, not whether the number is high or low.
-
"What is your process for identifying and removing stale feature flags?" Expected evidence: A documented process that includes periodic review, criteria for staleness, and a cleanup workflow. Evidence that the process is executed regularly (not just documented).
-
"How do you classify feature flags by risk level?" Expected evidence: A classification scheme (e.g., low/medium/high/critical) with criteria for each level. Flags that control access, financial transactions, or data handling should be classified as high or critical.
Building a flag governance program
A flag governance program satisfies SOC2 requirements while providing operational benefits beyond compliance. The framework below covers the five pillars that auditors evaluate.
Pillar 1: Flag inventory and classification
You cannot govern what you cannot see. The foundation of flag governance is a complete, current inventory of all flags in your codebase and your flag management platform.
Inventory requirements:
| Data Point | Purpose | SOC2 Relevance |
|---|---|---|
| Flag key/name | Unique identifier | Audit trail reference |
| Owner | Individual responsible for the flag | Accountability, access review |
| Creation date | When the flag was introduced | Staleness detection |
| Classification | Risk level (low/medium/high/critical) | Risk assessment |
| Status | Active, deprecated, stale | Inventory management |
| Description | What the flag controls and why it exists | Change management documentation |
| Last modified | When the flag was last changed | Staleness detection |
| Code locations | Where the flag is evaluated in code | Impact assessment |
Classification criteria:
| Classification | Criteria | Example Flags | Governance Requirements |
|---|---|---|---|
| Critical | Controls access to systems, financial transactions, or PII | permission_admin_access, gate_pci_payment_flow | Approval workflow, quarterly review, immediate cleanup when stale |
| High | Affects core business functionality or user experience for all users | release_new_checkout, ops_circuit_breaker_db | Approval for production, monthly review |
| Medium | Affects non-critical features or limited user segments | experiment_onboarding_v3, release_dashboard_widget | Standard change management, quarterly review |
| Low | Cosmetic changes, internal tools, development flags | release_button_color_update, debug_verbose_logging | Minimal governance, standard cleanup timeline |
Maintaining the inventory: Manual inventories go stale within weeks. Automated flag detection that scans your codebase on every pull request is the only sustainable approach. Tools like FlagShark maintain a real-time inventory by detecting flag additions and removals as they happen in pull requests, using tree-sitter AST parsing to accurately identify flags across 11 programming languages. This eliminates the "inventory drift" problem where your documented inventory diverges from what is actually in the code.
Pillar 2: Access control (RBAC)
Feature flag platforms must enforce role-based access control that aligns with SOC2's logical access requirements.
Recommended role structure:
| Role | Read Flags | Modify Dev/Staging | Modify Production | Create Flags | Archive Flags | Manage Permissions |
|---|---|---|---|---|---|---|
| Viewer | Yes | No | No | No | No | No |
| Developer | Yes | Yes | No | Yes | No | No |
| Lead/Senior | Yes | Yes | Yes (with approval) | Yes | Yes | No |
| Platform Admin | Yes | Yes | Yes | Yes | Yes | Yes |
Key access control requirements for SOC2:
-
Production changes require approval. At minimum, flag changes in production should require approval from someone other than the person making the change. Most flag platforms (LaunchDarkly, Split.io) support approval workflows for specific environments.
-
API keys are scoped and rotated. Service-to-service API keys should have the minimum permissions necessary. A read-only SDK key should not have write access. Keys should be rotated on a defined schedule (90 days is common).
-
SSO and SCIM are configured. The flag platform should authenticate through your identity provider. When an employee leaves the company, their access to the flag platform should be automatically revoked through SCIM deprovisioning.
-
Access reviews are documented. Quarterly, review who has production-level access to the flag platform and confirm each person still needs that access. Document the review outcome, including any access that was removed.
Example access review documentation:
ACCESS REVIEW: Feature Flag Platform (LaunchDarkly)
Date: 2026-01-15
Reviewer: Jane Smith (Engineering Director)
Next Review: 2026-04-15
Production Modify Access:
- Alice Chen (Staff Engineer, Checkout) → RETAIN: Active flag owner, 3 production changes in Q4
- Bob Kim (Senior Engineer, Platform) → RETAIN: On-call rotation, needs kill switch access
- Carlos Lopez (Engineer, Growth) → REMOVE: Transferred to data team, no longer needs prod access
- Dana Williams (Engineering Manager) → RETAIN: Approval authority for high-risk flags
Actions Taken:
- Removed Carlos Lopez's production modify permission (ticket: SEC-1234)
- Confirmed all API keys rotated within 90-day window
- Verified SCIM sync is active (last sync: 2026-01-14)
Pillar 3: Audit trails
SOC2 requires an immutable record of who changed what, when, and ideally why. For feature flags, this means capturing every state change with sufficient detail to reconstruct the timeline of any flag's history.
Required audit trail fields:
| Field | Description | Example |
|---|---|---|
| Timestamp | When the change occurred (UTC) | 2026-01-15T14:32:07Z |
| Actor | Who made the change (user ID + email) | user-123 (alice@company.com) |
| Action | What type of change | flag.state.changed |
| Flag key | Which flag was affected | release_new_checkout |
| Environment | Which environment | production |
| Previous value | State before the change | off |
| New value | State after the change | on (100% rollout) |
| Approval | Who approved (if applicable) | user-456 (bob@company.com) |
| Reason | Why the change was made | "Rollout complete, enabling for all users per JIRA-789" |
Audit trail sources:
Most flag management platforms provide built-in audit logs. However, relying solely on the platform's log creates a single point of failure and may not meet your retention requirements.
| Source | What It Captures | Retention |
|---|---|---|
| Flag platform audit log | Flag state changes, targeting updates, user access | Platform-dependent (often 1-2 years) |
| Git history | Flag code additions and removals | Indefinite |
| CI/CD logs | Deployment events, automated flag changes | Typically 90 days |
| SIEM/log aggregation | Consolidated view across all sources | Per retention policy |
| Flag lifecycle tool | Flag creation, aging, cleanup events | Tool-dependent |
Audit trail best practices for SOC2:
-
Export and archive platform audit logs. Do not rely on the flag platform as the sole repository. Export logs to your SIEM or a dedicated compliance data store with your required retention period (typically 1-7 years for SOC2).
-
Require comments on production changes. Most flag platforms support mandatory comments. Enable this for production environments so every change has a human-readable explanation.
-
Correlate flag changes with incidents. When an incident occurs, your audit trail should make it possible to identify which flag changes happened in the relevant time window. This supports both compliance and operational needs.
-
Include automated changes. If automated systems modify flags (scheduled changes, automated rollbacks, API-driven updates), these must also appear in the audit trail with clear identification of the automated system as the actor.
FlagShark provides audit trail capabilities by tracking every flag lifecycle event -- detection in pull requests, aging milestones, cleanup PR generation, and removal confirmation -- creating a comprehensive record that complements your flag management platform's built-in audit log. This data can be exported for auditor review in standard formats.
Pillar 4: Flag lifecycle and stale flag management
Stale flags are a compliance risk because they represent unmanaged change vectors in production. Every stale flag is a toggle that can be switched, intentionally or accidentally, to alter production behavior. Auditors view unmanaged change vectors as control gaps.
Building a stale flag process that satisfies auditors:
Step 1: Define staleness criteria
| Flag Classification | Staleness Threshold | Rationale |
|---|---|---|
| Release flags | 45 days after full rollout | Release flags are temporary by definition |
| Experiment flags | 30 days after experiment conclusion | Results should be acted on promptly |
| Permission flags | 90 days without modification | Permissions may be long-lived but need periodic review |
| Operational flags | 180 days without evaluation | Kill switches need periodic validation |
Step 2: Automate detection
Manual identification of stale flags does not satisfy auditors because it is not repeatable or provable. Automated scanning produces evidence:
Weekly Stale Flag Report - 2026-01-15
Generated by: Automated scan (FlagShark)
Total active flags: 127
Stale flags identified: 18
CRITICAL (immediate action required):
- gate_legacy_auth_bypass (312 days, no owner, Classification: Critical)
- permission_beta_data_export (189 days, Classification: High)
WARNING (scheduled cleanup required):
- release_new_dashboard_v3 (67 days, Owner: alice@company.com)
- experiment_signup_variant_b (52 days, Owner: bob@company.com)
- release_checkout_redesign (48 days, Owner: carol@company.com)
... [13 additional flags]
Action items assigned:
- gate_legacy_auth_bypass → Escalated to Engineering Director (no owner)
- permission_beta_data_export → Cleanup ticket created (JIRA-1456)
- 16 flags → Owners notified, 14-day cleanup deadline set
Step 3: Document remediation
For each stale flag identified, document the remediation action:
| Flag | Identified Date | Action | Completion Date | Evidence |
|---|---|---|---|---|
| gate_legacy_auth_bypass | 2026-01-15 | Removed (cleanup PR #4521) | 2026-01-22 | PR merged, flag archived |
| permission_beta_data_export | 2026-01-15 | Reclassified as permanent, owner assigned | 2026-01-18 | Classification updated in inventory |
| release_new_dashboard_v3 | 2026-01-15 | Cleanup PR generated, under review | 2026-01-29 | PR #4530 merged |
Step 4: Report to auditors
Prepare a quarterly flag hygiene report that demonstrates ongoing management:
QUARTERLY FLAG HYGIENE REPORT - Q4 2025
Flag Inventory:
- Start of quarter: 142 active flags
- Created during quarter: 47
- Removed during quarter: 52
- End of quarter: 137 active flags
- Net change: -5 (inventory decreasing)
Staleness Metrics:
- Flags exceeding staleness threshold at quarter start: 23
- Flags exceeding staleness threshold at quarter end: 11
- Remediation rate: 52% reduction
Classification Breakdown:
- Critical flags: 8 (all reviewed this quarter)
- High flags: 24 (22 reviewed, 2 scheduled for next quarter)
- Medium flags: 61
- Low flags: 44
Access Control:
- Access reviews completed: 2 (Oct 15, Jan 15)
- Permissions removed: 4 users
- API keys rotated: All (Oct 1)
Incidents Related to Feature Flags: 0
Pillar 5: Data retention and export
SOC2 auditors need to verify that your compliance data is retained for the required period and can be produced on request. For feature flags, this means:
Retention requirements:
| Data Type | Minimum Retention | Recommended Retention | Format |
|---|---|---|---|
| Flag audit trail | 1 year | 3 years | JSON, CSV |
| Access review records | 1 year | 3 years | PDF, structured data |
| Flag inventory snapshots | 1 year | 3 years | JSON, CSV |
| Stale flag reports | 1 year | 3 years | PDF, structured data |
| Remediation evidence | 1 year | 3 years | PR links, tickets |
| Incident reports (flag-related) | 1 year | 5 years | PDF, structured data |
Export capabilities to evaluate in your tooling:
- Can you export the complete audit trail for a specific flag?
- Can you export a point-in-time snapshot of your flag inventory?
- Can you export access review records with approval/denial evidence?
- Can you produce these exports in a format auditors can review (PDF, CSV, not just API responses)?
FlagShark supports data export for compliance purposes, allowing teams to export flag lifecycle data, detection history, and cleanup records in formats suitable for auditor review. This complements the audit logs from your flag management platform to provide a complete picture of flag governance.
The compliance cost of flag neglect
Organizations that approach SOC2 with an ungoverned flag environment face specific, quantifiable costs:
Audit delays: Remediation of flag-related findings can add weeks to the audit timeline. The additional professional fees for extended audit support add up quickly.
Finding severity: Flag-related findings most commonly fall under CC8.1 (change management) and are classified as deficiencies rather than exceptions. A deficiency means the control exists but is not operating effectively -- which is better than an exception (no control exists at all) but still requires formal remediation and re-testing.
Remediation effort: Building a flag governance program from scratch during an audit is significantly more expensive than building it proactively. The typical remediation effort:
| Task | Proactive (pre-audit) | Reactive (during audit) |
|---|---|---|
| Flag inventory creation | 2-3 days (with tooling) | 1-2 weeks (manual + tooling setup) |
| RBAC implementation | 1-2 days | 3-5 days (urgent, may disrupt teams) |
| Audit trail configuration | 1 day | 2-3 days (plus backfill limitations) |
| Stale flag remediation | Ongoing (automated) | 2-4 weeks (batch cleanup) |
| Documentation | 2-3 days | 1-2 weeks (retroactive documentation) |
| Total | 1-2 weeks | 6-10 weeks |
A practical implementation timeline
Month 1: Foundation
Week 1-2: Inventory and classification
- Deploy automated flag detection across all repositories
- Generate initial flag inventory
- Classify all flags by risk level (focus on Critical and High first)
- Assign owners to all ownerless flags
Week 3-4: Access control
- Configure SSO for flag management platform
- Implement RBAC with production-specific permissions
- Enable approval workflows for production flag changes on Critical and High flags
- Conduct initial access review and document results
Month 2: Audit trails and lifecycle
Week 5-6: Audit trail
- Enable mandatory comments on production flag changes
- Configure audit log export to your SIEM or compliance data store
- Verify audit trail captures all required fields
- Test audit trail retrieval for a sample flag
Week 7-8: Stale flag management
- Define staleness thresholds per flag classification
- Implement automated stale flag detection and reporting
- Begin remediation of existing stale flags (prioritize Critical and High)
- Document the stale flag management process
Month 3: Documentation and validation
Week 9-10: Documentation
- Write the feature flag change management procedure
- Document the RBAC model and access review schedule
- Create the quarterly flag hygiene report template
- Compile evidence packets for each control area
Week 11-12: Validation
- Conduct an internal audit simulation
- Walk through all auditor questions with evidence
- Identify and remediate any gaps
- Brief the audit team on the flag governance program
Beyond SOC2: Flag governance as engineering practice
The work required for SOC2 compliance overlaps significantly with good engineering practice. The inventory, access controls, audit trails, and lifecycle management that auditors require are the same capabilities that reduce incidents, improve developer productivity, and prevent the accumulation of technical debt.
Organizations that build flag governance solely for compliance tend to maintain it grudgingly. Organizations that recognize flag governance as an engineering quality practice tend to exceed compliance requirements naturally. The difference is framing: SOC2 does not require you to do anything you should not already be doing. It requires you to prove that you are doing it.
The overlap between compliance and engineering quality:
| SOC2 Requirement | Engineering Benefit |
|---|---|
| Flag inventory | Developers know what flags exist and who owns them |
| RBAC | Fewer accidental production changes |
| Audit trail | Faster incident investigation |
| Stale flag management | Less technical debt, simpler codebase |
| Documented processes | Faster onboarding, consistent practices |
| Regular reviews | Catches issues before they compound |
SOC2 auditors do not care how many feature flags you have. They care whether you know how many you have, who can change them, what happens when they change, and what you do when they become stale. The organizations that answer these questions confidently -- with evidence, not promises -- pass their audits smoothly and, more importantly, operate more safely every day. Feature flag governance is not a compliance checkbox. It is how mature engineering organizations manage one of the most powerful and potentially dangerous tools in their toolkit.