SOC 2 is in theory not that dogmatic about how reviews happen, and I do know people who do reviews after merge and deployment, for example, with SOC 2. You need to have compensating controls and work with your auditor. Most people just go with the default of pre-commit reviews.
Yep, no dispute here. It's just that my and other people's experience is that SOC 2 controls are usually passed down by edict, and whether you review before or after merge, there's typically (from my experiences at SaaS/Fintech) some form of review happening. I've done both styles in the same company for different reasons.