For two years, enterprise security teams had a blind spot the size of a frontier model. Employees were pasting source code, customer records, and contract drafts into Claude, and none of it showed up in the SIEM, the DLP console, or the audit trail. AI usage was governable in theory and invisible in practice.
In May 2026, Anthropic closed a large part of that gap. The Claude Compliance API pipes conversation content and activity logs from Claude Enterprise straight into the security stack companies already run — and launched with 28 integration partners covering data loss prevention, SIEM, identity, and eDiscovery. For any organization weighing whether AI can pass an audit, this is the most consequential governance release of the year.
What the Compliance API actually does
The API exposes two distinct kinds of data, and the distinction matters for how you wire it up.
Conversation content — available on Claude Enterprise — includes chats, uploaded files, and project contents. This is the payload your DLP and data security tools scan: the actual text an employee typed and the documents they attached. If someone uploads a spreadsheet of customer PII, the Compliance API is what lets Microsoft Purview or Forcepoint see it and act.
Activity event logs — available across both Claude Enterprise and the Claude Platform — cover roughly 30 typed events: user logins, admin actions, role changes, SSO modifications, project lifecycle, API key creation, and configuration changes. These feed your SIEM and identity posture tools the same way logins from any other SaaS application would.
There is a deliberate split. The Claude Platform tier exposes activity events but not conversation content. Only Claude Enterprise surfaces the actual chat and file payloads. Events carry a 180-day retention window, and the content endpoints support on-demand retrieval and selective deletion — which is what makes GDPR Article 15 (right of access) and Article 17 (right to erasure) workflows scriptable rather than manual.
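The activity event feed described above is what a SIEM team would normalize and alert on once a connector is wired in. The following is an added example, not Anthropic's or any partner's code: it assumes a hypothetical event schema (the real endpoint spec is NDA-gated) and constructed sample events, and it flags the identity and credential changes named above while tracking the 180-day retention window.

```python
"""Triage of Claude Compliance API activity events for a SIEM pipeline.

Added example, not Anthropic's code. The field names below are a
HYPOTHETICAL schema (the real endpoint spec is NDA-gated) and the
sample events are constructed. Only event categories the article lists
are used: logins, role changes, SSO modifications, project lifecycle,
API key creation.
"""
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 180  # retention window stated for activity events

# Event types worth paging on: identity and credential changes that
# alter who can reach the organization's data through Claude.
HIGH_RISK_TYPES = {"sso.modified", "role.changed", "api_key.created"}

# Constructed sample feed (hypothetical field names and values).
SAMPLE_EVENTS = [
    {"type": "user.login", "actor": "alice@example.com", "ts": "2026-05-10T08:02:11Z"},
    {"type": "api_key.created", "actor": "bob@example.com", "ts": "2026-05-10T23:41:05Z"},
    {"type": "sso.modified", "actor": "carol@example.com", "ts": "2026-05-11T09:15:00Z"},
    {"type": "project.created", "actor": "alice@example.com", "ts": "2026-05-11T10:00:00Z"},
    {"type": "role.changed", "actor": "bob@example.com", "ts": "2025-11-01T12:00:00Z"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def within_retention(event, now):
    """True while the event still sits inside the 180-day retention window."""
    return now - parse_ts(event["ts"]) <= timedelta(days=RETENTION_DAYS)


def triage(events, now, change_window=(8, 18)):
    """Split a batch into (alerts, expired).

    High-risk events outside the hypothetical UTC change window get severity
    'high', inside it 'medium'. Expired events have aged past the 180-day
    window: a SIEM archive needs a copy before that point, since audit
    evidence periods are usually longer than the window itself.
    """
    alerts, expired = [], []
    for ev in events:
        if not within_retention(ev, now):
            expired.append(ev)
            continue
        if ev["type"] in HIGH_RISK_TYPES:
            hour = parse_ts(ev["ts"]).hour
            in_window = change_window[0] <= hour < change_window[1]
            alerts.append({"severity": "medium" if in_window else "high", **ev})
    return alerts, expired
```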
The 28 launch partners
Anthropic did not build connectors itself. Instead it published the API and let established security vendors integrate, which is why coverage spans nearly every category a CISO cares about on day one:
- DLP and data security: Cloudflare, Cyera, Forcepoint, Fortinet, Trellix, Varonis, Zscaler, Concentric AI
- SIEM and security operations: CrowdStrike, Datadog, Sumo Logic, Tenable, ReliaQuest, Cribl
- SASE and network: Netskope, Palo Alto Networks, Proofpoint
- Identity management: Okta, SailPoint
- eDiscovery and archiving: Relativity, Mimecast, Smarsh, Theta Lake
- Posture and others: Wiz, Snyk, Rubrik, IBM Guardium, Microsoft Purview, Geordie AI
The practical effect: if you already pay for one of these tools, governing Claude becomes a configuration task, not a procurement project. Cloudflare's CASB integration, for example, treats Claude as just another sanctioned SaaS app whose activity flows into existing data protection policies.
How to deploy it
For Claude Enterprise customers the setup is two steps:
- The Primary Owner enables the Compliance API in Organization settings.
- You connect a supported platform using that vendor's setup guide.
Claude Platform customers go through Anthropic sales rather than self-serve. A few operational notes that the documentation makes clear but teams routinely miss:
- The detailed endpoint specs sit behind an NDA-gated PDF, so loop in legal early if you want the raw API reference.
- Compliance API keys are production secrets. Treat them like any other privileged credential — rotate them, scope them, and never check them into a repo.
- This is an Enterprise-tier feature. Team plans get audit logs but not the programmatic API, so budget accordingly.
The Cowork gap you cannot ignore
Here is the part that does not make the press releases. The Compliance API covers Claude.ai and the API — but it does not cover Claude Cowork, Anthropic's desktop agent that reads files, executes code, and drives browser automation on an employee's own machine.
The independent assessment is blunt: Cowork conversations can contain regulated data on a user's local disk by design, and there is no audit trail Anthropic can hand you. No user prompts in compliance logs. No file read or write tracking. No browser action records. No MCP server call logs. Conversation history lives only on the user's machine and is not centrally exportable.
The honest conclusion is that enabling the Compliance API solves roughly half the governance problem for any organization running the full Claude product line. The practical guidance follows directly: regulated workloads — anything touching PHI, payment data, or material non-public information — do not belong on Cowork until Anthropic closes the gap.
A three-layer telemetry reality
Mature teams are landing on a layered model rather than treating any single feed as complete:
| Layer | Covers | Misses |
|---|---|---|
| Compliance API | Claude.ai, API, identity, lifecycle | All Cowork activity, inference details, tool calls |
| OpenTelemetry | Prompts, tools, decisions, costs | Marked non-audit grade; no web or admin events |
| On-device proxy | Egress, requests, MCP traffic | Server-side operations, local screen actions |
For framework alignment, the Compliance API audit feed maps cleanly to SOC 2 CC6/CC7 logical access and monitoring, HIPAA 164.312(b) for chat-based workflows, and ISO 27001 A.8.15 — but only for Claude.ai. The moment Cowork enters the picture, those mappings break.
What this means for MENA enterprises
For organizations across Tunisia, Saudi Arabia, and the wider region, the takeaway is encouraging but conditional. AI adoption no longer has to mean an ungovernable surface. If your security team already runs a tool on Anthropic's partner list, you can bring Claude under the same DLP and audit regime as the rest of your SaaS estate — a meaningful unblock for regulated sectors like banking, insurance, and healthcare that have been holding back precisely because of the visibility gap.
The discipline is to deploy in tiers: route audited, regulated work through Claude Enterprise with the Compliance API switched on and a partner connector wired in, and keep Cowork confined to non-sensitive, internal tasks until the desktop-agent audit story matures. Governance is no longer a reason to say no to enterprise AI — it is now a configuration you can actually own.
The Compliance API is not a finished story. But it is the moment AI usage inside the enterprise stopped being a black box and started becoming an auditable, policy-bound part of the stack. For teams that have spent two years saying "not until we can see it," that day has largely arrived.
Need help bringing AI into your enterprise security and compliance posture? Noqta helps organizations across the MENA region adopt AI safely — from governance architecture to secure integration. Get in touch.
Sources: Anthropic / Claude Help Center, Help Net Security, General Analysis: Coverage and Gaps, Cloudflare Blog, Security Boulevard.