Anthropic is rolling out a new Compliance API for the Claude Platform, and it’s clearly aimed at one audience: security, risk and compliance teams who keep asking “who did what, where, and when” inside AI tools.

At a basic level, the Compliance API gives Claude Platform admins a programmatic audit feed of what’s happening across their organization, instead of forcing them to rely on CSV exports or sporadic manual reviews. Think of it as turning Claude from a “black box” into something you can actually plug into your existing security stack and policy engine. Security and compliance teams can pull logs over an API, filter them by time window, user, or API key, and then route that data into SIEMs, GRC tools, or custom dashboards they already live in every day.

Anthropic is targeting some of the most heavily regulated sectors here—financial services, healthcare, legal, and government—where detailed audit trails are table stakes, not a nice-to-have. These organizations are used to proving, often in audits, exactly who accessed which system, what they changed, and whether those actions stayed inside policy. Until now, a lot of AI adoption in those environments has been constrained by a simple reality: once your data goes into an AI assistant, visibility gets blurry. Manual exports and quarterly reviews don’t scale when hundreds or thousands of employees are using AI tools every day.

The new API tries to fix that by exposing an activity feed focused on security‑relevant events inside Claude. Anthropic splits this into two broad buckets. First, there are admin and system activities: adding or removing members from workspaces, creating API keys, changing account settings, or modifying who has access to which entities. These are classic governance events—the kinds of actions auditors and security teams care about because they directly touch access control and configuration drift. Second, there are resource activities, which cover user actions that create or modify data: creating a file, downloading a file, or deleting a skill, especially when those actions might expose or move sensitive information.

Notably, Anthropic is drawing a line: the Compliance API does not log inference activity, meaning it doesn’t capture the content of every conversation or prompt by default on the Claude Platform. That’s a deliberate design tradeoff. For some customers, it reduces privacy and data‑minimization concerns, but for others—especially those who want a full, end‑to‑end record of how AI is being used—it leaves a gap between platform‑level events and what individual users and agents are actually doing in prompts. Some external security commentators are already calling the feature “necessary but incomplete”: a strong step for admin and configuration visibility, but not yet a full answer to “log everything AI touches.”

From an implementation standpoint, Anthropic isn’t flipping this on by default for everyone. Organizations need to work with their account teams to enable the Compliance API, and once it’s turned on, admins generate an elevated API key to query the activity feed. Logging starts at the moment of enablement; there’s no retroactive reconstruction of historical events, so early adopters will likely want to bring it online before they roll out Claude more broadly inside their companies. For enterprises already using the Compliance API on Claude Enterprise, Anthropic lets them place Claude Platform usage under the same parent organization and filter activity across both from a single feed, which is important for companies standardizing on Claude across multiple environments.

This launch also ties directly into Anthropic’s broader security and compliance positioning. The company already leans heavily on its Trust Center to showcase certifications like SOC 2 Type II and HIPAA support, along with documentation aimed at risk and procurement teams who need to sign off on AI usage before deployment. The Compliance API extends that story: instead of just saying “we meet the standard,” Anthropic is giving customers more telemetry they can plug into their own controls, retention policies, and monitoring pipelines. In practice, that might mean feeding Claude activity logs into a SIEM alongside identity provider events, endpoint logs, and other SaaS telemetry to get a coherent picture of how AI is being used next to the rest of the stack.

The timing also aligns with how enterprises are rethinking AI security overall. A lot of the risk conversation has shifted from “is the model safe?” to “how do we govern agents, connectors, and data flows around the model?” Tools like Claude Skills, connectors to platforms like Slack and Excel, and integrations via Model Context Protocol (MCP) all increase the surface area for data access—exactly the kind of thing compliance teams want to see in a log somewhere. Anthropic’s Compliance API is a step toward AI‑native telemetry: who connected which MCP server, what data was made accessible, what resources were created or deleted, and whether those patterns match internal policy.

Of course, the gaps matter too. Some third‑party security analysts point out that certain products in the Claude ecosystem, like Cowork, do not yet have their full activity captured in audit logs or the Compliance API, which could be a sticking point for organizations with strict obligations under SOC 2, HIPAA, PCI‑DSS or similar frameworks. Others emphasize that while platform‑level logs are a big improvement, many enterprises will still need additional endpoint telemetry, OpenTelemetry integration, or custom controls around how AI agents interact with files, repositories, and production systems. In other words, the Compliance API is an important piece, but it’s not the entire governance puzzle.

For teams already testing or rolling out Claude, the practical question is what this unlocks right now. At minimum, it means you can stop treating Claude Platform as an opaque tool and start wiring it into the compliance workflows you use everywhere else—alerting on suspicious admin actions, correlating workspace membership changes with identity events, or enforcing custom data retention on audit logs. For early adopters pushing toward agentic workflows and deep integrations, it’s also a signal that Anthropic understands the ask: visibility, control, and evidence that AI usage can stand up to an audit.