The Claude Compliance API: what it captures, what it misses, and where Compliance for Claude fits
Anthropic ships a Compliance API for Claude Enterprise, relaunched in May 2026 with 28 security and compliance integrations (Microsoft Purview, CrowdStrike, Okta, Zscaler, and more). It is a real first-party audit feed, and if your firm is on Enterprise you should turn it on. It also has structural blind spots that matter for mortgage compliance, and that is exactly where Compliance for Claude fits.
What it actually captures
The Compliance API has two layers, and it is worth being precise about each, because the gap is not where people assume.
The Activity Feed (/v1/compliance/activities)
— event metadata: who acted (email, user ID, IP address), the
event type, the chat and project IDs, and timestamps. The feed itself
carries identifiers, not the content of conversations or projects.
The content endpoints — on-demand retrieval of full chat content, uploaded files, and projects, for claude.ai organizations, using a Compliance Access Key.
So it is more than metadata. With the right key, an admin can pull the actual conversation text and the files that were attached. Give it credit for that: the blind spots are not “it only sees metadata,” they are elsewhere, and they are specific.
Why a compliance officer should turn it on
- It’s already paid for. Enterprise includes it. (Team gets a capped CSV audit-log export with no content; Pro gets nothing.) Not using it leaves paid-for audit capacity on the table.
- It’s first-party identity and timing. The Activity Feed binds each session to a named user, recorded by Anthropic, not reconstructed from screenshots. That is the cleanest answer to an examiner’s “show me who used AI, and when.”
- It answers a question that’s coming. The OCC’s 2026 AI guidance puts human accountability for AI use on the institution. “Show me your employees’ AI usage” is a foreseeable ask, and first-party Anthropic data is the cleanest answer to it.
Where it stops: four blind spots
The Compliance API is a strong identity-and-content feed for claude.ai sessions. Four gaps matter for a mortgage compliance program, and the first one is the big one.
Cowork is excluded
Claude Cowork — the Microsoft 365 / Teams / SharePoint integration most regulated lenders will actually run on — is excluded from the Compliance API, the audit logs, and data exports. That history stays on user laptops. For the workflow this site recommends, the API captures nothing.
No tool, MCP, or sub-agent traces
The feed records that a session happened, not what the model did inside it: which prompts ran, which model answered, what tools were called, what they returned. Those signals live in OpenTelemetry, which Anthropic itself flags as not audit-grade.
Raw, not structured
Even where content is retrievable, it is an unstructured conversation dump. A chat transcript does not tell an examiner that §1024.41(b)(2) got refreshed, which obligation IDs were checked, or what changed in the P&P. That is the work; the API gives you the session, not the finding.
180-day retention
Anthropic keeps this data for 180 days. Mortgage compliance retention runs years. To keep an audit trail you have to export and retain it yourself: “it’s on Anthropic’s side” is a reason to export on a schedule, not a reason to relax.
Where Compliance for Claude fits
Compliance for Claude is built for the four gaps above. The Compliance Log is a structured workflow you attach to a Claude session:
- Structure. At the start of a session it has you declare the goal (annual refresh, new-rule catch-up, pre-exam spot-check, or a net-new P&P) and the exact regs bundle you are reviewing against. From there it keeps obligation-ID-tagged tables of what was reviewed, what changed, and the fact-finds and decisions behind each edit, and it ends with a P&P Change Log entry. That is the structured finding the raw feed cannot produce.
- Cowork coverage. It is a file you attach to the session, so it works inside Cowork / Microsoft 365: the exact place the Compliance API cannot see.
- Durability. Its output is a Markdown (and optional YAML) artifact you keep in your own SharePoint or DMS, on your retention schedule, not a 180-day window.
- Corpus-anchored. Every obligation traces back to a verbatim regulator-published quote with a source snapshot.
Pairing them: what works today, what’s buildable
Where you have both — Claude Enterprise on claude.ai, plus the Compliance Log on your reviews — the two are complementary: the API binds identity and timing, the Compliance Log carries the substance. A reconciliation that joins them on timestamp + user + filename (every API session that touched a P&P, matched to its Compliance Log output, with the unmatched rows flagged) is a natural next build.
To be clear: that reconciliation tooling is not built yet. It is a near-term pilot, and it only helps for claude.ai sessions — Cowork has nothing on the API side to join against. Today the durable move is simpler: run the Compliance Log on every review and keep its output, in your own retained library, alongside whatever the API export gives you.
Turning the feed on
The Compliance API is admin-only. It is unlocked by a Compliance Access Key the primary owner creates in claude.ai (full access), or an Admin API key in the Console (Activity Feed only). The CCO usually needs IT to enable it. Here is a request template the CCO can hand IT verbatim:
Compliance team request: Enable + export Claude Compliance API for
audit-trail review.
Scope: Members of {[email protected]}.
Slice: Sessions where attached files match /pp/* OR session title contains
any of {"P&P", "policy", "review", "refresh", "Compliance for Claude"}.
Frequency: Monthly export, NDJSON or CSV (Anthropic retains 180 days, so
export on a schedule and retain on our side).
Retention: 7 years on our side (matches firm's compliance record-retention
policy).
Reason: Standing audit-trail program for AI use on compliance work.
Supports OCC AI accountability expectations + your AI inventory
obligations.
Note: claude.ai sessions only — Claude Cowork is not covered by the
Compliance API, so Cowork reviews rely on the Compliance Log artifact.
Destination: {[email protected]} SharePoint library
"Compliance for Claude Reviews / _evidence-feed".
Compliance team owns the report and remediation; IT owns the feed plumbing.