What Anthropic actually shipped

The headline from SecurityWeek's May 2026 write-up is two-fold. First, a new Compliance API gives IT and security teams programmatic access to conversation content from Claude Enterprise, plus activity event logs from both Claude Enterprise and the Claude Platform. Second, 28 security and compliance integrations now sit on top of that surface — covering data loss prevention (DLP), security information and event management (SIEM), e-discovery, audit, identity, and data classification.

For builders shipping into regulated industries, this is the first time you can wire Claude into your existing governance stack without screen-scraping the admin console or paying a vendor to do it for you. Anthropic also raised rate limits on Claude Code and lifted Opus API limits in the same window — the operational message is that enterprise governance and developer throughput moved together.

  • Compliance API — conversation content (Enterprise only) and activity event logs (Enterprise + Platform), accessed programmatically.
  • 28 integrations — covering DLP, SIEM, e-discovery, audit, IAM and data classification suites.
  • Rate-limit lift — Claude Code doubled, Opus API limits raised. Useful context for capacity planning your governance ingestion pipeline.
  • Regulatory timing — EU AI Act GPAI obligations apply fully on 2 August 2026; UK FCA, ICO and India's DPDP all expect comparable audit trails.

Pro tip

Don't try to ingest everything into your SIEM on day one. Start with activity event logs only — login, model invocation, admin action, policy override — and prove the pipeline. Conversation content ingestion has a much bigger data-volume and retention bill, and most security teams don't need it until legal asks for an e-discovery hold.

The integration categories that matter

Anthropic has not published the full list of 28 partners in a single tidy place, but the categories are clear from the SecurityWeek coverage. Here is how to think about which ones earn a slot in your deployment plan.

| Category | What it does for you | Example connected platforms | Builder use case |
| --- | --- | --- | --- |
| DLP | Inspects prompts and responses for sensitive data leakage before it leaves your tenant. | Microsoft Purview, Netskope, Zscaler | Block a banker pasting a customer's PAN or NI number into a Claude prompt; alert on PII in model output. |
| SIEM | Centralises Claude activity events alongside the rest of your security telemetry. | Splunk, Microsoft Sentinel, Elastic Security | Correlate a model jailbreak attempt with the same user's VPN session and SaaS access logs. |
| E-discovery | Pulls conversation content under legal hold and produces a defensible export. | Relativity, Logikcull, Onna | Respond to an SFO or SEBI subpoena without re-engineering your archival stack. |
| Audit + GRC | Maps Claude usage to control frameworks and produces evidence for auditors. | Vanta, Drata, ServiceNow GRC | Generate SOC 2 / ISO 27001 / DPDP evidence packs without manual screenshots. |
| IAM | Enforces SSO, group membership and just-in-time access for Claude workspaces. | Okta, Microsoft Entra ID, Ping Identity | Tie Claude Enterprise seats to your existing joiner-mover-leaver workflow. |
| Data classification | Tags content with sensitivity labels that travel with it into and out of Claude. | Microsoft Purview Information Protection, BigID | Keep an MNPI-tagged research note from being summarised into a public chat. |

From a verified Builder

"We had two parallel governance asks — the security team wanted Claude events in Splunk, and legal wanted defensible e-discovery exports. Before the Compliance API we were polling the admin console with a headless browser, which the SOC team hated. We moved both pipelines onto the API in a week and the audit committee meeting actually got short."

— Verified Builder, regulated-fintech CISO office · Bengaluru, IN

What a Compliance API call looks like

Anthropic's developer docs will be the source of truth — the shape below is illustrative, based on the SecurityWeek description and standard Anthropic API conventions. Treat it as the conversation you want to be able to have, not the final spec.

// Illustrative — confirm against Anthropic's official docs before shipping

// 1. Pull activity event logs for a workspace, last 24 hours
GET https://api.anthropic.com/v1/compliance/events
  ?workspace_id=ws_01abcd
  &since=2026-05-28T06:00:00Z
  &until=2026-05-29T06:00:00Z
  &event_types=model_invocation,admin_action,policy_override
Authorization: Bearer $ANTHROPIC_COMPLIANCE_TOKEN
anthropic-version: 2026-05-01

// 2. Pull conversation content under a legal hold (Enterprise only)
GET https://api.anthropic.com/v1/compliance/conversations
  ?workspace_id=ws_01abcd
  &user_id=usr_01efgh
  &hold_id=hold_01ijkl
  &cursor=eyJwYWdlIjoyfQ==
Authorization: Bearer $ANTHROPIC_COMPLIANCE_TOKEN
anthropic-version: 2026-05-01

The pattern to design for is straightforward — a paged GET for events that your SIEM forwarder can poll on a tight loop, and a separate, more carefully scoped GET for conversation content that only fires when legal raises a hold. Treat the Compliance token as a top-tier secret; it reads conversation content across your whole Enterprise tenant.
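
A sketch of the forwarder side of that events poll, added here as an example and not taken from Anthropic's documentation or the SecurityWeek article. It reuses the illustrative query parameters shown above; the response fields (`events`, `next_cursor`, `id`, `type`) and the `fake_fetch` stand-in for the HTTP call are assumptions.

```python
from typing import Callable

# Constructed sample pages keyed by request cursor. The response fields
# ("events", "next_cursor", "id", "type") are assumptions, not a documented schema.
SAMPLE_PAGES = {
    None: {"events": [{"id": "evt_1", "type": "model_invocation"},
                      {"id": "evt_2", "type": "admin_action"}],
           "next_cursor": "c1"},
    "c1": {"events": [{"id": "evt_2", "type": "admin_action"},  # replayed on page 2
                      {"id": "evt_3", "type": "policy_override"}],
           "next_cursor": None},
}

def fake_fetch(params: dict) -> dict:
    """Hypothetical stand-in for the authenticated GET; runs offline."""
    return SAMPLE_PAGES[params.get("cursor")]

def poll_window(fetch: Callable[[dict], dict], workspace_id: str, since: str,
                until: str, event_types: list, seen: set, max_pages: int = 1000):
    """Drain one since/until window. Returns (new_events, next_checkpoint)."""
    params = {"workspace_id": workspace_id, "since": since, "until": until,
              "event_types": ",".join(event_types)}
    new_events = []
    for _ in range(max_pages):
        page = fetch(dict(params))
        for event in page.get("events", []):
            if event["id"] in seen:        # retries and page overlap must not
                continue                   # create duplicate SIEM records
            seen.add(event["id"])
            new_events.append(event)
        cursor = page.get("next_cursor")
        if not cursor:
            # Advance the checkpoint only once the whole window is drained, so a
            # crash mid-window replays events instead of silently skipping them.
            return new_events, until
        params["cursor"] = cursor
    raise RuntimeError("cursor never terminated; checkpoint left at " + since)

if __name__ == "__main__":
    events, checkpoint = poll_window(
        fake_fetch, "ws_01abcd", "2026-05-28T06:00:00Z", "2026-05-29T06:00:00Z",
        ["model_invocation", "admin_action", "policy_override"], set())
    print([e["id"] for e in events], checkpoint)
```

Persist `seen` (or a bounded window of recent event IDs) and the returned checkpoint together, so a restart resumes from the last fully drained window.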

Watch out — data residency

India's DPDP and the UK ICO both expect a documented residency story. The Compliance API endpoint may terminate outside your home region; confirm with Anthropic before ingestion. For BFSI workloads under RBI or SEBI, route the egress through a region-local SIEM collector and keep the long-term store in-country. The same applies for UK BFSI under the FCA's operational-resilience expectations — you want the audit copy on home soil regardless of where the API call lands.

How this maps to the regulators you actually answer to

The Compliance API is, at heart, an evidence-production surface. Here is how the four regulatory regimes a dual-market team faces line up against it.

  • EU AI Act (UK builders selling into the EU) — GPAI obligations apply fully from 2 August 2026 and require incident logging, serious-incident reporting and technical documentation. Activity event logs from the Compliance API map directly to the incident-logging requirement. See our EU AI Act GPAI enforcement checklist for the wider deadline picture.
  • UK FCA + PRA + ICO — operational resilience (SS1/21), the Consumer Duty, and UK GDPR all want a defensible record of automated decisioning. The SIEM and audit integrations give you that without bespoke engineering.
  • India RBI + SEBI + DPDP — RBI's outsourcing-of-IT guidelines and SEBI's tech-resilience circular both expect logging of third-party model usage. DPDP layers on consent and breach-notification timelines. Activity event logs into your SIEM are the cheapest way to satisfy the first; conversation-content access under a hold satisfies the second when an incident happens.
  • US export controls — if you ship to US customers, BIS still cares who can access frontier-model outputs. IAM integrations let you geo-fence Enterprise seats by group membership.


A deployment checklist for IN and UK builders

Six steps, in order. Resist the urge to do them in parallel — each one surfaces decisions that change the next.

  1. Confirm your Claude tier — conversation-content access is Enterprise only. Platform-only teams get activity event logs and should plan around that.
  2. Map your governance stack first — list what your security, legal and audit teams already run. Pick integrations that bolt onto that, not greenfield tools.
  3. Start with events, not transcripts — wire activity event logs into your SIEM. Prove the pipeline with seven days of data before you touch conversation content.
  4. Lock down the Compliance token — store it in your secrets manager, rotate quarterly, and put alerting on every use of the conversation-content endpoint.
  5. Document residency — write a one-pager covering where the API terminates, where you store the ingested data, and which regulator that satisfies. Get it signed by your DPO.
  6. Tabletop a legal hold — before you need it. Walk legal, IT and the SOC through pulling conversation content for a single user under a mock hold. Time it.
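
One way to implement the step 4 alerting on every use of the conversation-content endpoint, run over egress-proxy logs. This is an added example, not code from Anthropic or from the original article; the log line format, the caller names and the hold register are assumptions, and the host and path come from the illustrative request earlier on this page.

```python
from urllib.parse import urlsplit, parse_qs

API_HOST = "api.anthropic.com"                  # from the page's illustrative request
CONTENT_PATH = "/v1/compliance/conversations"   # from the page's illustrative request
APPROVED_HOLDS = {"hold_01ijkl"}                # assumed: hold IDs registered by legal
ALLOWED_CALLERS = {"svc-ediscovery"}            # assumed: only identity meant to call it

# Constructed egress-proxy lines in an assumed format: "<time> <caller> <method> <url>"
SAMPLE_LOG = """\
2026-05-29T06:00:01Z svc-siem GET https://api.anthropic.com/v1/compliance/events?workspace_id=ws_01abcd
2026-05-29T06:02:10Z svc-ediscovery GET https://api.anthropic.com/v1/compliance/conversations?workspace_id=ws_01abcd&user_id=usr_01efgh&hold_id=hold_01ijkl
2026-05-29T06:05:44Z svc-siem GET https://api.anthropic.com/v1/compliance/conversations?workspace_id=ws_01abcd&user_id=usr_01efgh
2026-05-29T06:07:02Z svc-ediscovery GET https://api.anthropic.com/v1/compliance/conversations?workspace_id=ws_01abcd&hold_id=hold_99zzzz
"""

def triage(log_text, approved_holds=APPROVED_HOLDS, allowed_callers=ALLOWED_CALLERS):
    """Return one alert per conversation-content request; escalate the odd ones."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                            # not a proxy record in the assumed format
        when, caller, _method, url = fields
        target = urlsplit(url)
        if target.hostname != API_HOST or target.path.rstrip("/") != CONTENT_PATH:
            continue                            # events endpoint and other traffic
        hold_ids = parse_qs(target.query).get("hold_id", [])
        reasons = []
        if caller not in allowed_callers:
            reasons.append("unexpected caller")
        if not hold_ids:
            reasons.append("no hold_id")
        elif any(h not in approved_holds for h in hold_ids):
            reasons.append("unregistered hold")
        # Every use is alerted; a clean request is informational, the rest page someone.
        alerts.append({"time": when, "caller": caller,
                       "severity": "high" if reasons else "info",
                       "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

The mock legal hold in step 6 should produce exactly one `info` alert; anything else means the hold register or the caller allow-list is out of date.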

Common pitfalls

  1. Ingesting conversation content by default — the storage and retention bill is real, and most teams don't need it until legal asks. Default to events; add transcripts when there is a documented reason.
  2. Treating the Compliance token as a normal API key — it reads conversation content tenant-wide. It deserves the same handling as your root cloud credential.
  3. Skipping the IAM tie-in — without SSO and group-based access, you cannot prove who used Claude on the day a regulator asks. Wire the IAM integration before you wire DLP.
  4. Forgetting the agent surface — if your team uses Managed Agents or self-hosted sandboxes, the agent execution surface needs its own logging story. Compliance API covers the Claude side; agent tool calls land in your own infrastructure.
  5. Ignoring the security-beta features — Anthropic's security beta vulnerability scanning is a complementary surface, not a substitute. Run both.

The bottom line for regulated-industry builders

The Compliance API plus 28 integrations is the first piece of Anthropic enterprise plumbing that makes Claude defensible inside a BFSI, healthcare or public-sector procurement in either market. For builders, the practical move is to stop treating governance as an afterthought you bolt on at the end of a pilot and start treating it as the first integration you wire — because that is what unblocks the procurement conversation, and procurement is what unblocks revenue.

The pattern we are already seeing across our Verified Builder community: the teams who shipped a governance pipeline before the pilot demo close enterprise deals two quarters faster than the teams who waited. That gap will widen as the EU AI Act enforcement date approaches and as Indian regulators sharpen their own model-usage expectations under DPDP and the upcoming Digital India Act framework. A clean Compliance API rollout, sized and documented for both jurisdictions, is now table stakes — not a differentiator. The differentiator is how quickly you can demonstrate the audit-trail-to-evidence-pack workflow end to end, on real production data, in front of a procurement committee.

Read the original announcement on SecurityWeek for Anthropic's own framing, then sanity-check it against your own regulator's audit-trail expectations before you scope the pipeline.