The Claude Compliance API: what it captures, what it misses, and where Compliance for Claude fits

Anthropic ships a Compliance API for Claude Enterprise, relaunched in May 2026 with 28 security and compliance integrations (Microsoft Purview, CrowdStrike, Okta, Zscaler, and more). It is a real first-party audit feed, and if your firm is on Enterprise you should turn it on. It also has structural blind spots that matter for mortgage compliance, and that is exactly where Compliance for Claude fits.

What it actually captures

The Compliance API has two layers, and it is worth being precise about each, because the gap is not where people assume.

The Activity Feed (/v1/compliance/activities) — event metadata: who acted (email, user ID, IP address), the event type, the chat and project IDs, and timestamps. The feed itself carries identifiers, not the content of conversations or projects.

The content endpoints — on-demand retrieval of full chat content, uploaded files, and projects, for claude.ai organizations, using a Compliance Access Key.

So it is more than metadata. With the right key, an admin can pull the actual conversation text and the files that were attached. Give it credit for that: the blind spots are not “it only sees metadata,” they are elsewhere, and they are specific.

Why a compliance officer should turn it on

Where it stops: four blind spots

The Compliance API is a strong identity-and-content feed for claude.ai sessions. Four gaps matter for a mortgage compliance program, and the first one is the big one.

1

Cowork is excluded

Claude Cowork — the Microsoft 365 / Teams / SharePoint integration most regulated lenders will actually run on — is excluded from the Compliance API, the audit logs, and data exports. That history stays on user laptops. For the workflow this site recommends, the API captures nothing.

2

No tool, MCP, or sub-agent traces

The feed records that a session happened, not what the model did inside it: which prompts ran, which model answered, what tools were called, what they returned. Those signals live in OpenTelemetry, which Anthropic itself flags as not audit-grade.

3

Raw, not structured

Even where content is retrievable, it is an unstructured conversation dump. A chat transcript does not tell an examiner that §1024.41(b)(2) got refreshed, which obligation IDs were checked, or what changed in the P&P. That is the work; the API gives you the session, not the finding.

4

180-day retention

Anthropic keeps this data for 180 days. Mortgage compliance retention runs years. To keep an audit trail you have to export and retain it yourself: “it’s on Anthropic’s side” is a reason to export on a schedule, not a reason to relax.

Where Compliance for Claude fits

Compliance for Claude is built for the four gaps above. The Compliance Log is a structured workflow you attach to a Claude session:

Pairing them: what works today, what’s buildable

Where you have both — Claude Enterprise on claude.ai, plus the Compliance Log on your reviews — the two are complementary: the API binds identity and timing, the Compliance Log carries the substance. A reconciliation that joins them on timestamp + user + filename (every API session that touched a P&P, matched to its Compliance Log output, with the unmatched rows flagged) is a natural next build.

To be clear: that reconciliation tooling is not built yet. It is a near-term pilot, and it only helps for claude.ai sessions — Cowork has nothing on the API side to join against. Today the durable move is simpler: run the Compliance Log on every review and keep its output, in your own retained library, alongside whatever the API export gives you.

Turning the feed on

The Compliance API is admin-only. It is unlocked by a Compliance Access Key the primary owner creates in claude.ai (full access), or an Admin API key in the Console (Activity Feed only). The CCO usually needs IT to enable it. Here is a request template the CCO can hand IT verbatim:

Compliance team request: Enable + export Claude Compliance API for
audit-trail review.

Scope: Members of {[email protected]}.
Slice: Sessions where attached files match /pp/* OR session title contains
       any of {"P&P", "policy", "review", "refresh", "Compliance for Claude"}.
Frequency: Monthly export, NDJSON or CSV (Anthropic retains 180 days, so
           export on a schedule and retain on our side).
Retention: 7 years on our side (matches firm's compliance record-retention
           policy).
Reason: Standing audit-trail program for AI use on compliance work.
        Supports OCC AI accountability expectations + your AI inventory
        obligations.
Note: claude.ai sessions only — Claude Cowork is not covered by the
      Compliance API, so Cowork reviews rely on the Compliance Log artifact.
Destination: {[email protected]} SharePoint library
             "Compliance for Claude Reviews / _evidence-feed".

Compliance team owns the report and remediation; IT owns the feed plumbing.

What you can do today

  1. Check your plan. Enterprise almost certainly has the Compliance API (ask IT to enable it). Team has a capped CSV audit export only. Pro has none.
  2. Turn on the feed for your claude.ai sessions and export it on a schedule into a library you control. Anthropic keeps only 180 days, so the retained copy is on you.
  3. Use the Compliance Log on every P&P review — especially in Cowork, where the API cannot reach. The Compliance Log drops into any project or Cowork session.
  4. Keep the Compliance Log outputs in your own retained library. Same SharePoint folder as the API export. See the Microsoft 365 walkthrough for the recommended folder shape.