Anthropic announced on 21 May 2026 that Claude now integrates with 28 security and compliance tools through a new Compliance API. The integrations span data loss prevention, secure access service edge platforms, security information and event management systems, identity providers, eDiscovery vendors, and AI security posture management tools. Partners on the launch list include Cloudflare, CrowdStrike, and Datadog. For Australian firms operating under APRA CPS 234, the Privacy Act 1988, AUSTRAC obligations, and the Security of Critical Infrastructure (SOCI) Act, this is the first time a frontier model vendor has shipped a control plane that maps cleanly onto the Australian regulator stack. We have spent the past two weeks talking to clients in Sydney, Melbourne, and Brisbane about what changes for their AI governance program now that this API exists, and the answer is: more than most expected.
What the Compliance API actually covers
The Compliance API is a programmatic surface that lets enterprise IT and security teams govern Claude the same way they govern Microsoft 365, Salesforce, or any other workplace SaaS application. Where most AI vendors ask security teams to trust marketing claims about data handling, Anthropic has shipped a documented API that connects to the tools your security team already runs. The result is that Claude usage no longer sits in a separate, opaque governance silo. The same DLP rules, the same identity policies, the same audit retention windows, and the same incident response runbooks can apply. For a Sydney-based bank with an existing investment of around $1.2M per year in its security operations stack, the alternative was either banning Claude internally or building a custom shadow governance layer that nobody could fully audit. The Compliance API removes that choice.
The 28 launch partners cover five broad categories. Knowing which category your existing controls fall into determines how much integration work you face.
Data loss prevention (DLP): tools that inspect prompts and outputs for sensitive content, blocking or redacting when policy is breached. Useful for Privacy Act compliance when staff paste personal information into Claude.
Secure access service edge (SASE): cloud-delivered network controls that route Claude traffic through corporate inspection points without forcing VPN configuration on individual machines.
Security information and event management (SIEM): collectors that pull Claude usage telemetry into the same dashboard your security team already watches for everything else, enabling incident correlation across SaaS.
Identity providers: SCIM provisioning, single sign-on, and conditional access tied to your existing Entra ID or Okta deployment. Joiner-mover-leaver workflows now apply to Claude licences as a matter of course.
AI security posture management (AISPM): a newer category that monitors prompts and responses for prompt injection, exfiltration attempts, and policy drift specific to AI workloads.
Why this matters for APRA CPS 234 and the Australian regulator stack
APRA CPS 234 sets information security obligations for regulated entities. It requires boards to remain accountable for cyber resilience and demands that material information assets, including those managed by third parties, are protected with controls commensurate with their criticality. Until now, Australian banks and insurers have had three honest paths with Claude: ban it, allow it with weak controls, or build a custom telemetry layer. The Compliance API gives a fourth path. Claude usage data flows into the SIEM you already report on. DLP policies apply at the prompt level rather than after the fact. Identity governance is unified. For an APRA-regulated entity that currently spends roughly $450,000 a year on third-party assurance reviews for its SaaS stack, the integration reduces the amount of bespoke evidence the AI vendor needs to produce in each annual review.
AUSTRAC enforcement under the AML/CTF Act has tightened materially in the past 18 months. Reporting entities that use AI in any part of their customer onboarding, ongoing monitoring, or threshold reporting workflow need defensible evidence that prompts containing customer identifiers are handled inside the same control envelope as the rest of their reporting pipeline. The Privacy Act 1988 reform that started in 2024 has raised the cost of mishandled personal information for everyone else. The new Compliance API does not make those obligations go away, but it removes the most common excuse for non-compliance, which was that the AI vendor governance surface did not connect to standard enterprise tooling. The Office of the Australian Information Commissioner has been clear in recent guidance that opacity in AI vendor controls is not a defence.
The 28-partner roster and what to look for in your stack
The launch partners include Cloudflare for SASE and network controls, CrowdStrike for endpoint and identity protection, and Datadog for observability and SIEM forwarding. Microsoft Purview and Splunk are also on the list. The full set covers about 80 percent of the security tools we see deployed inside Sydney mid-market and Melbourne enterprise customers. The remaining 20 percent are either smaller Australian vendors or older on-premises platforms that have not yet built MCP-compatible connectors. Anthropic has stated that the API is the same one its partner programme uses, so adding a new integration is not gated on Anthropic itself, which is the right architectural call.
When we audit a client's existing stack against the new launch list, we work through a short checklist before recommending which integrations to prioritise.
Which of our SaaS apps already feeds the SIEM, and does Claude need to match that retention window of 12 or 24 months for board reporting?
Does our DLP solution already inspect outbound traffic to the Claude endpoint, and what is the rule coverage gap we are accepting if we turn this off pending the API rollout?
Do our identity policies already enforce conditional access on Claude licences, including device posture checks for non-managed BYOD scenarios that Australian staff frequently use?
What is the AI-specific telemetry our security team needs that the general SIEM does not yet capture, and which of the AISPM partners covers that gap most directly?
What does the evidence pack for the next APRA tripartite assurance review look like with the Compliance API in place compared to the bespoke version we built last year?
How Australian firms should sequence rollout
For most clients we have walked through this, the work breaks into three phases. Phase one is identity and single sign-on integration through your existing provider, which is the fastest path to bringing Claude under joiner-mover-leaver governance. We typically complete this in under two weeks of part-time effort for a 500-seat Australian firm, and the licensing cost is already in the budget. Phase two is DLP and SIEM forwarding, where the work depends on how well your existing rules are documented. For a Sydney firm with mature DLP coverage on Microsoft 365, the incremental policy work for Claude prompts and outputs sits at around $35,000 of integration effort across a six-week window. Phase three is AI security posture management, which is the newest category and where we recommend most clients pilot rather than deploy at full scale. The tooling is still maturing, and the false-positive rates on prompt injection detection are not yet where the SIEM team will be comfortable signing off.
For Australian firms still running a blanket Claude ban because the governance story was not clear enough for the CISO, the Compliance API removes the principal objection. The conversation moves from 'should we allow Claude' to 'which of the 28 integrations do we turn on first.' Automata AI runs fixed-fee 30-day Claude governance reviews for Australian firms that need an independent read on the integration map before they commit to a rollout sequence. The output is a written assessment of which integrations to prioritise, a budget estimate against your existing security stack, and a draft board paper that maps Claude controls onto your APRA, AUSTRAC, and Privacy Act obligations. If you want to talk through what the new API changes for your specific environment, you can book a brainstorm session through our contact page.



