The questions compliance, security, and risk teams ask when evaluating Claude and other LLMs.

The Compliance Mental Model — What They’re Actually Thinking About Claude

A map of the questions compliance officers, security teams, and risk committees ask when evaluating Claude (and any LLM). Some of this overlaps with the governance pattern; much of it is deeper — the anxieties, edge cases, and strategic worries that sit underneath the obvious data-privacy question.

Working draft — April 18, 2026

Why This Asset Exists

When you pitch Claude to a regulated firm, compliance doesn’t ask one question — they ask thirty. Some are the obvious data questions. Some are about vendor stability, contractual exit paths, model behavior changes, and liability you haven’t thought about yet.

If you walk into that room knowing only the marketing answers, you lose the deal. If you walk in having anticipated every question, you close it.

This asset is the anticipation map. Read it before any regulated-industry conversation. It pairs with connector-governance-pattern.md — that file is what you build; this file is what they’re worried about.

The One-Sentence Version

Compliance isn’t trying to block Claude. Compliance is trying to protect five things — data, regulatory standing, operational continuity, employee judgment, and the firm’s reputation. If your pitch addresses all five, compliance becomes your ally.

What Compliance Is Actually Trying to Protect

Compliance is often caricatured as “the no team.” In reality, they’re protecting five assets, and every question they ask maps to one of them. Know the asset, and you know how to answer.

#	Asset	What happens if it fails
1	Data — client PII, proprietary info, privileged content	Regulatory fines, litigation, breach notification costs, reputational hit
2	Regulatory standing — the firm’s license to operate	Exam findings, enforcement actions, loss of licensure
3	Operational continuity — the ability to keep doing business	Outages, vendor failure, data lock-in, contract disputes
4	Employee judgment — the humans making decisions	Over-reliance on AI, skill atrophy, liability for AI-driven decisions
5	Reputation — public perception and trust	AI-gaffe headlines, client defection, employer brand damage

The mistake most sellers make: answering only for Asset 1 (data). The other four matter just as much and often more in the final decision.

The Ten Questions Compliance Will Ask

These are the questions that come up in every evaluation, roughly in this order.

1. Where does our data actually go?

What they mean: Data flow diagram from our environment to Anthropic’s and back. Who sees what, on whose servers, passing through whose network.

How to answer: Walk through the three surfaces. Chat/Cowork/Code sit on Anthropic’s infrastructure. Connectors sit on your infrastructure and strip PII before anything leaves. Reference the front-desk metaphor from the governance pattern.

2. Will Anthropic train on our data?

What they mean: Is our proprietary content going to become part of a future model that our competitors can query?

How to answer: Under Claude Teams and Enterprise, Anthropic’s published policy is that customer conversations are not used to train models. Confirm this in writing in the firm’s specific Data Processing Agreement (DPA). The free consumer tier has different terms — that’s why Teams/Enterprise is the right purchase for any firm.

3. How long is data retained, and can we delete it?

What they mean: If we cancel, does our data disappear? If an employee makes a mistake, can we scrub it?

How to answer: Conversation history is retained per the firm’s agreement. Users and Teams admins can delete conversations. The DPA specifies timeline for full deletion including backups. A limited trust-and-safety retention window exists for abuse prevention — confirm the scope in writing.

4. How do we prove to an auditor that we’re using this responsibly?

What they mean: We have an exam coming. Can we produce an audit trail?

How to answer: Three layers of audit exist: (1) Teams admin console conversation logs, (2) connector-side logs (firm-controlled, on firm infrastructure — this is where the real audit lives), (3) output review logs if integrated into workflows. The connector logs are immutable and complete.

5. What can go wrong with AI output itself?

What they mean: Hallucinations. Confabulations. Confident wrong answers. What happens when an employee acts on something Claude got wrong?

How to answer: Every AI output is a draft requiring human review. Claude does not make decisions — humans do. Policy: no AI output goes to a client, a filing, or a counterparty without human review and sign-off. The audit trail shows which human approved what.

6. What if an employee violates our AI policy?

What they mean: We know someone is going to paste a client name into Claude by accident. What’s our process?

How to answer: Walk through the seven-step incident response pattern (detect → contain → notify → assess → vendor notify → document → remediate) from the governance pattern. Emphasize: the policy assumes violations will happen, and the process handles them cleanly.

7. How does this fit our existing regulatory obligations?

What they mean: Map Claude to our specific regs (SEC, FINRA, HIPAA, GDPR, state laws, industry bar requirements). Show your work.

How to answer: The governance pattern includes a regulatory mapping table. For the firm’s specific regulations, walk through requirement → how the connector architecture addresses it. Don’t hand-wave.

8. What’s our out?

What they mean: Vendor lock-in. Data portability. What if Anthropic raises prices 10x or gets acquired by a competitor?

How to answer: Your data lives in your systems, not in Claude. Conversation data can be exported. Skills and connector configurations are your intellectual property, not Anthropic’s. Model output is replaceable with another model’s output — the workflow belongs to the firm, not the vendor. Contract should include data return/destruction on exit.

9. Who in the vendor’s organization can see our data?

What they mean: Insider risk. Subprocessors. Who could access our conversations on a Tuesday afternoon at Anthropic?

How to answer: Anthropic has published data access controls. Limited personnel can access data and only for specific trust-and-safety purposes. Full details in the DPA. The firm can require contractual constraints on subprocessors. And — crucially — if the connector de-identification architecture is in place, even a worst-case insider breach returns only code numbers and structured data, not identifiable client content.

10. How do we keep this under control as adoption grows?

What they mean: It’s easy to govern 5 users. What happens when we have 500?

How to answer: The architecture is the governance. Connectors enforce policy per request, not per user. The AUP is uniform. The audit trail scales automatically. What changes with scale is training frequency and monitoring cadence — not the underlying controls.

LLM-General Concerns (applies to any AI vendor, not just Claude)

These are the questions that apply to any LLM evaluation. Know these before you walk in.

Hallucinations and accuracy

Every LLM can produce confident-sounding wrong answers.
Mitigation: human review, grounded prompts, structured data inputs via connectors.
Firm policy: no AI output is decisional without human sign-off. Full stop.

Prompt injection

A malicious or malformed input can make an LLM ignore its instructions.
Mitigation: connectors control what reaches Claude; user-generated content from external sources should be treated as untrusted.
Example: a client email containing “ignore previous instructions” shouldn’t be processed blindly.

Bias and fairness

All LLMs carry bias from training data.
Mitigation: human review of decisional outputs; sampled audits of AI-drafted content; documentation of how AI is used in consequential decisions.
Regulated industries (lending, hiring, healthcare): AI use in decision-making may trigger fair-access laws.

Over-reliance and skill atrophy

Employees may stop developing the judgment AI is supposed to assist.
Mitigation: training emphasizes AI as a draft generator, not a decision maker. Periodic unassisted work to keep skills sharp.
This is a real concern in wealth management, legal research, medical diagnosis — anywhere judgment is the product.

Model updates and behavior drift

LLMs change over time as vendors update them. Outputs tomorrow may differ from today’s.
Mitigation: test prompts regularly. Document model version in audit trail. Budget time for re-tuning workflows after major model releases.
Claude specifically: Anthropic typically provides deprecation notice of 12+ months, but behavior can still shift within a model version.

Cost predictability

Usage-based pricing can spike unexpectedly.
Mitigation: Teams/Enterprise plans have seat-based predictable pricing. Set per-user monthly extra-usage caps. Monitor the Usage tab.

Vendor stability

AI companies are new. Some will fail, be acquired, or pivot.
Mitigation: own your IP (skills, connectors, prompts). Your workflow should be portable to another LLM if needed.

Subprocessor chain

Your vendor’s vendors. Who does Anthropic use for hosting, monitoring, support?
Mitigation: DPA should list subprocessors. Firm should require notification of changes. Critical for GDPR/CPRA compliance.

Data sovereignty

Where are the servers physically located? Does that matter for your regulations?
Mitigation: ask where data is processed and stored. For EU firms, this is material. For US-only firms, usually manageable.

Claude-Specific Posture — Honest

Where Claude makes compliance easier, and where it doesn’t. Don’t oversell.

Where Claude helps

No-training-on-conversations policy for Teams/Enterprise — documented and contractually enforceable.
Native connector / MCP support — the governance architecture is first-class, not a bolt-on.
Teams admin console with real audit features.
Constitutional AI training — Claude is generally more conservative about harmful outputs than some competitors.
Anthropic’s safety posture — public methodology, a known responsible-scaling framework, and an Anthropic Acceptable Use Policy that aligns well with enterprise compliance.
Deprecation notice — 12+ months typically, which gives workflows time to adapt.
Enterprise agreements include BAA (for HIPAA) and DPA (for GDPR/CPRA). Ask your sales contact.

Where Claude requires the firm to do work

Connectors are your architecture. Anthropic provides the protocol (MCP); the firm builds the connector. Expect real IT investment.
Audit trail is split — some in Anthropic’s console, some in the firm’s connector logs. Firm must maintain both and reconcile if needed.
Training cannot be outsourced. Users will make mistakes. Ongoing training and AUP reinforcement are not optional.
Model-output liability is yours. Claude produces drafts. Humans sign. The firm bears responsibility for what gets sent.

Where Claude is still evolving

Regulatory certifications — SOC 2 Type II is available; FedRAMP, HITRUST, and some others are in varying stages. Confirm what’s live for your firm’s plan.
Data residency — options are growing but not uniform across regions. Ask if EU-resident or US-only processing is required.
On-premises option — not currently available. If the firm requires fully air-gapped AI, Claude is not the right fit today.
Microsoft ecosystem — Outlook, Teams, OneDrive, SharePoint don’t have direct connectors yet. Workaround via orchestration (Zapier, Make). Name this gap.

Red Flags and Green Flags

Red flags (compliance should push back)

Sales pitch that doesn’t mention the DPA.
Vendor can’t produce a list of subprocessors.
No clear answer on data deletion timeline.
No audit log accessible to the firm.
No BAA available (for HIPAA) or no DPA (for GDPR).
“No training on your data” — but only verbally, not in contract.
Free-tier usage being pitched for regulated work.
Vendor can’t show a concrete incident-response path.
No model-version documentation or deprecation policy.

Green flags (compliance should lean in)

Vendor walks through DPA terms without prompting.
Written confirmation: no training on customer data.
Published audit capabilities (Anthropic has these for Teams).
Native admin console with SSO + SCIM support.
Deletion procedures specified with concrete timelines.
Architecture allows firm-controlled de-identification (connectors).
Independent security certifications (SOC 2 Type II, etc.).
Transparent safety methodology and published model cards.
Contractual indemnification for IP and third-party claims.

Claude (on Teams/Enterprise) hits most of the green flags. The red flags are usually artifacts of free or unmanaged AI use — which is exactly what the firm should be replacing with governed Claude adoption.

The Industry-Specific Layer

General compliance questions get the firm to 70%. The remaining 30% is industry-specific. Pair this asset with:

connector-governance-pattern.md — the six-step pipeline, AUP template, industry adaptation table.
zenith-connector-governance.pdf — a concrete case study for wealth management.
connectors-by-industry.md — the specialty-tool stack per industry.

Map the industry before the meeting:

Industry	Core add-ons to compliance conversation
Financial services	SEC, FINRA, Reg S-P, books & records, supervision rules
Legal	Privilege preservation, conflicts, bar requirements, litigation hold
Healthcare	HIPAA, HITECH, BAA, minimum necessary rule, state privacy laws
Insurance	State DOI regulations, consumer notice rules, claims data handling
Government / public sector	FedRAMP posture, FOIA considerations, records retention
EU-facing firms	GDPR, EU AI Act, data residency, DPO involvement
California	CPRA, ADMT (automated decision-making tech — active Jan 2027)

How to Have This Conversation

Three rules for the seller.

1. Lead with the reframing. The instinctive compliance response is “block AI.” That’s actually higher-risk — because users will work around it by pasting data into consumer ChatGPT. The governed-Claude path gives the firm control. Open with that.

2. Answer in writing what you answer in the meeting. Every compliance answer should map to something durable — a DPA clause, a policy document, an architecture diagram. Verbal assurances get forgotten. Written answers survive.

3. Bring the pattern, not just the pitch. Show up with the governance pattern already drafted. Offer to co-author it with the firm’s compliance team as part of the engagement. That converts the conversation from “should we?” to “how do we?”

Landmark Language

Compliance isn’t the no team — they’re protecting five assets.
The five assets are data, regulatory standing, operational continuity, employee judgment, reputation.
The instinctive compliance move — block AI — is the highest-risk move, because users work around it.
Verbal answers don’t survive audits. Answer in writing.
Every AI output is a draft requiring human review. Humans sign.
The architecture is the governance. Connectors enforce policy per request, not per user.
If the DPA doesn’t say “no training on customer data” in writing, it isn’t true.
Your workflow belongs to the firm. The LLM is replaceable.

Say these and you sound like a compliance partner, not an AI salesperson. That’s the whole shift.

The Compliance Mental Model — What They're Actually Thinking About Claude