Claude meets the SOC: Removing the AI blind spot

Security and SOC teams can now monitor Claude activity directly in Exaforce, with full identity-graph context, sensitive-chat labeling, and behavioral threat detection on top of the audit trail.

Devesh Mittal

Eddie Parra

AI assistants like Anthropic's Claude have moved from a curiosity to core infrastructure in less than a year. Engineering teams write code with them, finance teams model with them, legal teams summarize contracts with them, and security teams themselves use them to investigate alerts. Every one of those workflows touches sensitive data, including source code, financials, PII, and trade secrets, and every one of them creates a new identity, a new project, a new chat that lives outside the SIEM, the DLP, and the access reviews that protect the rest of the enterprise.

For security and SOC teams, that gap is uncomfortable. You can see who logged into Okta last night. You can see what files were touched in Google Drive. But until now, what your finance lead pasted into a Claude chat at 2 a.m. from an IP in a country your company doesn't operate in was invisible.

We're announcing that Exaforce has integrated with Claude's Compliance API, bringing Claude Enterprise activity directly into the Exaforce platform: as inventory, and as a first-class source for identity context, content sensitivity, and threat detection. Claude is now an enterprise data surface, and Exaforce makes it governable, investigable, and detectable like the rest of the security stack.

What Exaforce sees once you connect Claude

When you connect your Claude Enterprise organization to Exaforce, we pull from the Compliance API to build a complete picture of how Claude is being used inside your company:

  • Organizations, users, and organizational roles: every Claude user is mapped back to their corporate identity in Okta, Entra, Google Workspace, or whatever IdP you run.
  • Projects, project roles, and ownership: privacy settings, attachment counts, chat counts, and the humans accountable for each project.
  • Conversations and messages: auditable events, with content available for sensitivity analysis (more on this below).
  • Attachments and project knowledge: files uploaded into Claude projects are inventoried as resources, with relationships back to the projects and identities that touched them.
  • Audit events: logins, role changes, API key creation, project membership changes, conversation views, and more.
  • Posture findings: stale API keys, elevated users with no recent activity, sensitive projects with broad membership, orphaned project owners, weakened project privacy settings, and projects containing sensitive chats or files.

Most AI visibility stops at inventory and audit logs. That's the foundation, but it is also roughly where most AI visibility stories end. Exaforce connects Claude activity to identity, sensitivity, behavior, and access, so teams can understand not just what happened, but who was involved, what data was exposed, and whether the behavior was abnormal. It does that in three specific ways that matter for SecOps.

1. Threat detection on Claude audit events

Inventory tells you what exists. Detection tells you when something is wrong. Exaforce treats Claude audit events the same way it treats Okta, Google Workspace, GitHub, and Zscaler events: as a stream that is baselined along several dimensions (per identity, per workspace, per project, and so on) and evaluated against behavioral and rule-based detectors. Because Claude activity is correlated with the surrounding enterprise telemetry, Exaforce can connect a Claude event to identity, device, network, repository, cloud, endpoint, and SaaS activity within the same investigation.

Take sensitive chats viewed from an anomalous location. A user whose 90-day baseline shows logins exclusively from Bengaluru suddenly opens a chat labeled as containing PII, from an ASN in another country. Exaforce correlates the Claude conversation-viewed event with the user's identity-graph baseline (geo, ASN, device, time of day) and raises an alert with the full chain of evidence.

Other out-of-the-box detections include:

  • anomalous off-hours access to high-sensitivity projects
  • first-time API key creation by an identity that has never used the API surface before
  • bulk attachment downloads from a project containing chats previously flagged as sensitive
  • role escalation, where a user is promoted to Owner or admin of a project they never previously touched
  • disabled SSO or weakened privacy settings on projects that hold sensitive content

Figure: Threat finding for an ASN and location anomaly
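Here is the per-identity baseline logic from the Bengaluru example, written out as an added illustration in Python. It is not Exaforce's detector: the event field names (actor, event_type, country, asn, conversation_id) and the label lookup are assumptions rather than the Compliance API's schema, and the login history and events are constructed sample data.

```python
"""Per-identity geo/ASN/time-of-day baseline for Claude audit events.

Added illustration, not Exaforce's detector. Event field names and the
label lookup are assumptions; all events below are constructed samples.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed output of a sensitivity labeler, keyed by conversation id.
# Only labels reach the detector, never the chat content itself.
SENSITIVITY = {"conv-17": {"PII"}, "conv-42": set()}


@dataclass
class Baseline:
    countries: set = field(default_factory=set)
    asns: set = field(default_factory=set)
    hours: set = field(default_factory=set)  # hours of day seen in the window
    events: int = 0


def build_baselines(history, now, window_days=90):
    """Learn each actor's normal geo, ASN and working hours from past events."""
    cutoff = now - timedelta(days=window_days)
    baselines = defaultdict(Baseline)
    for e in history:
        if e["ts"] < cutoff:
            continue
        b = baselines[e["actor"]]
        b.countries.add(e["country"])
        b.asns.add(e["asn"])
        b.hours.add(e["ts"].hour)
        b.events += 1
    return dict(baselines)


def evaluate(event, baselines, min_events=20):
    """Return a finding for one new event, or None if it fits the baseline.

    An identity with too little history gets no finding: alerting on an
    empty profile only produces noise, so the threshold is an explicit choice.
    """
    b = baselines.get(event["actor"])
    if b is None or b.events < min_events:
        return None
    reasons = []
    if event["country"] not in b.countries:
        reasons.append("new_country")
    if event["asn"] not in b.asns:
        reasons.append("new_asn")
    if event["ts"].hour not in b.hours:
        reasons.append("off_hours")
    if not reasons:
        return None
    labels = SENSITIVITY.get(event.get("conversation_id"), set())
    sensitive_view = event["event_type"] == "conversation.viewed" and bool(labels)
    return {
        "actor": event["actor"],
        "event_type": event["event_type"],
        "reasons": reasons,
        "labels": sorted(labels),
        # Anomalous access to a labeled chat is the case worth paging on;
        # the same anomaly on an unlabeled chat is context, not an incident.
        "severity": "high" if sensitive_view else "low",
        "baseline": {"countries": sorted(b.countries), "asns": sorted(b.asns),
                     "events": b.events},
    }


NOW = datetime(2025, 6, 1, 2, 0)  # the 2 a.m. view from the narrative
# Constructed history: 30 logins over the last 30 days from India (IN),
# one ASN, between 09:00 and 16:00.
HISTORY = [
    {"actor": "priya@example.com", "event_type": "login", "country": "IN",
     "asn": 24560, "ts": (NOW - timedelta(days=d)).replace(hour=9 + d % 8)}
    for d in range(1, 31)
]
ANOMALOUS = {"actor": "priya@example.com", "event_type": "conversation.viewed",
             "conversation_id": "conv-17", "country": "US", "asn": 16509, "ts": NOW}
ROUTINE = {"actor": "priya@example.com", "event_type": "conversation.viewed",
           "conversation_id": "conv-42", "country": "IN", "asn": 24560,
           "ts": NOW.replace(hour=10)}
UNKNOWN = {"actor": "new.hire@example.com", "event_type": "conversation.viewed",
           "conversation_id": "conv-17", "country": "US", "asn": 16509, "ts": NOW}

if __name__ == "__main__":
    baselines = build_baselines(HISTORY, NOW)
    for ev in (ANOMALOUS, ROUTINE, UNKNOWN):
        print(ev["actor"], evaluate(ev, baselines))
```

Two design points carry over to a real detector: the `min_events` floor keeps a brand-new identity from alerting on every action, and severity is driven by the sensitivity label, which is exactly why the labeling step in the next section exists.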

2. Sensitive chat labeling

Knowing that a chat was viewed is useful. Knowing whether that chat contained PII, secrets, or regulated data is what turns an interesting audit event into an actionable incident.

Exaforce analyzes Claude chat content and labels each conversation based on the types of sensitive data it contains. That analysis is broad by design: a single conversation might contain a customer's name and email, a payment card number, and an internal API key all at once, and Exaforce will flag each category present. The goal is to give your team enough signal to know whether a chat is routine or worth investigating before they ever open it. The same labels also support AI governance and audit workflows by showing where regulated data, secrets, customer data, financial data, or other sensitive material appears inside Claude projects.

These labels then feed back into detections and into the access graph. An alert for sensitive chat viewed from an anomalous location only fires because the chat has a sensitivity label. An alert about a sensitive chat shared in a new project only matters if we know what sensitive means in your environment. Labels are the connective tissue between identity, audit, and risk.

Importantly, sensitivity analysis runs without keeping a parallel copy of your conversation content: only labels and minimal evidence snippets flow into the platform, so Exaforce does not become a second long-term repository for Claude conversations. Content is analyzed to produce sensitivity labels, minimal evidence, and detection context, while the original content remains governed in Claude. Even minimal snippets are fragments of sensitive data, so access to findings deserves the same care as access to the chats themselves.
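As an added illustration of a labeler that emits categories plus minimal, masked evidence (my example, not Exaforce's classifier; the category names, patterns and masking rules are my own and far narrower than a production detector), the code below labels a constructed chat for three categories and returns masked evidence instead of the matched values, so a finding can be triaged without the full content leaving the analysis step:

```python
"""Label a chat's sensitive-data categories, emitting masked evidence only.

Added illustration, not Exaforce's classifier: the categories, patterns and
masking rules are my own, and the chat text below is constructed.
"""
import re

# Illustrative patterns; a production labeler would cover many more categories.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # 13-19 digits with optional spaces/hyphens; Luhn-checked below so that
    # order numbers and phone numbers do not become false "card" labels.
    "payment_card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "aws_access_key": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
}


def luhn_ok(digits):
    """Luhn checksum; true for real card numbers, false for most random digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(category, value):
    """Keep just enough for an analyst to recognize the hit, never the value."""
    compact = re.sub(r"[\s-]", "", value)
    if category == "email":
        local, _, domain = compact.partition("@")
        return local[0] + "*" * (len(local) - 1) + "@" + domain
    if category == "payment_card":
        return "*" * (len(compact) - 4) + compact[-4:]
    return compact[:4] + "*" * (len(compact) - 8) + compact[-4:]


def label_conversation(conversation_id, text):
    """Return the categories present and masked evidence for each one."""
    evidence = {}
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            if category == "payment_card" and not luhn_ok(re.sub(r"[ -]", "", value)):
                continue
            hit = mask(category, value)
            if hit not in evidence.setdefault(category, []):
                evidence[category].append(hit)
    return {"conversation_id": conversation_id,
            "labels": sorted(evidence),
            "evidence": evidence}


SAMPLE_CHAT = (  # constructed text, not a real customer record
    "Customer Ravi Kumar (ravi.kumar@example.com) paid with card "
    "4111 1111 1111 1111; the deploy key AKIAIOSFODNN7EXAMPLE was rotated."
)

if __name__ == "__main__":
    print(label_conversation("conv-17", SAMPLE_CHAT))
```

The Luhn check is the part that matters operationally: without it, any 13-19 digit order or tracking number would earn a chat a payment-card label, and the detection built on top of that label would page on noise.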

3. Identity access graph

The third piece, and the one most analogous to what teams already use Exaforce for across the rest of their stack, is the identity access graph.

Exaforce builds a graph that walks from a corporate identity all the way down to the individual Claude resources that identity can reach, through organization roles, through organization membership, through project roles, into the projects themselves, and finally into the attachments and project knowledge files inside them.

Here's an example of what that graph looks like for a single user with Owner role on three Claude projects:

Identity access graph: Identity → OrganizationRole → Organization → ProjectRole → Project → Resource

Each node in the graph maps to a layer of access. Identity is the corporate user, resolved against your IdP. OrganizationRole captures what that user can do at the Claude org level, while Organization tracks which Claude Enterprise org they belong to. From there, ProjectRole records the role they hold inside each project, Project surfaces every project they can reach along with its privacy settings and metadata, and Resource exposes the actual content reachable from those projects, including project knowledge files, datasets, and attachments.

Click any node and you can pivot. For example, you can show every identity that can reach a dataset, or show every project a user owns that contains PII-labeled chats. The same graph traversals that your team already runs for AWS IAM, Okta groups, or GitHub repo access now work for Claude.
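The traversals described above, as an added Python illustration that is not Exaforce's graph engine: the graph is a constructed toy with hypothetical node ids, the edge semantics are my simplification of the six layers, and the chat labels are a constructed lookup. It answers the three questions in the text: what a user can reach, who can reach a given resource, and which projects a user owns that contain PII-labeled chats.

```python
"""Walk a constructed identity access graph for Claude resources.

Added illustration, not Exaforce's graph. Node ids are hypothetical; the
edge semantics are a simplification of the six layers described above.
"""
from collections import defaultdict, deque

# Node ids are "<layer>:<id>". Edges point from the holder/container to what
# it grants or contains, so a forward walk from an identity yields its reach.
EDGES = [
    # Identity -> OrganizationRole -> Organization
    ("identity:alice@example.com", "orgrole:alice@example.com/org-1/admin"),
    ("orgrole:alice@example.com/org-1/admin", "org:org-1"),
    ("identity:bob@example.com", "orgrole:bob@example.com/org-1/member"),
    ("orgrole:bob@example.com/org-1/member", "org:org-1"),
    # Identity -> ProjectRole -> Project
    ("identity:alice@example.com", "projectrole:alice@example.com/proj-a/owner"),
    ("projectrole:alice@example.com/proj-a/owner", "project:proj-a"),
    ("identity:alice@example.com", "projectrole:alice@example.com/proj-b/owner"),
    ("projectrole:alice@example.com/proj-b/owner", "project:proj-b"),
    ("identity:bob@example.com", "projectrole:bob@example.com/proj-a/member"),
    ("projectrole:bob@example.com/proj-a/member", "project:proj-a"),
    # Project -> Resource (attachments, project knowledge, chats)
    ("project:proj-a", "resource:proj-a/customers.csv"),
    ("project:proj-a", "chat:conv-17"),
    ("project:proj-b", "resource:proj-b/roadmap.pdf"),
    ("project:proj-b", "chat:conv-42"),
]
# Constructed labeler output; only labels are attached to the graph.
CHAT_LABELS = {"chat:conv-17": {"PII", "payment_card"}, "chat:conv-42": set()}


def build(edges):
    """Forward and reverse adjacency so pivots work in both directions."""
    fwd, rev = defaultdict(set), defaultdict(set)
    for src, dst in edges:
        fwd[src].add(dst)
        rev[dst].add(src)
    return fwd, rev


def walk(adj, start):
    """Breadth-first closure of `start` over one direction of the graph."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def layer(node):
    return node.split(":", 1)[0]


def reachable_content(fwd, identity):
    """Every attachment, knowledge file or chat the identity can reach."""
    return sorted(n for n in walk(fwd, identity) if layer(n) in ("resource", "chat"))


def who_can_reach(rev, content):
    """Pivot from a resource back to every identity with a path to it."""
    return sorted(n for n in walk(rev, content) if layer(n) == "identity")


def owned_projects_with_label(fwd, identity, label):
    """Projects where the identity holds Owner and some chat carries `label`."""
    hits = []
    for role in fwd.get(identity, ()):
        if layer(role) == "projectrole" and role.rsplit("/", 1)[1] == "owner":
            for project in fwd.get(role, ()):
                chats = (c for c in fwd.get(project, ()) if layer(c) == "chat")
                if any(label in CHAT_LABELS.get(c, set()) for c in chats):
                    hits.append(project)
    return sorted(hits)


FWD, REV = build(EDGES)

if __name__ == "__main__":
    print(reachable_content(FWD, "identity:bob@example.com"))
    print(who_can_reach(REV, "resource:proj-a/customers.csv"))
    print(owned_projects_with_label(FWD, "identity:alice@example.com", "PII"))
```

The reverse walk in `who_can_reach` is the "every identity that can reach a dataset" pivot; during an identity-compromise investigation the forward walk from the compromised account is the first query an analyst runs.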

Who this helps across security and governance

SOC analysts investigating an identity compromise can immediately see what Claude projects, chats, and attachments the compromised account could reach, and whether any sensitive chats were opened during the window of interest. Detection engineers can write rules against Claude audit events in the same language and engine they already use for the rest of the identity stack, with behavioral baselines computed per-user.

Compliance leads can prove who has access to what and where sensitive data lives inside Claude projects, and produce audit-ready evidence without exporting logs into yet another tool. Insider risk teams get a complete picture of how a departing employee or a flagged user has been using Claude, including what they viewed, what they uploaded, and what they shared, alongside everything else Exaforce already monitors.

As Claude expands into developer workflows, connected tools, MCP servers, repositories, webhooks, and automation, Exaforce gives teams a way to correlate Claude activity with the broader AI supply chain: by resolving the identity, the resource, and the sensitivity involved, and by detecting when behavior deviates from normal.

Get started securing Claude

The Claude Compliance API integration is available now for joint Exaforce and Claude Enterprise customers. If you're already running Exaforce, you can onboard via the connector directly from the Data Sources page. If you're new to Exaforce and want to see Claude usage through a SOC-grade lens, reach out for a demo.

Claude is going to be inside every workflow that matters. The visibility, sensitivity, and detection layers should be there too.
