Claude Governance
How to roll out Claude without leaking confidential data.
If you handle sensitive data, the question is not whether Claude is safe. It is whether you have put the right data in the right workspace, controlled who can see it, and can prove it. This guide is the governance reference for the people who answer to compliance, finance, and the board.
Start here
The biggest objection is already answered
By default, Anthropic does not train its models on the inputs or outputs of paid commercial plans, Team or Enterprise. That is a contractual commitment, and it is the same answer on both tiers. A Data Processing Addendum is included automatically with both. The one way commercial data enters training is if your organization explicitly opts in, or if a user clicks the thumbs up or down feedback button, and an admin can switch that button off across the organization.
Consumer tiers (Free, Pro, Max) are a different product with different terms, and they are not fit for business or regulated data. Block them. The real governance work is not about training. It is about classification, access, and proof, which is what the rest of this guide covers.
The floor
The minimum defensible floor for business data is Team. The floor for regulated or audited governance is Enterprise. A personal consumer account fails on every count: no DPA, longer retention exposure, a likely breach of your own data policy, and human review of flagged content.
Step one
Classify your data first
Governance only works if you know what you are protecting. Four tiers cover almost every team. Decide what belongs in each, then the rest of the controls follow.
The diagnostic question
The fastest way to find out where a team really stands: ask how today’s policy would stop someone from pasting a confidential document into a personal AI account at home. If the answer is that it would not, the policy exists on paper only.
Step two
Pick the tier on governance, not headcount
Both tiers carry the no-training commitment and a DPA. What separates them is control. Team is fine for a small pilot. The moment you need SSO with your identity provider, audit logs into a SIEM, custom retention, or roles that enforce an information barrier, you want Enterprise. One thing to plan for: the Team-to-Enterprise migration is a one-way door, so if you expect to need Enterprise within a year, start there.
Want the full pricing and billing breakdown? Read the complete Team vs Enterprise comparison.
Step three
Write a six-part AI use policy
A workable policy is short, specific to your actual Claude setup, and different for different roles. Keep it to six parts, and back it with the technical controls above. A policy with nothing enforcing it is the stage-one trap.
1. Approved tools and accounts
Name the approved environment explicitly: the company's Claude Team or Enterprise tenant only. Block personal accounts and consumer tiers for any work. The most common failure is people using the wrong workspace, not a model flaw, so train people to recognize which account they are in.
2. Acceptable use
List the workflows that are approved: research on public information, drafting internal memos from non-sensitive inputs, summarizing public documents, formatting, editing, code. Tie each one to a data tier so the line is concrete.
3. Prohibited use
No restricted data. No material behind an information barrier. No regulated personal data your policy forbids. No data barred by an NDA or data-room clause. And no AI as the final decision-maker on a customer or investment outcome.
4. Human in the loop
Require a named human to review and own any AI-assisted output before it is used. Distinguish a cursory read from a substantive review, and write down which one is required for which kind of work.
5. Disclosure norms
Decide where AI use is disclosed. A working line: AI as an internal tool assisting a reviewed work product usually needs no disclosure; AI-generated content sent to a customer, investor, or counterparty without human review does. Keep any public claims about your AI capabilities accurate.
6. The drafts-only rule for anything outbound
AI output is a draft until a human reviews, edits, and signs off. Nothing AI-touched reaches a client, an investor, a board, a counterparty, or a regulator without that step. For regulated firms this is the single most important operational rule, because outbound communications carry the most exposure.
Where teams really are
The three stages of control
Most teams have a written policy and assume it protects them. It does not enforce itself. Real governance moves through three stages, and very few teams have reached the third.
Stage 1
Written policy only
A document exists and nothing enforces it. Most teams are here. A policy does not stop a junior from pasting a confidential file into a personal AI account at home.
Stage 2
Technical controls on access
DNS, proxy, or endpoint controls restrict which AI tools people can reach, so consumer accounts are blocked and the approved tenant is the path of least resistance.
Stage 3
Data loss prevention tied to classification
DLP is wired to your data classification, so an employee cannot paste or upload classified data into even an approved tool. This is the goal, and it requires a real classification program first.
For Microsoft shops
The Microsoft 365 connector, in plain terms
If your company runs on Microsoft 365, this is the integration that matters, and it was built with governance in mind. The connector to Outlook, SharePoint, OneDrive, and Teams is read-only. It cannot send mail, create documents, or post in Teams. It uses per-user sign-in, so Claude sees only what the signed-in person can already open, and it respects sensitivity labels, folder permissions, and your Conditional Access rules. Every retrieval lands in your Microsoft 365 audit log.
Turning it on takes two deliberate steps: an organization owner enables the connector, then a Microsoft Entra global administrator grants consent. Until both happen, no one has access. You can scope it to a pilot security group first, and you can revoke any individual capability (mail, files, SharePoint, Teams) from Entra at any time.
The one sharp edge
SharePoint search uses a tenant-wide read scope. You cannot tell the connector to search only certain sites. Because it still mirrors each user’s own permissions, the control is on the Microsoft side: anyone who should not reach a walled site simply should not have access to it in the first place. Lock down third-party app consent too, so individuals cannot quietly self-register a connector through a personal account.
The questions you will be asked
What compliance, finance, and the board will want to know
Short, accurate answers to the questions that come up in every governance conversation.
Does Anthropic train on our data?
Not on paid commercial plans. By default, Anthropic does not train on the inputs or outputs of Team or Enterprise, and this is a contractual commitment in the commercial terms. The exceptions are if your organization explicitly opts in, or if a user submits thumbs up or down feedback, and admins can disable that feedback button across the organization. Consumer tiers (Free, Pro, Max) are different and are not appropriate for business data.
Where does our data go, and is there an EU option?
First-party Claude (Team and Enterprise chat) processes and stores in the US, and Enterprise offers a US-only inference control. There is no first-party EU workspace today. If you need EU data residency, the route is Claude through AWS Bedrock or Google Vertex AI in EU regions, which shifts the primary processing contract to AWS or Google. Settle this with counsel if you have EU customers or entities.
Who can see what inside our organization?
By default, Anthropic employees cannot read your conversations, with narrow exceptions for your consent or a safety flag. Within your org, chats are private to the user unless shared, and projects can be private or shared. Enterprise adds fine-grained custom roles and groups so you can enforce information barriers. There is no live admin dashboard that reads employee chats in real time on either tier.
What is logged, and can we feed it to our SIEM?
Enterprise only. Audit logs capture user actions, sign-ins, and file and system events as metadata; chat content is not in the audit log. The Compliance API gives programmatic access to the activity feed plus chat and file content and feeds tools like Splunk, Sentinel, and Datadog. Team has no audit logs, only an on-demand export by the primary owner. One gap to flag: Claude Cowork activity is currently excluded from audit logs, the Compliance API, and data exports, so OpenTelemetry to your SIEM is the only visibility there.
How long is data retained, and can we control it?
Team keeps a 30-day default with no custom control. Enterprise lets you configure retention (30-day minimum) with automatic deletion when it expires. The API default is shorter. Content flagged for a policy violation can be retained longer. Enterprise's Compliance API also supports scripted deletion for data-subject requests.
Is there a DPA or a BAA?
A Data Processing Addendum with Standard Contractual Clauses is automatically included with Team and Enterprise through the commercial terms, so no separate signature is needed for standard deployments. Free and Pro carry no DPA. A BAA is available on Enterprise as a sales-assisted, HIPAA-ready offering, relevant mainly if a part of your business handles protected health information.
How do we prevent shadow AI and unauthorized connectors?
Block consumer tiers with DNS, proxy, or endpoint controls, and provide the approved tenant so people do not reach for personal accounts. In Microsoft, require admin approval for third-party app consent, audit Entra Enterprise Applications for entries named Claude or MCP, and use Defender for Cloud Apps and Entra Shadow AI discovery. The deeper fix is technical access control plus DLP, not policy alone.
Can we restrict which SharePoint sites Claude can search?
Not at the connector level. SharePoint search through the Microsoft 365 connector uses a tenant-wide read scope, and per-site allowlisting is not supported. Control it on the Microsoft side: because the connector mirrors each user's own permissions, a walled site should simply not be accessible to the person running the query, or you remove the SharePoint scope entirely.
How do we measure adoption without reading anyone's chats?
Enterprise's Analytics API gives aggregated engagement and adoption metrics across the organization without exposing individual chat content. That lets you report utilization to leadership without monitoring conversations. Audit logs are metadata, content requires a deliberate export, and there is no real-time per-message monitoring.
Regulated industries
When the stakes are higher
Some sectors carry exposure that ordinary teams do not. The governance pattern is the same. The default-deny line just moves earlier, and a few questions belong with your own counsel rather than with us.
Investment firms, private equity, and finance
Here the crown-jewel data is not personal information. It is confidential investment data and material non-public information. Treat that material the way you treat an information barrier: never enter it into a general workspace, and mirror your deal-team walls in Claude using Enterprise roles, groups, and private projects rather than one shared org. NDAs and data-room agreements increasingly bar uploading material into AI systems, so check the documents before any diligence content goes near a tool. Securities-law questions, whether something is material non-public information, Regulation S-P timelines, marketing-rule and recordkeeping obligations, and accuracy of any public AI-capability claims all stay with your compliance officer and counsel. This page is operational guidance, not legal advice.
Healthcare and protected health information
If any part of your business handles protected health information, that is Enterprise plus a signed BAA, and a few features are limited under that arrangement. Confirm the current terms with Anthropic before relying on them, and keep clinical and regulatory determinations with your own advisors.
Multi-entity groups and portfolios
If you run several companies, each usually has its own legal entity, its own Microsoft tenant, and often its own compliance perimeter. That points to separate Enterprise organizations per entity with shared policy templates, not one organization for everyone. Several controls (zero-retention arrangements, the Compliance API, customer-managed keys, retention) are set per organization, so plan for a consistent federation rather than a single monolith.
About this guide
Product facts here are current as of June 2026 and are drawn from Anthropic’s published documentation, privacy center, and pricing page. Plan terms, retention defaults, seat limits, and feature placement change, so verify against docs.claude.com, trust.anthropic.com, and claude.com/pricing before relying on a specific detail in a contract.
This is operational guidance, not legal or regulatory advice. Determinations about securities law, regulated personal data, fiduciary duties, and recordkeeping belong with your own counsel and compliance officer. Claude Training is an independent practice and is not affiliated with, endorsed by, or sponsored by Anthropic.
Roll out Claude with the governance already built in
The 60-Day Claude Rollout installs the operating layer and the controls together: classification, access, an AI use policy, and a measurable adoption story your board can read. Book a free call to talk through what your team needs.