When your organization adopted AWS, Google Cloud, or Azure, a great deal of work went into vetting the provider: security reviews, contract negotiation, data processing agreements, audit rights, and mapping the provider's attestations to your own regulatory obligations. Compliance inheritance is the idea that a service running inside that vetted environment starts from that established baseline instead of from zero. For Claude on Amazon Bedrock, Google Vertex AI, or Microsoft Foundry, the model is offered as a service of the cloud platform itself, so much of the paperwork your auditors care about is paperwork you already hold.
What inheritance actually gives you
Three concrete things. First, contractual coverage: usage typically falls under your existing agreements with the cloud provider — including data processing terms — rather than requiring a new vendor relationship, which alone can save months of procurement and legal review. Second, infrastructure assurance: the physical, network, and operational security of the underlying platform is covered by the provider's compliance program, which they document and have assessed on an ongoing basis. Third, familiar control surfaces: identity and access management, audit logging, private networking, and encryption controls are the same ones your teams already operate and your auditors already test, so evidence collection reuses existing machinery.
A necessary hedge: which specific certifications, attestations, and regulatory frameworks cover which services, in which regions, changes over time and differs by provider. Running Claude inside your cloud means it inherits your cloud provider's compliance posture — but confirm the specifics with your provider, in writing, for the exact service and region you plan to use. Never assume a platform holds a particular certification because the provider's other services do, and never let this guide substitute for that confirmation.
What inheritance does not cover
Everything above the platform line is yours. Inheritance says nothing about who in your organization can invoke the model, what data your application sends in prompts, whether your retrieval pipeline leaks records across customer boundaries, how outputs are reviewed before they reach users, how long you retain your own logs, or whether your use of an LLM in a given business process is appropriate under the regulations that govern that process. An auditor's questions about your Claude deployment will mostly land in this upper layer, precisely because the lower layer is already well-trodden.
Regulated industries add a further layer: sector rules (in finance, healthcare, government) govern how you may use automated systems for particular decisions, and no infrastructure attestation answers those questions. That analysis belongs to your compliance and legal teams, ideally engaged before the pilot rather than after it.
Using inheritance well in an audit
The teams that sail through reviews do three things. They obtain the provider's current compliance documentation for the specific AI service and keep it with the project record, rather than citing it from memory. They map each of their own obligations to a control: platform-inherited ones point at provider documentation, application-layer ones point at their own evidence — access policies, audit logs, data-handling procedures, human-review gates. And they keep the story current: platforms add capabilities and change terms, so an annual re-check of the provider documentation is cheap insurance against an audit finding that your evidence is stale.
One special note for Claude Platform on AWS: it is operated by Anthropic and runs on AWS, which is a different arrangement from a cloud-provider-operated service like Bedrock. Do not assume its compliance story is identical to Bedrock's — ask for its specific documentation and treat it as its own line in your assessment.
Where to go next
Ground the compliance story in the actual data flows with Where Does Your Data Go?, and prepare for the questions reviewers actually ask in The Security Review: What Your CISO Will Ask. The main guide's FAQ covers the short-answer versions.