Enterprise Governance & Risk

Records Your Regulators May Ask For

When an examiner asks "show me how you govern your AI," the answer is a set of documents. The organizations that struggle are not the ones with weak governance — they are the ones who governed well and wrote nothing down.

Claude 3P 101 · Updated July 2026 · Unofficial guide

Regulatory expectations for AI vary enormously by industry and jurisdiction, and this article makes no claim that any particular record set satisfies any specific requirement — that determination belongs to your compliance and legal teams. What is remarkably consistent across regimes, though, is the categories of documentation examiners ask for. If you maintain these as living records rather than reconstructing them under deadline, most documentation requests become retrieval exercises. Here are the categories, and where Claude's platforms help you populate them.

1. Inventory and risk assessments

The near-universal first request: a complete list of AI use cases, each with an owner, a description, a risk classification, and the reasoning behind it. This is your AI registry plus, for each entry, the intake-time risk assessment: what could go wrong, who could be harmed, what controls exist. Include the deployment details examiners increasingly probe — which model (Claude model IDs are pinned snapshots, so an exact ID identifies exactly what ran), which platform (first-party API, Claude Platform on AWS, Bedrock, Vertex AI, Foundry), and who acts as data processor on that platform.

2. Validation and testing evidence

Examiners want proof the system was tested before deployment and is re-tested when it changes: evaluation plans and results, accuracy and error analysis for the intended use, bias evaluations where relevant, and the acceptance decision with a name and date on it. The key property is reproducibility — recorded model ID, prompt version, test set, and results that a reviewer could re-run.

3. Change logs

A record of what changed and when: model version migrations, system prompt revisions, configuration changes, and the re-validation each triggered. Model migrations deserve special care because they are observable events with published timelines — for example, Anthropic publishes deprecation and retirement dates for model IDs — so an examiner can check whether your change log acknowledges a migration you demonstrably had to make. Version your prompts like code (see system prompt versioning) and this category largely writes itself.

4. Operational and usage records

Evidence the system is monitored in operation: usage patterns, error and refusal rates, spend, and anomaly reviews. On the first-party Claude API, the Usage and Cost Admin API provides token usage with breakdowns by model, workspace, and service tier, and cost reports at daily granularity — a durable, exportable basis for usage records. Anthropic's documentation also describes a Compliance API whose Activity Feed retains data for six years, aimed at organizations with monitoring obligations. On Bedrock, Vertex AI, and Foundry, the equivalent evidence comes from your cloud provider's logging and billing systems. Decide retention periods for these records deliberately, with your counsel, not by tool default.

5. Incident records

What went wrong, when it was detected, who was notified, what was done, and what changed afterward. An empty incident log is less credible than a modest one with closed loops. Your incident playbook defines the process; this record proves it runs.

6. Governance and accountability artifacts

The program-level paper: your AI policy, role definitions and committee charters, training completion records (see the literacy program), and vendor due-diligence files. For the vendor file on Anthropic specifically: Anthropic states it has obtained SOC 2 Type I & II, ISO 27001:2022, ISO/IEC 42001:2023 (AI management systems), and offers a HIPAA-ready configuration with BAA — with compliance documentation available through its Trust Center. Two cautions: those statements apply to Anthropic's commercial products such as the Anthropic API, and they do not extend to deployments through Amazon Bedrock, Google Cloud, or Microsoft Foundry, where the cloud provider is the data processor and you must verify certifications and data-handling terms with that provider. Your vendor file should therefore document both Anthropic's posture and your cloud provider's, matched to the platform you actually use.

CategoryLiving source
Inventory & risk assessmentsAI registry + intake records
Validation evidenceEval results, pinned model IDs, sign-offs
Change logsPrompt/config version control, migration records
Operational recordsUsage/Cost API exports, cloud provider logs
Incident recordsIncident tracker with closed loops
Governance artifactsPolicies, charters, training records, vendor files
Rule of thumb: every record should answer, without a meeting: what ran, who owned it, how you knew it worked, and what you did when it didn't.

Where to go next

The registry that anchors category 1 is covered in maintaining an enterprise AI registry; see also decision audit trails and compliance inheritance for the platform-side evidence.

Sources