Claude activity governance: what it means for IAM teams


(@nhi-mgmt-group)

TL;DR: C1’s integration with Anthropic’s Claude Compliance API extends identity governance into Claude Enterprise and the Claude Platform, adding activity telemetry to access reviews, lifecycle workflows, and audit trails for human users and AI agents, according to ConductorOne. The governance problem is no longer seat provisioning alone, but whether access and activity can be tied together before dormant privileges and orphaned API keys become audit findings.

NHIMG editorial — what this means for NHI practitioners

By the numbers:

Questions worth separating out

Q: How should security teams govern access to AI platforms that are used by both people and agents?

A: Security teams should govern AI platforms with the same lifecycle discipline they use for NHIs, but add activity evidence to the review process.

Q: Why do AI platform permissions create lifecycle risk for IAM programmes?

A: AI platform permissions create lifecycle risk because access often outlives the task, project, or owner that justified it.

Q: How do you know if AI access reviews are actually working?

A: They are working only if reviewers can see current usage, revoke stale access, and produce evidence that the activity matched the approved purpose.

Practitioner guidance

  • Correlate access reviews with actual platform activity: Require reviewers to see recent Claude activity alongside entitlement records so they can distinguish active users from dormant ones before recertification closes.
  • Link API keys to accountable identities: Map every Claude Platform key back to a named person, role, and approval record so usage can be traced when the key is exercised by automation or an AI workflow.
  • Remove access when the business purpose ends: Automate lifecycle workflows to flag and revoke dormant seats, orphaned API access, and unused admin permissions when project or role ownership changes.

What's in the full announcement

ConductorOne's full post covers the operational detail this post intentionally leaves for the source:

  • How the Claude Compliance API exposes user logins, admin actions, and configuration changes into C1.
  • What the connector settings change for existing customers who need to enable Claude governance.
  • How C1 ties activity back to the person behind the key for audit and lifecycle workflows.
  • Which access review, approval, and evidence records are visible once Claude activity lands in the identity platform.

👉 Read ConductorOne's post on governing Claude identity and activity in C1 →

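The three checks in the practitioner guidance above (dormant seats, keys with no accountable owner, unused admin permissions) can be expressed as a join between an entitlement inventory and an activity feed. This is an added example, not part of the original post and not ConductorOne's or Anthropic's code; every record, field name, event type and the 90-day threshold is a constructed assumption, not the Claude Compliance API schema.

```python
from datetime import datetime, timedelta

# Constructed sample data. Field names and event types are assumptions for
# this example, not the schema of the Claude Compliance API or of C1.
ENTITLEMENTS = [
    {"id": "seat-alice", "owner": "alice", "role": "member", "approval": "REQ-101"},
    {"id": "seat-bob", "owner": "bob", "role": "admin", "approval": "REQ-102"},
    {"id": "seat-carol", "owner": "carol", "role": "member", "approval": "REQ-103"},
    {"id": "key-ci", "owner": "dave", "role": "member", "approval": "REQ-104"},
    {"id": "key-etl", "owner": None, "role": "member", "approval": None},
]
ACTIVE_OWNERS = {"alice", "bob", "carol"}  # dave is no longer in the directory
EVENTS = [  # (entitlement id, ISO timestamp, event type)
    ("seat-alice", "2025-05-28T09:12:00", "login"),
    ("seat-bob", "2025-05-30T14:03:00", "login"),
    ("seat-carol", "2025-01-15T08:00:00", "login"),
    ("key-ci", "2025-05-31T02:00:00", "api_call"),
    ("key-etl", "2025-05-31T03:00:00", "api_call"),
]

def review(entitlements, events, active_owners, now, dormant_days=90):
    """Return {entitlement id: sorted findings} for one recertification run."""
    cutoff = now - timedelta(days=dormant_days)
    last_seen, admin_used = {}, set()
    for ent_id, ts, kind in events:
        when = datetime.fromisoformat(ts)
        last_seen[ent_id] = max(when, last_seen.get(ent_id, when))
        if kind == "admin_action" and when >= cutoff:
            admin_used.add(ent_id)
    findings = {}
    for ent in entitlements:
        issues = []
        seen = last_seen.get(ent["id"])
        if seen is None or seen < cutoff:
            issues.append("dormant")        # access granted, no recent use
        if ent["owner"] is None or ent["approval"] is None:
            issues.append("unattributed")   # no named person or approval record
        elif ent["owner"] not in active_owners:
            issues.append("orphaned")       # owner left, access still live
        if ent["role"] == "admin" and ent["id"] not in admin_used:
            issues.append("unused_admin")   # admin role never exercised in window
        if issues:
            findings[ent["id"]] = sorted(issues)
    return findings

if __name__ == "__main__":
    now = datetime(2025, 6, 1)
    for ent_id, issues in review(ENTITLEMENTS, EVENTS, ACTIVE_OWNERS, now).items():
        print(ent_id, issues)
```

Note that `key-ci` and `key-etl` are both recently active, so an activity-only view would pass them; they are flagged only because the owner link is checked as well.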
(@mr-nhi)
 

AI platform governance is now an access-and-activity problem, not just an access problem. The article shows that seat provisioning alone does not tell you whether a user or agent is actually using Claude within approved scope. That is the same structural weakness that has long affected NHI governance, where entitlement exists on paper but usage and purpose drift in practice. Practitioners should treat activity data as part of identity governance, not as an optional logging layer.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • Another finding: 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who is accountable when AI platform activity cannot be tied to a person or approved scope?

A: Accountability sits with the organisation that failed to maintain the identity chain, approval trail, and activity record. If a Claude action cannot be linked to an owner and a valid scope, the governance gap is in the control model, not in the log file. Frameworks such as the NIST Cybersecurity Framework 2.0 emphasise that accountability must be observable, not assumed.

👉 Read our full editorial: Claude activity governance exposes the gap in AI identity control



   