Governance & Compliance Best Practices
A condensed set of practices for keeping a Claude workspace governed responsibly, drawn from the rest of this section.
Use it as a quick-reference gut check before or after a rollout, not as a replacement for the fuller checklists elsewhere in this section.
How to Use This List
- Treat each item as a standing practice, not a one-time task - most of these need to be revisited periodically, not just completed once.
- Use this as a summary to orient a new admin quickly, then point them to the fuller checklists and explainers for detail.
- Revisit this list whenever your organization's data usage or team footprint changes meaningfully.
A - Data Retention and Training Settings
- Set the data retention window deliberately, not on default. Confirm the current value and document why it fits your organization's data sensitivity.
- Configure the training opt-out as its own decision. Don't assume tightening retention also opts conversations out of training - verify both settings independently.
- Set the retention window to match your most sensitive use case, not the average one. The strictest team in scope should effectively set the floor for the whole workspace.
- Document the reasoning behind these settings, not just the final values, so a later audit or review doesn't require reconstructing the logic from scratch.
B - Compliance Posture
- Know which frameworks actually apply to your organization - SOC2, GDPR, both, or neither in a formal sense - before assuming every setting needs to be maximally strict.
- Treat vendor compliance posture and your own compliance obligations as separate, related things. A vendor's SOC2 report is evidence about the vendor; your organization's own configuration and documentation is what satisfies your GDPR-style obligations.
- Keep compliance evidence together in one place - retention settings, training opt-out status, and vendor documentation should be easy to produce together during a review.
- Re-check your compliance posture whenever the organization's data usage changes - a new regulated project or client contract is a natural trigger, not just an annual calendar date.
C - Audit Logging
- Turn on and locate the audit log before you need it, not during an active incident.
- Assign a named owner for audit log review. A log nobody reviews provides limited practical value regardless of how complete it is.
- Review on a fixed cadence, quarterly at minimum, plus ad hoc review whenever something unexpected changes in the workspace.
- Remember what the audit log does and doesn't cover. It records admin actions and access events, not conversation content - plan other controls to cover what it doesn't.
D - DLP and Employee Guidance
- Write short, category-based guidance on what's okay to paste into Claude, rather than an exhaustive list of banned terms that goes stale quickly.
- Distribute that guidance at onboarding, and reinforce it periodically. A single mention during setup tends to be forgotten within months.
- Give high-risk teams tailored guidance. Legal, finance, customer support, and HR generally handle more sensitive data than a general-purpose team and warrant more specific rules.
- Name a clear point of contact for unclear cases. Removing ambiguity about who to ask is one of the most effective ways to prevent accidental exposure.
E - Rollout Governance
- Assign a single accountable owner for the overall governance posture, even when individual tasks are delegated across teams.
- Treat expansion to a new team or business unit as a trigger to re-verify settings, not an assumption that existing configuration automatically covers the new scope.
- Schedule a post-rollout check-in, not just a pre-launch review, since real usage at scale often reveals gaps that planning alone doesn't catch.
- Revisit this entire list at least annually, and immediately after any major organizational change.
FAQs
Is this list a substitute for the full checklists elsewhere in this section?
No - it's a condensed summary meant for quick orientation.
For a full pre-rollout walkthrough, use the dedicated checklists on configuring admin settings and preparing for an enterprise-wide rollout.
Which of these practices matters most to get right first?
Data retention and training settings (section A) - they're foundational, and getting them wrong affects everything else, including how much exposure a later DLP mistake actually creates.
How often should this list be revisited?
At least annually, plus any time the organization's data usage, team footprint, or applicable regulations change meaningfully.
Why does audit logging show up as its own category here?
Because it's the practice most commonly set up correctly and then never actually used - having the log active isn't the same as having someone review it on a defined cadence.
Do smaller teams need to follow all five categories, or can some be skipped?
Even small teams benefit from a lightweight version of all five - the depth can scale down, but skipping a category entirely (especially guidance and settings) tends to create the same kind of risk regardless of team size.
What's the single most commonly skipped practice on this list?
Reinforcing employee guidance after the initial distribution - it's easy to write and distribute once, and easy to forget to repeat, which is exactly when it stops being effective.
Related
- Governance & Compliance Basics - the full walkthrough these practices are drawn from
- Data Handling Controls Every Admin Should Configure - the detailed checklist behind sections A and C
- Compliance Checklist Before Rolling Out Claude Enterprise-Wide - the detailed checklist behind section E
- Writing PII Handling Guidance for Teams Pasting Sensitive Data - the detailed guide behind section D
Stack versions: Written against the Claude model lineup current as of ~June 2026 - Claude Fable 5, Claude Opus 4.8, Claude Sonnet 5 (the default), and Claude Haiku 4.5. Model names, pricing, and product features move quickly - verify current specifics at platform.claude.com/docs before relying on them.