Policy Incidents

  • Violations appear on the Detection & Response page, filterable by Channel = Claude (Compliance API).

  • Each incident shows the matching content (prompt text, completion text, or file content) with findings highlighted. Credentials are redacted with ████.

  • Status is IN_PROGRESS until an analyst acts on the incident. This matches Nightfall's standard async-violation behavior.

  • The Claude Activity view shows admin events (logins, member changes, API-key creation, configuration changes) from your Claude organization. These events are written to the Nightfall audit log and forwarded to SIEM. They never appear as incidents.

Scope and limitations

Read this section before deploying so expectations match reality.

  • Monitor-only on this channel. The Compliance API is post-hoc, so Nightfall sees content after it has been submitted to Claude. Inline pre-submit blocking on Claude is handled by the Nightfall endpoint agent on Claude Desktop, Claude Code, and the browser tab. (Link to endpoint-agent help doc.)

  • Claude Enterprise only. The Claude Team plan is not exposed by the Compliance API.

  • No model-inference coverage on the Claude Platform. The Compliance API does not expose model-inference content. For real-time scanning and blocking on Claude Code (IDE and CLI), see the Nightfall AI Agent Security integration based on Claude Code Hooks and OpenTelemetry. (Link to AI Agent Security help doc.)

  • No coverage of Claude on Amazon Bedrock or Google Vertex AI.

  • No ACL or permission graph. Identity governance over Claude (who can access which project) lives with Okta and SailPoint.
