Claude Code for Regulated Industries: VPC and Audit Logs
Deploy Claude Code for regulated industries with in-VPC isolation, immutable audit logs, and compliance patterns for SOC 2, HIPAA, GDPR, and ISO 27001.
Claude Code for regulated industries is the most demanding deployment pattern in the AI coding agent space. The tool reads entire repositories, executes shell commands, edits source code, and calls external tools, and in healthcare, financial services, and public sector environments those repositories contain protected health information, customer financial records, or classified data subject to strict residency and retention requirements. The default Claude Code deployment, individual developer API keys pointing at api.anthropic.com, fails every meaningful audit: no per-user attribution, no audit trail, no network isolation, and no enforced access policy. Bifrost, the open-source AI gateway by Maxim AI, closes that gap by deploying inside the customer's VPC, enforcing identity-bound virtual keys, and producing immutable audit logs for every Claude Code request, with only 11 microseconds of overhead per request at 5,000 RPS.
Why Claude Code Raises Compliance Challenges in Regulated Industries
Claude Code's value comes from breadth of access: a single session can touch source code, build systems, infrastructure secrets, and customer data referenced in tests or seed files. That same breadth becomes the compliance problem. In a regulated environment, three issues surface almost immediately:
- No identity binding. When every developer holds their own Anthropic API key, there is no central record of who invoked which model with which prompt. The HIPAA Security Rule treats audit controls that "record and examine activity in information systems that contain or use electronic protected health information" as a baseline technical safeguard, per the HHS Security Rule summary.
- No data residency control. Prompts and tool outputs can leave the network boundary the moment a Claude Code session starts, with no way to enforce geographic or in-VPC processing.
- No policy enforcement. A junior contractor with Claude Code can call the same models, on the same data, with the same tools as a senior staff engineer.
The NIST AI Risk Management Framework treats each of these as a Govern and Manage function output, not an optional add-on, which puts pressure on platform teams to solve them at the infrastructure layer rather than per developer.
How a Gateway Closes the Claude Code Compliance Gap
Claude Code accepts a single environment variable to redirect traffic, ANTHROPIC_BASE_URL, and that one hook is all a gateway needs to take over the entire request path. Pointing it at a Bifrost instance routes every Claude Code call through a control plane that adds identity, governance, and observability without changing how developers use the tool:
```bash
export ANTHROPIC_BASE_URL=http://your-bifrost-instance:8080/anthropic
export ANTHROPIC_API_KEY=sk-bf-... # virtual key, not a raw provider key
```
Once redirected, every Claude Code session inherits four governance layers documented on the Bifrost Claude Code resource page: in-VPC deployment, audit logs, virtual keys with role-based access control, and multi-provider failover. The full configuration walkthrough is in the Claude Code integration docs.
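A platform team can check that a developer environment actually follows this redirect. The sketch below is an added example, not Bifrost or Claude Code code; the finding labels and the `gateway_hosts` allow-list are assumptions, while the `sk-bf-` prefix and `api.anthropic.com` default come from the text above.

```python
from urllib.parse import urlsplit

VIRTUAL_KEY_PREFIX = "sk-bf-"  # virtual-key prefix shown in the export example


def audit_claude_env(env, gateway_hosts):
    """Return a list of findings for one developer environment (empty = compliant).

    env           -- mapping of environment variables (e.g. os.environ)
    gateway_hosts -- set of approved gateway hostnames (assumed to be known)
    """
    findings = []
    base = env.get("ANTHROPIC_BASE_URL", "").strip()
    key = env.get("ANTHROPIC_API_KEY", "").strip()

    if not base:
        # No redirect: traffic goes straight to api.anthropic.com.
        findings.append("base-url-unset")
    else:
        url = urlsplit(base)
        if (url.hostname or "").lower() not in gateway_hosts:
            findings.append("base-url-not-gateway")
        if url.scheme != "https":
            # The virtual key would cross the network unencrypted.
            findings.append("plaintext-transport")

    if key and not key.startswith(VIRTUAL_KEY_PREFIX):
        # A raw provider key on a developer machine bypasses gateway policy.
        findings.append("raw-provider-key")
    return findings


if __name__ == "__main__":
    import os
    # Hostname taken from the export example; replace with the real gateway.
    for finding in audit_claude_env(os.environ, {"your-bifrost-instance"}):
        print("FINDING:", finding)
```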
In-VPC Deployment for Claude Code
In-VPC deployment is the foundation of Claude Code for regulated industries. Bifrost runs as a single Go binary that deploys into the customer's own VPC, on Kubernetes, ECS, GKE, or a managed VM. From that point forward, prompts, tool calls, response payloads, and audit logs never leave the network boundary unless the gateway is explicitly configured to forward them to a model provider.
Three deployment properties matter for regulated workloads:
- Network isolation. The Bifrost gateway speaks to LLM providers through outbound NAT or VPC endpoints, with allow-listed egress controlled by the customer's security team.
- Vault-managed credentials. Provider API keys live in HashiCorp Vault, AWS Secrets Manager, Google Secret Manager, or Azure Key Vault, never on developer machines or in environment files.
- Air-gapped and on-prem support. For workloads that require fully isolated infrastructure, Bifrost supports air-gapped and on-prem deployments where every component, including configuration storage and audit logs, runs inside customer-controlled hardware.
The full architectural pattern is documented in the in-VPC deployments guide.
Audit Logs and Compliance Evidence
Audit logs are where most Claude Code deployments collapse under regulatory scrutiny. Provider-side logs report total tokens consumed and costs incurred, but they do not answer the questions auditors actually ask: which user invoked which model with which prompt, when, from which IP, and what was the response. Bifrost's audit logs capture all of that at the gateway, in append-only storage with cryptographic-hash verification.
Every Claude Code request produces an audit record that includes:
- Identity context. Authenticated principal, virtual key, SSO user, team, and customer attribution.
- Request payload. Provider, model, parameters, message contents, tool calls, and timestamps.
- Response payload. Token counts (input, output, cache read, cache write), latency, finish reason, cost, and full response body.
- Policy outcomes. Guardrail decisions, routing decisions, fallback events, and any redactions applied.
Logs are immutable and designed for SOC 2 Type II, GDPR, HIPAA, and ISO 27001 evidence retention. They export to existing SIEM platforms (Splunk, Elastic, Datadog), data lakes (BigQuery, S3), and OpenTelemetry collectors so security and compliance teams keep multi-year trails outside the gateway without custom instrumentation.
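The page does not describe Bifrost's record schema or hashing scheme, so the following added example (not Bifrost code) shows one common way to make an append-only log tamper-evident: a SHA-256 hash chain whose head hash is also stored outside the gateway, for instance in the SIEM export. Field names and the chaining format are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value preceding the first entry


def entry_hash(prev_hash, record):
    # Canonical JSON so the same record always produces the same digest.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(log, record):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})


def verify(log, expected_head=None):
    """Return -1 if the chain is intact, else the index of the first bad entry.

    A return value of len(log) means the entries are internally consistent
    but the last hash differs from the externally stored head hash, i.e.
    the tail was truncated or extended.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return -1


def sample_log():
    # Constructed records; field names and values are hypothetical.
    log = []
    users = ["alice@example.com", "bob@example.com", "alice@example.com"]
    for n, user in enumerate(users):
        append(log, {"seq": n, "principal": user, "virtual_key": "vk-constructed-%d" % n,
                     "model": "example-model", "ts": "2025-01-01T00:00:0%dZ" % n})
    return log


if __name__ == "__main__":
    log = sample_log()
    head = log[-1]["hash"]  # the value that would be kept outside the gateway
    log[1]["record"]["principal"] = "mallory@example.com"  # simulated edit
    print("first bad entry:", verify(log, head))
```

Without the external head hash, dropping the newest entries leaves a chain that still verifies, which is why the head is checked separately.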
Identity, Access Control, and Virtual Keys
Audit logs are only meaningful when each request is tied to a real identity. Bifrost integrates with OpenID Connect identity providers including Okta and Microsoft Entra, so every Claude Code session is bound to a corporate SSO user rather than a shared key. Role-based access control with custom roles governs who can create virtual keys, modify budgets, view audit logs, and configure providers, separating platform administrators from developers consuming the gateway.
Each developer, team, or environment receives its own virtual key that encodes the applicable policy:
- Spend limits. Hard caps per day, week, or month, enforced before requests reach the provider.
- Model and provider access rules. A junior engineer might be limited to GPT-4o-mini; a senior engineer might have access to Claude Opus and frontier reasoning models.
- MCP tool filters. Allow-listed tools per virtual key keep customer-data-touching tools off non-production keys.
- Rate limits. Per-key token and request ceilings contain runaway Full Auto sessions before they exhaust shared quota.
When a virtual key is revoked, every workload using it loses access immediately, which is the access-control behavior most compliance frameworks expect of a credential-management system.
Compliance Patterns by Industry
Regulated industries share the same gateway pattern but layer different policy and evidence requirements on top:
- Healthcare and life sciences. HIPAA-bound deployments rely on in-VPC isolation, PII redaction guardrails, and audit trails that satisfy §164.312 audit-controls standards. The Bifrost healthcare and life sciences page covers the full deployment pattern.
- Financial services and banking. SOC 2 Type II, PCI DSS, and SR 11-7 model risk management apply on top of standard governance. Hierarchical budgets, vault-managed credentials, and tamper-evident audit logs are the load-bearing controls. The Bifrost financial services and banking page maps each capability to the relevant control.
- Government and public sector. FedRAMP, FISMA, and data-residency requirements push deployments into air-gapped or sovereign-cloud environments. Bifrost's single-binary deployment model works in restricted networks where commercial SaaS gateways cannot run.
All three patterns share the same operational primitives: in-VPC deployment, SSO-bound virtual keys, immutable audit logs, vault-managed credentials, and policy enforcement that produces evidence by default rather than after the fact.
Get Started with Compliant Claude Code Deployment
Claude Code for regulated industries is not an Anthropic problem; it is an infrastructure problem. The default deployment cannot produce the identity attribution, network isolation, or audit evidence that healthcare, finance, and government auditors expect, and adding these controls per developer scales badly. The gateway pattern, where every Claude Code session routes through an in-VPC Bifrost instance with virtual-key authentication and immutable audit logs, solves all three concerns in one architectural decision. Bifrost ships these capabilities in an open-source core with an enterprise tier for SSO, RBAC, and compliance-grade logging. To walk through a regulated Claude Code deployment with the Bifrost team, book a demo.