TL;DR

Regulatory compliance – SOC 2, GDPR, HIPAA, PCI DSS, ISO 27001 – looks impenetrable from the outside. Hundreds of controls, dozens of policy documents, auditor-specific jargon, and no clear starting point. Before you hire a $300/hour consultant or drop $50K on a GRC platform, you can use Claude to do the initial heavy lifting: map which frameworks apply to your business, identify your biggest gaps, draft policies that match your actual infrastructure, build a prioritized remediation plan, and prepare for your first auditor conversation. This post walks through the process I used, with real prompts and outputs, to go from “we probably need SOC 2” to a concrete compliance roadmap in a single afternoon.

The Problem with Starting

The compliance industry has a gatekeeping problem. Every framework publishes its requirements in language designed for auditors, not engineers. SOC 2’s Trust Services Criteria reads like a legal document because it is one. GDPR’s 99 articles reference each other in circles. PCI DSS v4.0 has 264 requirements across 12 sections. The sheer volume creates paralysis.

Most teams respond in one of three ways:

  1. Ignore it until a customer or investor forces the conversation
  2. Hire a consultant who tells you what you already suspected but charges five figures to write it down
  3. Buy a GRC platform (Vanta, Drata, Secureframe) that automates evidence collection but still requires you to understand what you are collecting evidence for

Option 3 is the right long-term answer for most companies. But signing a $15K/year contract before you understand your own compliance posture is like buying a gym membership before you know which muscles are weak. You need a gap assessment first. Claude is remarkably good at this.

Step 1: Figure Out Which Frameworks Apply

The first question is not “how do we become compliant.” It is “compliant with what.” This depends on your industry, your customers, the data you handle, and where your users are located.

Here is the prompt I used:

I run a B2B SaaS platform that processes financial data for US-based
small businesses. We store names, email addresses, bank account numbers,
and transaction histories. We have 200 customers, $2M ARR, and 8
employees. Our infrastructure runs on AWS (us-east-1 and us-west-2).
We are based in Delaware.

Which regulatory and compliance frameworks apply to us? For each one,
tell me: (1) whether it is legally required or market-expected,
(2) the consequence of non-compliance, and (3) the typical timeline
to achieve initial compliance.

Claude returned a structured breakdown:

FrameworkRequired?ConsequenceTimeline
SOC 2 Type IIMarket-expectedLosing enterprise deals, failing vendor security reviews6-12 months
PCI DSSLegally required (if processing card data)Fines from card networks, loss of processing ability3-6 months (SAQ), 6-12 months (full)
GLBA/Safeguards RuleLegally required (financial data)FTC enforcement, state AG action3-6 months
State privacy laws (CCPA, etc.)Legally required (if CA customers)$7,500/violation (CCPA), state AG enforcement1-3 months
GDPRNot applicable (US-only customers)N/AN/A

The key insight was GLBA. Most SaaS founders know they need SOC 2 because customers ask for it. Fewer realize that the Gramm-Leach-Bliley Act’s Safeguards Rule applies to any company handling consumer financial data – and it has been enforced by the FTC since the 2023 updated rule. Claude flagged this because I described the data we store, not because I asked about GLBA specifically. A consultant would have flagged it too, but at $300/hour instead of $0.

Step 2: Map Your Current State

Before you can plan remediation, you need to know where you stand. Claude cannot scan your infrastructure (it does not have access), but it can generate a comprehensive self-assessment questionnaire tailored to your specific frameworks.

Based on the frameworks above (SOC 2, GLBA Safeguards Rule, and state
privacy laws), generate a gap assessment questionnaire organized by
control domain. For each question, include:
- The specific control it maps to
- What "good" looks like (the target state)
- Common gaps you see at companies our size

Focus on the controls most likely to fail at an 8-person startup
running on AWS.

Claude generated 47 questions across 8 domains. Here are a few that hit hardest:

Access Management

  • Do all employees use SSO with MFA for AWS console access? (SOC 2 CC6.1, GLBA 314.4(c))
    • Target: SSO via Okta/Google Workspace with hardware keys or TOTP. No shared credentials.
    • Common gap: Founder’s personal AWS root account still active with SMS-based MFA.

Encryption

  • Is data encrypted at rest and in transit for all datastores containing PII or financial data? (SOC 2 CC6.7, GLBA 314.4(c))
    • Target: AES-256 at rest (RDS encryption, S3 SSE-KMS), TLS 1.2+ in transit.
    • Common gap: Internal service-to-service traffic not encrypted. RDS parameter groups allowing unencrypted connections.

Incident Response

  • Do you have a documented incident response plan that has been tested in the last 12 months? (SOC 2 CC7.3, GLBA 314.4(h))
    • Target: Written IRP with roles, communication templates, regulatory notification timelines. Tabletop exercise conducted annually.
    • Common gap: No written plan. “We would figure it out” is the actual incident response strategy.

Vendor Management

  • Do you maintain an inventory of third-party vendors with access to customer data, with security assessments for each? (SOC 2 CC9.2, GLBA 314.4(f))
    • Target: Vendor register with data classification, SOC 2 report collection, annual review.
    • Common gap: No vendor inventory. Stripe, AWS, Datadog, and 15 other vendors have data access with no formal assessment on file.

I answered each question honestly and fed the responses back to Claude for gap analysis. This is where it gets useful.

Step 3: Prioritize the Gaps

Not all compliance gaps carry equal risk. A missing incident response plan is a finding on every SOC 2 audit. A missing vendor inventory is a finding too, but it is lower severity. Claude can rank your gaps by audit impact, legal exposure, and remediation effort.

Here are my gap assessment answers: [pasted 47 responses]

Prioritize these gaps into three tiers:
1. Critical: Would cause audit failure or regulatory enforcement
2. High: Would be flagged as a finding but not a deal-breaker
3. Medium: Best practice gaps that improve posture but are not audit-blocking

For each gap, estimate the remediation effort (hours) and whether it
requires tooling, policy changes, or both.

The output was a prioritized remediation backlog. Critical items included:

GapFrameworkEffortFix Type
No MFA on AWS root accountSOC 2, GLBA1 hourConfig change
No incident response planSOC 2, GLBA8 hoursPolicy document
No data retention/deletion policySOC 2, CCPA, GLBA4 hoursPolicy + code
Unencrypted internal trafficSOC 2, GLBA16 hoursInfrastructure
No access reviews (quarterly)SOC 22 hours/quarterProcess

The 1-hour items are obvious wins. Enable MFA on root, rotate the access keys, done. The policy documents are where Claude really shines.

Step 4: Draft the Policies

Every compliance framework requires documented policies. SOC 2 alone typically needs 8-12 policy documents. Writing these from scratch is miserable. Buying templates is $500-2,000 and they still need heavy customization.

Claude can draft policies that reflect your actual infrastructure and team size, not generic enterprise boilerplate.

Write an Incident Response Plan for our company. Here is our context:
- 8 employees, no dedicated security team
- Infrastructure on AWS (ECS, RDS PostgreSQL, S3, CloudFront)
- Communication via Slack, email via Google Workspace
- On-call rotation via PagerDuty
- Customer data: names, emails, bank account numbers, transactions
- Regulatory obligations: GLBA Safeguards Rule, SOC 2

The plan should be realistic for a team our size. Do not include
enterprise processes we cannot actually follow. Include:
- Severity classification
- Roles and responsibilities (map to actual team roles, not
  dedicated security titles)
- Communication templates (internal, customer, regulatory)
- Post-incident review process
- Regulatory notification timelines (GLBA, state breach laws)

The output was a 12-page plan that I could actually use. It assigned the CTO as incident commander (realistic at 8 people), included Slack channel naming conventions for incident coordination, had pre-written customer notification email templates with the right legal language for state breach notification laws, and included GLBA’s 30-day notification requirement to the FTC.

Compare this to a purchased template that assumes you have a CISO, a dedicated SOC, and a legal department. Those templates require more customization effort than writing from scratch.

I followed the same process for:

  • Information Security Policy – the umbrella policy covering acceptable use, access management, and data classification
  • Data Retention and Deletion Policy – mapped to CCPA’s “right to delete” and GLBA’s data minimization requirements
  • Vendor Management Policy – including a vendor risk assessment template
  • Change Management Policy – mapped to our actual CI/CD pipeline (GitHub Actions, staging environment, approval process)
  • Business Continuity Plan – based on our actual AWS multi-region setup

Six policy documents in an afternoon. Each one tailored to our infrastructure, our team size, and our regulatory obligations.

Step 5: Build the Roadmap

With gaps prioritized and policies drafted, the last step is a timeline. Claude can generate a week-by-week implementation plan that accounts for your team’s capacity.

Based on the prioritized gaps and drafted policies, create a 12-week
compliance roadmap. Constraints:
- 1 engineer can dedicate 10 hours/week to compliance work
- We want to engage a SOC 2 auditor at week 12
- Quick wins first, then infrastructure changes, then process rollout
- Flag any items that require external vendors or purchases

The output was a Gantt-style plan:

Weeks 1-2: Quick Wins

  • Enable MFA everywhere (AWS root, all IAM users, Google Workspace)
  • Enable AWS CloudTrail in all regions
  • Enable RDS encryption at rest (if not already)
  • Create a vendor inventory spreadsheet
  • Publish the Information Security Policy internally

Weeks 3-4: Policy Rollout

  • Finalize and distribute all 6 policy documents
  • Conduct the first quarterly access review
  • Set up AWS Config rules for compliance monitoring
  • Configure S3 bucket policies to enforce encryption

Weeks 5-8: Infrastructure Hardening

  • Implement internal TLS (service-to-service encryption)
  • Set up centralized logging (CloudWatch Logs → S3 with retention)
  • Implement automated vulnerability scanning (Dependabot, ECR scanning)
  • Build the data deletion pipeline (CCPA right-to-delete endpoint)

Weeks 9-10: Process Validation

  • Run a tabletop incident response exercise
  • Conduct the first vendor security assessment (Stripe, AWS)
  • Document the change management process with evidence from recent deploys

Weeks 11-12: Audit Prep

  • Collect evidence artifacts for each SOC 2 control
  • Prepare a readiness assessment document for the auditor
  • Schedule the Type I audit engagement

This is not a finished compliance program. It is a starting point that lets you walk into the auditor’s office with documentation, evidence of implemented controls, and a clear narrative about your security posture. The auditor will find gaps you missed. That is expected. But you will be starting from a position of competence, not confusion.

What Claude Gets Right

Framework mapping is excellent. Claude knows the control structures of SOC 2, GDPR, HIPAA, PCI DSS, ISO 27001, NIST CSF, and most industry-specific frameworks. It can cross-reference controls across frameworks (SOC 2 CC6.1 maps to ISO 27001 A.9.2.1 maps to NIST AC-2). This cross-mapping is tedious and error-prone when done manually.

Policy drafting saves weeks. The policies Claude generates are not perfect first drafts, but they are 80% there. The remaining 20% is customization that requires human judgment – legal review, team-specific workflow details, and regulatory nuance that depends on your jurisdiction. Starting from an 80% draft is categorically different from starting from a blank page.

Gap prioritization is practical. Claude correctly identifies that MFA and logging are week-one items, while vendor management and business continuity are month-two items. The prioritization reflects real audit expectations – auditors understand that startups are building the plane while flying it, and they look for evidence of a reasonable timeline, not perfection.

What Claude Gets Wrong

It is not a lawyer. Claude can identify that GLBA’s Safeguards Rule applies to your business, but it cannot tell you whether your specific data handling practices satisfy the “reasonable security” standard. That determination requires legal counsel who understands both the regulation and your business. Use Claude for the technical mapping, then validate the legal interpretation with an attorney.

It does not know your infrastructure. Claude’s gap assessment is based on what you tell it. If you forget to mention that your staging environment has a copy of production data with no encryption, that gap will not appear. The self-assessment is only as good as your honesty and completeness.

Control evidence is your job. Claude can tell you that SOC 2 CC6.1 requires access controls with periodic reviews. It cannot pull your AWS IAM access analyzer report, screenshot your MFA configuration, or export your quarterly access review log. Evidence collection is the tedious core of compliance, and it requires either manual work or a GRC platform.

Framework versions change. PCI DSS v4.0 replaced v3.2.1 with significant changes to authentication requirements and targeted risk analysis. Claude’s training data has a cutoff. Always verify that you are working against the current version of any framework. Check the issuing body’s website, not the AI’s memory.

When to Bring in the Professionals

Claude is a starting tool, not a finishing tool. You should engage external help when:

  • You need a formal audit opinion – only a licensed CPA firm (SOC 2) or Qualified Security Assessor (PCI DSS) can issue one
  • Legal interpretation is required – GLBA’s “reasonable security” standard, CCPA’s “business purpose” definition, and HIPAA’s “minimum necessary” rule all require legal analysis
  • Your risk profile is high – if you handle health records, process payments directly, or serve regulated industries (banking, defense), the stakes justify professional guidance from day one
  • Customers require specific attestations – some enterprise customers will not accept self-assessed compliance; they need a SOC 2 Type II report from a recognized firm

The right sequence: Claude for the first pass (free to $100/month), then a GRC platform for ongoing evidence collection ($15-30K/year), then an auditor for the formal opinion ($20-50K for Type II). Claude replaces the $10-30K you would otherwise spend on a consultant to tell you what you need to do before you engage the auditor.

The Prompting Pattern That Works

After running this process twice (once for a SaaS product, once for the homelab infrastructure), the pattern that produces the best results is:

  1. Start with your data inventory. Tell Claude exactly what data you collect, store, process, and share. Be specific about data types (PII, PHI, financial, biometric) and storage locations (AWS region, database engine, backup locations).

  2. Describe your team and infrastructure. Claude’s recommendations should match your actual capacity. An 8-person team cannot run the same compliance program as a 200-person company. Your policies should reflect the controls you can actually sustain.

  3. Ask for framework mapping before gap assessment. Identify which frameworks apply before you start checking controls. Otherwise you waste effort on frameworks that are irrelevant to your business.

  4. Feed answers back iteratively. Give Claude your gap assessment answers and ask it to reprioritize. The second pass is always better than the first because it accounts for your specific weaknesses.

  5. Request realistic outputs. Explicitly tell Claude not to generate enterprise boilerplate. Policies for an 8-person startup should look different from policies for a Fortune 500.

Bottom Line

Compliance is not optional for companies handling financial, health, or personal data. But the starting cost does not have to be five figures. Claude can map your regulatory landscape, identify your gaps, draft your policies, and build your roadmap in an afternoon. The output is not audit-ready – it is audit-preparatory. It gets you from “we should probably think about SOC 2” to “here is our 12-week plan, here are our drafted policies, and here is what we need from an auditor” in a single session.

The alternative is spending three months in paralysis, then paying a consultant to tell you the same things Claude would have told you for free.

Start the conversation. The wall is not as high as it looks.