Anthropic Just Shipped Claude for Legal. And It's Good News for Waivern

Anthropic released Claude for Legal on 12 May 2026, with over 20 MCP connectors for Westlaw, Box, OneDrive, DocuSign, iManage, Relativity, and a dozen others, plus 12 practice-area plugins covering everything from M&A diligence to AI governance counsel.

More than 20,000 legal professionals registered for the webinar about it.

Predictably, the takes started flying. "AI compliance tools are dead." "Anthropic is going to eat the GRC market." "Why would anyone pay for [pick a vendor] when Claude can just do it?"

We're a startup building AI-enabled compliance automation. We watched the announcement carefully. And our reaction was: "Finally."

This is going to make life easier for anyone who builds honest products.

To explain why, we need to look at how compliance automation works, and what approaches various players in this market take.

The five things every compliance tool has to handle

Whatever the framework or regulation (ISO 27001, SOC 2, DORA, GDPR, or the EU AI Act), every compliance workflow conceptually requires:

  1. Connectors - reach into the customer's systems to get the data
  2. Evidence gathering and mapping - extract the relevant signals and align them against the regulation
  3. Making compliance decisions - make the regulatory judgement calls
  4. Outputs - produce the deliverables a regulator or auditor will accept
  5. Continuous compliance - keep all the above current as the business and the law evolve

Let's have a look at how each player handles these tasks.

[Figure: Matrix comparing how compliance tooling vendors automate connectors, evidence gathering, compliance decisions, outputs, and continuous compliance]

Reading the diagram

A few things worth unpacking.

The bottom of the stack has converged

Every serious player now has automated connectors and AI-assisted evidence work.

A year ago, this was a real differentiator. Today, it's table stakes. Whatever you read in vendor marketing about "AI-powered evidence collection" - they all do it. The real question is what's built on top.

Everyone says they use "AI" with "humans-in-the-loop"

OneTrust calls itself an "AI-Ready Governance Platform." Vanta calls itself an "Agentic Trust Platform." Drata is "AI-native." We use AI too. So do the wrappers. The marketing vocabulary has converged completely. But the architecture hasn't, and architecture is what matters most.

Compliance decisions are what matters the most

That's where the players actually diverge. And where things get really interesting under the surface. Because it is where real compliance work happens.

The compliance decisions problem

The reason this layer matters is that compliance decisions have a property that makes them genuinely different from most LLM use cases: being wrong creates legal liability that can't be retracted with a polite apology.

If an LLM hallucinates a restaurant recommendation, you have a bad lunch.

If an LLM hallucinates that transferring your data to a US sub-processor is GDPR-compliant when it's not, you have a regulator on the phone and a 4%-of-global-turnover problem.

The legal profession is already living through this. Judges have been issuing sanctions to lawyers who submit briefs containing AI-generated citations to cases that never existed. Bar associations have issued warnings. The Fortune piece on Anthropic's release noted explicitly that hallucinations are still showing up in legal filings even as Big Law goes all-in on AI.

That's the legal profession - where the practitioners themselves are trained to spot the problem and personally on the hook for it.

When it's a non-lawyer founder trying to close their first enterprise deal, and the regulator who eventually shows up is the ICO or the CNIL or the EU AI Office, the asymmetry is much worse.

This is why the Vanta-style players deliberately don't put AI at the decision layer. They built a multi-billion-dollar business on the architecturally honest position: we automate evidence collection, the auditor decides whether the evidence is sufficient.

The Vanta playbook works because they don't mark their own homework. Compliance decisions belong to the company's leadership - that's not a limitation, it's the entire reason it's defensible.

The AI wrapper category ignores that constraint. Pipe customer data into a foundation model, prompt it to "assess GDPR compliance," generate outputs, ship to customer. The output exists. It can't be defended, it can't be relied on, and the customer's regulatory exposure is precisely the same as if they'd produced nothing at all.

The architecture isn't a shortcut; it's a delusion.

Where Anthropic's release actually lands

Look at what Anthropic shipped. MCP connectors to Box, OneDrive, Westlaw, DocuSign, iManage, NetDocuments, Relativity, Everlaw, Consilio, Datasite, Midpage, Trellis, Legal Data Hunter. Integration with Microsoft 365. Practice-area plugins for research, drafting, deposition prep, contract review.

That's the connector layer and parts of evidence gathering. Spectacular work at the connector layer, frankly - they've commoditised an ecosystem that was genuinely messy engineering work twelve months ago. And their practice-area plugins accelerate parts of evidence work, particularly for legal-adjacent tasks like contract review and case law research.

What did they explicitly not ship? A tool that makes regulatory decisions on behalf of a lawyer. Every review of Claude for Legal we've read, including the reviews from people who clearly love it, contains some version of: this is a powerful first-draft accelerator, but every output requires human review before it leaves the firm. Anthropic knows where the decision layer sits. They're not pretending to automate it.

Anthropic didn't kill AI compliance. They commoditised the infrastructure layer and reminded the market that judgement still belongs to humans. Both of those are good for anyone doing this honestly.

For anyone building compliance tools honestly - including Waivern - this is unambiguously good news.

  1. The expensive infrastructure work at the connector layer just got dramatically cheaper for everyone who isn't competing at the foundation model layer.
  2. The market education around "AI can help, but humans still decide" just got a massive boost from the most credible AI company in the world.
  3. The AI wrappers claiming to automate the full stack just lost their cover. The actual model provider is publicly saying: no, you need humans at the decision layer.

There's a deeper point worth saying directly:

Any 'solution' sitting too close to foundation models is structurally exposed when model providers expand their own capabilities. Last week's "AI for legal" superstar is this week's redundant prompts. The only defensible position is to treat foundation models as a commodity and build value at the layers above. We made that architectural decision early. The wrappers can't easily make it now.

What this means for buyers

The vocabulary has converged. Every compliance vendor in 2026 says "AI, agents, humans in the loop." That sentence has become so universal it's lost meaning.

The buyer's job is now to separate the marketing from the architecture. There's one question that does it:

"Where in your pipeline does a regulatory decision get made, and by whom?"

  • "By our AI." Be very, very careful.
  • "By the GRC consultants and auditors we partner with and, later, by someone in your organisation who may or may not understand what they're signing off." That's the Vanta model. It works for the frameworks where there's a real human with skin in the game.
  • "By a human expert in our managed service, augmented by AI on the routine parts." That's the model we believe is right for the regulations where there's no traditional auditor - GDPR, EU AI Act, DORA, NIS2.
  • "…" - vendor can't clearly answer. Find a different vendor.

The agentic vendors are betting that more autonomy is what buyers want. We're betting that more transparency about where autonomy stops is what regulators are going to demand. We think the second bet ages better.

That's the first half of the argument. In part 2, we'll walk through how we've actually built our architecture to make this work - including why we open-sourced the Waivern Compliance Framework, why our legal rulesets are in YAML rather than locked in a black box, and what "continuous compliance" actually looks like when you treat compliance as code.


Based on publicly available product information as of May 2026. Vendor capabilities evolve rapidly; characterisations reflect category-level patterns rather than specific product feature lists. The lines blur faster than diagrams can keep up with - Vanta and OneTrust have both added AI capabilities, and the established players are not standing still. What stays stable is the architectural choice about where AI sits relative to human judgement, which is the actual subject of this post.

I'm CTO and co-founder of Waivern, one of the companies in the category discussed above.