[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"pack-detail-ai-legal-compliance-audit-es":3,"seo:pack:ai-legal-compliance-audit:es":97},{"code":4,"message":5,"data":6},200,"操作成功",{"pack":7},{"slug":8,"icon":9,"tone":10,"status":11,"status_label":12,"title":13,"description":14,"items":15,"install_cmd":96},"ai-legal-compliance-audit","🛡️","#1E3A8A","stable","Estable","Auditoría Legal + Compliance con IA","Diez picks para el compliance officer interno, el líder de prep SOC2 o el privacy officer corriendo un ciclo de auditoría enterprise. Intake → análisis de gap de políticas → risk register → mapeo de controles → log de evidencia → reporte. Andamiaje técnico, no asesoría legal: drafts confidenciales se redactan, el audit trail queda inmutable, y la IA no decide qué es materialidad.",[16,28,36,44,52,60,67,74,80,89],{"id":17,"uuid":18,"slug":19,"title":20,"description":21,"author_name":22,"view_count":23,"vote_count":24,"lang_type":25,"type":26,"type_label":27},4276,"7134a63a-436b-48b9-84df-c7fa20ca26e7","claude-code-agent-compliance-auditor-7134a63a","Claude Code Agent: Compliance Auditor","Use this agent when you need to achieve regulatory compliance, implement compliance controls, or prepare for audits across frameworks like GDPR, HIPAA, PCI DSS, SOC 2, and ISO stan","TokRepo精选",106,0,"en","skill","Skill",{"id":29,"uuid":30,"slug":31,"title":32,"description":33,"author_name":34,"view_count":35,"vote_count":24,"lang_type":25,"type":26,"type_label":27},57,"c01fc4a7-c031-4e5f-847e-3a490426eb39","claude-code-agent-compliance-auditor-regulatory-checks-c01fc4a7","Claude Code Agent: Compliance Auditor — Regulatory Checks","Claude Code agent for compliance auditing. GDPR, SOC 2, HIPAA checks on code, data handling, logging, and access controls.","Skill Factory",307,{"id":37,"uuid":38,"slug":39,"title":40,"description":41,"author_name":42,"view_count":43,"vote_count":24,"lang_type":25,"type":26,"type_label":27},3489,"bfd4f4dc-d93b-558a-850f-6e3c49c99cb7","agent-governance-toolkit-policy-guardrails-for-agents","Agent Governance Toolkit — Policy Guardrails for Agents","Microsoft's Agent Governance Toolkit adds policy checks, red-team scans, evidence verification, and runtime guardrails to autonomous agents.","Agent Toolkit",221,{"id":45,"uuid":46,"slug":47,"title":48,"description":49,"author_name":50,"view_count":51,"vote_count":24,"lang_type":25,"type":26,"type_label":27},1428,"4153bc1e-3900-11f1-9bc6-00163e2b0d79","open-policy-agent-opa-unified-policy-engine-cloud-native-4153bc1e","Open Policy Agent (OPA) — Unified Policy Engine for Cloud Native","CNCF graduated policy engine that decouples authorization and admission rules from your services. Write policies once in Rego, evaluate them anywhere.","AI Open Source",260,{"id":53,"uuid":54,"slug":55,"title":56,"description":57,"author_name":58,"view_count":59,"vote_count":24,"lang_type":25,"type":26,"type_label":27},1589,"a36fe8b8-3987-11f1-9bc6-00163e2b0d79","cloudquery-sync-cloud-infrastructure-sql-security-compliance-a36fe8b8","CloudQuery — Sync Cloud Infrastructure to SQL for Security and Compliance","CloudQuery is an open-source ELT framework that extracts configuration data from cloud APIs, SaaS platforms, and databases into PostgreSQL or data lakes for security, compliance, and asset visibility.","Script Depot",315,{"id":61,"uuid":62,"slug":63,"title":64,"description":65,"author_name":58,"view_count":66,"vote_count":24,"lang_type":25,"type":26,"type_label":27},3106,"d4d3e9a3-9494-4b05-bf05-74368b2ff338","presidio-detect-and-anonymize-pii","Presidio — Detect and Anonymize PII","Detect and anonymize PII in text with Microsoft Presidio, then feed sanitized inputs to LLMs to reduce leakage risk. Works via pip or Docker deployments.",134,{"id":68,"uuid":69,"slug":70,"title":71,"description":72,"author_name":50,"view_count":73,"vote_count":24,"lang_type":25,"type":26,"type_label":27},1382,"c2ce4716-38ce-11f1-9bc6-00163e2b0d79","wazuh-open-source-xdr-siem-security-platform-c2ce4716","Wazuh — Open Source XDR & SIEM Security Platform","Wazuh is a unified open-source security platform that combines SIEM, XDR, and cloud-security posture management, powered by a lightweight agent on every endpoint.",237,{"id":75,"uuid":76,"slug":77,"title":78,"description":79,"author_name":58,"view_count":23,"vote_count":24,"lang_type":25,"type":26,"type_label":27},1880,"69ecfc3a-3d3a-11f1-9bc6-00163e2b0d79","immudb-immutable-database-cryptographic-verification-69ecfc3a","Immudb — Immutable Database with Cryptographic Verification","Tamper-proof database built on a Merkle tree that provides cryptographic proof of data integrity for audit logs, financial records, and compliance workflows.",{"id":81,"uuid":82,"slug":83,"title":84,"description":85,"author_name":42,"view_count":86,"vote_count":24,"lang_type":25,"type":87,"type_label":88},3488,"4c5d8b93-08ae-5a4b-bda3-2d5d5db42d12","bernstein-audit-grade-orchestrator-for-cli-agents","Bernstein — Audit-Grade Orchestrator for CLI Agents","Bernstein coordinates CLI coding agents in parallel worktrees with signed audit chains, deterministic scheduling, and evidence trails.",203,"agent","Agent",{"id":90,"uuid":91,"slug":92,"title":93,"description":94,"author_name":42,"view_count":95,"vote_count":24,"lang_type":25,"type":26,"type_label":27},773,"ffbad589-cd32-4eca-9518-fdcf9167ca21","guardrails-ai-validate-llm-outputs-production-ffbad589","Guardrails AI — Validate LLM Outputs in Production","Add validation and guardrails to any LLM output. Guardrails AI checks for hallucination, toxicity, PII leakage, and format compliance with 50+ built-in validators.",396,"tokrepo install pack\u002Fai-legal-compliance-audit",{"pageType":98,"pageKey":8,"locale":25,"title":99,"metaDescription":100,"h1":101,"tldr":102,"bodyMarkdown":103,"faq":104,"schema":120,"internalLinks":126,"citations":139,"wordCount":152,"generatedAt":153},"pack","AI Legal + Compliance Audit — 10 Tools for SOC2, GDPR, and Enterprise Risk Programs","An enterprise compliance stack for the in-house officer prepping SOC2, mapping GDPR controls, or running a quarterly audit cycle: Claude Compliance Auditor agents, Agent Governance Toolkit, OPA, CloudQuery, Presidio, Wazuh, Immudb, Bernstein, Guardrails AI. Install in this order — intake to evidence to report.","AI Legal + Compliance Audit — The Enterprise Stack","Ten picks in deliberate order built around an audit cycle, not a single contract review. Intake your policies and evidence, run a structured gap analysis against a chosen framework, generate a risk register the agent can update, map each control to the system that produces evidence, capture every AI decision in an immutable log, and finish with a draft report a human still signs off on. Engineering scaffolding for the compliance team — not legal advice and not a substitute for an auditor's professional judgment.","## What's in this pack\n\nThis is the rig the in-house compliance officer, SOC2-prep lead, or privacy officer would assemble for an enterprise audit cycle — explicitly **not** the same problem a single lawyer faces when redlining one MSA. The audience here owns a recurring program: a risk register that gets updated quarterly, control mappings that have to survive an auditor walkthrough, evidence that has to be both collectable and tamper-evident, and a policy library that drifts the moment engineering ships something.\n\nThe whole stack is built around three principles that compliance work demands and consumer AI tools rarely deliver:\n\n1. **Document the AI's role, don't hide it.** Auditors increasingly ask how AI was used in evidence collection or control testing. Every pick here produces a record an auditor can read.\n2. **Sensitive material never leaks to a vendor.** Internal policies, draft risk assessments, and customer PII go through redaction or stay on infrastructure you control.\n3. **The AI proposes; the human decides.** Materiality, risk acceptance, and any judgment that lands in an opinion letter remain a human responsibility. The tooling drafts, extracts, and maps — it does not sign off.\n\nNothing in this kit is legal advice. None of it replaces a qualified compliance professional, external auditor, or counsel. These are infrastructure picks for the mechanical layer of compliance work so the humans can spend their hours on judgment.\n\n## Install in this order (intake → policy gap → risk register → control map → audit log → report)\n\n1. **Claude Code Agent: Compliance Auditor** — the orchestrator. A focused subagent profile that knows the language of GDPR, HIPAA, PCI DSS, SOC 2, and ISO 27001-family controls. Use it as the entry point: it asks what framework you're working against, what scope you're testing, and what evidence you've already collected. Treat its output as a senior analyst's first draft, not a final position.\n2. **Claude Code Agent: Compliance Auditor — Regulatory Checks** — a sibling agent oriented to *regulatory* checks rather than internal framework gap analysis. Run the two in tandem: the first scopes the audit, the second pressure-tests specific regulatory exposure (cross-border data, sectoral rules, breach-notification timelines). Two agents catch what one misses.\n3. **Agent Governance Toolkit — Policy Guardrails for Agents** — your policy gap analysis layer. Compliance teams are increasingly responsible for AI use across the business; this toolkit lets you write the guardrails (what models, what data classes, what regions) once and enforce them at the agent layer. Closes the most-asked SOC2 CC-series gap of 2026: how AI is governed inside the org.\n4. **Open Policy Agent (OPA)** — control-as-code. Once your policy decisions are written down in plain English, you encode the ones that can be automated as Rego policies. OPA lets you express \"production data may not flow to model X\" or \"no SSH access without an open ticket\" in a single language and enforce it across services. The audit evidence is the Rego file plus the decision log.\n5. **CloudQuery — Sync Cloud Infrastructure to SQL for Security and Compliance** — your control mapping evidence engine. CloudQuery pulls inventory and configuration state from AWS, Azure, GCP, Okta, GitHub, and dozens of other systems into a SQL database. Now your control \"S3 buckets must be private\" becomes a query you can re-run for the next audit. Auditors love SQL evidence; auto-generated screenshots they tolerate.\n6. **Presidio — Detect and Anonymize PII** — the DLP layer between sensitive content and any AI workflow. Microsoft's open-source PII detection and anonymisation library. Pipe risk-assessment narratives, customer support transcripts, or evidence excerpts through Presidio before sending them to a cloud model. Reduces the surface area on which a vendor incident becomes your incident.\n7. **Wazuh — Open Source XDR & SIEM Security Platform** — continuous monitoring (SOC 2 CC7) and incident detection in one open platform. The compliance team rarely operates Wazuh directly, but you need a SIEM whose audit evidence (alert dispositions, log retention, file-integrity records) you can export at audit time. Wazuh is the open-source option you can self-host so the evidence corpus stays under your control.\n8. **Immudb — Immutable Database with Cryptographic Verification** — your tamper-evident audit log. Compliance regimes increasingly demand that audit logs be append-only and cryptographically verifiable. Immudb writes every record with a Merkle-tree proof; you can show an auditor exactly what was logged when and that nothing has been silently edited since.\n9. **Bernstein — Audit-Grade Orchestrator for CLI Agents** — the wrapper that turns ad-hoc agent runs into auditable evidence. When the Compliance Auditor agent generates a draft gap analysis, Bernstein captures the prompt, the model, the inputs, the outputs, and a chain-of-custody trail. This is how you answer the auditor question \"how do you know the AI's analysis here is reproducible?\".\n10. **Guardrails AI — Validate LLM Outputs in Production** — the output validation layer for any AI-generated artifact you'll attach to evidence. Schema-validates LLM responses, blocks hallucinated control IDs, and refuses outputs that don't conform to the structure your audit workflow requires. Most compliance hallucinations are caught here, not in human review.\n\n## How they fit together\n\n```\n  Policy docs \u002F contracts \u002F evidence ─► Claude Compliance Auditor\n                                              │\n                                              ▼\n                       Regulatory-Checks Compliance Auditor (sibling)\n                                              │\n                                              ▼\n      ┌───────────── Bernstein wrapper (chain-of-custody) ─────────────┐\n      │                                                                 │\n      │   ┌─ Agent Governance Toolkit ──► policy gap analysis           │\n      │   ├─ OPA ───────────────────────► control-as-code               │\n      │   ├─ CloudQuery ────────────────► control map + evidence (SQL)  │\n      │   ├─ Presidio ──────────────────► PII redaction before any call │\n      │   └─ Wazuh ─────────────────────► continuous monitoring evidence│\n      │                                                                 │\n      └───────────────────┬─────────────────────────────────────────────┘\n                          ▼\n              Guardrails AI (schema-validate every AI output)\n                          │\n                          ▼\n                Immudb (immutable, cryptographically-verified log)\n                          │\n                          ▼\n               Human-signed draft report → auditor walkthrough\n```\n\n## Tradeoffs you'll hit\n\n- **One unified compliance suite vs this open stack.** A managed GRC platform (Vanta, Drata, Secureframe) is faster to stand up and includes pre-built control mappings. This pack wins on data sovereignty (your evidence stays where you control it), avoids per-seat lock-in, and lets you encode controls that don't fit a vendor's playbook. Most enterprises end up running both: the managed platform for the standard controls and an open stack like this for the long tail.\n- **AI-assisted gap analysis vs auditor-led.** A frontier model can read your policies and a framework's control catalog and surface plausible gaps in minutes. It will also fabricate plausible-sounding control IDs. Use the AI for the first pass; verify every cited control against the actual framework text; never let an AI-only analysis go to the auditor.\n- **Cloud frontier model vs local-only.** Some of these picks (Presidio, OPA, Wazuh, Immudb, CloudQuery) are entirely local infrastructure with no LLM. Others (the Compliance Auditor agents, Bernstein, Guardrails AI) presume an LLM. For the LLM-touching steps, the default posture is: redact PII via Presidio, send to your enterprise-contracted model (zero-retention terms), capture the trace via Bernstein. Consumer chatbot tabs do not appear anywhere in this workflow.\n- **Immutable audit log vs ordinary database.** Immudb is slower to write than Postgres and harder to operate. The reason to take that cost: when an auditor asks \"prove this log was not edited after the fact\", a regular database cannot answer the question. If your regime doesn't demand cryptographic verifiability, a normal append-only table is fine.\n\n## Common pitfalls\n\n- **Treating AI gap analysis as the gap analysis.** The agent will surface 40 plausible gaps. Some are real, some are paraphrases of the same gap, some don't apply because of a control you haven't told it about. The output is a starting point for the compliance team to triage, not the deliverable.\n- **Sending raw policy text to a consumer chatbot.** Internal policies frequently contain customer names, vendor terms, system topology, and IP. None of that belongs in a free chatbot tab. Presidio plus an enterprise-contracted model is the defensible default.\n- **Auto-generating control evidence with no human review.** \"CloudQuery says all S3 buckets are private\" is evidence only if a human checked the query and the scope. Auto-run, auto-attached evidence with no human in the loop is exactly the audit finding you want to avoid.\n- **Conflating AI hallucinations with controls.** When the model invents a SOC 2 control ID (\"CC-9.8.4\") that doesn't exist, downstream documents inherit the fiction. Guardrails AI plus a strict schema for control references catches this before it lands in the report.\n- **Mistaking this pack for a substitute for an auditor.** External auditors exist because independent assurance is the whole point of an audit. None of these tools — agents included — change that. They make the team's preparation cheaper, faster, and better documented; they do not produce the attestation.\n- **Letting the audit log become an afterthought.** Immudb has to be wired in *before* the agents start running, not retro-fitted at the end. If your chain-of-custody is \"we exported the chat afterward\", that is not chain-of-custody.",[105,108,111,114,117],{"q":106,"a":107},"Can this pack replace a SOC 2 readiness platform like Vanta or Drata?","Not as a one-to-one swap. Vanta-class platforms ship pre-built integrations, pre-mapped controls for SOC 2 and similar frameworks, and an opinionated workflow that gets a first-time team to audit-ready in months instead of quarters. This open stack wins where you need data sovereignty, custom controls that don't fit a vendor playbook, or per-seat pricing is untenable at scale. The pragmatic pattern most growing companies land on is to run a managed platform for the standard control set and an open stack like this for the long tail and for AI-governance controls the managed platforms haven't caught up on yet.",{"q":109,"a":110},"Is it safe to use a cloud LLM on internal policy documents at all?","It depends on the model contract, the data classification, and the regime you're working under. The defensible default is: assume consumer chatbot tiers may retain or train on input, treat that as a third-party disclosure, and only send policy text to a model under an enterprise contract with zero-retention terms — and only after sensitive entities (customer names, employee names, vendor identifiers, internal system names) have been redacted through something like Presidio. This pack is biased toward that posture precisely because it removes the harder version of the question entirely.",{"q":112,"a":113},"How does this differ from the Lawyer's AI Contract Review Kit on TokRepo?","Different audience and different unit of work. The Contract Review Kit is for a single lawyer redlining one MSA or NDA at a time — clause libraries, local LLM redlining, e-sign. This Compliance + Audit pack is for a recurring enterprise audit cycle: a quarterly risk register, control-to-evidence mappings, immutable audit logs, and policy gap analysis across a framework. There is intentional design separation in the tools chosen (no clause-library RAG here; no SIEM in the lawyer pack) because the workflows are different. Compliance officers can still benefit from the lawyer pack for one-off contract review; lawyers running an in-house compliance program can pair both.",{"q":115,"a":116},"Do I need every pick, or can I start small?","Start with three: Claude Code Agent Compliance Auditor (4276) as the orchestrator, Bernstein as the chain-of-custody wrapper, and Immudb as the immutable log. That gives you AI-assisted gap analysis where every step is captured and the log can be shown to an auditor. Add Presidio next so sensitive content never leaks. CloudQuery, OPA, and Wazuh follow once you know which controls you most need automated evidence for. Guardrails AI is the last layer once you trust the workflow enough that the bottleneck becomes output quality.",{"q":118,"a":119},"How do I evidence the AI itself to an auditor — won't they push back on agent-generated analysis?","They will, and that's the point of the Bernstein + Immudb + Guardrails AI subset. The auditor question is some variant of \"how do you know this analysis is reproducible, attributable, and not invented\". The defensible answer chains: Bernstein recorded the prompt, model version, inputs, and outputs; Guardrails AI validated the output against a schema so hallucinated control IDs were rejected; Immudb wrote each record with a Merkle proof so nothing has been silently edited; and a named human reviewed every AI output before it became evidence. Any one of those links missing and the auditor's pushback is correct.",{"@context":121,"@type":122,"name":123,"description":124,"numberOfItems":125,"inLanguage":25},"https:\u002F\u002Fschema.org","ItemList","AI Legal + Compliance Audit","Ten tools for in-house compliance officers, SOC2-prep leads, and privacy officers running an enterprise audit cycle — intake to policy gap to risk register to control mapping to immutable evidence log.",10,[127,131,135],{"url":128,"anchor":129,"reason":130},"\u002Fen\u002Fpacks\u002Flawyer-ai-contract-kit","Lawyer's AI Contract Review Kit","The single-attorney contract redline counterpart to this enterprise compliance pack — pair the two for in-house teams that span both workflows",{"url":132,"anchor":133,"reason":134},"\u002Fen\u002Fai-tools-for\u002Fprivacy","Privacy-first AI tools","Compliance work assumes a privacy-aware posture; the broader privacy catalog covers picks beyond the ten in this pack",{"url":136,"anchor":137,"reason":138},"\u002Fen\u002Ffeatured","Featured assets on TokRepo","These ten compliance picks live in the larger curated catalog of agent-ready assets",[140,144,148],{"claim":141,"source_name":142,"source_url":143},"CloudQuery syncs cloud infrastructure inventory into SQL for security and compliance queries","CloudQuery official site","https:\u002F\u002Fwww.cloudquery.io\u002F",{"claim":145,"source_name":146,"source_url":147},"Presidio is Microsoft's open-source library for detecting and anonymising personal data","Microsoft Presidio on GitHub","https:\u002F\u002Fgithub.com\u002Fmicrosoft\u002Fpresidio",{"claim":149,"source_name":150,"source_url":151},"Open Policy Agent is a unified open-source policy engine governed under the CNCF","Open Policy Agent project site","https:\u002F\u002Fwww.openpolicyagent.org\u002F",1470,"2026-05-22T13:00:00Z"]