TOKREPO · Arsenal IA
Stable

Audit Légal + Conformité Assisté par IA

Dix choix pour le compliance officer interne, le pilote SOC2 ou le délégué à la protection des données menant un cycle d'audit en entreprise. Intake → analyse de gaps de politique → registre de risques → mapping de contrôles → journal de preuves → rapport. Plomberie d'ingénieur, pas du conseil juridique : brouillons confidentiels redactés, audit trail immuable, l'IA ne tranche jamais la matérialité.

10 ressources

What's in this pack

This is the rig the in-house compliance officer, SOC2-prep lead, or privacy officer would assemble for an enterprise audit cycle — explicitly not the same problem a single lawyer faces when redlining one MSA. The audience here owns a recurring program: a risk register that gets updated quarterly, control mappings that have to survive an auditor walkthrough, evidence that has to be both collectable and tamper-evident, and a policy library that drifts the moment engineering ships something.

The whole stack is built around three principles that compliance work demands and consumer AI tools rarely deliver:

  1. Document the AI's role, don't hide it. Auditors increasingly ask how AI was used in evidence collection or control testing. Every pick here produces a record an auditor can read.
  2. Sensitive material never leaks to a vendor. Internal policies, draft risk assessments, and customer PII go through redaction or stay on infrastructure you control.
  3. The AI proposes; the human decides. Materiality, risk acceptance, and any judgment that lands in an opinion letter remain a human responsibility. The tooling drafts, extracts, and maps — it does not sign off.

Nothing in this kit is legal advice. None of it replaces a qualified compliance professional, external auditor, or counsel. These are infrastructure picks for the mechanical layer of compliance work so the humans can spend their hours on judgment.

Install in this order (intake → policy gap → risk register → control map → audit log → report)

  1. Claude Code Agent: Compliance Auditor — the orchestrator. A focused subagent profile that knows the language of GDPR, HIPAA, PCI DSS, SOC 2, and ISO 27001-family controls. Use it as the entry point: it asks what framework you're working against, what scope you're testing, and what evidence you've already collected. Treat its output as a senior analyst's first draft, not a final position.
  2. Claude Code Agent: Compliance Auditor — Regulatory Checks — a sibling agent oriented to regulatory checks rather than internal framework gap analysis. Run the two in tandem: the first scopes the audit, the second pressure-tests specific regulatory exposure (cross-border data, sectoral rules, breach-notification timelines). Two agents catch what one misses.
  3. Agent Governance Toolkit — Policy Guardrails for Agents — your policy gap analysis layer. Compliance teams are increasingly responsible for AI use across the business; this toolkit lets you write the guardrails (what models, what data classes, what regions) once and enforce them at the agent layer. Closes the most-asked SOC2 CC-series gap of 2026: how AI is governed inside the org.
  4. Open Policy Agent (OPA) — control-as-code. Once your policy decisions are written down in plain English, you encode the ones that can be automated as Rego policies. OPA lets you express "production data may not flow to model X" or "no SSH access without an open ticket" in a single language and enforce it across services. The audit evidence is the Rego file plus the decision log.
  5. CloudQuery — Sync Cloud Infrastructure to SQL for Security and Compliance — your control mapping evidence engine. CloudQuery pulls inventory and configuration state from AWS, Azure, GCP, Okta, GitHub, and dozens of other systems into a SQL database. Now your control "S3 buckets must be private" becomes a query you can re-run for the next audit. Auditors love SQL evidence; auto-generated screenshots they tolerate.
  6. Presidio — Detect and Anonymize PII — the DLP layer between sensitive content and any AI workflow. Microsoft's open-source PII detection and anonymisation library. Pipe risk-assessment narratives, customer support transcripts, or evidence excerpts through Presidio before sending them to a cloud model. Reduces the surface area on which a vendor incident becomes your incident.
  7. Wazuh — Open Source XDR & SIEM Security Platform — continuous monitoring (SOC 2 CC7) and incident detection in one open platform. The compliance team rarely operates Wazuh directly, but you need a SIEM whose audit evidence (alert dispositions, log retention, file-integrity records) you can export at audit time. Wazuh is the open-source option you can self-host so the evidence corpus stays under your control.
  8. Immudb — Immutable Database with Cryptographic Verification — your tamper-evident audit log. Compliance regimes increasingly demand that audit logs be append-only and cryptographically verifiable. Immudb writes every record with a Merkle-tree proof; you can show an auditor exactly what was logged when and that nothing has been silently edited since.
  9. Bernstein — Audit-Grade Orchestrator for CLI Agents — the wrapper that turns ad-hoc agent runs into auditable evidence. When the Compliance Auditor agent generates a draft gap analysis, Bernstein captures the prompt, the model, the inputs, the outputs, and a chain-of-custody trail. This is how you answer the auditor question "how do you know the AI's analysis here is reproducible?".
  10. Guardrails AI — Validate LLM Outputs in Production — the output validation layer for any AI-generated artifact you'll attach to evidence. Schema-validates LLM responses, blocks hallucinated control IDs, and refuses outputs that don't conform to the structure your audit workflow requires. Most compliance hallucinations are caught here, not in human review.

How they fit together

  Policy docs / contracts / evidence ─► Claude Compliance Auditor
                                              │
                                              ▼
                       Regulatory-Checks Compliance Auditor (sibling)
                                              │
                                              ▼
      ┌───────────── Bernstein wrapper (chain-of-custody) ─────────────┐
      │                                                                 │
      │   ┌─ Agent Governance Toolkit ──► policy gap analysis           │
      │   ├─ OPA ───────────────────────► control-as-code               │
      │   ├─ CloudQuery ────────────────► control map + evidence (SQL)  │
      │   ├─ Presidio ──────────────────► PII redaction before any call │
      │   └─ Wazuh ─────────────────────► continuous monitoring evidence│
      │                                                                 │
      └───────────────────┬─────────────────────────────────────────────┘
                          ▼
              Guardrails AI (schema-validate every AI output)
                          │
                          ▼
                Immudb (immutable, cryptographically-verified log)
                          │
                          ▼
               Human-signed draft report → auditor walkthrough

Tradeoffs you'll hit

  • One unified compliance suite vs this open stack. A managed GRC platform (Vanta, Drata, Secureframe) is faster to stand up and includes pre-built control mappings. This pack wins on data sovereignty (your evidence stays where you control it), avoids per-seat lock-in, and lets you encode controls that don't fit a vendor's playbook. Most enterprises end up running both: the managed platform for the standard controls and an open stack like this for the long tail.
  • AI-assisted gap analysis vs auditor-led. A frontier model can read your policies and a framework's control catalog and surface plausible gaps in minutes. It will also fabricate plausible-sounding control IDs. Use the AI for the first pass; verify every cited control against the actual framework text; never let an AI-only analysis go to the auditor.
  • Cloud frontier model vs local-only. Some of these picks (Presidio, OPA, Wazuh, Immudb, CloudQuery) are entirely local infrastructure with no LLM. Others (the Compliance Auditor agents, Bernstein, Guardrails AI) presume an LLM. For the LLM-touching steps, the default posture is: redact PII via Presidio, send to your enterprise-contracted model (zero-retention terms), capture the trace via Bernstein. Consumer chatbot tabs do not appear anywhere in this workflow.
  • Immutable audit log vs ordinary database. Immudb is slower to write than Postgres and harder to operate. The reason to take that cost: when an auditor asks "prove this log was not edited after the fact", a regular database cannot answer the question. If your regime doesn't demand cryptographic verifiability, a normal append-only table is fine.

Common pitfalls

  • Treating AI gap analysis as the gap analysis. The agent will surface 40 plausible gaps. Some are real, some are paraphrases of the same gap, some don't apply because of a control you haven't told it about. The output is a starting point for the compliance team to triage, not the deliverable.
  • Sending raw policy text to a consumer chatbot. Internal policies frequently contain customer names, vendor terms, system topology, and IP. None of that belongs in a free chatbot tab. Presidio plus an enterprise-contracted model is the defensible default.
  • Auto-generating control evidence with no human review. "CloudQuery says all S3 buckets are private" is evidence only if a human checked the query and the scope. Auto-run, auto-attached evidence with no human in the loop is exactly the audit finding you want to avoid.
  • Conflating AI hallucinations with controls. When the model invents a SOC 2 control ID ("CC-9.8.4") that doesn't exist, downstream documents inherit the fiction. Guardrails AI plus a strict schema for control references catches this before it lands in the report.
  • Mistaking this pack for a substitute for an auditor. External auditors exist because independent assurance is the whole point of an audit. None of these tools — agents included — change that. They make the team's preparation cheaper, faster, and better documented; they do not produce the attestation.
  • Letting the audit log become an afterthought. Immudb has to be wired in before the agents start running, not retro-fitted at the end. If your chain-of-custody is "we exported the chat afterward", that is not chain-of-custody.
INSTALLER · UNE COMMANDE
$ tokrepo install pack/ai-legal-compliance-audit
passez-la à votre agent — ou collez-la dans votre terminal
Ce qu'il contient

10 ressources prêtes à installer

Skill#01
Claude Code Agent: Compliance Auditor

Use this agent when you need to achieve regulatory compliance, implement compliance controls, or prepare for audits across frameworks like GDPR, HIPAA, PCI DSS, SOC 2, and ISO stan

by TokRepo精选·91 views
$ tokrepo install claude-code-agent-compliance-auditor-7134a63a
Skill#02
Claude Code Agent: Compliance Auditor — Regulatory Checks

Claude Code agent for compliance auditing. GDPR, SOC 2, HIPAA checks on code, data handling, logging, and access controls.

by Skill Factory·291 views
$ tokrepo install claude-code-agent-compliance-auditor-regulatory-checks-c01fc4a7
Skill#03
Agent Governance Toolkit — Policy Guardrails for Agents

Microsoft's Agent Governance Toolkit adds policy checks, red-team scans, evidence verification, and runtime guardrails to autonomous agents.

by Agent Toolkit·208 views
$ tokrepo install agent-governance-toolkit-policy-guardrails-for-agents
Skill#04
Open Policy Agent (OPA) — Unified Policy Engine for Cloud Native

CNCF graduated policy engine that decouples authorization and admission rules from your services. Write policies once in Rego, evaluate them anywhere.

by AI Open Source·251 views
$ tokrepo install open-policy-agent-opa-unified-policy-engine-cloud-native-4153bc1e
Skill#05
CloudQuery — Sync Cloud Infrastructure to SQL for Security and Compliance

CloudQuery is an open-source ELT framework that extracts configuration data from cloud APIs, SaaS platforms, and databases into PostgreSQL or data lakes for security, compliance, and asset visibility.

by Script Depot·298 views
$ tokrepo install cloudquery-sync-cloud-infrastructure-sql-security-compliance-a36fe8b8
Skill#06
Presidio — Detect and Anonymize PII

Detect and anonymize PII in text with Microsoft Presidio, then feed sanitized inputs to LLMs to reduce leakage risk. Works via pip or Docker deployments.

by Script Depot·128 views
$ tokrepo install presidio-detect-and-anonymize-pii
Skill#07
Wazuh — Open Source XDR & SIEM Security Platform

Wazuh is a unified open-source security platform that combines SIEM, XDR, and cloud-security posture management, powered by a lightweight agent on every endpoint.

by AI Open Source·230 views
$ tokrepo install wazuh-open-source-xdr-siem-security-platform-c2ce4716
Skill#08
Immudb — Immutable Database with Cryptographic Verification

Tamper-proof database built on a Merkle tree that provides cryptographic proof of data integrity for audit logs, financial records, and compliance workflows.

by Script Depot·96 views
$ tokrepo install immudb-immutable-database-cryptographic-verification-69ecfc3a
Agent#09
Bernstein — Audit-Grade Orchestrator for CLI Agents

Bernstein coordinates CLI coding agents in parallel worktrees with signed audit chains, deterministic scheduling, and evidence trails.

by Agent Toolkit·197 views
$ tokrepo install bernstein-audit-grade-orchestrator-for-cli-agents
Skill#10
Guardrails AI — Validate LLM Outputs in Production

Add validation and guardrails to any LLM output. Guardrails AI checks for hallucination, toxicity, PII leakage, and format compliance with 50+ built-in validators.

by Agent Toolkit·386 views
$ tokrepo install guardrails-ai-validate-llm-outputs-production-ffbad589
Questions fréquentes

Questions fréquentes

Can this pack replace a SOC 2 readiness platform like Vanta or Drata?

Not as a one-to-one swap. Vanta-class platforms ship pre-built integrations, pre-mapped controls for SOC 2 and similar frameworks, and an opinionated workflow that gets a first-time team to audit-ready in months instead of quarters. This open stack wins where you need data sovereignty, custom controls that don't fit a vendor playbook, or per-seat pricing is untenable at scale. The pragmatic pattern most growing companies land on is to run a managed platform for the standard control set and an open stack like this for the long tail and for AI-governance controls the managed platforms haven't caught up on yet.

Is it safe to use a cloud LLM on internal policy documents at all?

It depends on the model contract, the data classification, and the regime you're working under. The defensible default is: assume consumer chatbot tiers may retain or train on input, treat that as a third-party disclosure, and only send policy text to a model under an enterprise contract with zero-retention terms — and only after sensitive entities (customer names, employee names, vendor identifiers, internal system names) have been redacted through something like Presidio. This pack is biased toward that posture precisely because it removes the harder version of the question entirely.

How does this differ from the Lawyer's AI Contract Review Kit on TokRepo?

Different audience and different unit of work. The Contract Review Kit is for a single lawyer redlining one MSA or NDA at a time — clause libraries, local LLM redlining, e-sign. This Compliance + Audit pack is for a recurring enterprise audit cycle: a quarterly risk register, control-to-evidence mappings, immutable audit logs, and policy gap analysis across a framework. There is intentional design separation in the tools chosen (no clause-library RAG here; no SIEM in the lawyer pack) because the workflows are different. Compliance officers can still benefit from the lawyer pack for one-off contract review; lawyers running an in-house compliance program can pair both.

Do I need every pick, or can I start small?

Start with three: Claude Code Agent Compliance Auditor (4276) as the orchestrator, Bernstein as the chain-of-custody wrapper, and Immudb as the immutable log. That gives you AI-assisted gap analysis where every step is captured and the log can be shown to an auditor. Add Presidio next so sensitive content never leaks. CloudQuery, OPA, and Wazuh follow once you know which controls you most need automated evidence for. Guardrails AI is the last layer once you trust the workflow enough that the bottleneck becomes output quality.

How do I evidence the AI itself to an auditor — won't they push back on agent-generated analysis?

They will, and that's the point of the Bernstein + Immudb + Guardrails AI subset. The auditor question is some variant of "how do you know this analysis is reproducible, attributable, and not invented". The defensible answer chains: Bernstein recorded the prompt, model version, inputs, and outputs; Guardrails AI validated the output against a schema so hallucinated control IDs were rejected; Immudb wrote each record with a Merkle proof so nothing has been silently edited; and a named human reviewed every AI output before it became evidence. Any one of those links missing and the auditor's pushback is correct.

PLUS DANS L'ARSENAL

12 packs · 80+ ressources sélectionnées

Découvrez tous les packs curatés sur la page d'accueil

Retour à tous les packs