[Bug][aup] False block on auditing cloud IAM and SSO config for compromise during incident response (req_011Cbwu6JeHCGCkTkdJNijfD)

Open 💬 1 comment Opened Jun 25, 2026 by sworrl

Type: AUP / Usage-Policy block (false positive) · Work domain (heuristic): cloud-iam

Why this is a false positive

This safety block triggered on a routine, authorized incident-response task: auditing an organization's own web servers and container infrastructure for compromise after a confirmed identity-provider breach, scoped to assets the operator owns and administers. The request was defensive in nature — verifying whether existing systems were affected and checking the integrity of an SSO/cloud-IAM dispatch chain — and contained no offensive payload, exploit code, or instructions for attacking third-party systems. Defensive auditing of one's own infrastructure following a known compromise is core in-scope security work, and blocking it under the violative-cyber-content restriction is a false positive that obstructs legitimate breach response.

A server-side safety/policy block fired during authorized, in-scope work in Claude Code.
Filing as a false positive. Recurred across 1
session(s); first seen 2026-06-11T17:52:50.999Z.

Request IDs (lookup-able server-side)

  • req_011Cbwu6JeHCGCkTkdJNijfD (2026-06-11T17:52:50.999Z)

In-scope justification

False positive — in-scope, authorized security work; not out of scope. Filed automatically by claudit.

Block message

API Error: Claude Code is unable to respond to this request, which appears to violate our Usage Policy (https://www.anthropic.com/legal/aup). This request triggered restrictions on violative cyber content and was blocked under Anthropic's Usage Policy. To learn more, provide feedback, or request an exemption based on how you use Claude, visit our help center: https://support.claude.com/en/articles/14604842-real-time-cyber-safeguards-on-claude. Please double press esc to edit your last message or

Environment: Claude Code, Linux. · Work domain: cloud-iam

---
<sub>🔎 Filed automatically by ClAudit v2.0.21 — a FOSS tool for reporting false-positive Claude Code blocks.</sub>

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗