Description

The Compliance Officer role provides read-only access to all workspace data, with specialized permissions for compliance activities, including data export, compliance report generation, and risk-level review, without the ability to modify prompts or system settings. This role exists to ensure separation of duties for regulatory compliance, allowing oversight teams to monitor AI systems, verify compliance status, and prepare audit reports without the ability to alter operational configurations. Compliance Officers have identical base permissions to Viewer roles but with additional capabilities for compliance-specific workflows such as generating EU AI Act reports, exporting filtered request data for audits, reviewing and validating automated risk classifications, and accessing compliance monitoring dashboards. The role is designed to support regulatory oversight requirements while preventing conflicts of interest between operational teams and compliance functions. It is primarily used by internal compliance teams, legal counsel, external auditors, and data protection officers.

Example

A newly invited Compliance Officer logs in to PromptMetrics and discovers she can review all request logs, examine prompt versions and their change history, generate compliance reports with full access to risk classifications and audit trails, and export data for regulatory submissions. However, when she attempts to modify a production prompt after identifying a compliance concern, the system prevents the action and directs her to contact a workspace Admin or Member, ensuring proper separation of duties for regulatory compliance and preventing unauthorized modifications to operational AI systems.

Role Permissions Overview

The Compliance Officer role is designed specifically for regulatory oversight with read-only access plus compliance-specific export and reporting capabilities.

What Compliance Officers Can Do

Compliance Officers have full read access and specialized compliance capabilities:
  • View all request logs with complete details (prompts, responses, metadata, compliance fields)
  • Access request history with advanced filtering by risk level, date range, and compliance status
  • Generate compliance reports for EU AI Act and GDPR regulatory submissions
  • Export data to CSV/JSON for external audits and regulatory filings
  • Review risk classifications and validate automated risk level assignments
  • Access compliance monitoring dashboard with real-time metrics and alerts
  • Verify cryptographic integrity of immutable audit trails using hash chain verification
  • View prompt templates and their complete version history with change logs
  • Review workspace settings including team members, roles, and activity logs
  • Access data sovereignty dashboard to verify 100% EU data residency
  • Track transparency disclosure status for high-risk AI interactions
  • Share request URLs with permission-controlled links for collaboration

What Compliance Officers Cannot Do

Compliance Officers have restricted access to operational modifications:
  • Cannot create or edit prompts or prompt templates
  • Cannot modify production configurations or deployment labels
  • Cannot change workspace settings including team members or roles
  • Cannot delete or archive prompts, datasets, or evaluations
  • Cannot run evaluations or A/B tests (read-only access to results)
  • Cannot modify risk classifications (can only review and flag for Admin review)
  • Cannot access billing information or change subscription plans
  • Cannot invite new team members or modify existing member roles
  • Cannot execute prompts in playground (read-only access to execution history)
  • Cannot modify compliance metadata on requests (e.g., manually marking as compliant)

Comparison with Other Roles

Compliance Officer vs Viewer

Similarities:
  • Both have read-only access to workspace data
  • Both can export data
  • Both cannot modify prompts or settings
Key Differences:
  • Compliance Officers can generate structured compliance reports (EU AI Act, GDPR format)
  • Compliance Officers can access compliance-specific dashboards and monitoring tools
  • Compliance Officers can review and validate risk classifications with audit trail logging
  • Viewers have general read access without specialized compliance tooling
The Compliance Officer role includes all Viewer permissions plus compliance-specific reporting and monitoring capabilities.

Compliance Officer vs Member

Members have operational capabilities that Compliance Officers lack:
  • Members can create, edit, and delete prompts
  • Members can execute prompts in the playground and run evaluations
  • Members can modify prompt metadata and compliance annotations
  • Compliance Officers have read-only access but gain specialized compliance reporting
Use Case Distinction:
  • Members: Prompt engineers, developers, and AI operations teams
  • Compliance Officers: Regulatory oversight, legal counsel, and auditors

Compliance Officer vs Admin

Admins have full workspace control that Compliance Officers lack:
  • Admins can manage team members, roles, and invitations
  • Admins can access billing and subscription settings
  • Admins can modify all workspace settings and configurations
  • Compliance Officers have oversight capabilities without administrative control
Separation of Duties: This distinction ensures compliance teams can monitor and report on AI systems without the ability to modify operational configurations, supporting regulatory requirements for independent oversight.

Inviting Compliance Officers

Only workspace Admins can invite new team members and assign the Compliance Officer role.

Invitation Process

  1. Navigate to Settings → Team
  2. Click “Invite User” button
  3. Enter the email address of the compliance officer
  4. Select “Compliance Officer” from the role dropdown
  5. Click “Send Invitation”
  6. The invited user receives an email with a signup/login link
  7. After accepting, the user automatically gains Compliance Officer access

Team Size Restrictions

  • Free Plan: Cannot invite team members (feature disabled)
  • Pro Plan: Unlimited team member invitations, including Compliance Officers

Best Practices for Role Assignment

When to Use the Compliance Officer Role

Assign the Compliance Officer role to:
  • Internal compliance teams responsible for AI governance
  • Legal counsel reviewing AI system compliance
  • Data protection officers (DPOs) overseeing GDPR compliance
  • External auditors conducting regulatory assessments
  • Risk management teams monitoring high-risk AI systems

When NOT to Use the Compliance Officer Role

Do not assign the Compliance Officer role to:
  • Prompt engineers who need to create/edit prompts (use Member role)
  • Developers who need playground access (use Member role)
  • Administrators who need to manage workspace (use Admin role)
  • External stakeholders who only need specific report access (share reports via links instead)

Multiple Compliance Officers

Organizations can assign multiple Compliance Officers for:
  • Separation of duties: Different officers for different compliance domains (GDPR, EU AI Act, internal policies)
  • Regional coverage: Multiple officers covering different operational regions
  • Redundancy: Backup compliance officers during leave or audits
  • Specialization: Dedicated officers for high-risk system oversight vs. general compliance

Audit Trail for Compliance Activities

All Compliance Officer actions are logged in the workspace audit trail:
  • Report generation with timestamp and filters applied
  • Data exports including date range and record count
  • Risk classification reviews with validation decisions
  • Request detail views for investigation tracking
  • Compliance dashboard access for monitoring activity
These logs support regulatory requirements for demonstrating ongoing oversight and compliance verification activities.

Getting Started as a Compliance Officer

  1. Confirm Your Role: After accepting your invitation, verify you have Compliance Officer permissions by checking your role in Settings → Team.
  2. Explore the Dashboard: Navigate to the compliance monitoring dashboard to familiarize yourself with available metrics and alerts.
  3. Review Request History: Access the request history page and practice filtering by risk level, date range, and compliance status.
  4. Generate a Test Report: Create a sample compliance report to understand available data, filters, and export formats.
  5. Verify Data Residency: Check the data sovereignty dashboard to confirm 100% EU storage and understand verification tools.