Anthropic just tightened the screws on data exposure risks for its fast-growing agent platform. On May 19, the company rolled out two features aimed squarely at enterprises wary of sending sensitive workloads into someone else’s cloud. The updates arrive barely a month after the initial launch of Claude Managed Agents and build on earlier May additions like multiagent orchestration.
Claude Managed Agents, introduced in early April, offload the heavy infrastructure work of running autonomous AI systems. Developers define tasks and tools. Anthropic handles sandboxed execution, persistent sessions, credential management and tracing. Yet for many large organizations, that still left too much inside Anthropic’s perimeter. The latest moves address exactly that hesitation.
New boundaries for execution and connectivity
Self-hosted sandboxes let companies run the actual tool execution layer inside their own infrastructure or with approved partners. The core agent loop — orchestration, context management, error recovery — stays on Anthropic’s systems. Tool execution moves out. Sensitive files, installed packages and local services never leave the customer’s controlled environment.
Companies can bring their own sandbox client or choose from partners that include Cloudflare, Daytona, Modal and Vercel. The setup supports compliance needs and data residency rules that many regulated sectors demand. And the separation matters. It keeps the brain and the hands distinct.
MCP tunnels take the connectivity question further. Agents gain access to internal databases, private APIs, knowledge bases and ticketing systems without those resources ever facing the public internet. A lightweight gateway deployed by the customer makes one outbound connection. No inbound firewall rules. No public endpoints. Traffic travels encrypted end to end.
“Both the sandbox where an agent executes tools and the services it reaches run within the established boundaries of your enterprise, under your security and runtime controls,” Anthropic says in the announcement reported by 9to5Mac.
The tunnels remain in limited research preview for now. Interested teams must request access. Self-hosted sandboxes rolled out in public beta. Both features reflect lessons learned from earlier agent designs.
In its April engineering post, Anthropic detailed the hazards of coupled architectures. Untrusted code generated by the model ran in the same container that held credentials. A successful prompt injection could simply read environment variables and walk away with tokens. Those tokens could then spawn new sessions with fewer restrictions. The company called this out directly.
“In the coupled design, any untrusted code that Claude generated was run in the same container as credentials—so a prompt injection only had to convince Claude to read its own environment,” the post states. “The structural fix was to make sure the tokens are never reachable from the sandbox where Claude’s generated code runs.” (Anthropic Engineering Blog)
That philosophy carries forward. Credentials get bundled with resources during initialization or stored in external vaults. The sandbox never sees them. Git operations clone repositories upfront and wire credentials into local remotes. Custom tools route through proxies that fetch tokens on demand without exposing them to the agent harness.
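To make the coupled-versus-decoupled distinction concrete, here is a small added model of the credential-broker pattern the article describes (example code, not Anthropic's): the sandbox side builds an unauthenticated request and a broker outside the sandbox attaches the token from a vault the sandbox cannot read. Hostnames, token values and the `GIT_TOKEN` variable are constructed for illustration.

```python
"""Credential broker: the token is attached outside the sandbox.

Constructed illustration of the two designs in the article. In the 'coupled'
design the secret sits in the sandbox's environment, so generated code can read
it. In the 'decoupled' design the sandbox never holds a token; a broker running
outside the sandbox allowlists the destination and attaches the credential.
"""
from dataclasses import dataclass, field

# Constructed sample values; a real deployment would use an external vault.
ALLOWED = {"git.example.internal", "tickets.example.internal"}
VAULT = {
    "git.example.internal": "tok-git-CONSTRUCTED",
    "tickets.example.internal": "tok-tix-CONSTRUCTED",
}


@dataclass
class Request:
    host: str
    path: str
    headers: dict = field(default_factory=dict)


def coupled_request(env: dict, host: str, path: str) -> Request:
    """'Before' design: the sandbox reads the credential from its own environment."""
    return Request(host, path, {"Authorization": "Bearer " + env["GIT_TOKEN"]})


def secrets_reachable(env: dict) -> bool:
    """True if any vault token appears in what the sandboxed code can read."""
    return any(v in VAULT.values() for v in env.values())


def broker_forward(req: Request) -> Request:
    """Runs outside the sandbox: allowlist the destination, reject any
    sandbox-supplied Authorization header, then attach the vault token."""
    if req.host not in ALLOWED:
        raise PermissionError(f"destination not allowlisted: {req.host}")
    if any(h.lower() == "authorization" for h in req.headers):
        raise PermissionError("sandbox must not supply its own credentials")
    headers = dict(req.headers)
    headers["Authorization"] = "Bearer " + VAULT[req.host]
    return Request(req.host, req.path, headers)


def decoupled_request(env: dict, host: str, path: str) -> Request:
    """'After' design: the sandbox holds no token; the broker adds it per call."""
    if secrets_reachable(env):
        raise RuntimeError("sandbox environment must not contain vault tokens")
    return broker_forward(Request(host, path))
```

The `secrets_reachable` check is the property the article's "structural fix" is about: it should be false for every environment the generated code can observe.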
Enterprises have taken notice. Discussions on X this week highlight the combination of self-hosted execution and private tunnels as a potential unlock for finance, healthcare and legal teams that previously kept agents at arm’s length. One post described the features as solving “the exact reason enterprises haven’t trusted AI agents with real workloads.”
Yet questions remain about adoption speed. MCP tunnels require deploying and managing that gateway. Self-hosted sandboxes shift operational responsibility for the execution environment back to the customer or partner. The convenience of fully managed infrastructure takes a partial step back in exchange for control.
Anthropic’s documentation emphasizes flexibility. Teams configure environments as either Anthropic-managed cloud containers or self-hosted sandboxes depending on requirements. Sessions persist. Users can interrupt agents mid-execution. Full event history stays available for review. These controls sit alongside the new perimeter features.
The timing feels deliberate. Claude Managed Agents launched into public beta on April 8. Early feedback from developers centered on infrastructure overhead and security concerns for production data. By mid-May the company had already shipped dreaming, outcomes and multiagent capabilities. Today’s privacy and security additions target the last major barrier for larger buyers.
Official docs now list self-hosted execution explicitly for compliance or data-residency needs. The platform supports long-running tasks that span minutes or hours, stateful filesystems and multiple tool calls within a single session. Built-in tools cover bash commands, file operations, web access and connections to MCP servers (Claude API Docs).
Industry observers point to broader trends. As models grow more capable, the risks of giving them broad tool access increase. Enterprises want the productivity gains without handing over the keys to their most sensitive systems. These updates give security teams clearer lines to draw.
But the features don’t eliminate every risk. Agents still process whatever data they receive. Enterprise contracts offer privacy commitments, yet the workload flows through Anthropic’s orchestration layer. Teams with the strictest requirements will combine self-hosted sandboxes with careful scoping of tools and data inputs.
So far the response from developers and security professionals mixes optimism with caution. Early X commentary praises the perimeter focus. Some ask which sector will move first. Others note that implementation details, especially around the research preview tunnels, will determine real-world uptake.
Anthropic continues to iterate quickly. The April launch decoupled the agent brain from execution environments to improve reliability and security. May brought coordination features. This week’s announcement sharpens the privacy edge. Each step appears aimed at making agents practical for larger, more regulated organizations.
Whether these controls prove sufficient will play out in the coming months. For now, the message is clear. Enterprises can keep more of their data and execution behind their own walls while still tapping Claude’s reasoning power. The balance between capability and control just shifted.
WebProNews is an iEntry Publication