Secure Enterprise API Access for Claude Agents: No Credential Leaks


The primary impediment to enterprises integrating AI agents with their internal APIs and databases has not been the sophistication of the AI models, but rather the management of authentication credentials. In typical production environments, these agents operate with embedded authentication tokens as they execute tool calls. This setup poses a significant security risk: a compromised or malfunctioning agent effectively walks away with the keys to the kingdom.

Anthropic is addressing this critical vulnerability with two new features for Claude Managed Agents: self-hosted sandboxes and MCP tunnels. Self-hosted sandboxes allow organizations to run tool execution within their own controlled infrastructure, thereby maintaining perimeter security. MCP tunnels enable agents to connect to private MCP servers without embedding sensitive credentials directly into the agent’s operational context. Collectively, these innovations shift the locus of credential control from the agent itself to the network boundary.

Currently, self-hosted sandboxes are accessible to Claude Managed Agent users through a public beta program. MCP tunnels are under active development and are available as a research preview.

Anthropic is not alone in recognizing this architectural challenge. OpenAI, in response to similar market demands, introduced local execution capabilities into its Agents SDK in April. Anthropic’s architectural approach, however, introduces a distinct separation: the core agent loop, responsible for orchestration and decision-making, resides on Anthropic’s infrastructure, while the actual execution of tools occurs within the enterprise’s own environment. This contrasts with existing sandbox solutions, including OpenAI’s, which often do not provide this level of architectural decoupling.

Addressing Architectural Challenges in Agent Sandboxes

The initial rollout of managed AI services, such as MCP, often outpaced the maturation of the surrounding security architectures. In many existing deployments, credentials are inherently bound to the agent as it interfaces with internal systems. This direct integration means that any security breach or operational error within the agent can grant unauthorized access to sensitive resources.


The introduction of self-hosted sandboxes, a feature within Claude Managed Agents, ensures that files and software packages remain within the secure confines of an enterprise’s network perimeter. This architecture separates the agent’s operational loop—encompassing orchestration, context management, and error handling—onto the cloud platform, while granting enterprises granular control over their compute resources.

This fundamental shift allows agents to execute their tool-calling functions without needing to possess or manage the sensitive credentials that grant access to internal systems. Similarly, private network connectivity is established via a streamlined, outbound-only gateway deployed within the organization’s network. Critically, no credentials traverse the agent in this process.
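The credential-isolation pattern the two paragraphs above describe can be made concrete with a small simulation. The following is an added illustration written for this page, not Anthropic's code and not the Claude Managed Agents API: the class names (BoundaryGateway, Agent, EmbeddedCredentialAgent), the stand-in internal_api function, the tool name get_order and the sample token are all constructed. The gateway stands for the outbound-only component inside the enterprise network: the agent sends it only a tool name and arguments, the gateway attaches the credential when it calls the private API, and a scrub step refuses to return anything that would carry the credential back into the agent's context. The legacy class shows the embedded-token pattern the article warns about, so the two can be compared with the same leak check.

```python
"""Hypothetical illustration of boundary-held credentials (not Anthropic's code)."""
from dataclasses import dataclass, field

# Constructed sample secret. In a real deployment this comes from a vault that is
# reachable only from inside the enterprise network, never from the agent loop.
INTERNAL_API_TOKEN = "example-internal-token-0123456789abcdef"


def internal_api(path: str, bearer: str) -> dict:
    """Stand-in for a private enterprise API that only accepts the boundary's token."""
    if bearer != INTERNAL_API_TOKEN:
        return {"status": 401, "body": "unauthorized"}
    if path == "/orders/42":
        return {"status": 200, "body": {"order": 42, "state": "shipped"}}
    return {"status": 404, "body": "not found"}


@dataclass
class ToolRequest:
    """What crosses the boundary from the agent: a tool name and arguments, nothing else."""
    tool: str
    args: dict


@dataclass
class BoundaryGateway:
    """Runs inside the enterprise; holds credentials the agent never sees."""
    allowed_tools: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def __post_init__(self):
        # Allow-list of tools. Each entry injects the credential on the inside of
        # the boundary, so the agent can request work but never obtain the token.
        self.allowed_tools = {
            "get_order": lambda a: internal_api(f"/orders/{int(a['id'])}", INTERNAL_API_TOKEN),
        }

    def handle(self, req: ToolRequest) -> dict:
        """Execute a permitted tool call and return only a scrubbed result."""
        if req.tool not in self.allowed_tools:
            self.audit.append(("denied", req.tool))
            return {"error": f"tool {req.tool!r} not permitted"}
        result = self.allowed_tools[req.tool](req.args)
        self.audit.append(("ok", req.tool, result["status"]))
        return self._scrub(result)

    @staticmethod
    def _scrub(payload: dict) -> dict:
        """Fail closed if credential material is about to leave the boundary."""
        if INTERNAL_API_TOKEN in repr(payload):
            raise RuntimeError("credential would leak past the boundary")
        return payload


class Agent:
    """Simulated decoupled agent loop: knows tool names and arguments only."""

    def __init__(self, gateway: BoundaryGateway):
        self.gateway = gateway
        self.context: list = []

    def run(self, tool: str, args: dict) -> dict:
        resp = self.gateway.handle(ToolRequest(tool, args))
        self.context.append(resp)
        return resp


class EmbeddedCredentialAgent:
    """The pattern the article warns about: the token lives in the agent's own context."""

    def __init__(self):
        self.context: list = [{"auth": INTERNAL_API_TOKEN}]  # credential travels with the agent

    def run(self, path: str) -> dict:
        resp = internal_api(path, self.context[0]["auth"])
        self.context.append(resp)
        return resp


def context_leaks_secret(agent) -> bool:
    """Would a compromise of this agent's context expose the internal credential?"""
    return INTERNAL_API_TOKEN in repr(agent.context)


if __name__ == "__main__":
    gw = BoundaryGateway()
    decoupled = Agent(gw)
    print(decoupled.run("get_order", {"id": 42}))     # result only, no token
    print(decoupled.run("dump_env", {}))              # unlisted tool is refused
    print("decoupled leaks:", context_leaks_secret(decoupled))
    legacy = EmbeddedCredentialAgent()
    legacy.run("/orders/42")
    print("embedded leaks:", context_leaks_secret(legacy))
    print("audit:", gw.audit)
```

The design point is that the allow-list and the credential both live on the gateway side, so a misbehaving agent can at most request a permitted tool with odd arguments; it cannot enumerate credentials or call an unlisted endpoint, and every request leaves an audit record at the boundary where the security team can watch it.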

Empowering Orchestration Teams with Enhanced Control

For orchestration teams, these new capabilities represent more than a security enhancement; they contribute to more robust and efficient agent performance. However, a crucial first step is understanding how this decoupled architecture impacts existing deployment strategies. By clearly separating concerns—sandboxes dictating tool execution locations and resource access, while MCP tunnels define pathways to internal systems—enterprises can achieve more effective mapping of agent workflows and associated risks.

For organizations already utilizing Claude Managed Agents, implementing self-hosted sandboxes is the recommended initial step. This allows for the migration of tool execution to a controlled internal infrastructure, enabling thorough testing of security boundaries before engaging with MCP tunnels, which remain in a research preview phase. New adopters of the platform should view the sandbox architecture as a primary technical differentiator, as it fundamentally alters the threat model rather than merely modifying the deployment paradigm.

Business Style Takeaway: Anthropic’s advancements in AI agent security, particularly self-hosted sandboxes and MCP tunnels, directly address enterprise concerns about credential management and data exposure. This innovation is crucial for unlocking broader adoption of AI agents in sensitive corporate environments, shifting the risk from the agent to the network perimeter and enabling more secure integration with internal systems.

According to the portal: venturebeat.com
