The reason enterprises have been slow to connect AI agents to internal APIs and databases isn't the models; it's the credentials. In most production deployments, the agent carries authentication tokens with it as it executes tool calls, which means a compromised or misbehaving agent takes the keys with it.
Anthropic is addressing that problem with two new capabilities for Claude Managed Agents: self-hosted sandboxes, which let teams run tool execution inside their own infrastructure perimeter, and MCP tunnels, which connect agents to private MCP servers without exposing credentials in the agent's context. Together they move credential control to the network boundary rather than leaving it inside the agent.
Right now, self-hosted sandboxes are available to Claude Managed Agents customers in public beta, while MCP tunnels are currently in research preview.
Anthropic isn't the only model provider making this bet. OpenAI added local execution to its Agents SDK in April in response to similar demand. The architectural distinction Anthropic draws is a split: the agent loop runs on Anthropic's infrastructure, while tool execution runs on the enterprise's own systems, a separation that existing sandbox approaches, including OpenAI's, don't make.
The architecture problem in sandboxes and agents
MCP moved into enterprise production faster than the security architecture around it matured. In most deployments, credentials travel through the agent itself as it executes tool calls against internal systems, which means a compromised or misbehaving agent has everything it needs to cause damage.
Self-hosted sandboxes, such as those offered on Claude Managed Agents, help keep files and packages inside an enterprise's infrastructure. The agentic loop (orchestration, context management and error recovery) moves to the platform, and ideally, enterprises control the compute resources.
This lets the agent complete tool calls without holding the keys that unlock those internal systems.
Private network connectivity works similarly: a lightweight outbound-only gateway inside the organization's network, with no credentials passing through the agent.
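To make the boundary concrete, here is an added illustration of the pattern the article describes: the agent emits credential-free tool calls, and a gateway inside the private network holds the tokens and enforces an allowlist before forwarding. It is not Anthropic's code or the MCP tunnel implementation; the server names, tokens, allowlist and `.internal.example` host are constructed.

```python
"""Credential-at-the-boundary pattern: the agent emits tool calls without
secrets; a gateway inside the private network holds them and attaches them on
the way out. Illustrative only, not Anthropic's MCP tunnel implementation."""
from dataclasses import dataclass, field
import json

# Constructed secrets; they exist only in the gateway process, never in the agent.
GATEWAY_SECRETS = {"crm": "crm-token-CONSTRUCTED", "billing": "billing-token-CONSTRUCTED"}
# Hypothetical per-server allowlist of MCP tool names the agent may invoke.
ALLOWED_TOOLS = {"crm": {"search_accounts", "get_account"}, "billing": {"get_invoice"}}

@dataclass
class ToolCall:
    """What leaves the agent: target server, tool name, arguments. No token."""
    server: str
    tool: str
    args: dict

@dataclass
class Gateway:
    secrets: dict
    allowed: dict
    audit: list = field(default_factory=list)

    def forward(self, call: ToolCall) -> dict:
        """Enforce the allowlist, then build the authenticated upstream request. A real
        gateway would send it over HTTPS; here it is returned as a dict for inspection."""
        if call.tool not in self.allowed.get(call.server, set()):
            self.audit.append(("denied", call.server, call.tool))
            raise PermissionError(f"{call.server}.{call.tool} is not permitted")
        self.audit.append(("forwarded", call.server, call.tool))
        return {
            "url": f"https://{call.server}.internal.example/mcp",  # constructed host
            "headers": {"Authorization": f"Bearer {self.secrets[call.server]}"},
            # Simplified MCP tools/call payload (JSON-RPC envelope omitted).
            "body": json.dumps({"method": "tools/call", "params": {"name": call.tool, "arguments": call.args}}),
        }

def context_leaks_secret(agent_message: dict, secrets: dict) -> bool:
    """Threat model check: a compromised agent can exfiltrate only what its context holds."""
    serialized = json.dumps(agent_message)
    return any(token in serialized for token in secrets.values())

def legacy_agent_message(call: ToolCall, secrets: dict) -> dict:
    """The pattern the article warns about: the agent itself carries the bearer token."""
    return {"call": call.__dict__, "authorization": f"Bearer {secrets[call.server]}"}

def tunnel_agent_message(call: ToolCall) -> dict:
    """With a gateway in the path, the agent's message carries the call and nothing else."""
    return {"call": call.__dict__}
```

The audit list is what a detection team would ship to a SIEM: every denied call names the server and tool the agent tried to reach, which is the signal that a misbehaving agent produces under this design.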
Orchestration teams get some control
For orchestration teams, the capabilities represent more than just a security update; they help agents run better. But the first thing they need to understand is how this split architecture can affect their deployment.
Since sandboxes determine where tools execute and which resources agents access, and MCP tunnels tell agents how to reach internal systems, these are separate concerns; splitting them up enables enterprises to map agents' workflows more effectively.
For teams already on Claude Managed Agents, the practical starting point is sandboxes: move tool execution onto your own infrastructure and test the boundary before touching MCP tunnels, which are still in research preview. Teams evaluating the platform for the first time should treat the sandbox architecture as the primary technical differentiator: it's the piece that changes the threat model, not just the deployment model.