Enterprise Security Becomes the Default for Agentic Workflows
Anthropic’s May 19, 2026 update to Claude Managed Agents marks a pivotal shift in how enterprises can deploy autonomous AI agents. The announcement introduces two capabilities — self-hosted sandboxes (public beta) and MCP tunnels (research preview) — that together solve a fundamental tension: how to give agents the power to execute tools and access services while keeping sensitive data and infrastructure firmly inside the organization’s security perimeter.
The agent loop — the orchestration layer that handles planning, context management, and error recovery — continues to run on Anthropic’s infrastructure. But tool execution and service connectivity now move to environments the user controls. This split architecture means security teams can apply existing network policies, audit logging, and runtime restrictions without constraining the agent’s ability to act.
For regulated industries — finance, legal, healthcare — this is not a nice-to-have. It is the prerequisite for any production deployment. The update signals that the platform is maturing from experimental tool use to enterprise-grade agent hosting.
Self-Hosted Sandboxes: How the Execution Boundary Works
Self-hosted sandboxes decouple the agent’s reasoning from its actions. When a Managed Agent decides to run a tool — executing code, installing a package, reading a file — that execution is dispatched to a sandbox running on the user’s own infrastructure or with a managed provider. The files, repositories, and packages never leave that environment.
Users retain full compute control. They define the resource sizing, the runtime image, and the capacity allocated. This matters for workloads that are not trivial: long-running builds, image generation pipelines, or data processing that requires substantial CPU and memory.
The security model is straightforward but powerful. Sensitive assets stay inside the user’s perimeter. Existing security tooling — network policies, egress controls, audit logging — applies without modification. The agent becomes a managed tenant within an environment the organization already trusts and monitors.

MCP Tunnels: Private Service Connectivity Without Public Exposure
The Model Context Protocol (MCP) lets agents call external tools — databases, APIs, knowledge bases, ticketing systems. But exposing those services to the public internet is a non-starter for most enterprises. MCP tunnels solve this by creating an encrypted, outbound-only connection from inside the private network to the agent infrastructure.
A lightweight gateway deployed by the user initiates a single outbound connection. No inbound firewall rules are required. No public endpoints are created. Traffic is encrypted end to end, and internal services remain invisible to the broader internet.
This capability extends across both Managed Agents and the Messages API. Organization admins manage tunnels from workspace settings in the Claude Console. The research preview status means access is by request, but the architectural direction is clear: agents will connect to enterprise systems the same way existing internal services do — securely and privately.
The Provider Ecosystem: Four Approaches to Sandbox Infrastructure
Anthropic does not mandate a single sandbox provider. Users can bring any sandbox client, but four partners are highlighted with deep integrations, each offering a distinct technical philosophy.
Cloudflare runs sandboxes at scale using microVMs and lightweight isolates. Its differentiator is network control: zero-trust secrets injection, customizable egress proxies that can audit or modify outbound requests, and the ability to connect to internal services over Cloudflare’s network. Amplitude, which values that observability and control, is using this stack to build Design Agent, an internal tool for on-brand UI and marketing design.
Daytona provides full composable computers that are long-running and stateful. The same primitive handles quick bursts or agents that work for hours. Sessions remain accessible over SSH or authenticated preview URLs and can be paused and restored with full state preserved. Clay’s GTM engineering agent, Sculptor, uses this to build, test, and monitor workflows autonomously.
Modal is a cloud platform purpose-built for AI workloads. Its sandboxes share foundations with Modal’s functions, storage, and networking primitives. Sub-second startup on any image, scaling to hundreds of thousands of concurrent sandboxes, and on-demand CPU and GPU resources make it suited for compute-intensive agent tasks.
Vercel combines VM security with VPC peering and millisecond startup times. Its firewall injects credentials at the network boundary so they never enter the sandbox itself. Rogo, an AI platform for institutional finance, is building an analyst agent on this stack to handle proprietary data securely.
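As an added illustration of the boundary-side pattern that the Cloudflare and Vercel descriptions above share (an egress proxy that audits outbound requests and injects credentials so they never enter the sandbox), here is a small Python policy function. It is not code from Anthropic or any provider; the request shape, policy table, header names and secrets are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)


# Constructed egress policy, held only by the boundary proxy, never by the sandbox:
# host -> (allowed methods, credential header to set, name of the secret to use)
POLICY = {
    "api.example.internal": ({"GET", "POST"}, "Authorization", "api_token"),
    "repo.example.internal": ({"GET"}, "X-Api-Key", "repo_key"),
}
# Constructed secret store; in practice this is the proxy's secret backend.
SECRETS = {"api_token": "Bearer demo-api-token", "repo_key": "demo-repo-key"}
# Headers a sandbox workload is never allowed to supply on its own.
CREDENTIAL_HEADERS = {"authorization", "x-api-key", "cookie", "proxy-authorization"}

AUDIT: list = []  # audit records carry secret names, never secret values


def egress(req: Request) -> Optional[Request]:
    """Apply the boundary policy to one outbound request from the sandbox.

    Returns the rewritten request with the credential attached, or None if the
    request is dropped. Either way an audit record is appended."""
    parts = urlsplit(req.url)
    entry = POLICY.get(parts.hostname or "")
    if parts.scheme != "https" or entry is None or req.method not in entry[0]:
        AUDIT.append({"decision": "deny", "method": req.method,
                      "host": parts.hostname, "path": parts.path})
        return None
    _, header, secret_name = entry
    # Strip any credential the sandbox tried to smuggle, then inject ours.
    clean = {k: v for k, v in req.headers.items() if k.lower() not in CREDENTIAL_HEADERS}
    clean[header] = SECRETS[secret_name]
    AUDIT.append({"decision": "allow", "method": req.method, "host": parts.hostname,
                  "path": parts.path, "credential": secret_name})
    return Request(req.method, req.url, clean)


if __name__ == "__main__":
    for r in (Request("POST", "https://api.example.internal/v1/jobs", {"Authorization": "Bearer leaked"}),
              Request("DELETE", "https://repo.example.internal/main"),
              Request("GET", "http://api.example.internal/v1/jobs")):
        print(egress(r), AUDIT[-1])
```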
Voices from the Field: What Early Adopters Are Building
The customer statements reveal a consistent pattern: teams are using Managed Agents to replace fragile local agent setups with cloud-grade reliability while retaining infrastructure control.
“Claude Managed Agents let us replicate the power of a local agent with the reliability, versioning, and background execution of a cloud agent. And running it with our sandboxes, like Daytona, gives us control over the filesystem, so we can mount external file stores and install packages on the fly.” — Ryan Chang, AI Engineering at Clay
“Claude Managed Agents handles the agent loop; Vercel’s sandboxes give us an environment we can configure for our workloads. This gives us the option to leverage best-in-class infrastructure while we focus on what compounds for a financial AI platform.” — Strib Walker, Head of Product at Rogo
“Modal’s sandbox gives us the security boundary our enterprise customers need, and combining it with Claude Managed Agents gives us a powerful harness without hand-rolling extra complexity. We had a working version up in under a week.” — Sai Yandapalli, CTO
The speed of initial deployment is a recurring theme. Amplitude’s Will Newton notes their design agent was running “in two days on infrastructure we already know and trust.” This suggests the integration surface between Managed Agents and these sandbox providers is already production-pragmatic.
Practical Implications and the Road Ahead
The update reshapes the build-versus-buy calculus for agent infrastructure. Teams previously had to choose between fully managed agents with limited security controls and self-built orchestrators that demanded significant engineering investment. The new capabilities offer a middle path: the agent loop is managed, but execution and connectivity stay within enterprise boundaries.
Several open questions remain. The MCP tunnels feature is in research preview, and its performance characteristics under load, latency profiles for high-frequency tool calls, and the full management surface for administrators are not yet documented. The sandbox provider ecosystem, while diverse, may create fragmentation in operational practices — each provider has different logging, monitoring, and state management patterns.
Still, the direction is unambiguous. Agentic AI in the enterprise is moving toward a model where reasoning is centralized but action is distributed and locally controlled. The May 19 announcement makes that architecture available as a product, not just a white paper.