Anthropic is extending its managed-agent platform in a direction large companies have been asking for: more control over where tools run and how internal systems are accessed. The company’s newly announced self-hosted sandboxes and MCP tunnels are designed to let Claude Managed Agents operate closer to corporate infrastructure, even as the core agent orchestration remains on Anthropic’s own servers.

The move speaks directly to one of the central tensions in enterprise AI deployment. Companies want the convenience and fast iteration of hosted agent systems, but they are often reluctant to let sensitive files, repositories, and internal services move outside their own security perimeter. Anthropic’s update does not eliminate that tension, but it does narrow it.

Tool execution moves toward the customer

With self-hosted sandboxes, Anthropic says companies can run an agent’s tool calls on their own infrastructure rather than in Anthropic-managed environments. According to the report, that means files and repositories remain inside the customer’s environment, while existing network rules, audit logging, and security tooling stay in force. Customers can also choose practical deployment details such as CPU, memory, and runtime image.

For enterprises, that matters because agent systems are only as useful as the tools they can safely invoke. If a coding agent cannot reach the repository it needs, or a workflow agent cannot touch the systems where work actually happens, the value proposition falls apart quickly. By relocating tool execution, Anthropic is effectively separating where the model-driven decisions are made from where concrete actions take place.

The company is also giving customers an easier path if they do not want to build and maintain their own execution layer. According to the report, managed providers including Cloudflare, Daytona, Modal, and Vercel can be used instead. That suggests Anthropic is aiming for a flexible middle ground between strict self-hosting and fully managed operation.

MCP tunnels target a harder problem

The second feature, MCP tunnels, addresses a different enterprise obstacle: how to let AI agents use internal tools without exposing those services to the open internet. Model Context Protocol servers can act as gateways to databases, APIs, ticketing systems, and other internal resources. But for many organizations, publishing those endpoints externally is unacceptable.

Anthropic’s reported answer is a lightweight gateway that opens a single outbound connection from the private network. The connection is described as end-to-end encrypted and avoids the need for inbound firewall rules or public endpoints. In effect, the company is trying to reduce the operational overhead and security anxiety involved in wiring agents into internal systems.

That matters because the quality of an enterprise agent increasingly depends on retrieval and tool access rather than raw model capability alone. An agent that can read a public webpage is one thing; an agent that can query a company’s internal issue tracker, inspect private documentation, and trigger approved workflows is far more useful. MCP tunnels are an attempt to make that level of access practical without demanding that customers dismantle their existing security posture.

What Anthropic is not offering

The limitations are as important as the new capabilities. The report makes clear that Anthropic is not handing over the full agent stack. Context management, error handling, and the actual agent loop continue to run on Anthropic infrastructure. That means the company still controls the orchestration layer even when tool execution happens elsewhere.

For some customers, that may be enough. Many organizations primarily care about keeping sensitive assets and actions inside a controlled environment while relying on a vendor to manage the agent runtime. For others, especially those with strict sovereignty, compliance, or data residency requirements, it will not go far enough. A fully on-premise deployment remains unavailable.

This distinction is not technical trivia. It defines what kind of enterprise product Claude Managed Agents currently is. Anthropic is offering more infrastructure choice at the edges, not a complete transfer of control. Companies seeking self-operated model execution or a fully internal agent loop will still need a different architecture.

Early stage, clear signal

Both features are still immature. The report says self-hosted sandboxes are in public beta, while MCP tunnels are only in research preview and require companies to request access. That caution matters because operational edge cases, reliability issues, and security reviews often appear late in enterprise rollouts, not during product demos.

Even so, the direction is significant. Agent vendors are under pressure to show that their systems can fit inside real corporate constraints rather than asking buyers to relax those constraints for the sake of adoption. Anthropic’s update suggests the market is moving away from generic hosted copilots and toward more infrastructure-aware agents that can live inside existing governance models.

It also reflects a broader industry pattern. As AI agents shift from novelty to workflow infrastructure, the question is no longer just what the model can do in principle. The harder question is where execution happens, which systems can be reached, how access is secured, and who retains operational control when something goes wrong.

Anthropic’s answer, at least for now, is incremental rather than absolute. Let customers keep tool execution closer to home. Let internal services be reached through encrypted outbound channels. Keep the orchestration layer centralized. That may not satisfy everyone, but it is a pragmatic response to the reality that enterprise AI adoption is as much an infrastructure problem as a model problem.

This article is based on reporting by The Decoder.

Originally published on the-decoder.com