
Torque for MechCloud Academy

Unpacking Anthropic's Self-Hosted Sandboxes and MCP Tunnels: The Future of Enterprise AI Agents

The biggest blocker for enterprise artificial intelligence adoption has never been model capability. The real bottleneck has always been security. When your autonomous agents need access to internal databases, proprietary internal APIs, and highly sensitive customer data, sending that context to external infrastructure is an absolute non-starter for most security and compliance teams.

At the recent "Code with Claude" conference in London on May 19, 2026, Anthropic completely changed the narrative around enterprise security in artificial intelligence. By introducing two groundbreaking features to their Claude Managed Agents platform, they removed the primary objection stopping enterprises from shipping autonomous agents into production. These two features are self-hosted sandboxes (currently in public beta) and MCP tunnels (currently in research preview).

Together, these capabilities fundamentally change how organizations deploy intelligent agents by splitting the workload into a cloud-based intelligence layer and an internally hosted execution layer. This post provides a comprehensive technical breakdown of how these systems work, why they represent a massive paradigm shift in artificial intelligence infrastructure, and how you can architect a completely secure, data-compliant autonomous agent stack today.

The Enterprise Security Dilemma in Agentic AI

Before these updates, the standard industry approach to building an artificial intelligence agent looked fairly uniform across providers. You would define a model, equip it with a set of tools, and unleash it inside a managed cloud container. By default, Claude Managed Agents executes tools and code inside Anthropic-managed cloud sandboxes.

This model works flawlessly for side projects, public data processing, and lightweight automation. However, if you are building an application for the healthcare sector, the financial industry, or any enterprise with strict compliance and audit requirements, this default architecture blocks you from going to production. Your organization's security posture dictates that proprietary code, customer records, and internal credentials must never leave your protected network environment.

If a cloud-hosted agent needs to execute an internal database query or parse a local file system, the traditional method requires opening inbound firewall ports or copying the sensitive data to external servers. This exposes your internal services to the public internet and violates basic data residency principles. Engineering teams found themselves trapped in an endless loop of building incredible prototypes that their internal security review boards would immediately reject.

The Architectural Paradigm Shift: Separating the Brain and the Hands

To solve this problem, Anthropic introduced a brilliant architectural split that separates the system into a Control Plane and a Data Plane.

In this new model, the orchestration layer represents the brain of the operation. This includes context management, error recovery, complex reasoning, and the continuous agent loop. This intelligent orchestration stays securely on Anthropic's cloud infrastructure.

The execution layer represents the hands of the operation. This is where the actual work gets done. It includes tool execution, filesystem access, process spawning, and network egress. With the new updates, this execution layer moves entirely into infrastructure that you control.

This split architecture means that when your agent decides to write a Python script to analyze a massive proprietary dataset, the model simply reasons about the code it needs to write. The actual execution of that Python script happens inside your own firewall. The files the agent reads, the processes it spawns, and the internal services it reaches are fully bound by your internal network policies and audit logging. The raw dataset never touches Anthropic's infrastructure; what crosses the boundary is the tool result your worker hands back so the model can decide on its next step. You get the incredible reliability and iteration speed of a managed cloud intelligence platform without ever compromising on your strict data residency requirements.

Deep Dive: Self-Hosted Sandboxes

The first major component of this release is the self-hosted sandbox, available right now in public beta. When you enable this feature, you keep sensitive files, proprietary software packages, and backend services completely inside your own infrastructure or within a trusted managed sandbox provider.

Tool inputs and outputs still flow back to the Anthropic control plane so the Claude model can see the results of its actions and determine the next logical step, but the actual compute environment is yours. You deploy an environment worker that actively polls a work queue. When Claude determines that a tool needs to be called, it routes the request to your localized worker. The worker executes the task locally and returns only the final result to the model.

This architecture provides ultimate control over your runtime configuration. Because you own the environment, you dictate the exact runtime image, the pre-installed dependencies, and the available system packages. You also control the resource sizing. If your agent is running compute-heavy workloads like compiling massive codebases or generating complex images, you can allocate the exact CPU, memory, and GPU capacity required for the task.
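The poll-execute-return loop described above, as an added illustration rather than Anthropic's worker SDK: the queue format, tool names and sandbox files are constructed, and the worker enforces an explicit tool allowlist, confines file reads to its root, and redacts and truncates results before they leave for the control plane (since tool outputs do flow back to the model).

```python
# Added illustration (not Anthropic's SDK): a worker that runs tool requests locally
import pathlib
import re
import tempfile

SECRET_RE = re.compile(r"(?i)(password|api[_-]?key|secret)\s*[:=]\s*\S+")
AUDIT_LOG = []            # every request is logged locally before execution

def make_sample_sandbox() -> pathlib.Path:
    """Throwaway directory with constructed files for the demo."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="agent-sandbox-"))
    (root / "data").mkdir()
    (root / "data" / "transactions.csv").write_text("id,amount\n1,250\n")
    (root / ".env").write_text("API_KEY=sk-constructed\nDB_PASSWORD: hunter2\n")
    return root

def tool_read_file(args: dict, root: pathlib.Path) -> str:
    root = root.resolve()
    target = (root / args["path"]).resolve()   # collapses '..' and symlinks
    if target != root and root not in target.parents:   # confine to the root
        raise PermissionError(f"path escapes sandbox root: {args['path']}")
    return target.read_text()

TOOLS = {"read_file": tool_read_file}   # explicit allowlist; nothing else runs

def minimize(result: str) -> str:
    # Redact credential-looking values and cap size before anything leaves
    redacted = SECRET_RE.sub(lambda m: m.group(1) + "=[REDACTED]", result)
    return redacted[:4096]

def handle(request: dict, root: pathlib.Path) -> dict:
    AUDIT_LOG.append({"id": request["id"], "tool": request["tool"]})
    fn = TOOLS.get(request["tool"])
    if fn is None:
        return {"id": request["id"], "error": "tool not allowed"}
    try:
        return {"id": request["id"], "result": minimize(fn(request["args"], root))}
    except Exception as exc:   # only the error class is reported outward
        return {"id": request["id"], "error": type(exc).__name__}

# Constructed requests, in the shape a work queue might hand the worker
SAMPLE_QUEUE = [
    {"id": 1, "tool": "read_file", "args": {"path": "data/transactions.csv"}},
    {"id": 2, "tool": "read_file", "args": {"path": "../../../etc/passwd"}},
    {"id": 3, "tool": "run_shell", "args": {"cmd": "id"}},
    {"id": 4, "tool": "read_file", "args": {"path": ".env"}},
]

def run_worker(queue: list, root: pathlib.Path) -> list:
    return [handle(req, root) for req in queue]   # only these dicts leave
```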

Anthropic partnered with several managed providers at launch to give developers flexibility based on their specific workload patterns:

Cloudflare runs isolated sandboxes at incredible scale using microVMs and lightweight isolates. This option is perfect for stateless tasks where you need highly granular control over outbound network requests. You get zero-trust secrets injection and customizable proxies to audit, reroute, or modify network egress on the fly.

Daytona takes a different approach by providing full composable computers that are long-running and fully stateful. If your agent needs an environment that persists over multiple days, requires an active SSH connection, or needs to maintain complex background processes, Daytona provides a robust solution.

Modal focuses heavily on workloads that require massive computational power. If your enterprise is building artificial intelligence agents that need to rapidly scale up CPU or GPU allocation for heavy data science tasks, Modal provides an optimized infrastructure layer.

Vercel rounds out the supported partners by combining secure sandbox isolation with rapid execution environments, making it incredibly easy to integrate intelligent agents into modern web applications.

Of course, developers are not locked into these providers. The platform allows you to bring any custom sandbox client you want. You can deploy the environment worker directly onto a virtual machine or a bare metal Kubernetes cluster deep within your own protected data center.

Deep Dive: MCP Tunnels

While self-hosted sandboxes control where the agent executes its code, the second major feature tackles a different networking challenge. The Model Context Protocol is a standardized protocol that allows developers to expose internal systems, APIs, and databases as tools that intelligent agents can call.

The problem arises when these internal MCP servers live on private enterprise networks that absolutely cannot be exposed to the public internet. Traditionally, connecting a cloud-based agent to a private network required network administrators to open inbound firewall rules and allowlist specific IP ranges. Every open inbound port is a potential attack vector, making this approach a massive security liability.

Anthropic solved this beautifully with the introduction of MCP tunnels, currently available in research preview. This feature completely flips the traditional connection model. Instead of configuring your firewall to let Anthropic in, you deploy a lightweight software gateway inside your private network. This gateway relies on Cloudflare's open-source tunnel connector to initiate a secure, outbound-only connection to the tunnel edge.

Because the connection originates from inside your network and points outward, you do not need to open a single inbound firewall port. You do not need to expose any services to the public internet. The lightweight gateway carries encrypted traffic directly from the Anthropic routing proxy to your internal servers.

When you expose an internal tool through this method, it receives a secure hostname under your designated tunnel domain. You simply attach these hostnames to a session in the console or pass them programmatically through the application programming interface. The MCP tunnels ensure that your private resources remain private while still being completely accessible to your authorized autonomous agents.

However, connecting the network is only half the battle. Enterprises in highly regulated industries face additional challenges regarding access control and identity management. A tunnel connects the infrastructure, but it does not inherently govern which employees are allowed to use which tools. This is where the enterprise community has stepped up. Platforms like Stacklok are already providing the essential client-side governance layers. By deploying an identity management layer behind your tunnel, you can integrate directly with Microsoft Entra ID or Google Workspace. This ensures that when a product manager uses an agent, they only have access to tools like Jira or Google Drive, while a senior engineer using the exact same agent automatically gains access to GitHub and Datadog.
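The per-identity tool scoping described above, as an added illustration that is not Stacklok's, Anthropic's or the MCP SDK's code: a deny-by-default gate sitting behind the tunnel that filters a tools list by the caller's identity groups and authorizes each call. The issuer URL, group names and policy table are constructed, and the claims are assumed to have been signature-verified by the IdP integration upstream.

```python
# Added illustration (not Stacklok's, Anthropic's or the MCP SDK's code): a
# deny-by-default gate behind the tunnel that scopes MCP tools to identity groups.
import time

EXPECTED_ISSUER = "https://idp.example.invalid"   # assumed; set to your IdP
ROLE_TOOLS = {   # constructed policy table: group -> tools that group may call
    "product-managers": {"jira", "google_drive"},
    "engineers": {"jira", "github", "datadog"},
}
DECISIONS = []   # local audit trail of every allow/deny decision

def validate_claims(claims: dict, now=None) -> dict:
    """Minimal checks on IdP claims assumed to be signature-verified upstream."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise PermissionError("unexpected issuer")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims

def allowed_tools(claims: dict, exposed: list) -> list:
    """Filter an MCP tools/list response down to what this identity may see."""
    groups = claims.get("groups", [])
    entitled = set().union(*(ROLE_TOOLS.get(g, set()) for g in groups))
    return [t for t in exposed if t["name"] in entitled]   # unknown groups: nothing

def authorize_call(claims: dict, tool: str, exposed: list, now=None) -> bool:
    """Gate a tools/call: validate identity, then require the tool to be entitled."""
    try:
        validate_claims(claims, now)
        ok = any(t["name"] == tool for t in allowed_tools(claims, exposed))
    except PermissionError:
        ok = False
    DECISIONS.append({"sub": claims.get("sub"), "tool": tool, "allowed": ok})
    return ok

# Constructed tools/list payload from the tunnelled MCP server
EXPOSED = [{"name": n} for n in ("jira", "google_drive", "github", "datadog", "payroll")]
```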

The Ultimate Secure Agent Architecture

The true power of this release becomes obvious when you combine these two independent features into a unified architecture.

Imagine you are building a financial auditing agent for a major bank. The agent needs to analyze highly confidential transaction logs, cross-reference them against internal compliance documentation, and execute specialized Python scripts to detect fraudulent patterns.

By utilizing a self-hosted sandbox, you ensure that the complex Python scripts run exclusively on a secure server sitting inside the bank's local data center. The proprietary transaction logs never leave the premises.

By utilizing MCP tunnels, you allow the agent to securely query the bank's internal SQL databases and retrieve compliance rules from a localized internal wiki. The agent communicates with these resources through an outbound encrypted stream, meaning the bank's network security team does not have to alter their strict firewall policies.

The Claude model acts purely as the intelligent coordinator. It receives the prompt, understands the objective, requests data through the secure tunnel, writes a script to analyze the data, and sends the script to the local sandbox for execution. The bank maintains absolute control over data residency, access control, and auditability, while simultaneously leveraging the most advanced reasoning model on the market.

The Bigger Picture: Where the True AI Moat Lies

Beyond the immediate technical benefits, this update from Anthropic reveals a massive shift in the underlying economics of artificial intelligence infrastructure. For the past few years, the industry assumption was that the core value of artificial intelligence lay within the model itself and the computational power required to run it.

By actively pushing the execution layer back onto the customer, Anthropic is signaling that raw execution and localized sandboxing are rapidly becoming commoditized. Running a Python script securely inside a container is a solved problem. The real proprietary advantage, the true economic moat, exists within the orchestration layer.

The future winners in the artificial intelligence space will not just be the companies with the smartest base models. The ultimate winners will be the platforms that master orchestration, institutional memory, verification patterns, and lifecycle management. By offloading the operational burden of the execution environment to the user, Anthropic can focus all of its engineering resources on making the control plane smarter, faster, and more resilient.

When you use the Claude Managed Agents platform, your code executes locally, but the accumulated intelligence, the workflow optimizations, and the complex agent loop logic remain safely within Anthropic's ecosystem. This creates a compounding platform advantage. As developers build more complex workflows, the orchestration layer becomes increasingly indispensable. It represents a brilliant strategic move that mirrors the platform strategies of massive infrastructure giants like Amazon Web Services and Stripe.

Conclusion

The simultaneous release of self-hosted sandboxes and MCP tunnels is one of the most important architectural milestones in the recent history of enterprise artificial intelligence. Anthropic has actively listened to the concerns of security engineers, network administrators, and compliance officers, and they have delivered a framework that satisfies the strictest data residency requirements.

By cleanly separating the intelligent orchestration layer from the physical execution environment, enterprises can finally move their experimental prototypes out of the testing phase and into heavily governed production environments. Developers no longer have to compromise between accessing world-class reasoning capabilities and maintaining strict internal network security.

If your team has been holding back on deploying autonomous agents due to compliance concerns, the barrier to entry has officially been removed. The tools to build highly secure, fully governed, and incredibly powerful localized agents are now freely available. The era of enterprise-grade autonomous workflows is officially here.
