The credential problem was the real moat between agents and production, and Anthropic just gave enterprises a door through it.

The Summary

  • Anthropic launched self-hosted sandboxes and MCP tunnels for Claude Managed Agents, moving credential control to the network boundary instead of embedding it in agent context
  • The split: agent orchestration runs on Anthropic's cloud, tool execution runs inside the enterprise perimeter
  • This solves the core adoption blocker: today's agents carry authentication tokens with them, so a compromised agent becomes a compromised everything

The Signal

Enterprise AI adoption has been stuck at the credential checkpoint. The models work. The use cases are clear. But connecting agents to the systems that matter, the ones that hold customer data, financial records, or inventory, requires handing those agents the keys. And if the agent hallucinates, gets jailbroken, or just makes a mistake, it takes those keys with it into the error.

Anthropic's new architecture splits the problem. The agent loop (the part that decides what to do next, manages context, handles retries) stays on Anthropic's infrastructure. The tool execution (the part that actually touches your database or calls your internal API) happens inside your network. Credentials never cross the boundary. The agent asks for work to be done. Your system does it. The agent sees the result, not the key.
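As an added illustration of the boundary described above (hypothetical Python, not Anthropic's sandbox or MCP tunnel code): the agent loop issues a credential-free tool request, the executor inside the perimeter resolves the token from its own vault, runs the tool against an allowlist, and scrubs any secret material from the result before it crosses back. The vault contents, the `inventory_lookup` tool and the backend are constructed for the example.

```python
"""Toy model of the split: the orchestrator (agent loop) only ever sees tool
names, arguments and scrubbed results; the executor inside the perimeter holds
the credentials. Hypothetical code, not Anthropic's MCP tunnel implementation."""
import json
from dataclasses import dataclass

# Constructed sample secret, held only on the perimeter side.
PERIMETER_VAULT = {"inventory_api": "tok-EXAMPLE-do-not-leak"}

# Tools the executor is willing to run for the agent (deny by default).
ALLOWED_TOOLS = {"inventory_lookup"}

@dataclass(frozen=True)
class ToolRequest:
    tool: str
    args: dict  # credential-free arguments from the agent loop

def _call_inventory_backend(sku: str, token: str) -> dict:
    """Stand-in for the real internal API; echoes the token to simulate a leaky backend."""
    return {"sku": sku, "qty": 42, "debug_auth": token}

def _scrub(value, secrets):
    """Recursively replace any secret material in a tool result before it leaves the perimeter."""
    if isinstance(value, dict):
        return {k: _scrub(v, secrets) for k, v in value.items()}
    if isinstance(value, list):
        return [_scrub(v, secrets) for v in value]
    if isinstance(value, str):
        for s in secrets:
            value = value.replace(s, "[REDACTED]")
    return value

def execute_in_perimeter(req: ToolRequest) -> dict:
    """Run a tool request on the enterprise side; credentials are resolved here, never sent to the agent."""
    if req.tool not in ALLOWED_TOOLS:
        return {"ok": False, "error": f"tool {req.tool!r} not allowed"}
    token = PERIMETER_VAULT["inventory_api"]
    raw = _call_inventory_backend(str(req.args.get("sku", "")), token)
    return {"ok": True, "result": _scrub(raw, PERIMETER_VAULT.values())}

def orchestrator_turn(sku: str) -> str:
    """What the cloud-side agent loop receives: a JSON result string with no credential in it."""
    req = ToolRequest(tool="inventory_lookup", args={"sku": sku})
    return json.dumps(execute_in_perimeter(req))

def leaked(payload: str) -> bool:
    """Defender's check: does any vault secret appear in what the agent sees?"""
    return any(s in payload for s in PERIMETER_VAULT.values())
```

The `leaked` check is the kind of assertion a security team can run against every tunnel response in a test harness, and the deny-by-default allowlist is what stops a misbehaving agent from asking the perimeter to run tools it was never granted.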

"In most production deployments, the agent carries authentication tokens with it as it executes tool calls, which means a compromised or misbehaving agent takes the keys with it."

Self-hosted sandboxes are in public beta now. MCP tunnels are in research preview. The timing matters because Model Context Protocol moved into production before the security architecture around it caught up. Companies started connecting agents to internal tools because MCP made it easy, then hit the wall when security teams asked the obvious question: what happens when the agent does something it shouldn't?

OpenAI shipped local execution in its Agents SDK in April for the same reason. But Anthropic's split is different. OpenAI's approach keeps orchestration and execution together. Anthropic separates them. The agent brain stays centralized and gets model updates, fine-tuning, and Anthropic's scaling. The execution happens where your data lives.

Key differences in approach:

  • OpenAI: Local execution, but orchestration moves with it
  • Anthropic: Cloud orchestration, edge execution
  • Anthropic's bet: Enterprises want model updates without infrastructure lock-in

This isn't just about security. It's about what kind of agent architecture becomes the default. If orchestration and execution run together, every enterprise needs to host its own agent runtime and keep it current. If they split, enterprises control the execution boundary but Anthropic (or whoever) keeps improving the brain. That's a different scaling model, and it makes agent deployment look more like API consumption than on-prem software.

The Implication

Watch what enterprises do with this. If self-hosted sandboxes become table stakes, the credential problem stops being an adoption blocker and becomes an architecture question: who controls the orchestration layer? Anthropic is betting enterprises will trade some control for continuous model improvement. If they're right, the agent deployment pattern shifts from "we host everything" to "we control the perimeter, you improve the model."

For companies building on Claude, this opens internal tool integration that was too risky before. The question now is velocity: how fast can you connect agents to systems that matter, and what do you build once the credential wall comes down?

Sources

VentureBeat