Product Launch

Anthropic Builds Private Agent Sandboxes for Banks

Anthropic gave Claude Managed Agents self-hosted sandboxes and MCP tunnels, letting banks run AI agents inside their own AWS VPC off the public internet.

Key Takeaways

  • Self-hosted sandboxes let Claude Managed Agents run tool calls on customer infrastructure or via Cloudflare, Daytona, Modal, and Vercel, while the orchestration loop stays on Anthropic's infrastructure.
  • MCP tunnels connect agents to private MCP servers through a single outbound encrypted connection, with no inbound firewall rules or public endpoints.
  • Rogo's financial-analyst agent runs inside a bank's own AWS VPC so data never leaves the shared perimeter.
  • Self-hosted sandboxes shipped in public beta and MCP tunnels in research preview (access by request); both were launched at Code with Claude in London.
  • Anthropic is now competing on deployment architecture and compliance, not just model benchmarks.

The biggest blocker to enterprise AI agents was never intelligence. It was that no bank, hospital, or government would let an autonomous agent touch its private data through someone else's cloud. Anthropic's latest release is aimed squarely at that blocker. Claude Managed Agents can now run their tool calls inside infrastructure the customer controls and reach private systems through outbound-only encrypted tunnels that expose no inbound port or public endpoint.

What Actually Happened

At its Code with Claude developer conference in London, Anthropic launched two features for Claude Managed Agents: self-hosted sandboxes and MCP tunnels. Self-hosted sandboxes let companies run an agent's tool calls on their own infrastructure or through managed providers including Cloudflare, Daytona, Modal, and Vercel. The orchestration brain, meaning the agent loop that manages context, plans steps, and recovers from errors, stays on Anthropic's infrastructure, while the actual execution of tools moves into the customer's environment. The split is the whole point: thinking stays rented, doing stays home.

The second feature, MCP tunnels, connects agents to Model Context Protocol servers sitting on a private network without exposing those servers to the open internet. A lightweight gateway inside that network opens a single outbound, end-to-end encrypted connection out of it, so the customer needs no inbound firewall rules and no public endpoints. In plain terms, the agent can read internal databases and call internal tools as though it were a service running inside the company, while the company opens nothing to the outside world. Outbound-only does not mean zero exposure, though: the gateway is still a bridge into the private network, and what the agent can reach is bounded by what the gateway is permitted to forward and what the MCP servers behind it will do, so those scopes, not the absence of inbound rules, are what a security reviewer should audit. Self-hosted sandboxes shipped in public beta and MCP tunnels in research preview with access available by request, which suggests Anthropic considers the sandbox layer ready for production and the tunnel layer still hardening.
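To make the two pieces above concrete, here is an added illustration of the pattern, written for this article and not Anthropic's gateway or SDK code: a hosted relay standing in for the orchestration side, a gateway on the private network that makes exactly one outbound connection and never listens, and an in-process stand-in for an internal MCP server answering a tools/call request. The 4-byte length-prefixed JSON framing, the pre-shared token standing in for the real mutually authenticated, end-to-end encrypted channel, the ALLOWED_TOOLS allowlist, and the constructed ACCOUNTS data are all assumptions of the example, not details of the product.

```python
"""Outbound-only tunnel: hosted relay <- private gateway -> in-process MCP stand-in.
Added illustration for this article, not Anthropic's code. Assumptions: 4-byte
length-prefixed JSON frames; a pre-shared token stands in for the real mutually
authenticated, end-to-end encrypted channel; ACCOUNTS is constructed sample data."""
import itertools, json, socket, struct, threading

PSK = "replace-with-real-channel-auth"  # ASSUMPTION: placeholder for mTLS/E2E auth
ALLOWED_TOOLS = {"lookup_account"}      # gateway-side allowlist of forwardable tools
ACCOUNTS = {"ACC-1001": {"owner": "Example Corp", "balance_cents": 1250000}}  # constructed

def private_mcp_server(req: dict) -> dict:
    """Stand-in for an MCP server inside the VPC: answers tools/call requests."""
    params = req.get("params", {})
    if req.get("method") != "tools/call":
        return {"error": "unsupported method"}
    if params.get("name") == "lookup_account":
        acct = ACCOUNTS.get(params.get("arguments", {}).get("id"))
        return {"result": acct if acct is not None else "not found"}
    return {"error": f"unknown tool {params.get('name')!r}"}

def send_frame(sock, obj):
    data = json.dumps(obj).encode()
    sock.sendall(struct.pack(">I", len(data)) + data)

def recv_frame(sock):
    """Return the next JSON frame, or None once the peer has closed."""
    def exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                return None
            buf += chunk
        return buf
    hdr = exact(4)
    if hdr is None:
        return None
    body = exact(struct.unpack(">I", hdr)[0])
    return None if body is None else json.loads(body)

class Relay:
    """Hosted side, the only party that listens. It waits for the gateway to dial
    out, then pushes the agent's tool calls down that single connection."""
    def __init__(self):
        self.srv = socket.create_server(("127.0.0.1", 0))
        self.port = self.srv.getsockname()[1]
        self.conn, self.ready, self.lock = None, threading.Event(), threading.Lock()
        self.ids = itertools.count(1)
        threading.Thread(target=self._accept, daemon=True).start()

    def _accept(self):
        try:
            conn, _ = self.srv.accept()
        except OSError:
            return  # relay closed before any gateway dialed in
        hello = recv_frame(conn)
        if not hello or hello.get("auth") != PSK:  # reject unauthenticated gateways
            conn.close()
            return
        send_frame(conn, {"auth": "ok"})
        self.conn = conn
        self.ready.set()

    def call_tool(self, name, arguments):
        """One tool call as issued by the hosted agent loop."""
        if not self.ready.wait(5):
            raise RuntimeError("no gateway connected")
        with self.lock:
            send_frame(self.conn, {"jsonrpc": "2.0", "id": next(self.ids), "method": "tools/call",
                                   "params": {"name": name, "arguments": arguments}})
            return recv_frame(self.conn)

    def close(self):
        if self.conn:
            self.conn.close()
        self.srv.close()

def run_gateway(relay_host, relay_port):
    """Private side: one outbound connect, never bind() or listen()."""
    with socket.create_connection((relay_host, relay_port)) as s:
        send_frame(s, {"auth": PSK})
        hello = recv_frame(s)
        if not hello or hello.get("auth") != "ok":
            return
        while True:
            req = recv_frame(s)
            if req is None:  # relay closed the tunnel
                return
            name = req.get("params", {}).get("name")
            if name not in ALLOWED_TOOLS:  # the allowlist is the real control
                send_frame(s, {"id": req.get("id"), "error": f"tool {name!r} blocked by gateway allowlist"})
                continue
            send_frame(s, {"id": req.get("id"), **private_mcp_server(req)})

def demo() -> dict:
    """Bring up relay and gateway in-process; return one allowed and one blocked call."""
    relay = Relay()
    threading.Thread(target=run_gateway, args=("127.0.0.1", relay.port), daemon=True).start()
    try:
        allowed = relay.call_tool("lookup_account", {"id": "ACC-1001"})
        blocked = relay.call_tool("delete_account", {"id": "ACC-1001"})
        return {"allowed": allowed, "blocked": blocked}
    finally:
        relay.close()

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it, demo() returns one call answered from the private data and one refused at the gateway. The point to notice is on the private side: run_gateway calls create_connection once and never bind or listen, which is why no inbound firewall rule is needed, while ALLOWED_TOOLS is the control that actually decides what the hosted side can reach, and therefore the part a reviewer should spend time on.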

Anthropic's flagship example is Rogo, which delivers an analyst agent to financial institutions on this infrastructure. For a bank that already runs its own virtual private cloud on AWS, the fact that Vercel can peer with that VPC means the agent sees internal databases as if it were a native service inside the organization, with traffic never leaving the shared AWS perimeter. Clay, an AI engineering builder, added that the setup let it replicate the power of a local agent with the reliability, versioning, and background execution of a cloud agent, mounting external file stores and installing packages on the fly through a sandbox like Daytona.

Claude Managed Agents is the product that lets companies run long-lived, autonomous agents that Anthropic operates and scales on their behalf, rather than thin wrappers a developer has to babysit. The two new features extend that managed service into the one place enterprises previously could not follow: behind their own firewall. Before this release, using Managed Agents on sensitive workloads meant either routing private data through Anthropic's infrastructure or keeping those workloads off Managed Agents altogether. The update collapses that false choice, letting a company keep the managed convenience of a hosted agent while satisfying the data boundary its auditors demand, which is the combination enterprises have been asking for since the agent wave began.

Why This Matters More Than People Think

Enterprise AI has a dirty secret: the demos are spectacular and the deployments are tiny. The reason is rarely model capability. It is that security, compliance, and data-residency teams will not approve sending regulated data to a third-party cloud, no matter how good the model. By splitting the agent so the reasoning stays with Anthropic but the data and tool execution stay with the customer, Anthropic directly attacks the single objection that kills most enterprise agent projects before they reach production. The bottleneck was never the model's IQ, it was the procurement review, and this release is aimed squarely at that review.

This is an architectural answer to a political problem. A chief information security officer cannot sign off on an agent that pulls customer records into an external sandbox. But an agent whose tool calls run inside the company's own VPC, reaching data through an outbound-only encrypted tunnel, fits the security model these teams already trust for their own microservices. Anthropic is not asking the enterprise to relax its rules. It is reshaping the product to pass the rules unchanged, which is a far easier sale than asking a bank to make an exception, because exceptions require sign-off from people whose entire job is to say no.

The time-to-production gain is the part finance teams will notice. Most enterprise agent pilots die not in a technical review but in a security queue, where they wait months for an exception that never arrives. An architecture that fits existing controls skips that queue entirely, turning a multi-quarter approval slog into a configuration task. For a buyer, the value is not just that the agent is more secure, it is that the agent can ship this quarter instead of next year, and shipping speed is what separates the companies that compound an AI advantage from the ones still circulating memos about whether to start.

The choice of launch partners reveals the strategy. Cloudflare, Daytona, Modal, and Vercel are the infrastructure layer developers already use, so Anthropic is meeting enterprises where their stacks live rather than forcing a migration. The Rogo example is deliberately a bank, the hardest possible buyer, because if the architecture satisfies a regulated financial institution, it satisfies almost everyone below that bar. Anthropic is using its most paranoid customers as the proof that unlocks the long tail of merely cautious ones, the same way enterprise software vendors have always led with the marquee logo that makes every later deal easier to close.

The Competitive Landscape

OpenAI, Google, and Microsoft are all racing to make agents enterprise-ready, but they approach it from different angles. Microsoft leans on its existing Azure and compliance footprint, arguing that enterprises already trust Redmond with their data. Google is building managed agent sandboxes inside its own cloud. Anthropic's bet is subtly different: rather than asking enterprises to trust its cloud, it lets them keep the data on infrastructure they already trust, including rival clouds like AWS. That cloud-neutral stance is a wedge against competitors who want to pull the workload onto their own platform, and it appeals most to the buyers who refuse to pick a single cloud winner.

The historical parallel is the rise of the VPC and on-premise hybrid models in early cloud computing. The first wave of cloud adoption stalled on the same fear, that sensitive data should not leave the building, and the unlock was hybrid architectures that let companies keep control while still using cloud services. Anthropic is running the same play one layer up the stack: hybrid agents, where the intelligence is rented and the data stays home. The companies that won the cloud era were the ones that solved trust, not the ones with the most raw compute, and the same lesson is about to repeat in the agent era.

There is a standards dimension as well. By building tunnels around the Model Context Protocol, the open standard Anthropic introduced and which rivals have adopted, the company is reinforcing MCP as the connective tissue of enterprise AI. Every enterprise that wires its internal tools to agents through MCP tunnels deepens its commitment to the protocol Anthropic shepherds. The risk for competitors is that MCP becomes the default integration layer, and whoever defines the default earns leverage over the entire ecosystem, the way HTTP and SQL shaped the eras that followed them. Owning the model is valuable, but owning the protocol that connects every model to every tool is a deeper kind of moat.

The looming alternative is fully open-weight models that enterprises run entirely on their own hardware, with no dependence on any lab at all. Meta, DeepSeek, and a wave of open releases have pushed open models close enough to the frontier that some security-maximalist buyers will choose total ownership over rented cognition. Anthropic is betting that the gap in capability, and in the operational burden of running a frontier model in house, is wide enough that most enterprises will prefer its hybrid path: keep the data, rent the brain, and skip the cost of staffing an internal model team. That bet holds only as long as open models stay a step behind and self-hosting stays genuinely hard, and both of those conditions are eroding every quarter.

Hidden Insight: Anthropic Is Selling Control, Not Intelligence

The non-obvious read is that this launch is barely about Claude's intelligence at all. Anthropic is competing on deployment architecture, which is a tacit admission that at the frontier, model quality is converging and the real battleground has moved to who can actually get agents into production inside regulated industries. When every lab has a capable model, the winner is the one whose product clears the compliance review, and Anthropic is optimizing hard for that review rather than for another benchmark point. The marketing has quietly shifted from how smart the model is to how safely you can deploy it.

The bear case, however, deserves a fair hearing. Critics argue that splitting the agent across two infrastructures adds latency, operational complexity, and new failure modes, and that many enterprises will balk at the engineering effort of peering VPCs and running self-hosted sandboxes. The promise of secure agents is attractive, but the implementation burden falls on already-stretched platform teams. The risk is that this remains a feature only the most sophisticated customers, the Rogos and Clays of the world, can actually operationalize, while the median enterprise stays stuck in the same pilot purgatory the release was meant to end.

Skeptics point out a second tension: keeping the orchestration loop on Anthropic's side means the customer still depends on Anthropic for the part that matters most, the reasoning. Data residency is solved, but vendor lock-in to Anthropic's agent runtime is not. A bank gets to keep its data at home while becoming structurally dependent on a single AI lab for the cognition that drives its agents. For some buyers that trade is fine. For others, particularly governments and sovereign institutions, partial control may not be enough, and they will push for fully self-hosted models instead, which is the one thing this architecture does not give them.

The deepest signal is what this says about where margins will sit. If the data and execution stay with the customer and only the reasoning is rented, Anthropic is positioning itself as the high-margin cognition layer while commoditizing the infrastructure around it. That mirrors how the most durable platform companies capture the valuable layer and let partners fight over the rest. The Cloudflares and Vercels of this arrangement provide the plumbing, while Anthropic keeps the brain, and the brain is where pricing power lives. It is a quietly aggressive bid to own the most defensible position in the entire enterprise AI stack.

What to Watch Next

In the next 30 to 90 days, watch how quickly MCP tunnels move from research preview to general availability, since that gating is the real constraint on adoption right now. Watch for named enterprise deployments beyond Rogo and Clay, especially in healthcare and government, which would prove the architecture clears the most demanding compliance bars. Track whether OpenAI and Google respond with their own cloud-neutral deployment options, which would validate Anthropic's read of the market and turn deployment architecture into the new competitive front.

Over 90 to 180 days, the leading indicator is latency and reliability data from production deployments, because the split-architecture bear case lives or dies on whether the engineering overhead is tolerable at scale. Watch whether additional sandbox providers join Cloudflare, Daytona, Modal, and Vercel, which would signal the pattern is becoming a standard rather than a bespoke integration. Watch MCP adoption metrics as well, since every new tunnel deepens the protocol's lock-in and Anthropic's leverage over the connective layer of enterprise AI.

The question that matters most is whether secure deployment, not raw capability, becomes the axis enterprises buy on. If procurement decisions start hinging on data-control architecture rather than benchmark scores, Anthropic will have changed the rules of the enterprise AI contest to favor exactly the ground it just claimed. If buyers keep chasing the smartest model regardless of deployment, this becomes a useful feature rather than a decisive moat, and the race resets on capability once more. The next year of enterprise contracts will reveal which of those two worlds we actually live in.

Anthropic stopped trying to win the benchmark war and started winning the compliance review, which is where enterprise AI is actually decided.


Questions Worth Asking

  1. If data stays home but the reasoning is rented, has the enterprise really escaped vendor lock-in or just relocated it?
  2. Will compliance architecture, rather than benchmark scores, become the real basis for enterprise AI purchasing decisions?
  3. If MCP becomes the default integration layer for enterprise agents, how much leverage does that hand the company that controls the protocol?