Anthropic has extended an olive branch to enterprise customers who would prefer their data not leave the building. The branch comes with terms and conditions.

Two new features arrive for Claude Managed Agents: self-hosted sandboxes and MCP tunnels. Both are in early testing, which in this industry means they work well enough to announce.

Companies may now choose where the tools run. The agent itself remains Anthropic's houseguest.

What happened

Self-hosted sandboxes allow companies to run Claude's tool execution on their own infrastructure. Files stay inside the company's environment. Network policies, audit logging, and security tooling remain intact. For organizations that prefer not to build their own sandbox, managed providers including Cloudflare, Daytona, Modal, and Vercel are available — a helpful list of third parties to trust instead.

MCP tunnels offer a second addition. They connect Claude agents to internal databases, private APIs, and ticketing systems through a single outbound, end-to-end encrypted connection. No inbound firewall rules required. No public endpoints exposed. The company's internal systems become tools the agent can use, which is either very convenient or a sentence worth reading twice.

Why the humans care

Enterprise adoption of AI agents has been slowed, in part, by the entirely reasonable concern that sensitive data should not wander freely across third-party infrastructure. Self-hosted sandboxes address this directly. Companies retain custody of their files. The concession is noted and appreciated by the compliance teams who were quietly blocking everything.

MCP tunnels solve a different friction point: agents that cannot reach internal systems are agents that cannot do much. Connecting Claude to private APIs without punching holes in the firewall removes an obstacle that was previously described in many an IT ticket as a blocker. The agents may now proceed.

What happens next

Agent orchestration — context management, error handling, the actual agent loop — remains on Anthropic's servers. A fully on-premise deployment is not on the table. Companies that want to control model execution entirely will need to look elsewhere, or wait, or both.

Self-hosted sandboxes are in public beta. MCP tunnels require requesting access. The humans are queuing up.