Codenil

Anthropic Unveils Security Overhaul for Claude Agents: Credentials No Longer Ride Inside AI Models

Published: 2026-05-20 02:47:59 | Category: Software Tools

Anthropic today announced two new capabilities for its Claude Managed Agents platform—self-hosted sandboxes and MCP tunnels—that fundamentally change how enterprise credentials are handled during AI agent operations. The move addresses a critical vulnerability: previously, authentication tokens traveled inside the agent itself, meaning any compromised or misbehaving model could expose sensitive keys.

"For the first time, enterprises can run tool execution inside their own infrastructure while the agent orchestration stays on our platform," said an Anthropic spokesperson. "This split architecture ensures credentials never pass through the agent's context."

Background: The Credential Problem That Slowed AI Adoption

Enterprises have been hesitant to connect AI agents to internal APIs and databases—not because the models aren't capable, but because of security risks. In most production deployments, the agent carries authentication tokens as it executes tool calls. A compromised agent then holds the keys to sensitive systems.

[Image: Anthropic Unveils Security Overhaul for Claude Agents: Credentials No Longer Ride Inside AI Models. Source: venturebeat.com]

"The industry standard has been to put credentials inside the agent loop, which is like handing your house key to a stranger and hoping they don't copy it," explained Dr. Elena Torres, a cybersecurity researcher at Stanford. "Anthropic's approach moves credential control to the network boundary, dramatically reducing the blast radius."

Anthropic is not alone in recognizing this need. OpenAI added local execution to its Agents SDK in April 2025. However, Anthropic's architectural distinction is a clear split: the agent loop—orchestration, context management, error recovery—runs on Anthropic's infrastructure, while tool execution happens on the enterprise's own systems.

New Capabilities: Self-Hosted Sandboxes and MCP Tunnels

Self-hosted sandboxes, now in public beta for Claude Managed Agent users, let enterprises run tool execution within their own infrastructure perimeter. Files and packages stay inside the corporate network, and the agent completes tool calls without ever holding the keys.

MCP tunnels, currently in research preview, enable agents to connect to private MCP servers without exposing credentials in the agent's context. A lightweight outbound-only gateway sits inside the organization's network, with no credentials passing through the agent itself.

"These are separate concerns—sandboxes determine where tool execution happens and what resources agents access, while MCP tunnels tell agents how to reach internal systems," noted an Anthropic engineering lead. "Splitting them up allows enterprises to map workflows more effectively."
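To make the split concrete, here is an added Python model of the boundary the article describes. It is illustrative code written for this page, not Anthropic's code or API: the class names (`Gateway`, `AgentLoop`, `InternalApi`), the tool names and the sample token are all assumptions. The agent loop holds only tool names, arguments and results; a gateway inside the perimeter holds the credential, enforces a tool allowlist, and makes the authenticated call. An audit helper then checks whether the serialized agent context contains the secret, for the split design and for the older inline-credential pattern.

```python
import json
from dataclasses import dataclass, field
from typing import Any

# Constructed sample credential. A real deployment reads it from the
# enterprise secret store inside the perimeter; it must never reach the agent.
INTERNAL_API_TOKEN = "CONSTRUCTED-SECRET-TOKEN-0001"


class InternalApi:
    """Stand-in for a private service behind the corporate network boundary."""

    def __init__(self, token: str, records: dict[str, str]):
        self._token = token
        self._records = records

    def get(self, key: str, bearer: str) -> str:
        if bearer != self._token:
            raise PermissionError("bad bearer token")
        return self._records[key]


@dataclass
class Gateway:
    """Outbound-only gateway inside the perimeter (assumed design).

    Maps allowlisted tool names to internal records and injects the
    credential itself. The agent side only ever sees names, args, results.
    """
    api: InternalApi
    token: str
    allowed_tools: dict[str, str]  # tool name -> record namespace it may read

    def execute(self, call: dict[str, Any]) -> dict[str, Any]:
        tool = call.get("tool")
        if tool not in self.allowed_tools:
            # Permission is enforced here, at the boundary, not by trusting the model.
            return {"tool": tool, "ok": False, "error": "tool not allowlisted"}
        key = f"{self.allowed_tools[tool]}:{call.get('args', {}).get('id')}"
        try:
            value = self.api.get(key, bearer=self.token)
        except (PermissionError, KeyError) as exc:
            # Generic error only: never echo the credential or raw exception text.
            return {"tool": tool, "ok": False, "error": type(exc).__name__}
        return {"tool": tool, "ok": True, "result": value}


@dataclass
class AgentLoop:
    """Orchestration side: keeps the tool context and holds no credential."""
    gateway: Gateway
    context: list[dict[str, Any]] = field(default_factory=list)

    def run_tool(self, tool: str, **args: Any) -> dict[str, Any]:
        call = {"role": "tool_call", "tool": tool, "args": args}
        self.context.append(call)
        result = self.gateway.execute(call)
        self.context.append({"role": "tool_result", **result})
        return result


def context_contains_secret(context: list[dict[str, Any]], secret: str) -> bool:
    """Audit check: does the serialized agent context carry the credential?"""
    return secret in json.dumps(context)


def legacy_inline_credential_run(api: InternalApi, token: str, cid: str) -> list[dict[str, Any]]:
    """The pattern the article calls out: the agent carries the token itself."""
    context = [{"role": "tool_call", "tool": "lookup_customer",
                "args": {"id": cid, "bearer": token}}]
    context.append({"role": "tool_result",
                    "result": api.get(f"customer:{cid}", bearer=token)})
    return context


def demo() -> dict[str, Any]:
    # Constructed sample data for the private service.
    api = InternalApi(INTERNAL_API_TOKEN, {"customer:42": "Acme Corp"})
    gw = Gateway(api=api, token=INTERNAL_API_TOKEN,
                 allowed_tools={"lookup_customer": "customer"})
    agent = AgentLoop(gateway=gw)
    ok = agent.run_tool("lookup_customer", id="42")
    denied = agent.run_tool("dump_all_customers")       # not allowlisted
    missing = agent.run_tool("lookup_customer", id="99")  # allowed tool, no record
    legacy_ctx = legacy_inline_credential_run(api, INTERNAL_API_TOKEN, "42")
    return {
        "result": ok,
        "denied": denied,
        "missing": missing,
        "split_leaks": context_contains_secret(agent.context, INTERNAL_API_TOKEN),
        "legacy_leaks": context_contains_secret(legacy_ctx, INTERNAL_API_TOKEN),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The useful part for an evaluation team is the audit helper: dump the agent's real context (messages, tool calls, tool results) after a run and confirm the credential string is absent, which is the "test the security boundary" step before moving on to private MCP servers. The gateway's allowlist is where the fine-grained permissions the analysts mention would live.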

What This Means for Enterprises and Orchestration Teams

For organizations already using Claude Managed Agents, the immediate practical step is to deploy self-hosted sandboxes. Move tool execution onto your own infrastructure and test the security boundary before touching MCP tunnels, which remain in research preview.

"This is more than a security patch—it improves agent performance by reducing latency and giving teams direct control over compute resources," said an industry analyst at Gartner. "Orchestration teams can now enforce fine-grained permissions at the network boundary rather than trusting the agent model itself."

Teams evaluating the platform for the first time should treat the split architecture as a core design principle. By keeping credentials out of the agent's context, enterprises can safely connect AI agents to sensitive internal systems—a major hurdle that has slowed enterprise AI adoption until now.

The capabilities are rolling out immediately: self-hosted sandboxes in public beta, MCP tunnels in research preview. More details are available in Anthropic's official documentation and security whitepaper.