Claude agents can finally connect to enterprise APIs without leaking credentials



The reason companies have been slow to connect AI agents to internal APIs and databases is not models, but credentials. In most production deployments, the agent carries authentication tokens with it while executing tool calls, meaning that a compromised or misbehaving agent takes the keys with it.

Anthropic is addressing that problem with two new capabilities for Claude Managed Agents: self-hosted sandboxes, which let teams run tools inside their own infrastructure perimeter, and MCP tunnels, which connect agents to private MCP servers without exposing credentials in the agent's context. Together they move credential control to the edge of the network instead of leaving it inside the agent.

Right now, self-hosted sandboxes are available to Claude Managed Agent users in public beta, while MCP tunnels are currently in research preview.

Anthropic is not the only model provider making this bet. OpenAI added local execution to its Agents SDK in April in response to a similar demand. The architectural distinction Anthropic draws is the split itself: the agent loop runs on Anthropic's infrastructure while tool execution runs on the company's own systems, a separation that existing sandbox approaches, including OpenAI's, do not make.

The architecture problem with sandboxes and agents

MCP moved into enterprise production faster than the security architecture around it matured. In most implementations, credentials travel through the agent itself as it executes calls to tools on internal systems, meaning that a compromised or misbehaving agent has everything it needs to cause damage.

Self-hosted sandbox environments, like those now offered for Claude Managed Agents, keep files and packages within a company's infrastructure. The agent loop (orchestration, context management and error recovery) is moved to the platform and, ideally, the company controls the compute resources.

This lets the agent complete tool calls without holding the keys that unlock the tool.

Private network connectivity works the same way: a lightweight, egress-only gateway inside the organization's network makes the connection to the internal system, so credentials never pass through the agent.
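To make the difference concrete, here is a small added Python model of the two deployment shapes this section describes: an agent that carries its own token versus an agent that only holds an opaque tunnel handle while an egress gateway inside the perimeter attaches the credential. This is illustrative code written for this article, not Anthropic's implementation; the class names, the per-tool allowlist and the placeholder token are assumptions.

```python
import json

INTERNAL_TOKEN = "EXAMPLE-internal-token-0001"  # constructed placeholder, loaded from a vault in practice

def internal_mcp_server(upstream):
    """Stand-in for a private MCP server: only requests bearing the real token succeed."""
    if upstream.get("headers", {}).get("Authorization") != f"Bearer {INTERNAL_TOKEN}":
        return {"status": 401}
    return {"status": 200, "result": f"ran {upstream['tool']}"}

class InlineCredentialAgent:
    """The pattern the article criticises: the token lives in the agent's own context."""
    def __init__(self, token):
        self.context = {"tool_auth": token}
    def call_tool(self, name, args):
        request = {"tool": name, "args": args,
                   "headers": {"Authorization": f"Bearer {self.context['tool_auth']}"}}
        return internal_mcp_server(request)

class EgressGateway:
    """Egress-only broker inside the perimeter; the only component that holds the token."""
    def __init__(self, credentials, allowed_tools):
        self._credentials = credentials  # tool name -> credential (assumed mapping)
        self._allowed = allowed_tools    # tools this tunnel is permitted to reach
    def forward(self, request):
        if request["tool"] not in self._allowed:
            return {"status": 403}
        upstream = dict(request, headers={"Authorization": f"Bearer {self._credentials[request['tool']]}"})
        return internal_mcp_server(upstream)  # the token goes upstream, never back to the caller

class TunnelAgent:
    """Agent that only knows an opaque tunnel handle; the gateway attaches credentials."""
    def __init__(self, gateway):
        self.context = {"tunnel": "tunnel-handle-EXAMPLE"}  # no secret material here
        self._gateway = gateway
    def call_tool(self, name, args):
        return self._gateway.forward({"tool": name, "args": args})

def secret_in_context(agent, secret=INTERNAL_TOKEN):
    """Defender's check: does anything the agent can see or serialise contain the credential?"""
    return secret in json.dumps(agent.context)

def demo():
    inline = InlineCredentialAgent(INTERNAL_TOKEN)
    tunneled = TunnelAgent(EgressGateway({"query_db": INTERNAL_TOKEN}, allowed_tools={"query_db"}))
    ok_inline = inline.call_tool("query_db", {"q": "SELECT 1"})["status"]
    ok_tunnel = tunneled.call_tool("query_db", {"q": "SELECT 1"})["status"]
    blocked = tunneled.call_tool("export_all_users", {})["status"]
    return ok_inline, ok_tunnel, blocked, secret_in_context(inline), secret_in_context(tunneled)
```

Both agents complete the allowed call, but only the inline agent's context serialises with the token in it, and the gateway refuses a tool that is not on the tunnel's allowlist.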

Orchestration teams gain some control

For orchestration teams, these capabilities are more than a security upgrade; they also help agents perform better. But the first thing to understand is how this split architecture affects your implementation.

Sandboxes determine where tools execute and which resources agents can reach, while MCP tunnels define how agents reach internal systems. Because these are separate concerns, splitting them lets companies map agent workflows more effectively.

For teams already using Claude Managed Agents, the practical starting point is sandboxes: move tool execution to your own infrastructure and test its limits before touching MCP tunnels, which are still in research preview. Teams evaluating the platform for the first time should treat the sandbox architecture as the main technical differentiator: it is the piece that changes the threat model, not just the deployment model.


