Cloud agents can finally connect to enterprise APIs without leaking credentials



Credentials, not models, are why enterprises have been slow to connect AI agents to internal APIs and databases. In most production deployments the agent itself carries the credentials it uses for tool calls, which means that a compromised or misbehaving agent takes the keys with it.

Anthropic addresses this with two new capabilities for Claude Managed Agents: self-hosted sandboxes, which let teams run tool execution inside their own infrastructure perimeter, and MCP tunnels, which connect agents to private MCP servers without placing credentials in the agent's context. Together they move credential control to the network boundary instead of leaving it inside the agent.

Self-hosted sandboxes are currently in open beta for Claude Managed Agents users; MCP tunnels are in research preview.

Anthropic isn’t the only model provider making this bet. OpenAI added native execution to its Agents SDK in April in response to similar demand. The architectural difference Anthropic draws is the partition: the agent loop runs on Anthropic’s infrastructure while tool execution runs on the enterprise’s own systems, a split that existing sandbox approaches, including OpenAI’s, do not make.

The architectural challenge in sandboxes and agents

MCP moved into enterprise production faster than the security architecture around it matured. In most deployments, credentials pass through the agent itself as it makes tool calls against internal systems, so a compromised or misbehaving agent has everything it needs to do damage.

Self-hosted sandboxes, such as those now offered for Claude Managed Agents, keep files and packages inside the enterprise’s own infrastructure. The agent loop (orchestration, context management, and error recovery) moves to the platform, while the enterprise controls the compute on which tools actually run.

This lets the agent complete tool calls without ever holding the keys those calls require.

MCP tunnels work the same way: a lightweight, outbound-only gateway runs inside the organization’s network and brokers the connection to private MCP servers, so no credentials ever pass through the agent.
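To make the boundary described above concrete, here is an added example that is not Anthropic’s code and does not reproduce how Claude Managed Agents or MCP tunnels are implemented. It assumes a hypothetical in-network gateway that pulls pending tool calls from the platform (the platform never connects inward), checks each call against an allowlist, attaches the credential only on the leg that leaves the gateway for the internal system, and scrubs anything the internal system echoes back before the result returns to the agent. The tool names, endpoints, tokens and the fake internal API are all constructed for the demo.

```python
import json
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class ToolCall:
    """A tool call exactly as the agent emits it: a name and arguments, no secrets."""
    call_id: str
    tool: str
    args: dict


class BoundaryGateway:
    """Hypothetical outbound-only gateway living inside the enterprise network.

    The vault (tool name -> credential) exists only here. The agent platform sends
    tool calls without credentials; this gateway adds them on the internal leg.
    """

    def __init__(self, allowlist: dict, vault: dict):
        self.allowlist = allowlist   # tool name -> {"url": ..., "fields": [...]}
        self.vault = vault           # tool name -> credential (never leaves the gateway)
        self.audit = []              # (decision, call_id, detail) records

    def build_request(self, call: ToolCall) -> dict:
        """Authorize one call and build the request the internal system will receive."""
        spec = self.allowlist.get(call.tool)
        if spec is None:
            self.audit.append(("deny", call.call_id, "unknown tool"))
            raise PermissionError(f"tool not allowlisted: {call.tool}")
        extra = set(call.args) - set(spec["fields"])
        if extra:  # reject arguments the tool contract does not define
            self.audit.append(("deny", call.call_id, f"unexpected args {sorted(extra)}"))
            raise PermissionError(f"unexpected arguments: {sorted(extra)}")
        self.audit.append(("allow", call.call_id, spec["url"]))
        return {
            "url": spec["url"],
            "headers": {"Authorization": f"Bearer {self.vault[call.tool]}"},
            "json": call.args,
        }

    def drain(self, pending: list, send) -> list:
        """Pull queued calls from the platform, execute them, return scrubbed results."""
        results = []
        for call in pending:
            try:
                req = self.build_request(call)
            except PermissionError as exc:
                results.append({"call_id": call.call_id, "error": str(exc)})
                continue
            resp = send(req)  # the only hop that ever carries a credential
            results.append({"call_id": call.call_id, "result": self.scrub(resp)})
        return results

    def scrub(self, payload):
        """Redact any vault credential an internal system echoes back to the agent."""
        text = json.dumps(payload)
        for secret in self.vault.values():
            text = text.replace(secret, "[REDACTED]")
        return json.loads(text)


def context_mentions_secret(agent_context, vault: dict) -> bool:
    """True if any vault credential appears anywhere in the agent's context."""
    blob = json.dumps(agent_context)
    return any(secret in blob for secret in vault.values())


# Constructed sample data for the demo (not real endpoints or tokens).
VAULT = {"crm.lookup": "crm-token-7f3a", "hr.payroll": "hr-token-91bc"}
ALLOWLIST = {"crm.lookup": {"url": "https://crm.internal/api/accounts", "fields": ["account_id"]}}


def fake_internal_api(req: dict) -> dict:
    """Stand-in for the internal system; echoes the auth header like a sloppy debug endpoint."""
    return {"account": req["json"], "debug_auth": req["headers"]["Authorization"]}


def run_demo():
    gw = BoundaryGateway(ALLOWLIST, VAULT)
    pending = [
        ToolCall("c1", "crm.lookup", {"account_id": "A-100"}),                    # allowed
        ToolCall("c2", "hr.payroll", {"employee": "42"}),                          # not allowlisted
        ToolCall("c3", "crm.lookup", {"account_id": "A-100", "sql": "1=1"}),       # extra argument
    ]
    results = gw.drain(pending, fake_internal_api)
    # Everything the agent would ever see: its own calls plus the returned results.
    agent_context = {"calls": [asdict(c) for c in pending], "results": results}
    return results, context_mentions_secret(agent_context, VAULT), gw.audit


if __name__ == "__main__":
    results, leaked, audit = run_demo()
    print(json.dumps(results, indent=2))
    print("credential visible to agent:", leaked)
    print("audit:", audit)
```

The check worth keeping from this is the last one: after a full round trip, search the agent’s entire context for every credential the gateway holds. If the gateway is doing its job, that search is empty even when an internal system leaks its own auth header back in a response, and a denied call (unknown tool, or arguments outside the tool’s contract) never reaches the internal system at all.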

Orchestration teams gain some control

For orchestration teams, these capabilities are more than a security update; they let agents do more useful work. But the first thing teams need to understand is how this split architecture affects their deployment.

Sandboxes define where tool execution happens and where the agent’s actions leave the platform; MCP tunnels define how the agent reaches internal systems. These are separate concerns, and keeping them separate lets enterprises map agent workflows more precisely.

A practical starting point for teams already on Claude Managed Agents is sandboxes: move tool execution onto your own infrastructure and test the boundary before touching MCP tunnels, which are still in research preview. Teams evaluating a platform for the first time should treat the sandbox architecture as a key technical differentiator: it is the part that changes the threat model, not just the deployment model.
