Anthropic Moves AI Agents Inside the Enterprise Perimeter: MCP Tunnels and Self-Hosted Sandboxes Solve the Last Security Blocker
The most common objection to deploying AI agents in enterprise settings isn't cost, capability, or reliability. It is security. Regulated industries — finance, healthcare, legal, government — operate under strict data residency and network perimeter requirements. Before May 19, 2026, deploying Claude Managed Agents meant routing tool execution through Anthropic's cloud infrastructure: an architectural necessity that kept sensitive files, internal APIs, and private databases outside the enterprise security boundary. At Code with Claude London, Anthropic removed that constraint. Two new capabilities — self-hosted sandboxes in public beta and MCP tunnels in research preview — allow agent tool execution and private network access to stay entirely within the customer's own infrastructure perimeter. This is not a feature update. It is an architectural reclassification of where Claude agents live.
The Split Architecture: Orchestration at Anthropic, Execution at You
Understanding what changed requires understanding what was there before. Claude Managed Agents previously operated as a unified cloud service: the orchestration loop, context management, error recovery, and tool execution all ran on Anthropic's infrastructure. This was efficient but created a fundamental compliance problem — every tool call, file read, and API invocation crossed the customer's network boundary. The new architecture divides this model precisely at the right seam. The agent loop — the intelligence layer responsible for orchestration, planning, context management, and error recovery — stays on Anthropic's infrastructure. Tool execution, the part of the system that actually reads files, calls APIs, and runs code, moves to the customer's configured environment. Think of it as a general on Anthropic's side directing field operations on your side. The intelligence stays outside; the actions happen inside your perimeter.
MCP Tunnels: Private Network Access Without Public Exposure
MCP tunnels solve a problem that has blocked enterprise agentic workflows entirely: how do you give an AI agent access to an internal database, a private API, or a corporate knowledge base without putting those systems on the public internet? The traditional answers — VPN integration, IP allowlisting, public API proxies — each carry significant security overhead and enterprise approval latency measured in months, not days. Anthropic's tunnel architecture is elegant. A lightweight gateway is deployed by the customer inside their private network. It makes a single outbound connection to Anthropic's tunnel infrastructure — no inbound firewall rules, no public endpoints, no changes to corporate network policy required. Traffic is encrypted end-to-end. The agent, running its orchestration loop in Anthropic's cloud, reaches the internal MCP server through the tunnel as if it were a local service. Internal databases, ticketing systems, private knowledge bases, proprietary APIs, and legacy on-premise systems become callable tools for the agent — without crossing the enterprise network boundary.
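The point to hold onto is that the customer-side gateway is the enforcement point: it decides which internal MCP servers and tools become reachable at all. The following Python model is an added illustration, not Anthropic's code and not the real tunnel protocol; the allowlist, server names, audit list and forwarding stub are constructed, and only the JSON-RPC 2.0 shape of MCP `tools/call` requests is taken from the MCP specification.

```python
import json

# Constructed policy: the only internal MCP servers and tools the hypothetical
# gateway will forward tunnelled requests to. Anything else is denied here,
# before it can touch the private network.
EXPOSED_SERVERS = {
    "tickets": {"tools": {"search_tickets", "get_ticket"}},
    "kb": {"tools": {"search_docs"}},
}
# Constructed audit trail of denials, the kind a SOC would ship to its SIEM.
DENIED = []

def jsonrpc_error(req_id, code, message):
    """Build a JSON-RPC 2.0 error response and record the denial."""
    DENIED.append(message)
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}

def forward_to_internal(server, request):
    # Stand-in for the hop to the real internal MCP server (constructed).
    return {"jsonrpc": "2.0", "id": request["id"],
            "result": {"content": [{"type": "text", "text": f"{server}: ok"}]}}

def gateway_handle(server, raw_request):
    """Policy check the hypothetical gateway applies to every request that
    arrives over the tunnel, keyed by the internal server it targets."""
    try:
        request = json.loads(raw_request)
    except json.JSONDecodeError:
        return jsonrpc_error(None, -32700, "parse error")
    req_id = request.get("id")
    if request.get("jsonrpc") != "2.0" or "method" not in request:
        return jsonrpc_error(req_id, -32600, "invalid request")
    policy = EXPOSED_SERVERS.get(server)
    if policy is None:
        return jsonrpc_error(req_id, -32601, f"server '{server}' is not exposed through the tunnel")
    method = request["method"]
    if method == "tools/call":
        # Only explicitly listed tools may be invoked on an exposed server.
        tool = request.get("params", {}).get("name")
        if tool not in policy["tools"]:
            return jsonrpc_error(req_id, -32601, f"tool '{tool}' is not exposed on '{server}'")
    elif method not in {"initialize", "tools/list", "ping"}:
        # Resource and prompt methods are deliberately not tunnelled in this model.
        return jsonrpc_error(req_id, -32601, f"method '{method}' is not permitted")
    return forward_to_internal(server, request)
```

Extending the model to filter the `tools/list` response down to the allowlisted names would keep the agent from ever seeing tools it cannot call.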
Self-Hosted Sandboxes: Where Tool Execution Now Lives
Self-hosted sandboxes address the second perimeter problem: where do the agent's file system operations, package installation, and code execution actually happen? Previously, this occurred in Anthropic-managed cloud VMs. With self-hosted sandboxes, customers configure tool execution to run on their own infrastructure, or through a curated set of managed sandbox providers: Cloudflare, Daytona, Modal, and Vercel. The practical effect is concrete: sensitive files, proprietary packages, internal services, and code artifacts never leave the customer's environment. The agent's decision-making — what to do, in what order, how to recover from errors — remains on Anthropic's infrastructure. But the work itself happens inside the customer's boundary. For industries where data residency is a legal requirement, not a preference, this distinction converts Claude Managed Agents from an interesting pilot into a deployable production system that can pass a compliance review.
Why Enterprise Security Was the Real Adoption Ceiling
The AI coding agent market in 2026 has a well-documented demand curve: enterprise engineering teams consistently report significant productivity gains in pilot settings. The deployment conversion rate tells a different story. Regulated industries — which account for a disproportionate share of engineering headcount and software spend globally — have been largely unable to move from evaluation to production at scale. The reason is almost always the same: data sovereignty. When agent tool execution touches internal code, credentials, customer records, or proprietary algorithms in a cloud environment outside the customer's control, it triggers compliance review cycles that can extend for quarters. Security teams block it. Legal escalates. Procurement stalls. Self-hosted sandboxes and MCP tunnels directly dissolve this blocker. By keeping tool execution and private network access within the customer perimeter, Anthropic has changed the compliance conversation from 'can this be approved in principle' to 'what does the deployment checklist look like.' That is a categorically different conversation to be in.
The Strategic Picture: Anthropic's Two-Layer Infrastructure Model
Viewed in context, Code with Claude London reveals a consistent infrastructure strategy Anthropic has been executing across 2026. The Stainless acquisition secured SDK generation infrastructure that makes MCP server creation frictionless for any API. The Managed Agents platform launch brought production-grade agent primitives — dreaming (transcript-based memory consolidation), outcomes (rubric-graded task completion), and multi-agent orchestration — accessible via a single API call. Now, self-hosted sandboxes and MCP tunnels extend that infrastructure into the customer's own environment. The pattern is a deliberate two-layer model: Anthropic owns the control plane (orchestration, context, intelligence, reliability guarantees), and customers own the execution plane (tool runs, data access, network boundary). This mirrors the architecture by which enterprise software platforms have historically won regulated markets — Salesforce's data residency tiers, AWS GovCloud, Azure Government — by decoupling platform intelligence from data custody. Anthropic is executing the same strategy for AI agents. It is not a coincidence. It is a playbook.
What Enterprise Teams Should Do This Week
The practical path forward is clear. Self-hosted sandboxes are in public beta and available now — engineering teams in regulated industries can begin infrastructure provisioning and compliance evaluation immediately. The supported providers (Cloudflare, Daytona, Modal, Vercel) cover the major enterprise deployment patterns: serverless, containerized, and dedicated compute. MCP tunnels are in research preview and require an access request — teams with immediate private network requirements should apply now, as preview capacity tends to be limited and early access correlates with faster production deployment timelines. For teams outside regulated industries, the strategic signal matters regardless: the boundary between what runs inside and outside your infrastructure is now configurable, not architecturally fixed. That configurability will matter as agent capabilities expand and the sensitivity of what agents can access increases. The architecture of trust in AI agent systems is being defined right now, in the decisions teams make about how and where agents run. The organizations that design their deployment models carefully today will not need to rebuild them when the stakes get higher.