Anthropic is adding a more enterprise-friendly deployment option to Claude Managed Agents: self-hosted sandboxes and MCP tunnels. The change matters because it shifts the place where agent tool execution happens. Instead of running those calls entirely in Anthropic’s environment, companies can now run them inside their own infrastructure while Anthropic keeps the agent orchestration layer on its side.
That split architecture is the key technical detail. In Anthropic’s framing, the agent loop remains centrally managed, but the work done by tools — the actions that touch files, repositories, databases, and internal APIs — can be pulled into a customer-controlled runtime. For enterprise teams, that looks less like a standard SaaS integration and more like an on-prem-style execution layer paired with a managed agent service.
What changed: on-prem-style tool execution arrives
The new capability is aimed at giving organizations more control over where Claude’s agents execute tools and what systems they can reach. Anthropic says self-hosted sandboxes let companies run tool calls on their own infrastructure, while MCP tunnels create encrypted connections into internal databases and APIs.
The distinction is important. Anthropic is not handing over the full agent stack; it is relocating execution boundaries. The orchestration remains centralized, but the operational touchpoints that matter most to security teams — code execution, file access, service connectivity — can be kept inside the customer environment.
How the flow works in practice
The practical outcome is a more contained data path. With self-hosted sandboxes, files and repositories stay inside the customer’s environment. That means the agent can work against local assets without requiring those assets to leave the customer’s boundary.
MCP tunnels extend that model to internal systems. Anthropic describes them as encrypted channels that connect agents to databases and APIs. In other words, the model doesn’t need broad network exposure to reach enterprise systems; the tunnel becomes the controlled path.
For teams designing deployments, the architecture breaks into three layers:
- Anthropic-managed orchestration for agent behavior and coordination
- Customer-owned runtime for tool execution in self-hosted sandboxes
- Encrypted MCP tunnels for access to internal services
That is a cleaner separation than many enterprise AI setups, but it also creates a new integration burden. Customers have to provision the runtime, align network policy, and decide how the sandbox fits into existing access controls and observability tooling.
Security, governance, and the tradeoff curve
The obvious benefit is data residency. If files and repositories never leave the customer environment, security and compliance teams get a stronger story for policy enforcement and auditability. Existing network controls, audit logging, and enterprise security tools can remain in the path rather than being bypassed by a remote execution service.
But that control comes with operational responsibility. Self-hosted sandboxes are only as strong as the environment around them: image management, runtime hardening, secrets handling, network segmentation, and logging all become part of the deployment surface. MCP tunnels reduce exposure, but they still need to be monitored, authenticated, and governed like any other privileged connection into internal systems.
Anthropic says both features are in early testing, which is a useful signal for buyers. It suggests the controls exist, but their existence is not yet the same thing as production maturity at enterprise scale. Teams evaluating adoption will want to look closely at how policy enforcement works, what telemetry is exposed, and how much manual work is required to keep the sandbox aligned with internal security baselines.
Market positioning and ecosystem implications
Anthropic is also making a positioning move here. The company says users can choose their own CPU, memory, and runtime for the sandbox, or use managed providers such as Cloudflare, Daytona, Modal, and Vercel. That gives enterprises a choice between running the stack themselves and delegating parts of the infrastructure to a provider that specializes in it.
That flexibility matters because enterprise AI deployments are becoming increasingly hybrid. Some workloads will stay in a controlled internal environment; others will move to managed execution layers if the governance model is acceptable. Anthropic’s approach seems designed for exactly that fragmentation: centralized model orchestration, but multiple options for where the surrounding runtime lives.
It also nudges the company into a different part of the procurement conversation. Instead of competing only on model quality, Anthropic is competing on deployment architecture — a space where data residency, auditability, and integration effort can matter as much as benchmark performance.
What enterprise teams should watch next
For now, the main watchpoint is still the same one that usually separates promising enterprise features from broadly usable ones: maturity. Both self-hosted sandboxes and MCP tunnels are still in early testing, so buyers should assume there will be integration friction and incomplete operational guidance.
The immediate questions are straightforward:
- How much security and network configuration is required to stand up the sandbox?
- What audit data is exposed for compliance and incident response?
- How does performance compare when tool execution runs in customer infrastructure rather than in a fully managed environment?
- How easily can the setup fit into existing governance requirements and identity controls?
Anthropic’s move is notable less because it introduces a novel agent capability than because it redraws the boundary of control. The company is preserving centralized orchestration while pushing execution closer to enterprise systems of record. For buyers, that may be exactly the point. For operators, it means the burden shifts as well: more control, but also more integration work, more policy design, and more responsibility for making the whole stack behave like production software rather than a demo.



