Enterprise DNA

Omni by Enterprise DNA

Enterprise DNA Resources

Latest AI and industry news. Practical AI operating-system thinking for owners, operators, and teams doing real work.

220k+

Data professionals

Omni

AI agents and apps

Audit

Map the manual work

News Breaking Product

Anthropic Brings AI Agent Execution Into Enterprise Walls

Anthropic ships self-hosted sandboxes and MCP tunnels for Claude Managed Agents, removing the biggest blocker for enterprise AI deployment.

Enterprise DNA | | via Anthropic Platform Release Notes
Anthropic Brings AI Agent Execution Into Enterprise Walls

The number one reason enterprises stall on AI agent deployments is not cost. It is not complexity either. It is a three-word concern that keeps showing up in every vendor evaluation: data leaving perimeter.

Anthropic just removed that blocker.

On May 19, 2026, at the Code with Claude developer conference in London, Anthropic shipped two new infrastructure options for Claude Managed Agents: self-hosted sandboxes (now in public beta) and MCP tunnels (now in research preview). Together, they let enterprises run AI agents while keeping sensitive data, tool execution, and internal system access entirely within their own security perimeter.

What Was Announced

Self-Hosted Sandboxes (Public Beta)

Until now, when a Claude Managed Agent executed a tool, that execution happened inside Anthropic’s infrastructure. For many companies, that was fine. For regulated industries, large enterprises with strict data residency requirements, or teams handling confidential code and files, it was a dealbreaker.

Self-hosted sandboxes flip the model. Tool execution now runs on infrastructure you control, either your own environment or a managed provider you choose (Cloudflare, Daytona, Modal, and Vercel are all supported out of the box). Files, repositories, and data stay in your environment. Your network policies, audit logging, and existing security tooling stay active. You can also control compute sizing and runtime images for resource-intensive workloads like long-running builds or image processing.

The agent orchestration layer stays on Anthropic’s side. That means Anthropic still handles context management, the agent loop, error recovery, and multi-step coordination. You get the reliability of Claude’s managed infrastructure for the coordination work, while keeping execution within your own walls.

MCP Tunnels (Research Preview)

The second announcement solves a related but distinct problem: how do you let an AI agent call internal tools without punching holes in your firewall?

MCP tunnels answer that by reversing the connection direction. Instead of opening inbound firewall rules or publishing internal APIs to the public internet, you deploy a lightweight gateway inside your network. That gateway opens a single outbound encrypted connection back to Anthropic’s infrastructure. End-to-end encrypted. No inbound rules. No public endpoints required.

Once the tunnel is active, your agents can treat internal databases, private APIs, knowledge bases, ticketing systems, and internal reporting tools as callable tools. A CRM system that has never touched the public internet becomes available to your agent without exposing it.

MCP tunnels are currently gated, meaning you need to request access, but the research preview is open to Claude Managed Agents customers.

The Architecture This Creates

These two features combine into a hybrid that splits responsibility cleanly:

  • Anthropic’s infrastructure: Agent loop, context, orchestration, error handling
  • Your infrastructure: Tool execution, file handling, data processing (via self-hosted sandboxes)
  • Private network access: Internal systems, databases, APIs (via MCP tunnels)

This architecture is significant because it matches how most enterprise security teams actually think about risk. The concern is not usually “we don’t want Anthropic running the agent,” it is “we don’t want our customer data, internal files, or private APIs leaving our environment.” The hybrid model addresses that precisely.

What This Means for Business

For companies already piloting AI agents: If data residency was the reason you were running limited, carefully scoped pilots rather than full deployments, you now have an enterprise-grade path forward. The public beta is available now, no waitlist required.

For regulated industries: Finance, healthcare, legal, and government organizations face the most friction when vendor agreements conflict with data handling requirements. Self-hosted sandboxes let AI agents work with regulated data without your vendor having access to it. MCP tunnels mean internal systems required by compliance workflows are reachable without network exposure.

For IT and security teams: The self-hosted model does not eliminate vendor dependency, it redistributes it. Anthropic still handles model inference and orchestration. But execution and data handling move to infrastructure you own and can audit. That is a cleaner separation for most enterprise security policies.

For teams building custom AI workflows: The ability to update MCP server configurations mid-session (also shipped May 19) means you can reconfigure what tools an agent has access to without restarting. Combined with large-output file spilling (outputs over 100K tokens now automatically write to a file rather than bloating the context window), these are meaningful quality-of-life improvements for complex agent deployments.

Why the Timing Matters

Enterprise AI agent adoption has been accelerating, but the production deployment numbers remain frustratingly low relative to the pilot numbers. Deloitte found that 80 percent of organizations piloting AI agents cited security and compliance as the leading obstacle. Gartner’s recent surveys show similar patterns.

Anthropic’s Managed Agents platform has been shipping steadily since the public beta launch in April: memory in late April, outcomes and multiagent orchestration in early May, and now self-hosted sandboxes and MCP tunnels. The trajectory is clearly toward production-readiness for enterprise deployments, not just developer experiments.

The announcement comes the same week Google shipped Gemini 3.5 Flash and Gemini Spark at Google I/O. Both companies are clearly racing to own the enterprise agent infrastructure layer, not just the model.

What to Do Next

If you are evaluating AI agent platforms and data residency has been the objection, the self-hosted sandbox public beta is worth testing now. The Anthropic platform documentation covers the integration at platform.claude.com.

If you are already running Claude Managed Agents and have internal systems you want agents to reach, the MCP tunnels research preview is worth requesting access to. The architecture is lightweight enough that a proof of concept in a test environment is a realistic project for an afternoon.

Enterprise DNA’s Omni Apps team builds on this kind of infrastructure when deploying custom AI agents for clients. If you want to understand what a production-grade agent deployment looks like inside your environment, start with a discovery call and we can walk through the architecture together.

Source

Anthropic Platform Release Notes