Anthropic Eliminates Static API Keys for Claude

Workload Identity Federation is now GA on the Claude Platform, replacing long-lived API keys with short-lived tokens from enterprise identity providers.

Enterprise DNA | via Anthropic

There is a security problem sitting inside almost every enterprise AI deployment, and most teams have been quietly living with it for years.

When you integrate Claude into a production workflow, you generate an API key. That key is a long string that starts with sk-ant-. It never expires. If it leaks, anyone with the key can call the API as if they were you. You paste it into your CI pipeline, store it in a secrets manager, share it among your team, and hope it never shows up in a log file or a committed repository.

Anthropic has now shipped a fix. Workload Identity Federation (WIF) is generally available on the Claude Platform as of June 17, 2026, and it removes static API keys from the picture entirely for production workloads.

What WIF Actually Does

Instead of a permanent secret your workload carries, WIF lets your infrastructure authenticate to Claude using the identity it already has. Your AWS Lambda function uses its IAM role. Your Kubernetes pod uses its service account token. Your GitHub Actions workflow uses the OIDC token Actions already generates for every job run.

The flow is simple: your workload presents a signed token from its identity provider (its existing AWS, GCP, Azure, GitHub, or Kubernetes credentials). Anthropic validates it against trust rules you configure once in the Claude Console, then returns a short-lived Anthropic access token that expires in minutes. Your workload uses that token to call the API, and the SDK refreshes it automatically before it runs out.

No long-lived secret to store. No rotation schedule to maintain. The blast radius of an intercepted token is limited to its lifetime of minutes, so it has usually expired by the time anyone acts on it.

Supported identity providers at launch: AWS IAM, Google Cloud, Microsoft Entra ID, GitHub Actions, Kubernetes, SPIFFE, and Okta. Any other OIDC-compliant provider works through a custom configuration.
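The trust-rule step in the flow above, sketched as an added example (not Anthropic's code or rule format). It maps the claims of an already signature-verified GitHub Actions OIDC token to a named service account. The rule schema, audience value, TTL and account names are assumptions; the issuer URL and `sub` formats are GitHub's.

```python
import fnmatch
import time

# Hypothetical trust rules, one per service account (schema is an assumption).
TRUST_RULES = [
    {"service_account": "ci-deploy",
     "issuer": "https://token.actions.githubusercontent.com",
     "audience": "claude-wif-example",  # constructed value
     "subject": "repo:example-org/billing:ref:refs/heads/main"},
    {"service_account": "ci-preview",
     "issuer": "https://token.actions.githubusercontent.com",
     "audience": "claude-wif-example",
     "subject": "repo:example-org/billing:pull_request"},
]
ACCESS_TOKEN_TTL = 600   # seconds; the article says "minutes", exact value assumed
NOW = 1_800_000_000      # fixed clock for the constructed sample below
SAMPLE_CLAIMS = {        # constructed claims, as decoded from a verified token
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "claude-wif-example",
    "sub": "repo:example-org/billing:ref:refs/heads/main",
    "exp": NOW + 300,
}


def match_service_account(claims, rules, now=None):
    """Return (service_account, expires_at) for the first rule the claims
    satisfy, else None. The token signature must already have been verified
    against the issuer's published keys; this only evaluates trust rules."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None                              # missing or expired exp
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    for rule in rules:
        if claims.get("iss") != rule["issuer"]:  # exact match, never a prefix
            continue
        if rule["audience"] not in audiences:
            continue
        # Subject is a glob: "*" also matches "/" and ":", so a rule such as
        # "repo:example-org/*" admits every repo, branch and pull request.
        if not fnmatch.fnmatchcase(claims.get("sub", ""), rule["subject"]):
            continue
        # Design choice in this sketch: the access token never outlives
        # the identity token it was exchanged for.
        return rule["service_account"], min(now + ACCESS_TOKEN_TTL, exp)
    return None
```

Because each rule resolves to one service account, the subject pattern decides which workloads share an audit identity, so the narrowest pattern that still matches the workload is the one to configure.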

Service Accounts Make Auditing Possible

The second piece of the release is service accounts. Instead of a single API key shared across your entire deployment, each workload gets its own named identity inside your Anthropic organization. A service account is not a human user. It has no password, no Console login, and no email. It is a non-human principal with its own roles, workspace memberships, and audit trail.

This matters in regulated environments. When something goes wrong, you want to know which workload made which API call. With a shared API key, you get a timestamp and a cost. With service accounts, you get a named identity tied to a specific system.

It also makes access removal clean. Decommissioning a workload is now as simple as removing its service account, rather than rotating a shared key and hoping every system that uses it gets updated.

What This Means for Business

If you are building AI workflows on Claude in any industry that takes compliance seriously, this changes what your security team needs to approve.

Static API keys are the leading point of failure in API-based software. They get committed to repositories. They appear in error logs. They get copied into Slack messages. They live far beyond the project they were created for. Every SOC 2 audit, every pen test, and every security review flags them.

WIF removes that class of risk. It makes AI deployments auditable the way the rest of your infrastructure already is, using the same identity systems you use for cloud access, CI pipelines, and Kubernetes workloads.

For teams building on the Claude Platform through services like Omni, this is the feature that makes moving AI from prototype to production governance-ready. The security argument for AI deployment gets significantly easier when you are not carrying permanent credentials in your stack.

The migration path is non-disruptive. Anthropic’s documentation provides a step-by-step walkthrough for switching existing workloads from API keys to federated authentication without downtime. The SDK handles all token exchange and refresh logic automatically, so application code stays exactly the same.


Enterprise DNA helps businesses deploy AI into production systems with the governance and security frameworks that regulated industries require. If you are working through an AI deployment and need help navigating security, compliance, and architecture decisions, talk to us.
