Enterprise AI Has a Security Problem. Anthropic Thinks It Found the Fix.
Enterprise AI agents hit a wall two years ago and never climbed over it. The models got better. The benchmarks climbed. What stayed broken was the last mile: a $50,000 annual seat for Claude, and still no way to let it file an expense report, review a pull request, or query the HR system without handing a third-party AI company the keys to internal networks. Security teams said no. Compliance teams said no harder. And that is how the most powerful language models in the world ended up running proof-of-concept experiments on publicly available data while the enterprise software market pretended the problem did not exist.
Anthropic offered its answer to that problem on May 19, 2026, at the Code with Claude London conference. The fix was architectural. Anthropic splits the AI agent into two pieces: the part that decides what to do stays in Anthropic's cloud, while the part that actually does the work runs inside the customer's own infrastructure. Credentials — passwords, API tokens, database access — stay behind the customer's firewall. The agent loop never touches them. "The orchestration, context management, and error recovery stays on Anthropic infrastructure, while tool execution moves to your own configured environment," Anthropic explained in its blog post announcing the feature.
Eight months earlier, OpenAI released an Agents SDK with a similar sandbox feature built in. It took the opposite approach architecturally — the full agent runs on enterprise-controlled infrastructure rather than in the vendor's cloud — but the underlying problem both companies were trying to solve was identical: how to let AI agents execute real enterprise workflows without credentials crossing a trust boundary no compliance team would approve. The convergence was not coincidence. "The compliance team is the real bottleneck for production agents, not the model," an expert told InfoQ. "Self-hosted sandboxes and MCP tunnels are the layer that lets agents actually run inside the customer's perimeter instead of behind a sandbox the security team takes six weeks to clear."
The technical implementation Anthropic settled on supports four sandbox providers: Cloudflare runs lightweight microVMs with zero-trust isolation, Daytona provides stateful environments accessible over SSH, Modal runs AI workloads on configurable CPU and GPU allocation, and Vercel connects sandboxed execution to enterprise private networks via VPC peering. Security at the connection layer relies on mutual TLS encryption with an additional Anthropic wrapping layer, and customers manage their own keys — credentials do not pass through the agent loop itself. The architecture is real, the providers are named, and the security model is documented.
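As an added example, not code from Anthropic or any of the named providers, here is a toy model of the split described above: the vendor-side loop sees only tool names, arguments and results, while the executor inside the perimeter holds the credentials, enforces an allow-list, and checks that no vault value leaves in a result. The tool names, the vault contents and the payload format are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
import json

# Constructed credentials standing in for the customer's own key store.
VAULT = {"hr_db_token": "hrdb-SECRET-7f3a", "expense_api_key": "exp-SECRET-c21e"}

@dataclass
class ToolCall:
    name: str
    args: dict

@dataclass
class TrustBoundary:
    """Records every payload that crosses between vendor cloud and customer side."""
    crossings: list = field(default_factory=list)

    def send(self, payload: dict) -> None:
        self.crossings.append(json.dumps(payload, sort_keys=True))

    def leaked(self, secrets) -> bool:
        return any(s in msg for msg in self.crossings for s in secrets)

def query_hr(args: dict, vault: dict) -> dict:
    """Hypothetical internal tool: reads the credential here, returns only data."""
    _ = vault["hr_db_token"]  # used for the internal call, never returned
    return {"employee": args["employee"], "manager": "m.lee"}

def leaky_tool(args: dict, vault: dict) -> dict:  # deliberately faulty: echoes a credential
    return {"debug_token": vault["expense_api_key"]}

class CustomerExecutor:
    """Runs inside the perimeter: owns the vault, the allow-list and the egress check."""
    def __init__(self, vault: dict, boundary: TrustBoundary, tools: dict):
        self.vault, self.boundary, self.tools = vault, boundary, tools

    def run(self, call: ToolCall) -> dict:
        self.boundary.send({"call": call.name, "args": call.args})
        if call.name not in self.tools:
            result = {"error": f"tool {call.name!r} is not on the allow-list"}
        else:
            result = self.tools[call.name](call.args, self.vault)
            # Egress check: a result must never carry vault material back out.
            if any(v in json.dumps(result) for v in self.vault.values()):
                result = {"error": f"tool {call.name!r} result blocked: credential in output"}
        self.boundary.send({"result": result})
        return result

def orchestrate(executor: CustomerExecutor, call: ToolCall) -> dict:
    """Vendor-side step: decides the call, receives only the result."""
    return executor.run(call)
```

The egress check matters because tool results, unlike credentials, do cross back to the orchestrator by design, so the executor is the only place a leaked secret can still be stopped.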
Early customers are beginning to surface. Rogo, an AI platform for institutional finance, is building an analyst agent on Managed Agents and Vercel Sandbox to handle proprietary data. Clay GTM's engineering agent, Sculptor, builds, tests, and monitors workflows autonomously using the same stack. Stacklok, a security tooling company, confirmed it is running three vMCP endpoints in production behind Anthropic MCP tunnels — shared connector, engineering connector, and marketing connector — all live. These are not demos. They are not press release quotes. They are production workloads on record.
The caveat is the one Anthropic's own announcement carries: self-hosted sandboxes are in public beta. MCP tunnels remain in research preview, not production-ready. An architecture that solves a problem in theory is not the same as one that has solved it at scale. The companies that matter — the banks, the retailers, the healthcare systems, the manufacturers with sprawling legacy ERP installations — have not yet disclosed a live deployment. Until one does, the claim that this unblocks compliance teams is only partly proven. The shape of the solution is clear. The count of organizations that have actually deployed it remains small.
What the May 19 announcement confirmed is that this is not an Anthropic problem or an OpenAI problem. It is an enterprise IT problem that two of the largest AI labs in the world have independently concluded requires the same architectural fix. That convergence is itself a signal. When competitors arrive at the same unusual arrangement of cloud and customer infrastructure by separate paths, it usually means the problem they were solving is real and the solution is expensive enough that nobody solved it until the market forced their hand. The next meaningful data point will not be another blog post or conference demo. It will be a Fortune 500 company going on record about what they actually shipped.