Claude Self-Hosted Sandboxes and MCP Tunnels for Enterprise Security

The biggest blocker for enterprise AI agent adoption has never been model capability. It is security. When your agents need access to internal databases, proprietary APIs, and sensitive customer data, sending that context to external infrastructure is a non-starter for most security teams. Anthropic just removed that objection.

At their Code with Claude conference on May 19, 2026, Anthropic announced two features that fundamentally change how enterprises deploy AI agents: self-hosted sandboxes in public beta and MCP tunnels in research preview. Together, they let you keep sensitive data and tool execution inside your infrastructure while still leveraging Anthropic’s orchestration layer.

| Feature               | Status           | What It Solves                        |
|-----------------------|------------------|---------------------------------------|
| Self-hosted sandboxes | Public beta      | Tool execution leaves your perimeter  |
| MCP tunnels           | Research preview | Agents cannot reach private services  |

The Architecture Split That Makes This Work

The key insight behind these features is separating what needs to run where. Claude Managed Agents now splits into two distinct layers: the orchestration layer (context management, error recovery, the agent loop itself) stays on Anthropic’s infrastructure, while tool execution moves to an environment you control.

This means when your agent runs a database query, processes a file, or calls an internal API, that work happens in your infrastructure. The sensitive data never leaves your perimeter. Anthropic handles the coordination and intelligence, but your security team controls the execution environment.

For engineers who have built production agent systems, this solves a fundamental tension. You want the reliability and iteration speed of managed infrastructure, but you cannot compromise on data residency requirements. The split architecture gives you both.

Self-Hosted Sandbox Providers

Anthropic partnered with four managed providers at launch, each suited to different workload patterns:

Cloudflare operates using microVMs and isolates, offering zero-trust secrets injection and customizable proxies for egress control. If your team already uses Cloudflare for infrastructure, the integration path is straightforward. Amplitude is building their design agent on this stack.

Daytona provides long-running stateful sandboxes accessible over SSH or authenticated preview URLs. Sessions can be paused and restored with full state preservation. This matters for agents that work over hours rather than seconds. Clay uses Daytona for their GTM engineering agent that autonomously builds, tests, and monitors workflows.

Modal specializes in AI workloads, delivering sub-second startup on any container image and scaling to hundreds of thousands of concurrent sandboxes. CPU and GPU resources are available on demand. DoorDash is evaluating this for agentic commerce at scale.

Vercel combines VM security with VPC peering and bring-your-own-cloud capabilities. Their firewall injects credentials at the network boundary so secrets never enter the sandbox itself. Rogo runs their AI analyst agent for institutional finance on this infrastructure.

You can also run sandboxes on your own infrastructure without using a managed provider. The architecture supports fully independent deployments.

MCP Tunnels for Private Service Access

Self-hosted sandboxes solve where tools execute. MCP tunnels solve how agents reach private services.

The Model Context Protocol (MCP) lets you expose internal systems as tools your agents can call. The problem: those MCP servers often run on private networks that cannot be exposed to the public internet. Opening inbound firewall rules for every agent connection is a security nightmare.

MCP tunnels flip the connection model. You deploy a lightweight gateway in your network that makes a single outbound connection to Anthropic. The agent reaches your private MCP servers through that encrypted tunnel. No inbound firewall rules. No public endpoints. Traffic encrypted end to end.

This matters for real enterprise use cases. Your agents can query internal databases, hit private APIs, access knowledge bases, and interact with ticketing systems. All without exposing those services to the internet.

The tunnel transport runs on Cloudflare’s network, but the inner TLS terminates using a certificate only you hold. Cloudflare cannot read request or response payloads. The architecture maintains the security boundary your compliance team requires.

What This Changes for Production Agent Teams

If you have been waiting to deploy Claude agents because of security concerns, these features remove the primary objections. The practical implications for production agent systems are significant.

Data residency becomes achievable. Sensitive files, customer data, and proprietary information stay in your infrastructure. You can satisfy data localization requirements while still using Claude’s orchestration capabilities.

Existing security tooling keeps working. Network policies, audit logging, and monitoring tools you already deploy continue to work. The agent execution happens where your security stack can observe it.

Compliance conversations get easier. When security teams ask where the data goes, you can point to infrastructure you control. That changes the risk calculus for enterprise deployments.

Development iteration stays fast. You get the managed infrastructure experience for the orchestration layer while owning the execution environment. Building agent tool integrations does not require reinventing the orchestration wheel.

The Limitation to Understand

One constraint worth noting: the agent orchestration loop itself still runs on Anthropic’s infrastructure. Context management, error recovery, and the core agent logic execute on their servers. You control tool execution and service access, not the brain of the agent.

For most enterprise use cases, this is acceptable. The sensitive data stays on your side. But if you need fully on-premises agent deployment with no external dependencies, this architecture does not solve that. Organizations in air-gapped environments or with the strictest data handling requirements will need to wait for different solutions.

How to Evaluate This for Your Team

If you are building AI agents for enterprise environments, evaluate self-hosted sandboxes against your specific requirements:

Check your provider ecosystem. If you already use Cloudflare, Vercel, Modal, or Daytona, integration is straightforward. Evaluate the security primitives each offers. Credential injection, egress control, and audit capabilities vary.

Map your MCP server requirements. Which internal services do your agents need? Databases, APIs, ticketing systems, knowledge bases? MCP tunnels are in research preview, so request access now if private service connectivity matters for your use case.

Understand the orchestration boundary. The agent loop runs on Anthropic infrastructure. Review what context passes to their servers during orchestration. Work with your security team to evaluate whether this fits your risk model.

The announcement changes the deployment calculus for enterprises that have been cautious about AI agents. Security was the excuse. Now the question is what you will build when that excuse is gone.

Getting Started

Self-hosted sandboxes are available now in public beta. The platform documentation covers setup for each provider, and cookbooks provide implementation examples.

MCP tunnels require requesting access through the research preview. Organization admins manage tunnel configuration from workspace settings in the Claude Console.

Sources

To see how these enterprise security features fit into a complete AI agent architecture, watch the full tutorial on YouTube.

If you are building production AI agents and want direct help navigating enterprise deployments, join the AI Engineering community where members follow 25+ hours of exclusive AI courses, get weekly live coaching, and work toward $200K+ AI careers. Inside the community, you will find engineers who have deployed agents at scale and can share real implementation experience.

Zen van Riel

Senior AI Engineer | Ex-Microsoft, Ex-GitHub

I went from a $500/month internship to Senior AI Engineer. Now I teach 30,000+ engineers on YouTube and coach engineers toward six-figure AI careers in the AI Engineering community.