The CISO’s Field Manual for Claude Cowork Security

Claude Cowork is Anthropic’s enterprise-focused entry into the new wave of autonomous AI agents for end-users popularized by tools like OpenClaw and Hermes. Unlike assistants that just generate answers or summarize, Cowork is designed to operate. For example, the  Computer Use feature allows it to interact with browsers, desktop apps, files, and enterprise tools directly on behalf of the user.

That changes the security conversation.
The question is no longer just "Can employees paste sensitive data into AI?" but "What happens when AI gains continuous operational access to enterprise environments?"

Anthropic clearly designed Cowork with security in mind: VM sandboxing, permission prompts, network controls, and enterprise administration capabilities provide a strong foundation. But these protections still require proper configuration and governance, and various Cowork capabilities introduce different levels of risk and visibility challenges.

Anthropic couldn’t have phrase it better themselves:
‍“Desktop extensions (MCPs) and plugins expand what Claude can do, but each one introduces new ways for attacks to reach Claude.”

Organizations that understand where the real risks are, and which features require additional controls, will be able to adopt agentic AI safely and move faster than their competitors.

TL;DR

• Claude Cowork introduces agentic AI capabilities into enterprise environments.
• Features like Computer Use and Browser Use significantly expand the potential attack surface.
• Anthropic provides strong built-in protections including sandboxing, RBAC, network controls, and permission prompts.
• MCPs, plugins, and browser-integrated workflows create new operational and supply-chain risks.
• Traditional endpoint security tools are not sufficient for monitoring and evaluating AI-driven actions.
• Organizations should treat AI agents like privileged operational identities.

We strongly recommend continuously reviewing Anthropic’s enterprise controls and applying clear governance guidelines before and after broad rollout.

How Claude Cowork Changes Enterprise AI Security

Unlike developer-focused agents like Claude Code or Codex, Cowork is built for a much broader set of enterprise use cases and less technical users, which significantly expands both its capabilities and its potential risk surface.

Instead of focusing mainly on developer workflows, Cowork can interact with browsers, control desktop applications, work across files and documents, use enterprise tools and MCP integrations, and even operate the computer directly through features like Computer Use and Browser Use.

The Cowork Capabilities That Matter

Several unique Cowork capabilities materially change the enterprise risk model:

Computer use

Computer use is arguably the most powerful and highest-risk capability. Instead of interacting through APIs alone, Cowork can directly navigate the computer by taking screenshots, clicking buttons, typing, and interacting with applications visually. This introduces several important implications:

• The AI can potentially see any sensitive information visible on screen
• Human users might over-trust the AI’s actions (and are likely to do so with time)
• The AI can operate across systems that do not have explicit AI integrations
• Existing approval boundaries could weaken

Unlike other Cowork tools that require explicit permission prompts, computer use can operate more fluidly once enabled. For enterprises, this means visibility and governance become far more important than simple application allowlists.

Browser use

As part of its computer use capabilities, Cowork can leverage the user’s authenticated browser sessions to interact with SaaS platforms and enterprise applications. From a security perspective, this is important because the AI inherits the trust and permissions already granted to the user’s browser session. In practice, the AI may gain indirect access to:

• Internal dashboards.
• Corporate SaaS platforms.
• Development systems.
• Ticketing systems.
• Documentation portals.
• Cloud consoles.

The risk is not necessarily credential theft. The risk is operational misuse or unintended actions executed through an already-authenticated session, leading to potential data exposure, or interactions that might damage business reputation and outcomes.

Microsoft 365 apps add-ins

Cowork supports integrations with desktop applications like Excel, PowerPoint and Outlook. This is one of the clearest examples of how agentic AI differs from traditional copilots. Cowork can move context between applications as part of completing a task. For example:

1. Analyze data in Excel.
2. Generate charts.
3. Insert them into a presentation.
4. Summarize findings.
5. Modify slides automatically.
6. Draft an email in Outlook summarizing the presentation.

While extremely useful, this also weakens traditional assumptions around data separation between applications.

MCPs, connectors and Skills

MCPs and plugins significantly expand what Cowork can do by connecting it to external systems and enterprise tooling. The challenge is that every integration becomes part of the AI trust boundary.

For example, integrations connected to GitHub, Jira, Slack, internal APIs, databases, or cloud infrastructure effectively extend the AI’s operational reach into those systems. This creates a new category of attack surface where prompt injections, malicious content, or unintended instructions can propagate through connected tools.

In addition, unofficial MCPs and community-provided skills can introduce supply chain risks, especially when organizations allow employees to install or connect unverified extensions without governance or review.

Mobile “Dispatch” (Beta) / “Remote-control”

Anthropic’s Dispatch capability allows users to interact with Cowork remotely from their phones while Cowork operates on the desktop machine.

Operationally, this is powerful. From a security standpoint, it means the mobile device effectively becomes a remote control for enterprise desktop resources, including:

• Browser sessions.
• Mounted files.
• Plugins.
• MCP tools.
• Enterprise applications.

This shifts some of the security focus away from the endpoint itself and toward identity security and mobile device trust.

Access to host resources

Cowork can interact with mounted files and folders to complete tasks. Instead of simply summarizing uploaded documents, it can analyze project directories, manipulate files, and execute workflows using local resources.

The good news is that this risk is largely mitigated by Anthropic’s sandbox architecture. Cowork operates inside an isolated VM environment that separates the agent from the host filesystem and only grants access to explicitly mounted project files and directories. This significantly reduces exposure to sensitive host data, limits persistence opportunities, and constrains lateral movement across the endpoint.

Capabilities per subscription tier and Claude agent

Some of the above capabilities are only available in specific Cowork tiers, while others are also supported in developer-focused tools like Claude Code with a different “flavor” like remote-control in claude code and “Dispatch” in Cowork , which are often overlooked by security teams. Additionally, the capabilities and features depend on their phased rollout - some were available to teams only in beta, and became generally available a few months later to all tiers. Our recommendation is to review the admin settings and make sure you enable/disable the capabilities based on your need and risk appetite. 

Anthropic's Built-In Security Controls

To Anthropic’s credit, Cowork includes several security mechanisms designed to reduce enterprise risk. These controls meaningfully reduce many traditional risks associated with autonomous software, but it is important to understand both where they help and where their protections stop.

VM sandbox isolation

One of the strongest security controls in Cowork is its VM sandbox architecture. Instead of operating directly on the host operating system, Cowork performs actions inside an isolated virtualized environment with access limited to explicitly mounted project files and directories. This significantly reduces exposure to the full host filesystem, isolates credentials outside mounted paths, and lowers the risk of persistence or lateral movement across the endpoint. In practice, Cowork behaves less like unrestricted malware and more like a constrained workload operating inside a controlled environment, which is an important distinction for enterprise security teams.

Network egress controls

Anthropic also provides configurable network egress controls that can restrict outbound access from the sandboxed environment, helping enterprises limit accessible destinations, reduce exfiltration paths, and apply corporate networking policies.

However, organizations should avoid assuming these controls fully contain the agent. Certain Cowork capabilities can still interact with external systems through browser-based actions, MCP integrations, connected applications, and other approved tools, extending the AI’s operational reach beyond what traditional egress controls alone can govern.

AI guardrails and permission controls

Anthropic also built safeguards directly into Claude’s behavior and harness layer, including model training against malicious instructions, classifiers for suspicious content, and permission prompts for sensitive actions like file deletion or application access. These controls provide an important security baseline and add useful friction to high-risk operations.

However, they should not be treated as a complete security solution. Prompt injection is ultimately a cat-and-mouse game, with attackers constantly finding new ways to bypass protections and manipulate agent behavior. Enterprises should assume some attacks will eventually succeed and build additional governance, monitoring, and access controls accordingly.
‍

‍Example enterprise workflow

Consider a common Cowork workflow: an employee asks Claude to prepare a quarterly business presentation. Cowork may retrieve data from Excel, access authenticated SaaS dashboards through Browser Use, collect Jira metrics through MCP integrations, generate charts, and automatically update PowerPoint slides.
From a productivity perspective, this is extremely powerful. From a security perspective, it means the AI agent may operate across multiple enterprise systems, browser sessions, applications, and data sources within a single workflow.

Where The Protections Stop

The important nuance is that Cowork’s security model focuses primarily on containment and risk reduction, not on complete prevention. Features like sandboxing and permission controls significantly reduce traditional threats such as host compromise, credential theft, persistence, and lateral movement.

But agentic AI introduces a different category of risk that these protections do not fully address, including:

• Sensitive data exposure.
• Cross-application data movement.
• Plugin abuse.
• Browser session misuse.
• Overprivileged workflows.
• Excessive trust delegation.

Anthropic itself acknowledges part of this challenge:
“Desktop extensions (MCPs) and plugins expand what Claude can do, but each one introduces new ways for attacks to reach Claude.” Source

There are also several governance areas that would require extraneous organizational processes today:

• Skill review and approval: there is currently no built-in workflow for submitting, reviewing, and approving Skills. Organizations that want governance around custom Skills need to build their own review and approval process outside of Cowork.
• Per-group connector governance: connectors are currently managed mostly at the organization level. Organizations that require different connector policies for different teams may need additional operational controls or separate environments.
• Sharing governance: sharing controls are primarily organization-wide rather than granular per-group policies, which may require additional internal governance processes.

As a result, the security challenge shifts from preventing malware-like compromise to governing AI operations. Enterprises need visibility into what the AI can access, what actions it can perform, how those actions are monitored, and whether employees understand the operational implications of using autonomous agents. That is the core security transition introduced by agentic AI. Now let’s flesh out the best practices for implementing it.

Claude Cowork Security Best Practices

1. Configure Anthropic admin level controls

Anthropic provides several enterprise controls that organizations should configure before broad Cowork rollout. According to Anthropic’s enterprise administration guidance, security teams can:

• Enforce SSO and role-based access controls (RBAC).
• Configure approved organization-wide connectors.
• Restrict network egress destinations.
• Limit mounted directories and file access.
• Configure desktop extension and plugin allowlists.
• Control Cowork availability for users and groups on supported enterprise plans.

Anthropic also provides governance around plugins, desktop extensions, connectors, and observability features, helping organizations reduce unnecessary AI access and operational blast radius.

Capabilities such as Computer Use, Browser Use, Dispatch, and MCP integrations should receive additional review before rollout because they significantly expand the AI agent’s operational reach inside enterprise environments.

2. Enforce network level tenant restrictions

Enterprise controls are only effective if employees actually use the managed enterprise tenant. Without tenant restrictions, employees can still use personal Claude tenants to access corporate data outside organizational governance and monitoring.

Anthropic supports network-level tenant restrictions, allowing organizations to limit Claude access to approved enterprise tenants only. Security teams should strongly consider enforcing these controls on managed corporate networks and devices.

3. Export Cowork telemetry to your SIEM (advanced)

Traditional endpoint visibility may not fully capture Cowork activity because many operations occur inside the sandboxed environment. Anthropic supports exporting Cowork telemetry through OTEL integrations into SIEM or observability platforms.

Organizations should monitor:

• MCP and connector usage.
• Browser automation activity.
• High-risk workflows.
• File operations.
• Unusual access patterns.
• Repeated permission approvals.

‍4. Create dedicated detections for AI-driven operations

If organizations choose to enable higher-risk capabilities such as Computer Use and the Chrome integration, they should create dedicated detections for AI-driven browser automation, unusual cross-application workflows, high-risk MCP usage, mass file operations, and repeated permission approvals, and integrate them into existing SIEM, DLP, identity, and endpoint monitoring pipelines.

Because many agentic AI risks stem from legitimate but overprivileged access, organizations should also apply least privilege principles to Browser Use, MCPs, plugins, and connected enterprise systems, while defining clear governance around cross-application data movement and sensitive workflows.

5. Don’t overlook Claude Code, Codex, and other agents

While Cowork has broader enterprise adoption and more operational integrations, developer-focused agents like Claude Code and Codex are often overlooked by security teams.

These tools typically operate directly inside developer environments, source repositories, terminals, and cloud workflows, sometimes with fewer isolation controls than Cowork’s sandboxed model. In practice, they may have access to production credentials, infrastructure tooling, proprietary source code, and sensitive development workflows.

Organizations should apply the same governance principles across all agentic AI tools, not just enterprise productivity-focused assistants like Cowork, and developer workstations especially deserve a deeper approach because the potential blast radius is larger.

‍The Future of Agentic AI Endpoint Security

Claude Cowork represents a major shift in enterprise AI. Organizations are no longer deploying tools that simply answer questions - they are deploying systems that can take actions across browsers, applications, enterprise tools, and operational workflows.

Anthropic provides a good security foundation through sandboxing, RBAC, permission controls, plugin governance, and observability integrations. But built-in protections alone are neither sufficient on their own, nor guaranteed to work when not configured and maintained properly and continuously. Enterprises still need governance around what AI agents can access, which capabilities are enabled, which integrations are approved, and how autonomous actions are monitored.

The organizations that succeed with agentic AI will not be the ones that avoid it, but the ones that learn how to govern autonomous AI operations safely first.