Twelve months ago, Anthropic would have rejected any deployment giving Claude enough access to take down an internal service. Today that access is routine. That shift frames everything in this post from Anthropic engineering.
The core insight is simple and worth internalizing: as agents grow more capable, the blast radius of a failure grows too. Risk has two components, likelihood and damage potential. Better safeguards and model training reduce likelihood. Damage potential only grows as access expands. At some point, the productivity gains tip the risk-reward calculation toward deployment, but only if you can bound the damage.
Two approaches exist. The first is human-in-the-loop supervision. Claude Code originally required user approval at each step. In practice, users approved roughly 93% of prompts, and the more prompts they saw, the less attention they paid to each one. Approval fatigue is real, and it degrades your safety model over time. Anthropic's response was Claude Code auto mode, which auto-approves the lower-risk actions so the human sees fewer prompts and can attend to the ones that matter. But any probabilistic defense has a non-zero miss rate. Human oversight alone is not enough.
The second approach is containment: controlling what the agent can do rather than watching what it does. This means sandboxes, virtual machines, and egress controls. Anthropic calls this the focus of most of their engineering effort on agentic products, and also the area where the most surprising security failures have occurred.
Not everything ships. Claude Mythos Preview is an example of a model Anthropic judged too high-blast-radius to release in April 2026. The expectation is that broader release becomes appropriate as defenders harden critical systems and safeguards mature, but some residual risk always remains. That is a candid and useful framing for any team evaluating a new agent deployment.
The practical takeaway for builders: stop treating permission prompts as your primary safety layer. Prompt fatigue will erode them. Instead, design your agent's environment so that the worst-case action is bounded by architecture, not by user attention. Concretely, that means scoping credentials to the minimum surface the task requires, forcing agent network traffic through an egress allowlist, and running execution in isolated environments from the start. Keep human review for high-stakes, irreversible actions, and keep it off the routine path, where it only gets rubber-stamped. Build containment in before you scale access out.
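As an added example (not Anthropic's code and not from the original post), the following Python tool-call gate shows what "bounded by architecture" looks like in practice: every egress request is checked against an exact-hostname allowlist and IP literals are refused outright, every file path is resolved and confined to a sandbox root, shell commands are split into allow, review and deny, and anything unrecognised is denied by default. The tool names, the policy shape, the destructive-command list and the sandbox root are assumptions made for this example; real enforcement of egress and filesystem limits belongs in the sandbox and network layer, with a gate like this as the policy in front of it.

```python
"""Tool-call gate for an agent runtime (added example, not Anthropic's code).

Assumed tool-call shape (an assumption for this example):
  {"tool": "http_get",   "url":  "https://..."}
  {"tool": "read_file",  "path": "relative/or/absolute"}
  {"tool": "write_file", "path": "..."}
  {"tool": "shell",      "cmd":  "ls -la"}
Decisions: ALLOW runs unattended, REVIEW waits for a human, DENY is refused.
"""
from dataclasses import dataclass
from pathlib import Path
from urllib.parse import urlsplit
import ipaddress
import shlex

ALLOW, REVIEW, DENY = "allow", "review", "deny"

# Raw characters that chain, substitute or redirect: cannot be classified safely.
CHAIN_CHARS = (";", "|", "&", "`", "$(", ">", "<")


@dataclass(frozen=True)
class Policy:
    """Per-session containment policy (assumed shape for this example)."""
    sandbox_root: Path            # only files under this root are reachable
    egress_allowlist: frozenset   # exact hostnames the agent may call over https
    destructive: frozenset = frozenset(
        {"rm", "dd", "mkfs", "kubectl", "terraform", "systemctl"}  # assumed list
    )


def check_egress(url: str, policy: Policy):
    """Allow only https to an allowlisted hostname; never an IP literal."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # .hostname drops userinfo and port
    if parts.scheme != "https":
        return DENY, "only https egress is permitted"
    try:
        ipaddress.ip_address(host)
        return DENY, "IP-literal destination (blocks metadata and internal ranges)"
    except ValueError:
        pass  # not an IP literal, continue to the allowlist check
    if host not in policy.egress_allowlist:
        return DENY, f"host {host!r} is not in the egress allowlist"
    return ALLOW, "host allowlisted"


def check_path(requested: str, policy: Policy):
    """Confine reads and writes to the sandbox root after resolving '..' and symlinks."""
    root = policy.sandbox_root.resolve()
    target = (root / requested).resolve()  # an absolute `requested` replaces root
    try:
        target.relative_to(root)
    except ValueError:
        return DENY, f"{requested!r} resolves outside the sandbox root"
    return ALLOW, "path inside sandbox"


def check_shell(cmd: str, policy: Policy):
    """Routine commands run; destructive or chained ones wait for a human; sudo never runs."""
    try:
        tokens = shlex.split(cmd)
    except ValueError as exc:
        return DENY, f"unparseable command: {exc}"
    if not tokens:
        return DENY, "empty command"
    if tokens[0] == "sudo":
        return DENY, "privilege escalation is never available to the agent"
    if any(ch in cmd for ch in CHAIN_CHARS):
        return REVIEW, "chained or redirected command cannot be classified automatically"
    hit = [t for t in tokens if t in policy.destructive]
    if hit:
        return REVIEW, f"destructive tool {hit[0]!r} requires human approval"
    return ALLOW, "routine command"


def gate(call: dict, policy: Policy):
    """Dispatch one tool call to its check; unknown tools are denied by default."""
    tool = call.get("tool")
    if tool == "http_get":
        return check_egress(call["url"], policy)
    if tool in ("read_file", "write_file"):
        return check_path(call["path"], policy)
    if tool == "shell":
        return check_shell(call["cmd"], policy)
    return DENY, f"unknown tool {tool!r} (default deny)"


# Example policy; the root and allowlist are constructed for this example.
EXAMPLE_POLICY = Policy(Path("/srv/agent-sandbox"), frozenset({"api.example.com"}))

if __name__ == "__main__":
    # Constructed sample tool calls an agent might emit during a task.
    for call in [
        {"tool": "http_get", "url": "https://api.example.com/v1/items"},
        {"tool": "http_get", "url": "https://api.example.com@evil.example/"},
        {"tool": "http_get", "url": "https://169.254.169.254/latest/meta-data/"},
        {"tool": "read_file", "path": "../../etc/passwd"},
        {"tool": "write_file", "path": "notes/todo.md"},
        {"tool": "shell", "cmd": "rm -rf build"},
        {"tool": "shell", "cmd": "ls; curl https://evil.example"},
        {"tool": "shell", "cmd": "sudo apt-get install something"},
    ]:
        print(f"{gate(call, EXAMPLE_POLICY)[0]:6}  {call}")
```

Two design choices are worth noting. The gate defaults to DENY for any tool it does not recognise, so adding a new capability is an explicit policy change rather than an accident. And REVIEW is reserved for the small set of destructive or unclassifiable actions, which is what keeps the human's approval queue short enough that their attention still means something.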