Claude agents can finally connect to enterprise APIs without leaking credentials

The reason enterprises have been slow to connect AI agents to internal APIs and databases isn’t the model – it’s credentials. In most production deployments, the agent carries the authentication token with it when it executes a tool call, so a compromised or misbehaving agent takes the keys with it.

Anthropic is addressing that problem with two new capabilities for Claude managed agents: self-hosted sandboxes, which let teams run tool executions inside their own infrastructure perimeter, and MCP tunnels, which connect agents to private MCP servers without exposing credentials to the agent’s context. Together they move credential control to the network edge rather than leaving it inside the agent.

Right now, self-hosted sandboxes are available to Claude managed agent users in public beta, while MCP tunnels are in research preview.

Anthropic isn’t the only model provider making this bet. OpenAI added local execution to its Agent SDK in April in response to similar demand. The architectural distinction Anthropic draws is a separation: the agent loop runs on Anthropic’s infrastructure, while tool execution runs on the enterprise’s own systems – a separation that existing sandbox approaches, including OpenAI’s, do not create.

The architecture problem with sandboxes and agents

MCP moved into enterprise production faster than the security architecture around it matured. In most deployments, credentials travel through the agent itself as it executes tool calls against internal systems – meaning a compromised or misbehaving agent has everything it needs to cause harm.

Self-hosted sandboxes, such as those offered for Claude managed agents, keep files and packages within the enterprise’s infrastructure. The agentic loop—orchestration, context management, and error recovery—moves to the platform, and ideally the enterprise controls the compute resources.

This lets the agent complete tool calls without holding the credentials that unlock the systems it calls.

Private network connectivity works the same way – a lightweight, outbound-only gateway inside the organization’s network brokers the connection, and no credentials pass through the agent.
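The credential-at-the-edge pattern described above, as an added illustrative model (this is not Anthropic’s code and does not use MCP’s actual protocol or wire format): the gateway is the only component that holds the secret and injects it on the way into the private network, while the agent loop only ever sees tool names, arguments and results, so a dump of its context contains no token. All names, tokens and the allowlist are constructed for the example.

```python
# Constructed model of the credential-injecting gateway pattern; not Anthropic's
# or MCP's real implementation. Secrets exist only on the gateway side.
import hmac
import json
from dataclasses import dataclass, field

GATEWAY_SECRETS = {"crm": "crm-token-PLACEHOLDER"}      # lives inside the enterprise network
ALLOWED_TOOLS = {"crm": {"lookup_customer"}}           # per-system tool allowlist

def internal_api(system, tool, args, token):
    """Stand-in for a private internal API that demands a bearer token."""
    if not hmac.compare_digest(token, GATEWAY_SECRETS[system]):
        return {"error": "unauthorized"}
    return {"system": system, "tool": tool, "result": f"record for {args['id']}"}

class Gateway:
    """Outbound-only gateway: accepts tool-call intents, enforces the allowlist,
    attaches the credential and forwards inward. The token never leaves here."""
    def __init__(self):
        self.audit = []   # what a defender would ship to the SIEM
    def handle(self, request):
        system, tool, args = request["system"], request["tool"], request["args"]
        if tool not in ALLOWED_TOOLS.get(system, ()):
            self.audit.append(("denied", system, tool))
            return {"error": "tool not allowed"}
        self.audit.append(("allowed", system, tool))
        return internal_api(system, tool, args, GATEWAY_SECRETS[system])

@dataclass
class Agent:
    """Agent loop as run on the platform side: it records only requests and
    responses in its context, never a credential."""
    gateway: Gateway
    context: list = field(default_factory=list)
    def call_tool(self, system, tool, **args):
        req = {"system": system, "tool": tool, "args": args}
        self.context.append(json.dumps(req))
        resp = self.gateway.handle(req)
        self.context.append(json.dumps(resp))
        return resp

def context_leaks_secret(agent):
    """The check a practitioner wants: does any secret appear in agent context?"""
    blob = "\n".join(agent.context)
    return any(secret in blob for secret in GATEWAY_SECRETS.values())

if __name__ == "__main__":
    agent = Agent(Gateway())
    print(agent.call_tool("crm", "lookup_customer", id="42"))
    print(agent.call_tool("crm", "delete_customer", id="42"))   # blocked at the edge
    print("secret in agent context:", context_leaks_secret(agent))
```

Contrast this with the status quo the article describes, where the token would sit in the agent's own context alongside the request and be exposed by the same dump.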

Orchestration teams get some control

For orchestration teams, these capabilities represent more than a security update; they help agents run better. But the first thing teams need to understand is how this split architecture affects their deployments.

Since sandboxes determine where tools execute and which resources the agent can reach, while MCP tunnels dictate how agents connect to internal systems, these are separate concerns – keeping them separate lets enterprises map agent workflows onto their infrastructure more precisely.

For teams already on Claude managed agents, the practical starting point is the sandbox – move tool execution onto your own infrastructure and test its limits before touching MCP tunnels, which are still in research preview. Teams evaluating platforms for the first time should treat the sandbox architecture as the primary technical differentiator: it’s the piece that changes the threat model, not just the deployment model.
