Claude Managed Agents and the customer-controlled sandbox tier — when the lab gives up the data plane
Anthropic's announcement that Claude Managed Agents now operate inside customer-controlled sandboxes and connect to private MCP servers is the architectural answer to enterprise-governance demands that Microsoft Agent 365 staked out first. The substantive shift is that Anthropic is giving up the data plane to the customer while keeping only the model and runtime — a structurally different bet from Microsoft's SASE-wrapped surface.
The architectural difference matters more than the announcement headline suggests. Anthropic's customer-controlled sandbox tier places the sandbox boundary inside the customer's network, with the MCP server endpoints also under the customer's control. The lab sees model-API calls from the sandbox and returns model outputs; it does not see the integration traffic, the customer data flowing between the agent and the customer's internal systems, or the tool-call payloads. The diagram is exactly the one regulated-industry procurement asks for — and it is structurally different from how the agent-as-a-service offerings worked through 2025.
The Microsoft Agent 365 architecture sits on a different point in the design space. Microsoft's SASE-for-agents wraps customer agent traffic in the company's existing identity-and-network-security stack — the customer's IT department keeps the policy controls, but the data plane runs through Microsoft. That works extremely well for customers already in the Microsoft 365 / Defender / Entra ecosystem; it works worse for customers in regulated industries with strict data-residency requirements or sovereign-cloud deployments. The two architectures are competing for partially overlapping but materially different customer segments, and the procurement decision now follows the data-plane question rather than the capability question.
The MCP-private-server piece is what makes the Anthropic architecture credible operationally. Through 2025 every frontier-lab agent-as-a-service offering required the agent runtime to call out to the lab's own integration endpoints — which broke the data-residency story even when the rest of the deployment was clean. The Model Context Protocol design that Anthropic open-sourced in 2024 specifically anticipated this requirement: MCP servers are customer-deployable infrastructure, and the protocol assumes the lab does not own the integration endpoints. The Managed Agents announcement is the production-side fulfillment of that architectural commitment — finally aligning the deployment surface with the protocol's design intent.
For independent agent-platform startups, the Anthropic move is competitively consequential. Through 2024-2025 the differentiator for independent platforms (LangGraph, Modal Labs' agentic-workload pivot, the various enterprise-targeted vendors) was "we let you self-host the data plane, the labs don't." The Anthropic sandbox tier removes that differentiator at Anthropic specifically, which means independent platforms now have to compete on different axes — model-portability across labs, IDE integration, ecosystem reach. Some platforms have those differentiators; others were primarily competing on the data-plane question and now face a harder positioning problem.
The Project Glasswing expansion in the same cycle is the parallel enterprise move. Claude Security public beta and cyber-verification tools for eligible security teams bring Claude into the SOC tooling that regulated security teams already operate. Combined with the sandbox tier, the Anthropic enterprise stack now covers identity-bounded deployment, integration-bounded data flow, and security-team-bounded threat surface — three of the four checklist items enterprise procurement cares about (the fourth being explicit audit-and-attestation surface, which is likely the next milestone).
The longer-arc question is whether the customer-controlled sandbox pattern becomes the default for managed-agent offerings industry-wide or whether the Microsoft data-plane-wrapped pattern wins on developer ergonomics and existing-bundling moats. The historical pattern in adjacent markets (CRM, identity-as-a-service, enterprise-security tooling) is that the bundling-moat pattern wins for the broadest customer segments while the customer-controlled-data pattern wins for regulated and sovereign segments. If that pattern holds in agent platforms, Anthropic captures the high-margin regulated-industry segment while Microsoft captures the high-volume mid-market segment.
The line: managed agents used to mean the lab owned everything. In mid-2026 they mean the lab owns the model and the customer owns the rest.
Anthropic — Claude Managed Agents announcement May 2026 · Model Context Protocol — MCP specification and private-server pattern · Microsoft 365 Blog — Microsoft Agent 365 GA and SASE-for-agents