After months of preview, Anthropic made Cowork generally available. But generally available doesn’t mean generally secure. “We won’t let a few silly security settings stop us from being productive,” said every business ever, as their security teams sigh and get to work securing it.

The question is, how?

Cowork is the future of how work will get done. Quite simply, it’s a task assistant. Instead of just answering questions for you, like a Chatbot (which is so 2025), it will execute tasks for you. Link up different tools and data sources, ask it to do something, and it does it. Under the hood, it combines Claude AI (the chatbot) with Claude Code (the agent harness that helps developers code). That means every Cowork user effectively has a developer-grade agent on their machine, whether they code or not.

Let’s start with the risks. You have to understand the weaknesses so you can address them.

Excessive Connectors: In Cowork speak, connectors are MCPs. The risks come in MCPs that interact with the local endpoint (Desktop Connectors) and external MCPs (Web Connectors).

Think of the risk as a hub-and-spoke model. Cowork orchestrates at the center. Every MCP is a spoke. The more spokes you add, the more access Cowork has. The more access Cowork has, the greater the risk. Suddenly, you have one choke point that can access all of your meeting records, emails, Slack messages, CRM, financial information…the list goes on.

Overly Permissive Tools: Each of those Connectors has unique permissions that must be configured. This is personal to the user or organization if they opt to enforce specific permissions. It includes three options: “Always Allow,” “Needs [Human] Approval,” and “Block.”

Agent Skills: These are a powerful addition that give agents fine-tuned capabilities. When used with good intent, they’re amazing. The challenge here is that, when configured to be open, users can build their own or download Skills from the Internet. Suddenly, those Skills can influence agent behavior, execute scripts, and access data all under the user’s permissions.

Approval Fatigue: Spoiler alert: everyone is going to flip to “Always Allow.” And for actions gated behind “Needs Approval,” humans are clicking through that with no more attention paid to the details than to the calories in that delicious-looking chocolate chip cookie that’s been calling your name.

We spent decades saying “humans were the weakest link” in security. Why are we suddenly thinking that the human will reliably keep the agent in check? Hope and good intent aren’t security solutions.

Limited Visibility, No Detection, No Blocking: Cowork enables you to send OpenTelemetry (OTel) logs to a logging server or SIEM (note: this is only available for Team/Enterprise plans). With the switch to general availability, this now includes user prompt content and tool details by default. So it’s better, but there’s still a major gap.

No detections. It enables basic analysis, such as analyzing tool usage patterns. But most of the telemetry is focused on cost and performance monitoring. Helpful for managing operational aspects of agents, but not as helpful for securing them.

Not to mention, you can’t block actions from happening in real-time. “Agents operate at machine speed” is a favorite catch phrase for every security vendor. If you can’t operate in real-time, you’ve already missed the start of the race.

With the risks established, let’s dig into the controls you should use to give you the warm and fuzzies that your users are on a productivity rocket ship, and you’ve minimized the chances of a “rapid unscheduled disassembly.”

Manage Connectors & Agent Skills: The degree to which you want to manage is a business decision. On one end, some companies opt for a fully managed approach. This requires an allow-list of every MCP (Connector) and Agent Skill. This means someone has to review and approve them before they can be added to the trusted list. It’s the safe path, but it slows users down.

The other end is user freedom. Give users access to Anthropic’s marketplace, allow organization-controlled access, and enable them to download or load their own MCPs and Skills, or create their own. That takes a bit more trust.

Either approach you take will still require you to do the next control.

Manage Connectors & Agent Skills Permissions: It’s not enough to guard the list of tools that can be used. You have to define their permissions. With the general availability release, Anthropic introduced per-tool connector controls, so you can restrict which actions each MCP is permitted to use (e.g., always allow, needs approval, blocked).

These are applied org-wide, so there’s no customization (at least through Anthropic), which means role-based permissions aren't supported. In the GA release, Anthropic introduced role-based controls that can be configured manually or via your Identity Provider. It’s limited, focused more on specific features, like enabling Claude Code or Claude Cowork for specific groups, and enabling memory.

Scan for Malicious Connectors and Skills: Don’t assume you can trust what you find on the Internet. That Reddit user hobgoblin6767 pitching a new Agent Skill as the best thing ever shouldn’t be trusted. Before you load a new MCP or Skill, scan it first. Make sure it’s clean and doesn’t contain any nasty instructions or malicious code that could steal your credentials. That’s just how hobgoblins roll.

Manage Network Access: Cowork’s default network settings are safe, but also limiting. You may find users wanting to open access up. This can be done through an allow list, which lets you sync with approved and trusted domains. Similar to Connectors and Agent Skills, this is the safe path.

The YOLO path is opening up network access worldwide. It prioritizes functionality over security.

Disable Dispatch: This feature (currently in beta) allows Cowork agents to interact with the user’s computer. The agents are accessible through the user’s Anthropic account, allowing the user to interact with them from any device they log in to.

This is a prime target for an attacker to steal your Anthropic credentials and gain access to your local system. It goes without saying, but I’m saying it anyway, that’s bad. You can disable this in the Cowork organization settings.

Detection, Prevention, & Response: It’s not enough to collect logs. You need run-time visibility AND control. Implement a solution that monitors agent activity in real time, blocks malicious activity, enforces secure policies, and enables your teams to rapidly investigate.

That’s the short list, and it isn’t easy. You can get part of the way there with Anthropic’s configuration options, but it will only take you so far. Vendor solutions are limited, and many are still being built to keep up with Anthropic’s rapidly evolving feature set.

This is the gap we built Evoke to close. Here’s where Evoke’s platform can help:

If you need a partner to help you secure Cowork and avoid the rapid disassembly of your security posture, let’s chat.

Keep calm and Claude on.

If you have questions about securing agents, let’s chat.