Blank white background with no objects or features visible.

تعلن TrueFoundry عن استحواذها على Seldon AI، موسعة بذلك لوحة التحكم الخاصة بها للذكاء الاصطناعي للمؤسسات. البيان الصحفي الكامل →

أمان المؤسسات لـ Claude: دليل عملي للحوكمة لفرق الهندسة

By أشيش دوبي

Published: July 4, 202612

⚡ TL;DR

Securing Claude in the enterprise means governing three distinct attack surfaces — the web app, the desktop app, and Claude Code in the terminal — each of which needs its own controls.

Key takeaways
  • Three attack surfaces: Claude’s web app (browser sandbox), desktop app (local tool access), and Claude Code (in developers’ terminals) each carry different risks and need their own controls.
  • Identity first: enforce SSO/SAML, scoped roles, and least-privilege access as the foundation of any Claude deployment.
  • Govern the traffic: route Claude’s model and tool calls through a gateway so you control which models, tools, and MCP servers each user or agent can reach.
  • Lock down local & MCP: sandbox local tool access and apply approval flows to MCP servers — recent CVEs showed a cloned repo can be enough to exfiltrate keys or run code.
  • Audit, retain, control cost: centralized audit logging, data-retention/compliance policies, and spend controls keep usage accountable — TrueFoundry centralizes all of this across teams.

The three Claude attack surfaces (and why they need different controls)

Eight out of ten Fortune 10 companies now use Claude, and over 300,000 businesses run it in production. Two CVEs in the past year proved that a cloned repo is all it takes to exfiltrate API keys or execute code before a trust dialog even appears.

Claude ships across three interfaces — web, desktop, and CLI — and each one has a different attack surface. The web version runs in a browser sandbox, the desktop app connects to local tools, and Claude Code sits in your developers' terminals with the same permissions as their user accounts. It can read files, run bash commands, and connect to external services.

Most enterprise security guides treat these interfaces as one thing, but they are not. Governing Claude well means applying the right controls to each surface, rather than blanket policies that over-restrict developers or leave gaps. The sections below walk through how to do it.

Surface
Claude.ai (Web) Lowest risk
Claude Desktop Medium risk
Claude Code (CLI) Highest risk
Code execution None — runs in browser sandbox Local tool integrations Full bash access in user context
Primary risk Data exfiltration via prompts Unvetted local tool sprawl Credential theft, code injection
Best control DLP + domain capture Tool review + auto-update via MDM Managed settings + native sandbox
📋

CISO & Security Admin Guide

Enterprise Security for Claude Code — 8-step checklist

2-page reference covering identity, model routing, sandboxing, MCP governance, retention & audit · PDF

Download the guide

Identity and Access Configuration

SSO should be live before you hand Claude to a single developer — not after, and certainly not "soon."

Claude supports SAML 2.0 and OIDC with Okta, Azure AD (Entra ID), Auth0, and Google Workspace, and you can manage all of it from the Claude Admin Console (see the setup guide). Three settings matter most at this stage.

Critical SSO Configuration Steps

  • Enable Require SSO for Console and Require SSO for Claude. Both settings enforce SSO-based authentication and inherit MFA from your identity provider.
  • Claim your corporate email domains through domain capture. Once active, any sign-in attempt with a company address automatically routes to the enterprise workspace, preventing employees from reverting to personal accounts across any interface.
  • Map your Identity Provider (IdP) groups to Claude roles. Primary Owner gets full admin access, including billing. Admin manages users, policies, and audit logs, but cannot touch billing, and Member uses Claude within admin-defined policies.

Revoking someone in your IdP drops their access across web, desktop, and CLI instantly.

How identity provider groups map to Claude roles across web, desktop, and CLI.

API Key Management

SSO handles interactive logins, while API keys handle everything else — Claude Code sessions, CI/CD pipelines, and any automation hitting the API outside a browser.

You should issue keys through the Admin Console because developers should never use personal keys in a corporate context. Store them in AWS Secrets Manager, HashiCorp Vault, or Azure Key Vault, rotate them quarterly, and revoke them immediately on suspected compromise or when someone leaves the team.

Model Access and Traffic Routing

After identity, the next layer is model access and traffic routing. You need answers to two questions: which models can developers use, and where does their Claude traffic actually flow?

Restricting the Model Set

A simple allowlist in the Admin Console stops developers from switching to higher-cost or unapproved models:

{
  "allowedModels": ["claude-sonnet-4-5", "claude-haiku-4-5"]
}

Routing Traffic Through a Gateway

Routing Claude traffic through your own LLM gateway lets you inspect, log, and govern requests at the network layer. You can set these environment variables on developer machines to get started:

export ANTHROPIC_BASE_URL=https://your-gateway.internal.corp
export HTTPS_PROXY=https://proxy.your-company.com:8080

One important detail is that these variables apply only to Claude Code and Claude Desktop. Web routing is controlled at the organization level through the Admin Console.

Enforcing Routing Policies Across Developer Machines

Setting variables on one machine is easy, but doing it across 100 machines and ensuring nobody changes them is the real challenge.

You can enforce routing policies across developers’ machines in three ways:

  1. MDM / Endpoint-Managed Settings push a managed-settings.json file to every machine via Jamf, Kandji, or Intune. Claude Code reads the file at startup with no network dependency, and the settings are tamper-resistant at the OS level. The tradeoff is that MDM only works on corporate-owned devices.
  2. Server-Managed Settings (Beta) delivers configuration from Anthropic's servers when developers authenticate. No file deployment is needed, and the approach works on BYOD devices. The catch is that enforcement is client-side only, so a developer with sudo can tamper with it. The approach is also incompatible with custom ANTHROPIC_BASE_URL, so if you route through a gateway, this option is off the table.
  3. Direct Cloud Provider routes Claude Code to your AWS Bedrock or Google Vertex account. Traffic stays in your VPC with cloud-native audit logging, but the downside is single-provider lock-in and complex IAM setup.

Using a Centralized Gateway for Multi-Provider Routing

Instead of configuring each provider one by one, TrueFoundry AI Gateway gives you a single proxy layer between Claude Code and all your model providers. You can point Claude Code at it with one variable:

export ANTHROPIC_BASE_URL=https://<your-truefoundry-gateway-url>

From there, you add provider accounts in the Gateway dashboard, and Claude Code reaches all of them — Anthropic, Bedrock, Vertex — via a single endpoint. Virtual Models let you create a single model identifier that routes across providers with weight-based or latency-based logic, and you can switch providers without touching any client configuration.

The Gateway also enforces rate limits, budget limits, and access control on every request before it reaches the provider.

Claude traffic routed through TrueFoundry AI Gateway to multiple model providers.

Local Tool Access and Sandboxing

The mistake most teams make is treating all three interfaces the same, even though they are fundamentally different in what they can touch.

Claude.ai (Web)

The web interface has no local code execution, so the primary risks are data exfiltration through prompts and shadow IT from personal accounts. Domain capture solves the second problem. 

For the first, classify Claude.ai as a third-party SaaS tool in your data loss prevention (DLP) and AI security tooling and apply the same controls you would to Google Docs or Notion. The Admin Console also lets you restrict file uploads, disable Artifacts, and control conversation retention.

Claude Desktop

The desktop app does not run arbitrary shell commands by default, but local tool integrations let developers connect Claude to scripts, file systems, and other resources. You should review each tool before approval and require explicit human confirmation before execution for anything with write access. Keeping the app current via MDM-enforced auto-update is also essential.

Claude Code (CLI)

Claude Code has the broadest attack surface of the three interfaces. It can read .env files, SSH keys, and credentials, run arbitrary bash commands in the developer's user context, and send code and context to Anthropic's servers for processing.

The following baseline managed-settings.json blocks the most dangerous operations:

{
  "permissions": {
    "disableBypassPermissionsMode": "disable",
    "deny": [
      "Bash(curl:*)", "Bash(wget:*)",
      "Read(**/.env)", "Read(**/.env.*)",
      "Read(**/secrets/**)", "Read(**/.ssh/**)",
      "Read(**/credentials/**)"
    ],
    "ask": ["Bash(git push:*)", "Write(**)"]
  },
  "allowManagedPermissionRulesOnly": true,
  "allowManagedHooksOnly": true,
  "transcriptRetentionDays": 14
}

Here is what each key setting does:

  • disableBypassPermissionsMode stops developers from using --dangerously-skip-permissions to override safety controls.
  • allowManagedPermissionRulesOnly locks out project-level and user-level permission overrides entirely.
  • deny rules block operations outright with no override possible.
  • ask rules require explicit developer approval before each execution.

One more thing worth emphasizing: Claude Code should never run as root under any circumstances.

Enabling Native Sandboxing

Claude Code's native sandbox enforces filesystem and network isolation at the OS level, using Seatbelt on macOS and bubblewrap on Linux. Anthropic's own internal testing found that sandboxing reduces permission prompts by 84% while maintaining stronger execution boundaries. You should enable it for all developers:

{
  "sandbox": {
    "enabled": true,
    "network": { "httpProxyPort": 8080, "socksProxyPort": 8081 }
  }
}

The sandbox prevents modification of system-level files, blocks contact with domains you have not allowed, and limits the blast radius of prompt injection attacks. You should also set "allowUnsandboxedCommands": false to close the escape hatch that would otherwise let commands run outside the sandbox.

MCP Server Governance

MCP servers connect Claude to external databases, APIs, and SaaS tools, and every new server a developer adds expands the attack surface. Without centralized control, you end up with credential sprawl, unvetted public servers running on developer machines, and no audit trail of which tools were called or what data returned.

The solution is to route all MCP access through a centralized gateway and allowlist only that gateway URL.

What TrueFoundry MCP Gateway Provides

TrueFoundry MCP Gateway handles enterprise MCP governance through a single control plane:

  • Centralized MCP registry that lets you register and manage all approved servers in one place, so developers connect to the Gateway instead of managing individual server connections locally.
  • Unified authentication where developers authenticate once with a TrueFoundry API key or IdP token (Okta, Azure AD, Auth0), and the Gateway handles outbound auth to each downstream server.
  • Role-based access control that governs which users and teams can reach which servers and tools, enforcing least-privilege from the dashboard.
  • Tool-level governance that lets you disable individual tools on a server or aggregate tools from multiple servers into a خادم MCP افتراضي يعرض فقط مجموعة فرعية معتمدة لكل فريق.
  • حواجز الحماية تطبق فحوصات ما قبل التنفيذ، وحظرًا في الوقت الفعلي، وتحققًا بعد التنفيذ على استدعاءات الأدوات.
  • كامل سجل التدقيق حيث يتم تتبع كل استدعاء أداة مع نسبة المستخدم، وحمولات الطلب/الاستجابة، وبيانات زمن الاستجابة.

يمكنك تأمينه في ملف managed-settings.json:

{
  "allowedMcpServers": [
    { "serverUrl": "https://truefoundry-mcp-gateway.your-company.com/*" }
  ],
  "strictKnownMarketplaces": []
}

تمنع مصفوفة strictKnownMarketplaces الفارغة جميع عمليات تثبيت MCP التي مصدرها السوق. على الأجهزة المدارة، يمكنك نشر ملف managed-mcp.json عبر MDM لتزويد الأجهزة مسبقًا بخوادم معتمدة، وبمجرد نشره، لا يمكن للمطورين إضافة خوادم تتجاوز تلك المحددة في الملف.

Three-step flow for locking down MCP server access through a centralized gateway.

الاحتفاظ بالبيانات والامتثال

قد تحتفظ Anthropic بالمدخلات والمخرجات افتراضيًا لتحسين السلامة والجودة، ولكن لديك ثلاث آليات للتحكم في الاحتفاظ.

إعدادات الاحتفاظ حسب الواجهة

بالنسبة لـ Claude.ai، يمكنك تعيين الاحتفاظ بحد أقصى 30 يومًا في إعدادات المؤسسة > البيانات والخصوصية. بالنسبة لـ Claude Code، استخدم إعداد transcriptRetentionDays في ملف managed-settings.json بقيمة تتراوح بين 7 و 14 يومًا كإعداد افتراضي معقول.

الاحتفاظ الصفري بالبيانات (ZDR)

لأعباء العمل الخاضعة للتنظيم، يجب عليك طلب ZDR عبر فريق حسابك في Claude. يمنع ZDR شركة Anthropic من تخزين المطالبات أو المخرجات بما يتجاوز ما هو ضروري لتلبية الطلب، ولكنه يتطلب ملحقًا تعاقديًا. يجب ألا تقوم بمعالجة معلومات الصحة المحمية (PHI) أو أي بيانات أخرى منظمة حتى يتم توقيع الملحق وتأكيد تفعيله.

أطر الامتثال

  • SOC 2 Type II الشهادة مملوكة لشركة Anthropic ومتاحة بموجب اتفاقية عدم إفشاء. تشمل مسؤوليتك إجراءات التوفير/إلغاء التوفير الموثقة، والاحتفاظ بالسجلات لأكثر من 90 يومًا، وتقييمًا حاليًا لمخاطر الموردين.
  • HIPAA يتطلب الامتثال لـ ZDR بالإضافة إلى مراجعة بشرية إلزامية لجميع المخرجات التي تتضمن بيانات المرضى، إلى جانب سجل تدقيق كامل لكل تفاعل يتعلق بمعلومات الصحة المحمية (PHI).
  • GDPR يتطلب الامتثال لـ إقامة البيانات (مناطق AWS في الاتحاد الأوروبي أو Vertex مع Private Service Connect)، وسير عمل الحذف الموثق عبر واجهة برمجة تطبيقات الامتثال (Compliance API)، وقواعد الرفض لحظر المحتوى الذي يحتوي على معلومات تعريف شخصية (PII).

تسجيل التدقيق وضوابط التكلفة

يجب عليك تصدير سجلات التدقيق إلى نظام SIEM الخاص بك بانتظام والاحتفاظ بها لمدة لا تقل عن 90 يومًا لـ SOC 2 أو لفترة أطول للصناعات المنظمة. ما يجب التقاطه يختلف حسب الواجهة:

  • الويب يتطلب تسجيل أحداث بدء/انتهاء الجلسة، وتحميل الملفات، وبيانات تعريف المحادثة.
  • سطح المكتب يتطلب تسجيل اتصالات خادم MCP، واستدعاءات الأدوات، ومكالمات الخدمات الخارجية.
  • CLI يتطلب تسجيل استدعاءات الأدوات، وأنماط الوصول إلى الملفات، وتنفيذ أوامر shell، والإجراءات المرفوضة.

عندما يتدفق ترافيك Claude عبر TrueFoundry AI Gateway، يتم تتبع كل طلب مع إسناد كامل للمستخدم عبر طلبات LLM و MCP على حد سواء. توفر لوحة تحكم موحدة مقاييس في الوقت الفعلي، ويتم تصدير جميع التتبعات إلى Grafana أو Datadog أو Splunk عبر أوبن تليمتري (OpenTelemetry).

يمكن للمسؤولين أيضًا تكوين إعدادات OpenTelemetry بشكل أصلي في ملف الإعدادات المدارة لتصدير القياس عن بعد مباشرة من Claude Code.

فيما يتعلق بالتكاليف، حدد حدودًا شهرية صارمة للإنفاق لكل مستخدم ولكل فريق في لوحة تحكم المسؤول. بدون هذه الحدود القصوى، يمكن لخط أنابيب غير مهيأ بشكل صحيح أن يستنزف ميزانيتك بين عشية وضحاها. تعد التفاصيل لكل مستخدم ولكل نموذج مفيدة لتقارير استرداد التكاليف، واكتشاف الشذوذ، و قابلية مراقبة تكاليف الذكاء الاصطناعي.

TrueFoundry AI Gateway dashboard with request tracing and usage metrics.

Here's The Evaluation Framework

Criteria What should you evaluate ? Priority TrueFoundry
Identity, Access Control & Secret Protection
Central authentication Does every model and tool request go through SSO, workload identity, service accounts, or scoped gateway keys? Must have Supported: SSO, workload identity, and scoped gateway keys.
SSO and IdP integration Does the platform integrate with SAML, OIDC, Okta, Azure AD, or Google Workspace and sync roles from the IdP? Must have Supported: SAML, OIDC, IdP role sync.
Role-based access control Can RBAC restrict models, providers, tools, environments, and logs by user, team, and application? Must have Supported: fine-grained RBAC at every resource level.
Virtual API keys Can API keys be generated and scoped to individual apps with configurable expiration and access controls? Must have Supported: scoped virtual keys with expiration policies.
Provider key isolation Can applications call models without receiving raw provider keys, and can keys be rotated without app redeploys? Must have Supported: centralized provider keys, zero-downtime rotation.
LLM Gateway Security Checklist
A practical guide used by platform & infra teams

الخلاصة

تأمين Claude ليس قرارًا واحدًا بل مجموعة قرارات متراكمة — الهوية، توجيه النموذج، العزل (sandboxing)، حوكمة MCP، الاحتفاظ بالبيانات، تسجيل التدقيق، وضوابط التكلفة — يطبق كل منها بشكل مختلف حسب الواجهة. يحتاج إصدار الويب إلى ضوابط منع فقدان البيانات (DLP) والتقاط النطاق. يحتاج تطبيق سطح المكتب إلى مراجعة أداة بأداة. يحتاج Claude Code إلى ملف managed-settings.json مؤمّن يتم نشره عبر MDM مع تمكين العزل الأصلي.

القاسم المشترك بين الثلاثة هو أنه يجب عليك توجيه حركة المرور ووصول MCP عبر بوابة مركزية تتحكم فيها. نقطة نهاية واحدة، مجموعة سياسات واحدة، ومسار تدقيق واحد. بوابة TrueFoundry للذكاء الاصطناعي توفر هذه الطبقة لكل من حركة مرور LLM وحوكمة خادم MCP، مع التحكم في الوصول المدمج، وتحديد المعدل، والحواجز الوقائية، وقابلية المراقبة.

ابدأ بتسجيل الدخول الموحد (SSO) والتقاط النطاق اليوم، ثم قم بفرض الإعدادات المدارة عبر أسطولك، ووجه كل شيء عبر بوابة تتحكم فيها. نقاط الضعف الأمنية (CVEs) حقيقية، ويزداد التعرض للخطر مع كل مطور يفتح Claude Code.

The fastest way to build, govern and scale your AI

Sign Up
Table of Contents

One Gateway for Every LLM, Agent and MCP Server

Book a 30-min with our AI expert

Book a Demo

The fastest way to build, govern and scale your AI

Book Demo
Summarize with
ChatGPT logo by OpenAI
Perplexity AI logo
Blurry red snowflake on white background, symmetrical frosty design with soft edges and abstract shape.

Discover More

No items found.
July 4, 2026
|
5 min read

تكاملات منصة التعلم الآلي #1: Weights & Biases

Use Cases
Engineering and Product
July 4, 2026
|
5 min read

تكامل Pillar Security مع TrueFoundry

No items found.
July 4, 2026
|
5 min read

التخزين المؤقت الدلالي لنماذج اللغة الكبيرة (LLMs): تقليل التكلفة وزمن الاستجابة بما يتجاوز التخزين المؤقت للبادئات

No items found.
July 4, 2026
|
5 min read

تكاملات أدوات التعلم الآلي #2 DVC لإدارة إصدارات بياناتك

Engineering and Product
Use Cases
July 4, 2026
|
5 min read

سير عمل كود كلود: كيف يعمل وكيفية استخدامه في الإنتاج

No items found.
July 4, 2026
|
5 min read

أفضل خوادم MCP لـ Claude Code

No items found.
July 4, 2026
|
5 min read

دليل مصادقة MCP في Claude Code 2026

No items found.

Recent Blogs

Black left pointing arrow symbol on white background, directional indicator.
Black left pointing arrow symbol on white background, directional indicator.

Frequently asked questions

Is Claude Code SOC 2 compliant?

Anthropic maintains SOC 2 Type II compliance for its Claude API and enterprise offerings. However, SOC 2 compliance for a deployment using Claude Code also depends on how the operator configures their own infrastructure, data handling, and logging practices. Enterprises typically layer their own compliant controls on top of Anthropic's baseline.

Can you make Claude HIPAA compliant?

Claude can be deployed in a HIPAA-compliant manner when the surrounding infrastructure meets the required safeguards. Anthropic offers Business Associate Agreements (BAAs) for qualifying enterprise customers. Organizations must ensure that PHI (Protected Health Information) is not inadvertently included in prompts or stored without proper controls.

Can you use Claude for commercial purposes?

Yes, Claude is available for commercial use through Anthropic's API. Businesses can integrate Claude into products and services under Anthropic's usage policies. Commercial usage requires agreement to Anthropic's terms of service, and certain use cases such as high-risk domains may require additional review.

Is Claude ISO 27001 certified?

Anthropic pursues leading security certifications for its infrastructure, and Claude's enterprise API is backed by robust security controls. Organizations considering ISO 27001 alignment should verify the current certification status directly with Anthropic, as certification scope and renewal timelines can change.

Is installing Claude Code a security risk?

Claude Code itself is not inherently a security risk, but its agentic nature means it can execute code, modify files, and make network requests all of which introduce risk if not properly scoped. Running Claude Code in sandboxed environments, restricting filesystem access, and maintaining permission prompts are essential practices for minimizing exposure.

Does Claude allow API access?

Yes, Anthropic provides a fully documented REST API that developers and enterprises can use to access Claude programmatically. The API supports text generation, vision, tool use, and multi-turn conversations, and it is available across multiple Claude model tiers.

What is Claude API compliance?

Claude API compliance refers to the set of security standards, certifications, and usage policies that govern how the Claude API is operated and accessed. This includes SOC 2 Type II, data retention policies, content filtering controls, and Anthropic's acceptable use guidelines all of which together define the compliance posture of any system built on Claude.

How to access Claude API compliance for free?

Anthropic publishes its compliance documentation, security overview, and usage policies publicly on its website and trust portal. Developers can review these materials at no cost. Accessing formal compliance reports (such as SOC 2 audit reports) typically requires signing an NDA and requesting them through Anthropic's enterprise sales process.

Is Claude API compliance stateless?

The Claude API is stateless by design each API request is independent and does not retain session state between calls. Conversation history must be explicitly passed in each request. This stateless architecture simplifies compliance by limiting the persistence of user data, though operators remain responsible for how they store and handle conversation content on their own infrastructure.

Take a quick product tour
Start Product Tour
Product Tour