Claude Cowork Security Risks: The Enterprise Guide to Safe Deployment

Introduction

Within 48 hours of Claude Cowork's launch in January 2026, security researchers at PromptArmor demonstrated a complete attack chain. A Microsoft Word document containing 1-point white text, invisible to any human reviewer, carried hidden prompt injection instructions that caused Cowork to upload the user's financial documents, including files containing partial Social Security numbers, to an attacker-controlled Anthropic account. No exploits, no malware, no user interaction required beyond opening a file.

This was not a fringe edge case. It was a demonstration of the fundamental security model of a workstation AI agent: Cowork processes untrusted content as part of its normal operation, and that content can instruct it to act.

Claude Cowork is Anthropic's desktop AI agent - currently in research preview that runs on employee machines with access to local files, browser sessions authenticated with the user's cookies, shell execution, MCP server connections, and native enterprise connectors. It can execute scheduled tasks that run unattended. It can control the desktop via Computer Use on higher tiers. It is not a chatbot with extra features. It is a fully capable local agent with a correspondingly large attack surface.

Security teams evaluating Cowork consistently encounter the same gap: Cowork activity is explicitly excluded from Anthropic's Audit Logs, Compliance API, and Data Exports on every plan tier, including Enterprise. The compliance tooling organizations rely on for every other SaaS tool has a documented blind spot for the AI agent running on their employees' machines.

This guide covers every significant Claude Cowork security risk-- what the attack surfaces are, where the governance gaps exist, and what platform and security teams need to put in place before enabling Cowork across their organization. It also covers how TrueFoundry's AI Gateway and MCP Gateway close the control-plane gaps that Anthropic's native tooling leaves open.

What Claude Cowork Actually Is (And Why It Changes the Security Model)

Most security teams evaluate Cowork as if it were an enhanced chatbot. The correct mental model is a local agent process running on each employee's machine with the following capabilities:

• Arbitrary code execution in a sandboxed environment - with the ability to request sandbox escape for specific approved tasks
• Local file read and write within configured mount points - including sensitive directories unless explicitly excluded
• Web browsing using the user's authenticated session cookies - not its own isolated session, meaning Claude inherits the user's logged-in identity across every site they're authenticated to
• Scheduled tasks via Anthropic's Dispatch feature - tasks that continue executing while the user is away from their machine
• MCP server connections - to databases, internal APIs, and SaaS tools the user has access to
• Native connectors - Slack, Google Workspace, Microsoft 365, with the permissions of the authenticated user account
• Computer Use on Pro/Max tiers - full mouse and keyboard control of the desktop outside the sandbox

The threat model is categorically different from a chatbot. A successful prompt injection against Claude.ai leaks conversation context. A successful injection against Cowork can exfiltrate local files, execute shell commands, send messages as the user, create persistent scheduled tasks, and interact with every service the user is authenticated to, all without triggering a single explicit permission dialog if the right settings are not in place.

The Six Attack Surfaces

1. Indirect Prompt Injection Through File and Web Content

Prompt injection is the highest-severity and highest-likelihood attack vector against Cowork. The attack pattern is consistent: a user asks Cowork to perform a legitimate task. During that task, Cowork reads untrusted content — a web page, a document, an email, an API response. That content contains embedded instructions targeting the agent. Cowork then executes those instructions, potentially without the user seeing a confirmation dialog.

Anthropic self-reports approximately 1% attack success rate against Claude in Chrome even after mitigations. At enterprise scale with thousands of Cowork sessions running daily, a 1% success rate across document processing workloads is not theoretical — it is a statistical certainty.

Attack vectors for injection:

• Office documents (Word, Excel, PDF) with invisible text, white-on-white content, or font-size-1 characters
• Web pages with <span style="display:none"> or hidden <div> elements containing instructions
• Email bodies and attachments in summarization workflows
• API responses from external services that Cowork queries via MCP tools
• Database records returned by SQL queries, particularly in analytics or reporting workflows

The PromptArmor demonstration (January 2026) showed the complete chain: a Word document with invisible injection text → Cowork instructed to search for financial documents → Cowork uploads found documents to an attacker's Anthropic account using the attacker's API key, embedded in the injection. No user interaction beyond opening the document.

2. The Audit Gap: Cowork Is Invisible to Compliance Tooling

This is the most operationally significant Claude Cowork security risk for enterprise teams. As of mid-2026, Cowork activity is explicitly excluded from all three of Anthropic's compliance mechanisms:

This means: you cannot pull a compliance report showing what files a user's Cowork session accessed. You cannot set DLP alerts on data flowing through Cowork conversations via Anthropic's native tools. You cannot demonstrate to auditors exactly what Claude did on a specific machine at a specific time using Anthropic's infrastructure alone.

The only native observability channel is OpenTelemetry export but by default, prompts, MCP server names, tool names, and skill names are excluded from those logs. Verbose logging must be explicitly enabled, and even then the coverage is event-level metadata, not full conversation replay.

Conversation history is stored locally on the user's machine. Your endpoint security posture - full-disk encryption, EDR, patch management becomes the data-at-rest protection layer for Cowork sessions. If your fleet doesn't enforce FileVault (macOS) or BitLocker (Windows), Cowork conversation data sits unencrypted on disk.

3. Browser Agent Risks: Authenticated Session Inheritance

Claude Cowork's browser does not use isolated sessions. When Cowork browses the web, it uses the user's authenticated session cookies. This means Claude inherits logged-in identity across Google Workspace, Salesforce, internal tools, banking portals, every site the user is authenticated to in their default browser profile.

The risk is compounded by the fact that prompt injection through web content is a documented, reproducible attack. Every web page Cowork fetches during a research or summarization task is an injection surface. A malicious page can instruct Claude to:

• Navigate to an authenticated internal system and exfiltrate data
• Submit forms or initiate transactions as the user
• Read browser-cached credentials from connected services
• Send messages or emails as the user via authenticated webmail sessions

Disabling web search and restricting browser navigation to an approved domain allowlist is the primary mitigation. For teams where web access is required, configure explicit egress allowlists in the admin console and route Cowork browser traffic through your existing proxy for CASB/DLP visibility.

4. Scheduled Tasks and the Dispatch Feature

Scheduled tasks (Dispatch) represent a persistence vector that most security teams underestimate. A scheduled task runs unattended while the desktop app is open, including when the user has left their machine. A prompt injection that successfully creates a scheduled task doesn't just execute once: it can execute repeatedly, on a schedule, while the user is away.

The attack chain looks like this: user asks Cowork to process a batch of documents → one document contains injection instructions → injection creates a Dispatch task that runs every night → task reads sensitive files and sends them to an external destination → this continues until the task is manually discovered and removed.

Monitoring scheduled task creation as a high-priority security event is essential. Any new Dispatch task creation should trigger an alert and review. Organizations should also audit existing scheduled tasks during any Cowork security assessment, they may have been created by previous injection attempts.

5. MCP Servers, Plugins, and Supply Chain Risk

Every MCP server, plugin, and native connector that Cowork can access expands the blast radius of a successful prompt injection proportionally. An agent with access to a read-only documentation MCP server has a limited exfiltration surface. An agent with access to a Slack connector, a GitHub MCP server, a database connector, and Google Workspace has the keys to the organization.

Supply chain risk is real and documented:

• Snyk's ToxicSkills audit found that 36.82% of 3,984 agent skills scanned had at least one security flaw
• Cyata discovered arbitrary file read, file deletion, and RCE vulnerabilities in Anthropic's official mcp-server-git, fixed in version 2025.12
• Tool poisoning - hidden directives in MCP server tool descriptions that execute silently is an active attack technique

Native connectors (Slack, Google Workspace, M365) inherit the user's full permissions in the connected service. A connector that can send messages as the user is an exfiltration path if Claude is compromised via injection. An admin-level Slack connector means Claude can post to any channel, DM anyone, and read any conversation the user can access.

6. Computer Use: No Permission Checks

On Pro and Max tiers, Cowork's Computer Use feature allows Claude to directly control the desktop - clicking, typing, navigating, and interacting with applications outside the sandbox entirely. Computer Use does not go through the same permission check framework that gates other Cowork tool calls.

This means a prompt injection that reaches Computer Use can interact with any desktop application, including ones not connected via MCP or connectors - local password managers, VPN clients, SSH terminals, local database tools, or any application the user has open. Computer Use should be disabled entirely in enterprise environments until a per-application allowlist capability is available.

Plan Tier Security Comparison: Enterprise Is the Only Viable Option

Enterprise is the only tier that provides a reasonable security starting point. Team gives basic admin controls but ships with permissive defaults - Chrome on, connectors wide open that require immediate remediation. Pro and Max tiers have essentially no organizational security controls. If employees are using personal Claude Pro subscriptions for work tasks, you have zero governance surface.

Why TrueFoundry Closes the Gaps Anthropic's Native Controls Leave Open

Anthropic's native Cowork controls govern what users can configure in the admin console. They don't govern the model call layer, the MCP tool invocation layer, or provide the centralized observability that the Cowork audit gap creates.

TrueFoundry's AI Gateway sits between Cowork and the model providers, giving platform teams control at the request level:

• Every LLM call from every Cowork session is logged with user attribution, model selection, token counts, and cost - filling the observability gap that Cowork's audit exclusion creates
• Budget caps and rate limits prevent individual Cowork sessions from consuming unbounded token capacity during long agentic runs
• Model access control ensures Cowork sessions only access approved models, blocking unapproved high-cost or high-capability models
• Request-level guardrails apply content filtering and PII detection at the infrastructure level, independent of what Cowork's application-layer settings permit

TrueFoundry's MCP Gateway governs every tool call Cowork makes:

• Centralized MCP server registry - only approved servers are reachable through the gateway. Cowork sessions cannot reach unapproved MCP endpoints regardless of what users configure locally
• Role-based tool access - different teams access different tool subsets. A finance analyst's Cowork session cannot call database write tools even if the MCP server technically offers them
• Pre-execution guardrails - tool calls are checked before execution. Instructions that look like injection-triggered actions (e.g., bulk file reads followed by API writes) can be flagged or blocked
• Complete tool invocation audit trail - every MCP call logged with user identity, tool name, request payload, response, and latency. Exported via OpenTelemetry to your SIEM

Together, these fill the three critical gaps that Anthropic's native tooling doesn't address: request-level observability, MCP governance, and centralized policy enforcement across all Cowork sessions.

See TrueFoundry enterprise security for Claude and MCP Gateway documentation for architecture details.

Hardening Cowork: Control-by-Control

Identity: SSO, SCIM, and Tenant Restrictions

Before enabling Cowork for any user, configure identity controls. These are the foundation everything else builds on.

• Enforce SSO (SAML 2.0 or OIDC) via the Claude Admin Console. Every Cowork user authenticates through your IdP. MFA is inherited automatically.
• Configure SCIM provisioning so deprovisioning flows automatically — terminated employees lose Cowork access when their IdP account is deprovisioned, without manual intervention.
• Deploy tenant restrictions at the network layer by injecting the anthropic-allowed-org-ids HTTP header at your proxy or firewall. This prevents users on managed devices from authenticating to personal Claude accounts and bypassing your governance controls entirely.
• Enable domain capture so corporate email addresses always route to the enterprise workspace, even if a user attempts to create a personal account.

Managed Settings: Lock Before You Launch

The managed-settings.json deployed via MDM is the primary enforcement mechanism for Cowork on managed devices. Settings at the system-level path cannot be overridden by users. Deploy this before enabling Cowork for your pilot group:

{
  "permissions": {
    "disableBypassPermissionsMode": "disable",
    "deny": [
      "Bash(curl:*)",
      "Bash(wget:*)",
      "Read(**/.env)",
      "Read(**/.ssh/**)",
      "Read(**/credentials/**)",
      "Read(**/.aws/**)"
    ],
    "ask": ["Write(**)", "Bash(git push:*)"]
  },
  "allowManagedPermissionRulesOnly": true,
  "allowManagedHooksOnly": true,
  "transcriptRetentionDays": 14,
  "allowedMcpServers": [
    { "serverUrl": "https://truefoundry-mcp-gateway.your-company.com/*" }
  ],
  "strictKnownMarketplaces": []
}

Critical settings explained:

Web Browsing and Network Egress

Web search and browsing is the primary prompt injection vector for Cowork. Every page the agent fetches is an injection surface. Configure these controls in the admin console:

• Disable web search for users who don't require it. This is the single highest-impact control for reducing injection exposure.
• Configure egress allowlists for teams that need web access. Start with the minimum set of domains required and expand on request.
• Route Cowork traffic through your existing proxy. This gives your CASB/DLP visibility into what domains Claude is reaching, even if it can't inspect agent decision-making.
• Restrict the mount points Cowork can access on the local filesystem. Exclude ~/.ssh, ~/.aws, credential stores, and any directory containing secrets.

Connector and MCP Governance

Apply minimum viable scope to every connector. Default connector configurations often request broader permissions than any specific use case requires.

Route all MCP server access through TrueFoundry MCP Gateway. This gives your team role-based access control at the tool level, pre-execution guardrails, and a complete audit trail of every tool invocation, independently of what Cowork's native controls capture.

Scheduled Tasks (Dispatch)

• Treat scheduled task creation as a high-priority security signal. Any new Dispatch task should trigger an alert and require review.
• Audit existing scheduled tasks during your Cowork security assessment - prior injection attempts may have left persistent tasks.
• Disable Dispatch by default and enable it only for teams with a documented use case and a review process for task creation.
• Monitor task execution patterns. Long-running or unexpectedly frequent Dispatch tasks may indicate an injected instruction being repeatedly executed.

Monitoring: Building the Detection Layer Anthropic Doesn't Provide

Given the Cowork audit gap, organizations must build their own detection layer. The Gravitee State of AI Agent Security 2026 report found that only 47.1% of deployed agents are actively monitored. For Cowork, where native audit coverage is zero, this is not an acceptable posture.

What to Monitor via OpenTelemetry

Enable verbose OpenTelemetry logging and route to your SIEM from day one:

TrueFoundry AI Gateway provides the model-call layer of this monitoring — every LLM request from every Cowork session with full attribution, exportable to any OTEL-compatible SIEM. TrueFoundry MCP Gateway provides the tool-call layer — every MCP invocation logged with user identity, payload, and response. Together, they give you the observability foundation that Cowork's native audit exclusion makes impossible to build from Anthropic's tooling alone.

See TrueFoundry OpenTelemetry export documentation for SIEM integration setup.

Phased Rollout: The Three-Phase Approach

Do not enable Cowork org-wide on day one. A phased rollout gives your team time to validate controls and understand the actual risk surface before broad exposure.

Phase 1 - Pre-Enablement (Before Any User Gets Access)

• Confirm Enterprise tier — Team/Pro/Max lack critical controls
• Configure SSO + SCIM through your IdP
• Deploy tenant restrictions at the network/proxy layer
• Push managed-settings.json via MDM: bypass permissions disabled, MCP allowlist set to TrueFoundry gateway only, mount controls configured, credential directories blocked
• Configure OpenTelemetry endpoint routing to your SIEM with verbose logging
• Define acceptable use policy: what data categories are permitted in Cowork sessions
• Disable Computer Use, web search, Dispatch at the org level - re-enable per team based on demonstrated need

Phase 2 - Controlled Pilot (5–10 Users, Low-Risk Team, 2 Weeks)

• Enable Cowork for a single pilot group
• Configure RBAC roles restricting to the minimum required capabilities
• Set all connectors to read-only
• Keep web search disabled
• Monitor OTEL dashboards daily review session patterns, tool calls, and any alerts
• Document every configuration change users request, these reveal where defaults are too restrictive for legitimate workflows

Phase 3 - Ongoing Governance

• Weekly: review OTEL session dashboards, audit new Dispatch tasks, triage connector write alerts
• Monthly: review plugin/skill additions, audit MCP server versions and check for supply chain CVEs, rotate connector OAuth tokens, review Anthropic security advisories
• Quarterly: formal access review of Cowork entitlements by team, update vendor risk register, run tabletop for Cowork compromise scenario, reassess mount controls and egress allowlists

Enterprise Cowork Security Checklist

Frequently Asked Questions

What are the biggest Claude Cowork security risks for enterprises?Prompt injection through file and web content is the primary threat?

‍Because Cowork processes untrusted content as part of normal operation - documents, web pages, API responses, database records any of these sources can carry embedded instructions that Cowork executes. The blast radius is large because Cowork has file access, shell execution, authenticated browser sessions, and connector access to enterprise systems. The secondary risk is the audit gap: Cowork activity is not captured by Anthropic's compliance tooling on any plan tier, meaning organizations must build their own observability layer independently.

Is Claude Cowork safe to use in a regulated industry?

Cowork should not be used for regulated workloads without explicit additional controls. Anthropic's own documentation states that Cowork should not be used for regulated use cases because Audit Logs, Compliance API, and Data Exports do not currently capture Cowork activity. For organizations in HIPAA, GDPR, SOC 2, or financial regulatory contexts, this audit exclusion means Cowork cannot satisfy standard compliance requirements without supplementary tooling, such as routing all traffic through TrueFoundry's AI Gateway for request-level logging and MCP Gateway for tool invocation auditing.

What is the difference between Claude Cowork and Claude Code from a security perspective?

‍Both are agentic tools with file access, shell execution, and MCP connectivity. The key differences are: Cowork adds browser automation using the user's authenticated cookies (a significant additional attack surface), native connectors to enterprise SaaS tools (Slack, Google Workspace, M365), and scheduled task execution via Dispatch. Cowork is also more tightly integrated with the desktop environment. Both have the same audit gap for Cowork-specific activity. Claude Code's terminal-focused operation gives security teams more predictable tool access patterns; Cowork's broader surface requires a wider set of controls.

How do I prevent prompt injection attacks in Claude Cowork?

‍No single control eliminates prompt injection risk entirely - Anthropic's own data shows ~1% success rate even with mitigations. The defense-in-depth approach: disable web search for users who don't require it (removes the largest injection surface), configure filesystem deny rules to block credential reads, route MCP traffic through TrueFoundry MCP Gateway with pre-execution guardrails that flag injection-pattern tool calls, and monitor Dispatch task creation as an early indicator of injection persistence. See TrueFoundry's prompt injection guide for the full control stack.

How does TrueFoundry help secure Claude Cowork?

‍TrueFoundry addresses the two gaps Anthropic's native controls leave open. The AI Gateway logs every model call from every Cowork session with full user attribution, filling the observability gap created by Cowork's exclusion from Audit Logs and the Compliance API. The MCP Gateway governs every tool call Cowork makes: enforcing which MCP servers are reachable, applying role-based access control at the tool level, running pre-execution guardrails, and logging every invocation with payload. Both export via OpenTelemetry to any SIEM, giving security teams the detection capability that Anthropic's native tooling doesn't provide.

Conclusion

Claude Cowork is a different category of enterprise software risk than any SaaS tool your security team has evaluated before. It's an AI agent that runs on employee machines with local file access, browser session inheritance, shell execution, and connections to your enterprise systems — and its activity is explicitly excluded from the compliance tooling you rely on for everything else.

The risks are real and documented: a working file exfiltration chain demonstrated within 48 hours of launch, two published CVEs, and a 1% injection success rate that scales to a statistical certainty across thousands of daily sessions. None of this means Cowork cannot be deployed safely in enterprise environments. It means the deployment requires explicit controls that the default configuration does not provide.

The six attack surfaces described in this guide each have concrete mitigations. The organizations deploying Cowork safely are the ones treating it as agent infrastructure from the start — with the same rigor applied to identity, endpoint controls, network governance, and observability that they apply to any other privileged system on the network.

TrueFoundry's AI Gateway and MCP Gateway provide the centralized enforcement and observability layer that closes the control gaps Anthropic's native tooling leaves open. Combined with the MDM, SSO, and network controls outlined in this guide, they give enterprise security teams a defensible Cowork posture — not just for today's threat landscape, but for the expanded agent capabilities that are coming in future releases.