
Secure How Enterprise Teams Use Anthropic’s Claude with Akto
Learn how enterprise teams secure Anthropic Claude with Akto using runtime AI security, prompt injection defense, and GenAI governance controls.

Krishanu
Claude is no longer a tool that a few people experiment with. It's how developers write code, how marketers ship campaigns, how operations teams automate the work that used to eat up their weeks. It runs in terminals, in IDEs, inside Claude.ai Projects, and through MCP servers that connect it to Google Drive, Slack, GitHub, Salesforce, and the rest of the enterprise stack.
That kind of adoption is a win. It has also opened a category of risk most security programs aren't equipped for.
Where Claude Shows Up in Your Organization
Claude's enterprise footprint divides into two distinct layers: the surfaces through which employees access Claude, and the capabilities operating within each surface. The risk profile of any Claude session depends on how those layers combine.
Primary Access Surfaces
These are where and how your employees interact with Claude. Controls written for one of these surfaces do not transfer cleanly to the others. Each must be assessed and governed independently.
Claude.ai (web)
The browser interface at claude.ai is the way most employees first encounter Claude. Marketers draft copy here, analysts summarize documents, and support teams write responses. It's also where employees upload files (PDFs, spreadsheets, source code) to ask Claude questions about them. Most "shadow Claude" use starts here, in a tab that the security team never approved.
Claude Code
Anthropic's agentic coding tool that runs in the terminal or inside an IDE. It reads developer codebases, writes patches, runs commands, and opens pull requests. Because it has agency over the developer's machine (file system, shell, git, CI/CD), it's the highest-privilege Claude surface in most enterprises, and the one whose active footprint most security teams underestimate.
Claude Desktop and Cowork
The native desktop app for Mac and Windows. Cowork is its agentic mode - a desktop assistant for non-developers that automates file and task management directly on the user's machine. Marketers use it to organize campaigns; ops teams use it to wrangle spreadsheets; analysts use it to chase down information across local files and connected apps. Same agentic power as Claude Code, in the hands of users who don't necessarily think of themselves as running code.
Capability Layers Across Surfaces
Projects
Persistent workspaces inside Claude.ai and Claude Desktop. Teams use them to upload reference documents, define custom system instructions, attach MCP connectors, and share state with colleagues. Because Projects persist and aggregate across sessions, they accumulate sensitive material (proposals, customer records, source code, financial models) far beyond the scope of any single chat. A Project effectively functions as a shared enterprise data store, but it inherits Claude's native user-level access controls, which were not designed for enterprise data governance.
MCP servers
Model Context Protocol is the integration layer through which Claude connects to external systems. An MCP server may be a sanctioned enterprise integration (Slack, Salesforce, GitHub, Google Drive) or an unsanctioned tool registered locally on a developer machine and never decommissioned. In either case, MCP is the conduit pulling live enterprise data into Claude sessions, and the channel through which Claude can take action back on those systems. MCP traffic is therefore both a data egress path and a privileged execution path.
Skills and plugins
Custom instructions that extend Claude's behavior, from automating a defined workflow to encoding a domain-specific assistant. Skills execute as trusted system prompts with no sandbox; their content is not bound by user-level controls. Compromised or misconfigured Skills can alter Claude's behavior across every session in which they are loaded.
The risk profile of any Claude session is the product of these layers. A Claude Code session with a custom Skill loaded and an MCP server connected to a production database presents a materially different control problem than a single Claude.ai chat. Akto Atlas must address each surface, each capability layer, and the combinations they form.
The Enterprise Visibility Gap
Ask the average CISO who's using Claude across their organization, what data is flowing through it, and which MCP servers are active on employee laptops, and the honest answer is usually some version of "we don't know."
That isn't hypothetical. It's the default state. Source code goes into Claude Code. Financial models go into Claude.ai Projects. Customer data flows in through connectors. Skills run as trusted system prompts with no sandbox. Every one of these touchpoints is a place where data can leak, where prompt injection can hijack an agent, where shadow AI can quietly proliferate.
Traditional security tooling wasn't built for any of this. DLP scanners can't catch prompt injection written in plain English. EDR doesn't know what an MCP server is. SASE doesn't see the difference between a sanctioned and an unsanctioned Claude session. And native audit logs cover some Claude surfaces, not all of them.

Akto Atlas for Claude is built specifically for this problem. It doesn't try to bolt a generic DLP onto an AI assistant. Instead, it secures each way an employee actually interacts with Claude, at the surface, in real time, and with a unified policy and audit layer behind it.
Here's how.
1. Continuous Discovery and Asset Inventory

Before anything else, security teams need to know who's using Claude, on which devices, through which surfaces, and with what data. Atlas builds and maintains a live inventory of every Claude touchpoint: browser sessions, Claude Code CLI activity, IDE plugins, Claude Desktop and Cowork agents, locally spun-up MCP servers, and active Skills. Every interaction ties back to a device, browser session, and user identity.
The outcome: shadow Claude usage stops being hidden. Unmanaged devices, unsanctioned MCP servers, and risky Skills surface immediately, not three months into an incident.
2. Real-Time Prompt and Response Inspection

Once visibility is in place, the next risk is data leaving in a prompt or coming back in a response. Atlas inspects every prompt, file upload, response, and tool call at the endpoint before it reaches Claude. PII, PHI, financial data, source code, API keys, and credentials are detected and blocked or redacted inline.
Critically, this works on AI-native threats traditional scanners miss: prompt injection embedded in document content, jailbreak attempts disguised as benign queries, and instructions hidden inside Skills or context. A regex-based DLP won't catch a paragraph of plain English telling an agent to exfiltrate environment variables. Atlas will.
3. Agentic Activity Monitoring for Claude Code and Cowork

This is the surface most enterprises underestimate. Claude Code and Cowork hold the highest privilege of any Claude surface: file system access, local task execution, repository operations, and CI/CD pipeline integrations.
Akto provides both runtime visibility and runtime protection on these surfaces. It monitors Claude Code sessions and Cowork activity at the session level - file interactions, tool invocations, repository access, and secrets in CLI prompts caught before they ever reach Claude. Every tool invocation becomes auditable and attributable to a user. Inline guardrails defend against prompt injection, jailbreaks, sensitive information disclosure, insecure output handling, and the broader OWASP Top 10 for Agentic AI, applied at runtime, on the endpoint, before unsafe behavior reaches the model or the developer's machine.
4. Project and Connector Data Governance

Claude Projects accumulate sensitive material fast. Engineering specs go in. Customer data flows in through Slack and Drive connectors. Pull requests, deal terms, and financial models stack up in spaces that were designed for collaboration, not enterprise governance.
Atlas turns every Project into a managed asset. Security teams see who has access, what documents are uploaded, which connectors are active, and what data those connectors are actually pulling from third-party tools like Slack, Google Drive, GitHub, Salesforce, and other MCP-connected systems. Granular access policies - beyond native RBAC - control which users or groups can access specific Projects, upload files, or invoke connectors.
5. Runtime Controls for Skills and MCP Connectors

Skills run as trusted system prompts inside Claude. That makes them powerful and dangerous. Industry audits have found that more than a third of agent skills contain at least one security flaw, and malicious skill campaigns have already seeded hundreds of poisoned skills into circulation. A compromised Skill can quietly instruct Claude to exfiltrate secrets or bypass guardrails.
Atlas runs SkillGuard at the endpoint to block malicious Skill instructions at runtime. For MCP, Atlas's Endpoint Shield wraps every connector with a security proxy, enforces connector allowlists, and inspects connector traffic in real time. Unsanctioned MCP servers get flagged. Unsafe tool calls get gated before they execute.
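As an added example (not Akto's or Anthropic's code), here is the shape of the policy check a connector proxy applies to an MCP JSON-RPC `tools/call` request: the connector and tool allowlist from this section combined with the credential scan described under prompt inspection. The server names, tool names, secret patterns and sample requests are all constructed for illustration.

```python
import json
import re

# Constructed allowlist: sanctioned MCP servers and the tools each may expose.
ALLOWED_SERVERS = {
    "github": {"list_pull_requests", "create_pull_request"},
    "google-drive": {"search_files", "read_file"},
}

# Illustrative credential patterns scanned inside tool-call arguments.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def gate_tool_call(server, message):
    """Return an allow/deny decision for one parsed MCP JSON-RPC message.

    Only `tools/call` is gated; other methods pass (a real proxy logs them).
    """
    if message.get("method") != "tools/call":
        return {"allow": True, "reason": "not a tool call"}
    if server not in ALLOWED_SERVERS:
        # Unsanctioned server: flag the session and refuse to execute anything.
        return {"allow": False, "reason": f"unsanctioned MCP server: {server}"}
    params = message.get("params", {})
    tool = params.get("name")
    if tool not in ALLOWED_SERVERS[server]:
        return {"allow": False, "reason": f"tool not allowlisted: {server}/{tool}"}
    # Scan the serialized arguments so nested values are covered too.
    blob = json.dumps(params.get("arguments", {}))
    hits = sorted(name for name, pat in SECRET_PATTERNS.items() if pat.search(blob))
    if hits:
        return {"allow": False, "reason": "secret in arguments: " + ", ".join(hits)}
    return {"allow": True, "reason": "ok"}


if __name__ == "__main__":
    # Constructed request: a Claude Code session listing pull requests.
    req = {"jsonrpc": "2.0", "id": 7, "method": "tools/call",
           "params": {"name": "list_pull_requests", "arguments": {"repo": "acme/app"}}}
    print(gate_tool_call("github", req))
    # Constructed request carrying an AWS access key in a Drive search query.
    leaky = {"jsonrpc": "2.0", "id": 8, "method": "tools/call",
             "params": {"name": "search_files",
                        "arguments": {"query": "key AKIAIOSFODNN7EXAMPLE"}}}
    print(gate_tool_call("google-drive", leaky))
```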
6. Continuous Compliance and Audit Reporting

AI is now inside the regulatory perimeter. The EU AI Act is in phased rollout. NIST's AI Risk Management Framework defines the control surface that enterprise auditors map to. SOC 2, HIPAA, GDPR, and ISO 27001 - none of these obligations soften because the data is passed through an LLM.
Atlas maps every Claude policy violation to the controls those frameworks expect and produces audit-ready reports across EU AI Act, NIST AI RMF, MITRE ATLAS, SOC 2, ISO 27001, HIPAA, GDPR, and more. When a DSAR or legal hold lands,
Unified Platform, Flexible Deployment
The six protections above are not six products. They are one platform, delivered through four deployment paths that can be combined as the enterprise's Claude footprint matures.
Anthropic Compliance API Connector. An agentless integration that pulls activity data directly from Anthropic's Compliance API - chat activity, user and organization management, MCP server events, and Skills activity. Deploys in minutes with no endpoint installation, and applies asynchronous guardrails to flag policy violations across all discovered Claude.ai usage.
Browser Extension. A lightweight Chrome extension that delivers rapid, organization-wide coverage of web-based Claude usage. Monitors web activity, file uploads, and API interactions inline, with no measurable impact on the user experience.
Endpoint Shield + Hooks. The deeper enforcement layer for desktop applications and IDE-based MCP connections, paired with native hook integration. Wraps MCP servers with Akto's security proxy and validates prompts, responses, and tool calls at runtime.
Enterprise EDR / SASE + Hooks. Deployment at scale through existing SASE and EDR platforms - Microsoft Defender for Endpoint, SentinelOne, and others - combined with native hooks for prompt, response, MCP, and tool call validation at the source. Centralized policy management and unified reporting through the Akto Atlas dashboard.

