PromptArmor

Implement Claude Cowork Securely

Enterprise security guide for Claude Cowork: threat model, tiered admin configurations, prompt injection risks, and a setting-by-setting breakdown for both Cowork and Chat.

Below, we walk through the threat model in depth, break out our recommended tiers of functionality and corresponding configurations you can set to mitigate risks for each tier, and then walk through every configuration you can set for Claude Cowork and what that might mean for your business.

Published: January 15, 2026; Last Updated: June 12, 2026


The Threat Model

Claude Cowork Threat Model

For Claude Cowork, the range of threats is greater because of the amount of untrusted input it ingests and the amount of confidential data it can access. It can also take a range of actions on your system, which increases the downstream risk of your system being manipulated.

For example, an untrusted plugin downloaded from the internet could manipulate Claude into following an attacker’s instructions. You can see an example from Claude Code here that demonstrates how that could lead to data exfiltration: Hijacking Claude Code via Injected Marketplace Plugins

Because Claude has access to local file systems, it can also exfiltrate files that you have. Here is an example of Claude Cowork being manipulated by external data into exfiltrating confidential data: Claude Cowork exfiltrates files

This could also lead to phishing. For example, an untrusted piece of content could convince a user to submit their credentials: a form of social engineering in which the attacker manipulates the LLM into crafting contextually relevant requests that persuade the user to share their credentials. Example here with Slack: Data Exfiltration from Slack via Indirect Prompt Injection

Ultimately, the best way to “secure” Claude Cowork against novel indirect prompt injection vulnerabilities spans four layers:

  • Layer 1 (Restrict data sources): implementing binary restrictions on the types of external data sources that Claude can access (e.g., disallowing Slack access)
  • Layer 2 (Govern approved data sources): configuring restrictions on that data (e.g., permitting only organizational admins to add skills)
  • Layer 3 (Restrict actions on output): configuring restrictions on the types of actions that Claude can take based on output (e.g., restricting the sites Claude in Chrome can click on)
  • Layer 4 (Restrict output surfaces): restrictions on the externally connected output surfaces (e.g., preventing automated link previews in Slack)

However, Claude’s settings do not all operate in isolation. For example, to use Plugins, Skills must be enabled; and to enable Skills, an organization must enable Cloud Code Execution and File Creation. This is counterintuitive, as Plugins apply to Cowork while the Cloud Code Execution setting is labeled as applicable only to Claude 'Chat'. Below, we walk through different ways you can set up Claude Cowork, each with different tradeoffs between functionality and risk, accounting for which combinations are actually feasible given which settings can be on (or off) at the same time.
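To make that dependency rule concrete, here is an added Python example (not PromptArmor's or Anthropic's code) that checks an admin configuration against the Tier 2 and Tier 3 required-settings lists below and flags enabled settings whose prerequisites are off. Setting ids are shortened forms of the admin-console paths in this guide, and the dependency rules and tier presets are transcribed from the guide's text, not from any Anthropic API.

```python
"""Dependency-aware check of a Claude Cowork admin configuration against a tier.

Added example, not code from PromptArmor or Anthropic. Setting ids are
shortened forms of the admin-console paths in this guide; DEPENDENCIES and
TIER_PRESETS are transcribed from the guide's text, not from any Anthropic API.
"""

# A setting is only effective when every setting it depends on is enabled:
# Skills need Cloud Code Execution and File Creation, and Plugins (as well as
# user-created skills and skill sharing) need Skills.
DEPENDENCIES = {
    "skills": ("cloud_code_execution",),
    "plugins": ("skills",),
    "user_created_skills": ("skills",),
    "skill_sharing": ("skills",),
}

# Expected state of each admin-governable switch per tier (True = enabled).
# "Configure" items on the page (org skill list, plugin policy, allowlists)
# are represented by the switch that makes them relevant.
TIER_PRESETS = {
    2: {
        "cloud_code_execution": True,
        "skills": True,
        "user_created_skills": False,
        "skill_sharing": True,
        "plugins": True,
        "network_egress": True,
        "claude_in_chrome": True,
        "desktop_extension_allowlist": True,
        "act_without_asking": False,
        "always_allow_connector_tools": False,
        "public_projects": False,
        "ask_organization": True,
        "work_across_apps": False,
        "dispatch": False,
        "claude_design": True,
        "claude_in_slack": False,
    },
    3: {
        "cloud_code_execution": False,
        "skills": False,
        "user_created_skills": False,
        "skill_sharing": False,
        "plugins": False,
        "network_egress": False,
        "claude_in_chrome": False,
        "desktop_extension_allowlist": True,
        "act_without_asking": False,
        "always_allow_connector_tools": False,
        "public_projects": False,
        "ask_organization": False,
        "work_across_apps": False,
        "dispatch": False,
        "claude_design": False,
        "claude_in_slack": False,
        "otel_monitoring": True,
    },
}


def dependency_violations(config):
    """Return (setting, missing_prerequisite) pairs for every enabled setting
    whose prerequisite is off or absent, e.g. Plugins on while Skills is off."""
    violations = []
    for setting, prerequisites in DEPENDENCIES.items():
        if not config.get(setting, False):
            continue
        for dep in prerequisites:
            if not config.get(dep, False):
                violations.append((setting, dep))
    return violations


def tier_drift(config, tier):
    """Return {setting: (expected, actual)} for each setting that deviates from
    the tier preset; a setting missing from config counts as drift (actual=None)."""
    preset = TIER_PRESETS[tier]
    return {s: (exp, config.get(s)) for s, exp in preset.items()
            if config.get(s) is not exp}


def assess(config, tier):
    """Combine drift and dependency checks into one verdict for a target tier."""
    drift = tier_drift(config, tier)
    violations = dependency_violations(config)
    return {"tier": tier, "drift": drift, "dependency_violations": violations,
            "compliant": not drift and not violations}


# Constructed sample: an admin targeting Tier 2 who left Cloud Code Execution
# off because its label says it applies to Chat, but turned Skills and Plugins on.
SAMPLE_CONFIG = dict(TIER_PRESETS[2], cloud_code_execution=False)

if __name__ == "__main__":
    result = assess(SAMPLE_CONFIG, 2)
    for setting, (expected, actual) in result["drift"].items():
        print(f"drift: {setting} expected={expected} actual={actual}")
    for setting, dep in result["dependency_violations"]:
        print(f"dependency: {setting} is enabled but requires {dep}")
    print("compliant:", result["compliant"])
```

Running the sample reports one drift (Cloud Code Execution off) and one dependency violation (Skills enabled without its prerequisite), which is exactly the non-operable state the guide warns about.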

Configurations vs Functionality

Below are our recommended Tiers of Claude Cowork usage depending on your organization’s risk tolerance. Maximizing functionality requires risk tradeoffs depending on the threat model.

Tier 1 maximizes functionality for rapid adoption

Tier 2 enables functionality where organizational controls are available

Tier 3 optimizes functionality with consideration for a low-risk deployment requirement

Functionality                        | Tier 1  | Tier 2  | Tier 3
Work in a Local Folder               | Yes     | Yes     | Yes
Skills                               | Yes     | limited | No
Plugins                              | Yes     | limited | No
Agentic Browsing (Claude in Chrome)  | Yes     | limited | limited
Web Search                           | Yes     | Yes     | Yes
Sandbox Network Access               | Yes     | limited | No
Desktop Extensions                   | limited | limited | No
Connectors                           | limited | limited | No
Interactive File Creation            | Yes     | Yes     | Yes
Work with Projects                   | Yes     | No      | No
Work with Ask Organization           | Yes     | Yes     | No
Work across Excel and PPT            | Yes     | No      | No
Claude Design                        | Yes     | Yes     | No
Claude in Slack                      | Yes     | No      | No
Dispatch Agents                      | Yes     | No      | No

Tier 1: Maximized functionality

In Tier 1, you get access to all of Claude Cowork’s functionality. However, this greatly increases the risk surface. Injections can come from Skills and Plugins that users upload, from local folders that contain untrusted data, web search, connectors, and desktop extensions. Additionally, Claude can work across apps via Claude for PowerPoint and Claude for Excel which can be orchestrated from Cowork. Furthermore, extended functionalities such as Claude in Slack and Claude for Design are scoped in.

There are some useful settings you should turn on regardless, even if you want to maximize functionality. While these settings do not substantially reduce your exposure to indirect prompt injection in Cowork, they let you keep full functionality while avoiding some risks and enabling telemetry for observability.

Note: Connectors and desktop extensions are still ‘restricted’ in this tier, as they must be individually added by an organization.

NIST AI RMF Coverage with Tier 1 Configuration
Not sure what these categories are? See our NIST AI RMF Reference
Govern: 1, 2
Map: 1, 2
Measure: (none)
Manage: 1

Required Settings for Tier 1

Settings for Cowork (and universal settings)

Disable: Organization > Data and Privacy > Privacy Settings > Rate Chats
Allow people to rate Claude's responses and share that feedback with Anthropic. Disabling this feature limits the sharing of potentially sensitive data with Anthropic. This does not affect functionality.

Enable: Organization > Cowork > Monitoring
Cowork supports OpenTelemetry (OTel) events for monitoring and observability. You can enable this for granular observability without impacting any functionality.

Settings for Claude Chat Only

Disable: Organization > Privacy Settings > Location Metadata
Allow Claude to use coarse location metadata (city/region) to improve product experiences for your team members.

Tier 2: Balancing functionality with risks

In tier two, functionality tradeoffs are balanced against risks, restricting control over connected resources to the organization-level where possible and limiting access to sensitive org-specific data (e.g., connection to Excel and PowerPoint). Claude can perform meaningful automation and file work using org-controlled tools and integrations. Prompt injection risk is managed by restricting untrusted data sources (user skills, plugins, unvetted domains) while keeping the org's approved toolset functional.

What's enabled:

  • Organization-vetted skills — org-approved skills can be used; users cannot upload their own
  • Skill sharing — allowed within one's organization
  • Organization-configured plugins — org-designated plugins auto-installed; users cannot add their own
  • Network egress (package managers only) — Claude can install packages for data analysis; additional approved domains can be allowlisted
  • Claude in Chrome — browser automation enabled for most sites, with an org-managed blocklist for sensitive sites
  • Desktop extensions — org-uploaded extensions available; allowlist controls what users can install
  • Connectors — org-configured connectors available to team members
  • Always allow mode for connectors — prohibited, encouraging human in the loop approval
  • Skip all approvals mode — prohibited, encouraging human in the loop approval
  • Public Projects — access to public projects prohibited, limiting injection risks
  • Ask Organization — allows access to trusted org-specific data
  • M365 Integrations — orchestrating Claude for PowerPoint and Excel prohibited, limiting processing of data with varied trust levels
  • Claude in Design — allows the Claude for Design tool; use with external code assets is discouraged.
  • Claude in Slack — disallowed, limiting ingest of varied trust level data sources
  • Dispatch agents — disabled, preventing autonomous agents from interacting with one's computer without substantial oversight
NIST AI RMF Coverage with Tier 2 Configuration
Govern: 1, 2, 3, 4, 6
Map: 1, 2, 3, 4
Measure: 2
Manage: 1, 2, 3, 4

Required Settings for Tier 2

Settings for Cowork (and universal settings)

Enable: Organization > Libraries > Skills > Cloud Code Execution and File Creation
Allow Claude to execute code on a server and create and edit docs, spreadsheets, presentations, PDFs, and data reports. Required for skills to be enabled. Available on web and desktop. Cowork can perform most of these file creation capabilities locally, without cloud access. However, enabling this setting is a prerequisite to allowing the use of Skills and Plugins. Note: This path reflects the setting when viewed from the desktop app. In the web browser, it is displayed as 'Code Execution and File Creation' (no 'Cloud').

Enable: Organization > Libraries > Skills > Skills
Turn skills on or off for everyone in your organization, including admin-managed organization skills. Requires 'Code execution and file creation' to be enabled. Skills might contain executable code. Team members should be careful when using skills from unknown sources.

Disable: Library > Skills > User-created skills
Allow team members to upload or create their own skills. Turn off to lock your org to approved skills only.

Enable: Library > Skills > Skill sharing
Allow team members to share skills with each other.

Enable: Library > Skills > Share with organization
Allow team members to share skills with the entire organization.

Configure: Organization > Libraries > Skills > Organization Skills
Manage skills that can be viewed and used by anyone in your organization. Select skills that have been vetted by your organization and add them to the organization-wide skill list.

Configure: Organization > Libraries > Plugins
Allows organizations to designate plugins that will be blocked, automatically installed, or made optionally available to organization members. Here, organizations should select plugins to set as ‘installed by default’ for users. Note: during testing, when organization-level plugins were installed by default for users, it was observed that the org-level plugins were installed but did not appear operable without Skills enabled. Related: Claude for Legal Risk

Disable: Organization > Office Agents > Let Claude Work Across Apps
Members can let Claude share context between apps like Excel and PowerPoint. Related: AI in Excel and Google Sheets: Prompt Injection and Data Exfiltration Risks

Disable: Organization > Cowork > Cowork > Enable Dispatch
Allow members to create persistent Cowork agents that can control their computer to autonomously work on tasks. Persistent agents receive instructions from any logged-in device on the same account and can access files, apps and websites on their computer. Dispatch agents are prohibited, preventing autonomous agents with computer-use capabilities from operating a user's device without oversight (which carries significant risk, as a prompt injection can manipulate Claude to interact with a user's apps, including taking screenshots or activating the user's keyboard).

Enable: Organization > Capabilities > Code Execution > Allow Network Egress
Give Claude network access to install packages and libraries in order to perform advanced data analysis, custom visualizations, and specialized file processing. Monitor chats closely as this comes with security risks.

Then configure: Organization > Capabilities > Code Execution > Allow Network Egress > Domain Allowlist > Package Managers Only
Additionally, add any approved domains the Cowork sandbox will need to access (e.g., to preview interactive content with external elements) to the ‘Additional allowed domains’ section. Related: What domains should I add to my allowlist?

Enable: Organization > Claude in Chrome > Enable for your Team
Allow team members to use the Claude in Chrome extension. Configure site permissions after enabling. This enables the Claude in Chrome connector, which allows Claude to navigate and operate the user’s Chrome browser.

Set ‘Allow extension’: Organization > Claude in Chrome > Default for all sites > Allow/Deny Extension
This configures Claude in Chrome so that sites are allowed by default unless they are explicitly added to the ‘Blocked sites’ list.

Configure: Organization > Claude in Chrome > Blocked Sites
Claude in Chrome cannot be used on these websites. Add sensitive sites to the Blocked Sites list. It is recommended to block sites on which the user operates with a high level of privilege and sites that are likely to process highly sensitive data (e.g., password managers, billing pages for apps used in the organization, etc.). Note: during testing, the blocklist did not appear to restrict access.

Enable: Organization > Libraries > Connectors > Desktop Extension Allowlist
Limit the extensions that your team can install on their desktop. When enabled, users can only install desktop extensions that have been added to the list above. Via this allowlist, organizations should configure which desktop extensions they would like to allow. Note: ‘desktop extensions (DXT)’ are being renamed to MCP Bundles (MCPB). Related: The Risks of Connectors in Your AI Applications

Configure: Organization > Libraries > Connectors > Add
Control which connectors your team members have access to. Use this menu to add connectors for use within your organization. Related: The Risks of Connectors in Your AI Applications

Disable: Organization > Cowork > Permissions > Allow "Act without asking" mode
When enabled, users can let Claude act without asking for approval, including using tools, editing files, and browsing websites. This can put organizational data at risk. Disable this setting: when 'always allow' is available, prompt injections can manipulate Claude to take sensitive actions on websites or perform destructive operations on local files in the connected Cowork folder without user consent.

Disable: Organization > Cowork > Permissions > Allow “Always allow” for connector tools
Let members choose "Always allow" when approving connector tools in Cowork. This increases risk from prompt injection, since content from connected apps could cause Claude to take unintended actions without per-use approval. Disable this setting: when 'always allow' is available, prompt injections can manipulate Cowork to take actions via connectors without any opportunity for user approval.

Disable: Organization > Privacy Settings > Public Projects
All users in an organization can see and start chats in public projects. Disabling this prevents users from creating chats with Cowork that leverage data from public projects.

Enable: Organization > Capabilities > Data Sources > Ask Organization
Allow your team members to search across your organization's connected data sources and knowledge bases for more comprehensive results. This allows users to open Cowork chats based on trusted data from the Ask Organization interface. Note: in the real UI, this setting uses your organization name, e.g., “Ask PromptArmor”.

Settings for Claude Chat Only

Disable: Organization > Privacy Settings > Location Metadata
The risk of Claude holding user-level location metadata does not outweigh the benefits of localization; turning it off lets users decide when they want to share location data (e.g., in the chat) rather than sharing it by default.

Disable: Organization > Privacy Settings > Share chats
Sharing chats increases the risk of data exposure between users of different privileges (although sharing is restricted to within the same organization).

Disable: Organization > Privacy Settings > Share Chats That Use Connectors
Disallows people from sharing chats that use connectors with others in your org. Recipients will see Claude's response, but not the data from the connector. Sharing chats increases the risk of data exposure outside of your tenant.

Enable: Organization > Capabilities > Claude Design
Allow team members to access Claude Design.

Disable: Organization > Claude in Slack > Allow Claude in Slack
Let members of your organization connect Claude to your Slack workspace and use the Claude bot.

Tier 3: Locked Down

Tier 3 prioritizes security above all else, disabling most dynamic or external-facing capabilities. Claude operates as a mostly self-contained assistant with no access to external data, executable code, or connected services. Prompt injection surface is minimal.

What's disabled:

  • Code execution and file creation (cloud) — no server-side code execution and file creation
  • Network egress — no package installs or external domain access from the sandbox
  • Skills — all skills blocked, including user-uploaded skills, and skill sharing is prohibited
  • Plugins — user-uploaded plugins blocked
  • Connectors and desktop extensions — no external service integrations
  • Always allow mode for connectors — prohibited, encouraging human in the loop approval
  • Skip all approvals mode — prohibited, encouraging human in the loop approval
  • Claude in Chrome — no browser automation
  • Ask Organization — users cannot access or start chats based on data from ‘Ask Organization’
  • Public Projects — users cannot access or start chats in shared projects
  • M365 Integration — users cannot orchestrate Claude in Excel or PowerPoint from Cowork
  • Claude in Design — disallowed, reducing the risk of injections or malicious code in externally sourced assets
  • Claude in Slack — disallowed, limiting ingest of varied trust level data sources
  • Dispatch agents — disabled, preventing autonomous agents from interacting with one's computer without substantial oversight

What's enabled:

  • OTel monitoring — full observability with no functionality impact
  • Local Cowork operations — remain available (file access and chat attachments are user-level controls, not disabled by default)
NIST AI RMF Coverage with Tier 3 Configuration
Govern: 1, 2, 3, 4, 5, 6
Map: 1, 2, 3, 4, 5
Measure: 1, 2, 3
Manage: 1, 2, 3, 4

Required Settings for Tier 3

Settings for Cowork (and universal settings)

Disable: Organization > Privacy Settings > Rate Chats
Leaving this enabled adds no functionality but increases the risk that some metadata or response feedback may be used by Anthropic to train their model.

Disable: Organization > Privacy Settings > Public Projects
All users in an organization can see and start chats in public projects. Disabling this prevents users from creating chats with Cowork that leverage data from public projects.

Disable: Organization > Capabilities > Data Sources > Ask Organization
This turns off the ability for your team members to search across your organization's connected data sources and knowledge bases for more comprehensive results. Those connected data sources increase the risk of indirect prompt injections.

Disable: Organization > Office Agents > Let Claude Work Across Apps
Members can let Claude share context between apps like Excel and PowerPoint. Related: AI in Excel and Google Sheets: Prompt Injection and Data Exfiltration Risks

Disable: Organization > Capabilities > Code Execution > Cloud Code Execution and File Creation
This setting allows Claude to execute code on a server and create and edit docs, spreadsheets, presentations, PDFs, and data reports. Required for skills to be enabled. Available on web and desktop. The setting is relevant because it must be toggled ‘on’ to enable skill uploads for Cowork.

Disable: Organization > Capabilities > Code Execution > Allow Network Egress
Give Claude network access to install packages and libraries in order to perform advanced data analysis, custom visualizations, and specialized file processing. Monitor chats closely as this comes with security risks. Alternatively, if specific domains must be accessible from the Cowork sandbox, configure:

Enable: Organization > Capabilities > Code Execution > Allow Network Egress
Then configure: Organization > Capabilities > Code Execution > Allow Network Egress > Domain Allowlist > None
Additionally, add any approved domains the Cowork sandbox will need to access (e.g., to preview interactive content with external elements) to the ‘Additional allowed domains’ section. Related: What domains should I add to my allowlist?

Enable: Organization > Cowork > Monitoring
Cowork supports OpenTelemetry (OTel) events for monitoring and observability. You can enable this for granular observability without impacting any functionality.

Configure: Organization > Libraries > Plugins
This allows you to block plugins for organization members. Note: during testing, when organization-level plugins were installed by default for users, it was observed that the org-level plugins were installed but did not appear operable without Skills enabled. Related: Claude for Legal Risk

Disable: Organization > Cowork > Permissions > Allow "Act without asking" mode
When enabled, users can let Claude act without asking for approval, including using tools, editing files, and browsing websites. This can put organizational data at risk. Disable this setting: when 'always allow' is available, prompt injections can manipulate Claude to take sensitive actions on websites or perform destructive operations on local files in the connected Cowork folder without user consent.

Enable: Organization > Libraries > Connectors > Desktop Extension Allowlist
Limit the extensions that your team can install on their desktop. When enabled, users can only install desktop extensions that have been added to the list above. Via this allowlist, organizations should configure which desktop extensions they would like to allow. Note: ‘desktop extensions (DXT)’ are being renamed to MCP Bundles (MCPB). Related: The Risks of Connectors in Your AI Applications

Configure: Organization > Libraries > Connectors > Add
Control which connectors your team members have access to. Use this menu to add connectors for use within your organization (if necessary). Related: The Risks of Connectors in Your AI Applications

Disable: Organization > Cowork > Permissions > Allow “Always allow” for connector tools
Let members choose "Always allow" when approving connector tools in Cowork. This increases risk from prompt injection, since content from connected apps could cause Claude to take unintended actions without per-use approval. Disable this setting: when 'always allow' is available, prompt injections can manipulate Cowork to take actions via connectors without any opportunity for user approval.

Disable: Organization > Cowork > Cowork > Enable Dispatch
Allow members to create persistent Cowork agents that can control their computer to autonomously work on tasks. Persistent agents receive instructions from any logged-in device on the same account and can access files, apps and websites on their computer. Dispatch agents are prohibited, preventing autonomous agents with computer-use capabilities from operating a user's device without oversight (which carries significant risk, as a prompt injection can manipulate Claude to interact with a user's apps, including taking screenshots or activating the user's keyboard).

Disable: Organization > Libraries > Skills > Cloud Code Execution and File Creation
This allows Claude to execute code on a server and create and edit docs, spreadsheets, presentations, PDFs, and data reports. Required for skills to be enabled. Available on web and desktop. The setting is relevant because it must be toggled ‘on’ to enable skill uploads for Cowork. Note: This path reflects the setting when viewed from the desktop app. In the web browser, it is displayed as 'Code Execution and File Creation' (no 'Cloud').

Disable: Organization > Libraries > Skills > Skills
Turn skills on or off for everyone in your organization, including admin-managed organization skills. Requires 'Code execution and file creation' to be enabled. Skills might contain executable code. Team members should be careful when using skills from unknown sources.

Disable: Library > Skills > User-created skills
Allow team members to upload or create their own skills. Turn off to lock your org to approved skills only.

Disable: Library > Skills > Skill sharing
Allow team members to share skills with each other.

Disable: Library > Skills > Share with organization
Allow team members to share skills with the entire organization.

Configure: Organization > Libraries > Skills > Organization Skills
Manage skills that can be viewed and used by anyone in your organization. Select skills that have been vetted by your organization and add them to the organization-wide skill list.

Disable [USER LEVEL SETTING]: Cowork > New Chat > Work in a folder
Disallow users in Cowork from accessing and operating on the contents of a local directory.

Configure [USER LEVEL SETTING]: Cowork > New Chat > Plus Button
Disallow users in Cowork from adding files and photos, including a Project, or selecting Connectors for the chat.

Disable: Organization > Claude in Chrome > Enable for your Team
Disallow team members from using the Claude in Chrome extension.

Set ‘Deny extension’: Organization > Claude in Chrome > Default for all sites > Allow/Deny Extension
Set deny to disallow Claude in Chrome for all sites.

Settings for Claude Chat Only

Disable: Organization > Privacy Settings > Location Metadata
The risk of Claude holding user-level location metadata does not outweigh the benefits of localization; turning it off lets users decide when they want to share location data (e.g., in the chat) rather than sharing it by default.

Disable: Organization > Privacy Settings > Share chats
Sharing chats increases the risk of data exposure between users of different privileges (although sharing is restricted to within the same organization).

Disable: Organization > Privacy Settings > Share Chats That Use Connectors
Disallows people from sharing chats that use connectors with others in your org. Recipients will see Claude's response, but not the data from the connector. Sharing chats increases the risk of data exposure outside of your tenant.

Disable: Organization > Capabilities > Data Sources > Web Search
This turns off web search for users in Claude Chat (note that this does NOT apply to Cowork; Web Search is always enabled for Cowork).

Disable: Organization > Capabilities > Data Sources > Interactive Content
Let Claude display maps, images, and other visual content using third-party services. This does not apply to Cowork.

Disable: Organization > Capabilities > Artifacts > Enable Artifact Connectors
EDIT 4/12/2026: This setting has been removed from Claude. Artifacts are no longer governable at the admin level. This turns off the ability for team members to work with artifacts that use data from external sources, as those external sources increase risk exposure to indirect prompt injections.

Disable: Organization > Capabilities > Memory > Enable memory for your team
Each team member's Claude can remember context from their own past chats. Memory stays private to each person.

Disable: Organization > Capabilities > Claude Design
Allow team members to access Claude Design.

Disable: Organization > Claude in Slack > Allow Claude in Slack
Let members of your organization connect Claude to your Slack workspace and use the Claude bot.

Additional Controls and NIST Mappings

Beyond the Cowork-specific configurations above, the following infrastructure controls determine whether your tier configuration is actually enforceable. Without identity, access, monitoring, and data governance controls in place, even a Tier 3 lockdown can be circumvented; for example, by users switching to personal accounts.

These action items should be implemented regardless of which tier is selected, then combined with the tier-specific Cowork configurations.

NIST AI RMF Coverage Gained from Additional Controls Applied

Each action below lists its configuration and its NIST AI RMF mapping.

Configure SSO and require it for Console and Claude
Enforces the organizational authentication boundary. Without SSO, users can authenticate outside org controls, undermining every tier configuration.
Configure: Organization > Organization and Access > SSO
Enable: Organization > Organization and Access > Require SSO for Console
Enable: Organization > Organization and Access > Require SSO for Claude
NIST mapping: AI RMF · GOVERN 1 · MEASURE 2

Configure SCIM directory sync and enable group mappings
Automates account lifecycle and role assignment from your IdP. Ensures deprovisioned employees lose Cowork access immediately.
Configure: Organization > Organization and Access > SCIM (Directory Sync)
Configure: Organization > Organization and Access > Provisioning Mode > SCIM + Group Mapping
Enable: Organization > Organization and Access > Enable Group Mappings
NIST mapping: AI RMF · GOVERN 2 · GOVERN 3

Configure IP allowlisting
Prevents access from untrusted networks or unmanaged devices.
Configure: Contact Sales
NIST mapping: AI RMF · MEASURE 2

Restrict organization access and creation
Prevents shadow AI organizations under your domain, blocks personal account creation with org emails, and removes open invite paths that could allow unvetted users into the org.
Enable: Organization > Organization and Access > Security > Restrict Organization Creation
Disable: Organization > Organization and Access > Domains > Discoverable
Disable: Organization > Organization and Access > Organization Access > Invite Link
Disable: Organization > Organization and Access > Organization Access > Member Invite
NIST mapping: AI RMF · GOVERN 1

Enable shortened session length
Limits session duration before reauthentication, reducing the exposure window if a session is compromised.
Enable: Organization > Organization and Access > Security > Shortened Session Length
NIST mapping: AI RMF · MEASURE 2

Configure RBAC with role-based feature access
Differentiate Code Execution, Memory, Web Search, Claude Code, and Cowork permissions by user group.
Configure: Organization > Custom Role > Create a Role > Code Execution & File Creation
Configure: Organization > Custom Role > Create a Role > Memory
Configure: Organization > Custom Role > Create a Role > Web Search
Configure: Organization > Custom Role > Create a Role > Claude Code
Configure: Organization > Custom Role > Create a Role > Cowork
NIST mapping: AI RMF · GOVERN 3 · MAP 3

Enable the Compliance API
Streams compliance data from Claude Chat for visibility. Cowork activity is currently excluded, but this is critical for holistic monitoring of your Claude deployment.
Enable: Organization > Data and Privacy > Compliance API > Access
NIST mapping: AI RMF · MEASURE 2 · MEASURE 3

Configure data retention and deletion policies
Define how long chats and uploads are retained. Enable separate retention periods for chats vs. projects to apply stricter retention to project data that may contain more sensitive or persistent context.
Configure: Organization > Data and Privacy > Privacy Settings > Retention Period for Chats and Projects
Enable: Organization > Data and Privacy > Privacy Settings > Separate Retention Periods
NIST mapping: AI RMF · MANAGE 4 · GOVERN 6

Disable chat sharing
Disabling chat sharing prevents exposure of AI interaction data between users of different privilege levels. Disabling sharing of chats that use connectors is especially important, as those chats may surface data from connected systems that the recipient should not have access to.
Disable: Organization > Privacy Settings > Share Chats
Disable: Organization > Privacy Settings > Share Chats That Use Connectors
NIST mapping: AI RMF · MEASURE 2

Develop a phased rollout plan
Start with Cowork disabled, enable it for a pilot group with restrictive settings, establish monitoring baselines, then expand based on observed risk.
Configuration: N/A
NIST mapping: AI RMF · GOVERN 1 · MANAGE 1

Conduct AI risk management training for Cowork users
Include prompt injection recognition, suspicious action identification, and safe file handling.
Configuration: N/A
NIST mapping: AI RMF · GOVERN 2

Establish an AI/Cowork-specific incident response plan
Define escalation paths, containment procedures (e.g., disabling Cowork org-wide), and communication protocols for prompt injection incidents or data exfiltration.
Configuration: N/A
NIST mapping: AI RMF · MANAGE 2 · MANAGE 4

Document accepted residual risks and define exit criteria
For each tier, document what risks remain unmitigated (e.g., audit log gap, prompt injection surface) and the conditions under which Cowork would be disabled.
N/A
AI RMF · MANAGE 1 · GOVERN 1
Helpful Resources
- NIST AI RMF 1.0
- NIST AI RMF Playbook
- OWASP Top 10 for LLM Applications
- MITRE ATLAS
- Regulating AI Agents

All configurations, granularly

Organization > Privacy Settings > Rate Chats
Allow people to rate Claude's responses and share that feedback with Anthropic.
Cowork · Yes
Organization > Privacy Settings > Share Chats
Allow people to share chats with others in your org.
Cowork · No. There is no option to share Cowork chats.
Organization > Privacy Settings > Share Chats That Use Connectors
Allow people to share chats that use connectors with others in your org. Recipients will see Claude's response, but not the data from the connector.
Cowork · No. There is no option to share Cowork chats.
Organization > Privacy Settings > Location Metadata
Allow Claude to use coarse location metadata (city/region) to improve product experiences for your team members.
Cowork · No. Testing indicates metadata is not passed to Cowork as context.
Organization > Privacy Settings > Public Projects
All users in an organization can see and start chats in public projects.
Cowork · Yes. Users can start a Cowork session based on projects.
Organization > Capabilities > Data Sources > Web Search
Turn on web search for your team members.
Cowork · No. Web search is always enabled for Cowork.
Organization > Capabilities > Data Sources > Interactive Content
Let Claude display maps, images, and other visual content using third-party services.
Cowork · No. Cowork does not display interactive inline content. Cowork creates files and supports an interactive viewer, which is a separate functionality.
Organization > Capabilities > Data Sources > Ask Organization
Allow your team members to search across your organization's connected data sources and knowledge bases for more comprehensive results.
Cowork · Yes. Users can start a Cowork session based on Ask Organization that carries organizational context into the Cowork session.
Organization > Capabilities > Visuals > Enable Artifact Connectors
Let team members work with artifacts that use data from external sources. EDIT 4/12/2026: This setting has been removed from Claude. Artifacts are no longer governable at the admin level.
Cowork · No. Cowork creates files and supports an interactive viewer, but these are not Artifacts.
Organization > Capabilities > Visuals > Inline Visualizations
Allow Claude to generate interactive visualizations, charts, and diagrams directly in the conversation for members of your organization.
Cowork · No. Cowork creates files and supports an interactive viewer, but these are not 'Inline Visualizations'.
Organization > Capabilities > Claude Design
Allow team members to access Claude Design.
Cowork · No
Organization > Office Agents > Let Claude Work Across Apps
Members can let Claude share context between apps like Excel and PowerPoint. Related: AI in Excel and Google Sheets: Prompt Injection and Data Exfiltration Risks
Cowork · Yes. Users can orchestrate Claude in Excel or PowerPoint via Cowork.
Organization > Capabilities > Code Execution > Cloud Code Execution and File Creation
Allow Claude to execute code on a server and create and edit docs, spreadsheets, presentations, PDFs, and data reports. Required for skills to be enabled. Available on web and desktop. Note: This path reflects the setting when viewed from the desktop app. In the web browser, it is displayed as 'Code Execution and File Creation' (no 'Cloud').
Cowork · Somewhat. Cowork can natively perform most of these capabilities locally, but the setting is relevant because it must be toggled 'on' to enable skill uploads, which are applicable to Cowork.
Organization > Capabilities > Code Execution > Allow Network Egress
Give Claude network access to install packages and libraries in order to perform advanced data analysis, custom visualizations, and specialized file processing. Monitor chats closely, as this comes with security risks.
Cowork · Yes
Organization > Cowork > Enable for your Organization
Your network egress settings will apply. Cowork is a research preview—some enterprise features like audit logs, compliance API, and data exports are not currently available.
Cowork · Yes
Organization > Cowork > Permissions > Allow "Act without asking" mode
When enabled, users can let Claude act without asking for approval—including using tools, editing files, and browsing websites. This can put organizational data at risk.
Cowork · Yes
Organization > Cowork > Permissions > Allow "Always allow" for connector tools
Let members choose "Always allow" when approving connector tools in Cowork. This increases risk from prompt injection — content from connected apps could cause Claude to take unintended actions without per-use approval.
Cowork · Yes
Organization > Cowork > Cowork > Enable Dispatch
Allow members to create persistent Cowork agents that can control their computer to autonomously work on tasks. Persistent agents receive instructions from any logged-in device on the same account and can access files, apps, and websites on their computer.
Cowork · Yes
Organization > Cowork > Monitoring
Cowork supports OpenTelemetry (OTel) events for monitoring and observability. Cowork reuses Claude Code's OTel events schema via the Claude Agent SDK.
Cowork · Yes
Organization > Libraries > Plugins
Allows organizations to designate plugins that will be blocked, automatically installed, or made optionally available to organization members. Note: during testing, when organization-level plugins were installed by default for users, it was observed that the org-level plugins were installed but did not appear operable without Skills enabled. Related: Claude for Legal Risk
Cowork · Yes
Organization > Libraries > Connectors
Control which web and desktop connectors your team members have access to. Related: The Risks of Connectors in Your AI Applications
Cowork · Yes
Organization > Libraries > Connectors > Desktop Extension Allowlist
Limit the desktop extensions that your team can install on their desktop. When enabled, users can only install desktop extensions that have been added to the list above. Related: The Risks of Connectors in Your AI Applications
Cowork · Yes
Organization > Libraries > Skills > Cloud Code Execution and File Creation
Allow Claude to execute code on a server and create and edit docs, spreadsheets, presentations, PDFs, and data reports. Required for skills to be enabled. Available on web and desktop. Note: This path reflects the setting when viewed from the desktop app. In the web browser, it is displayed as 'Code Execution and File Creation' (no 'Cloud').
Cowork · Somewhat. Cowork can natively perform most of these capabilities locally, but the setting is relevant because it must be toggled 'on' to enable skill uploads, which are applicable to Cowork.
Organization > Libraries > Skills > Skills
Turn skills on or off for everyone in your organization, including admin-managed organization skills. Requires 'Code execution and file creation' to be enabled to use. Skills might contain executable code. Team members should be careful when using skills from unknown sources. Note: during testing, it was observed that disabling this setting also prevented users from adding their own plugins.
Cowork · Yes. This setting must be enabled both for skills to be uploaded and for plugins to be used.
Organization > Libraries > Skills > User-created skills
Allow team members to upload or create their own skills. Turn off to lock your org to approved skills only.
Cowork · Yes
Organization > Libraries > Skills > Skill sharing
Allow team members to share skills with each other.
Cowork · Yes
Organization > Libraries > Skills > User-created skills
Allow team members to share skills with the entire organization.
Cowork · Yes
Organization > Libraries > Skills > Organization Skills
Manage skills that can be viewed and used by anyone in your organization.
Cowork · Yes
Cowork > New Chat > Work in a folder
Allows Cowork to access and operate on the contents of a local directory.
Cowork > New Chat > Plus Button
Allows users to add files and photos, include a Project, or select Connectors for the chat.
Cowork > New Chat > Model Selection
Allows users to select which model will be used for Cowork's response.
Organization > Claude in Chrome > Enable for your Team
Allow team members to use the Claude in Chrome extension. Configure site permissions after enabling.
Cowork · Yes
Organization > Claude in Chrome > Default for all sites > Allow/Deny Extension
Set default access for your team. Note: During testing, inconsistent behavior was observed from this setting.
Cowork · Yes
Organization > Claude in Chrome > Allowed Sites/Blocked Sites
Claude in Chrome can or cannot (depending on whether the default is allow or deny) be used on these websites. Note: During testing, inconsistent behavior was observed from this setting.
Cowork · Yes
Organization > Claude in Slack > Allow Claude in Slack
Let members of your organization connect Claude to your Slack workspace and use the Claude bot.
Cowork · No
Organization > Capabilities > Memory > Enable memory for your team
Each team member's Claude can remember context from their own past chats. Memory stays private to each person.
Cowork · No


Claude Cowork Security FAQ

Claude Cowork introduces a fundamentally different threat surface than a standard chatbot. It is a local AI agent that can execute code in a VM, read and write files on the user's machine, browse the web with the user's cookies, and run scheduled tasks unattended. The primary risks are:
- Prompt injection — Anthropic identifies this as the primary risk. Malicious instructions hidden in documents, emails, or web pages can hijack Claude's actions. Anthropic self-reports an approximately 1% attack success rate on Claude in Chrome specifically, even after mitigations. In January 2026, research demonstrated that indirect prompt injection could cause Cowork to upload user files to an attacker-controlled Anthropic account.
- Audit gap — Cowork activity is not captured in Anthropic's Audit Logs, Compliance API, or Data Exports.
- Monitoring limitations — Anthropic's own safety guidance acknowledges that 'you shouldn't expect to validate every individual command' — instead advising users to watch for unexpected patterns.
- Personal account use — On non-Enterprise plans, tenant restrictions are not available, meaning users can switch to a personal Pro/Max account on the same machine outside of organizational controls.
No. Anthropic explicitly states: do not enable Cowork for regulated workloads. Cowork activity is excluded from all three governance mechanisms: Audit Logs, Compliance API, and Data Exports. Until Anthropic closes the audit log gap, Cowork cannot satisfy the logging and monitoring requirements of SOC 2, HIPAA, GDPR, or similar frameworks.
Cowork stores conversation history locally on users' computers. Per Anthropic, this data is not subject to Anthropic's standard data retention policies and cannot be centrally managed or exported by admins. This is a different model than cloud-hosted Claude conversations — admins should understand that Cowork data governance follows local device management, not Anthropic's cloud retention controls. Anthropic does provide OpenTelemetry integration that tracks usage, costs, and tool activity for Cowork. Organizations should review Anthropic's current data usage policy and Commercial Terms of Service to confirm training opt-out status for their specific plan tier.
You control which local files Claude can access. However, there are important caveats beyond folder access. Cowork can browse the web using your cookies and session state via Claude in Chrome — and when JavaScript execution is enabled for a site, Claude can access the same data your browser can on that page, including login sessions and stored website data. Cowork can also interact with connected MCP and plugin integrations, which Anthropic warns 'expand what Claude can do, but each one introduces new ways for attacks to reach Claude.' The effective data exposure is the union of shared folders, browser session access, and any connected integrations — not just the folders you designate.
The most notable differential: on Team plans, Chrome is on by default, and there is no mechanism to prevent users from switching to a personal account. Enterprise plans are required for tenant restrictions.
- Disable Cowork entirely — Available on both Team and Enterprise.
- Chrome extension — Enabled by default on Team, disabled by default on Enterprise.
- Tenant restrictions — Not available on Team. Available on Enterprise only.
- Chrome site allowlists/blocklists — Available on both.
- Plugin marketplace management — Available on both.
- OpenTelemetry monitoring — Available on both.
- Audit logs for Cowork activity — Not available on either plan.
- Cowork toggle — Organization owners navigate to Organization settings > Capabilities to toggle Cowork off entirely. Per Anthropic, Cowork will be on by default when the research preview launches. Granular per-user or per-role controls are not available during the research preview.
- Chrome extension — Managed separately from Cowork itself. On Enterprise plans, it is disabled by default. On Team plans, it is enabled by default. Admins can configure site allowlists and blocklists via Organization settings > Claude in Chrome.
- Tenant restrictions — Enterprise-only. Configure your network proxy to inject the anthropic-allowed-org-ids header for Claude traffic. Supported on Zscaler, Palo Alto Prisma, Cato Networks, Netskope, and generic HTTPS proxies. TLS inspection is required.
- Plugin management — Owners can create curated plugin marketplaces with per-plugin controls: auto-install, available, or not available.
This is the most significant operational gap. Anthropic explicitly states that Cowork activity is not captured in Audit Logs, Compliance API, or Data Exports, and that if your organization requires audit trails for compliance purposes, do not enable Cowork for regulated workloads. The one monitoring mechanism Anthropic does provide is OpenTelemetry: Team and Enterprise owners can track usage, costs, and tool activity across their teams. However, Anthropic is clear that this doesn't replace audit logging for compliance purposes. Beyond what Anthropic provides, organizations should evaluate whether their existing endpoint security stack — EDR, DLP, network monitoring — provides sufficient compensating visibility for Cowork's local activity before enabling it beyond a pilot.
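As an added illustration of the "watch for unexpected patterns" advice above (this is not PromptArmor's or Anthropic's code), the following Python script runs a few simple detections over Cowork's OpenTelemetry tool events, which the Monitoring setting in the configuration list notes reuse the Claude Code event schema. It assumes the events are exported as JSON lines carrying the Claude Code event names `claude_code.tool_decision` and `claude_code.tool_result`, the attribute keys `tool_name`, `decision`, `source`, `success`, `user.id` and `session.id`, and a `ts` epoch timestamp; those names and all sample events are assumptions to be checked against your exporter's real output. It flags three things a reviewer would want surfaced rather than read line by line: a user granting "Always allow" on a tool (source `user_permanent`), acceptance of a tool outside an approved set, and a burst of tool results inside one session.

```python
"""Flag unexpected patterns in Cowork / Claude Code OpenTelemetry tool events.

Added example (not PromptArmor's or Anthropic's code). Event names and
attribute keys follow the Claude Code OTel schema as the author understands
it and are an ASSUMPTION to verify against the exporter's real output.
"""
import json
from collections import defaultdict

# Tools a pilot group is expected to use; anything else gets a finding.
APPROVED_TOOLS = {"Read", "Write", "Edit", "Bash", "WebFetch"}

# A session producing this many tool results inside the window is a burst.
BURST_THRESHOLD = 5
BURST_WINDOW_S = 60.0

# Constructed sample export (one JSON object per line); 'ts' is epoch seconds.
SAMPLE_JSONL = """\
{"name": "claude_code.tool_decision", "ts": 100.0, "user.id": "alice", "session.id": "s1", "tool_name": "Read", "decision": "accept", "source": "user_temporary"}
{"name": "claude_code.tool_result", "ts": 101.0, "user.id": "alice", "session.id": "s1", "tool_name": "Read", "success": true}
{"name": "claude_code.tool_decision", "ts": 102.0, "user.id": "alice", "session.id": "s1", "tool_name": "mcp__crm__export_contacts", "decision": "accept", "source": "user_permanent"}
{"name": "claude_code.tool_result", "ts": 103.0, "user.id": "alice", "session.id": "s1", "tool_name": "mcp__crm__export_contacts", "success": true}
{"name": "claude_code.tool_result", "ts": 104.0, "user.id": "alice", "session.id": "s1", "tool_name": "Bash", "success": true}
{"name": "claude_code.tool_result", "ts": 105.0, "user.id": "alice", "session.id": "s1", "tool_name": "Bash", "success": true}
{"name": "claude_code.tool_result", "ts": 106.0, "user.id": "alice", "session.id": "s1", "tool_name": "Bash", "success": true}
{"name": "claude_code.tool_result", "ts": 107.0, "user.id": "alice", "session.id": "s1", "tool_name": "Bash", "success": false}
{"name": "claude_code.tool_decision", "ts": 300.0, "user.id": "bob", "session.id": "s2", "tool_name": "Edit", "decision": "reject", "source": "user_reject"}
"""


def load_jsonl(text):
    """Parse a JSON-lines export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events):
    """Return findings as dicts with 'kind', 'user', 'session' and 'detail'."""
    findings = []
    recent_results = defaultdict(list)  # session.id -> result timestamps inside the window

    for ev in sorted(events, key=lambda e: e["ts"]):
        user, session, tool = ev.get("user.id"), ev.get("session.id"), ev.get("tool_name")

        if ev.get("name") == "claude_code.tool_decision":
            if ev.get("decision") != "accept":
                continue  # rejected tools never ran; nothing to escalate
            # 'user_permanent' is the "Always allow" grant: every later call of
            # this tool runs without per-use approval, so injected instructions
            # that reach it execute unreviewed.
            if ev.get("source") == "user_permanent":
                findings.append({"kind": "always_allow_granted", "user": user,
                                 "session": session, "detail": tool})
            if tool not in APPROVED_TOOLS:
                findings.append({"kind": "unapproved_tool", "user": user,
                                 "session": session, "detail": tool})

        elif ev.get("name") == "claude_code.tool_result":
            stamps = recent_results[session]
            stamps.append(ev["ts"])
            # Slide the window: drop results older than BURST_WINDOW_S.
            while stamps and ev["ts"] - stamps[0] > BURST_WINDOW_S:
                stamps.pop(0)
            # Fire once when the count first reaches the threshold in this window.
            if len(stamps) == BURST_THRESHOLD:
                findings.append({"kind": "tool_burst", "user": user, "session": session,
                                 "detail": f"{len(stamps)} tool results in {BURST_WINDOW_S:.0f}s"})
    return findings


if __name__ == "__main__":
    for f in analyze(load_jsonl(SAMPLE_JSONL)):
        print(f"{f['kind']:<22} user={f['user']} session={f['session']} {f['detail']}")
```

On the constructed sample this yields three findings, all for the same user and session: the "Always allow" grant on an MCP export tool, that tool being outside the approved set, and a five-result burst within a minute. Each is a prompt for a human to open the session, which is the compensating visibility the answer above says you need while Cowork activity stays outside Audit Logs and the Compliance API.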
Prompt injection risk with Cowork is categorically higher than with the standard Claude chatbot because there are more ways Cowork can act. It reads, writes, and deletes files, browses the web, executes code, and interacts with external systems. A successful prompt injection in Cowork can exfiltrate files, delete data, send messages on your behalf, or execute code. The attack surface includes any untrusted content that enters Claude's context: web pages visited through Chrome, documents opened for processing, emails, and files from shared drives. Anthropic deploys content classifiers that scan untrusted input and flag potential injections, but their own reporting acknowledges a non-zero success rate — approximately 1% attack success against their internal Best-of-N attacker for Claude in Chrome.
Yes. In January 2026, two days after Cowork's launch, PromptArmor demonstrated that Claude Cowork could be manipulated through indirect prompt injection to exfiltrate user files. The attack chain worked as follows:
1. The attacker hides malicious instructions in a document or web page that Claude processes.
2. The injection instructs Claude to use curl to upload specified files to the Anthropic file upload API.
3. The injection provides the attacker's API key, so files are uploaded to the attacker's account.
4. Cowork's VM restricted outbound network access to most domains, but the Anthropic API was accessible from within the VM — so the upload succeeded.
For the full technical write-up, see the PromptArmor research blog.
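The two proxy-side controls this guide describes, tenant restriction via the anthropic-allowed-org-ids header (the "How do I configure it" answer above) and egress review of the vendor API path used in the attack chain just described, can be written down as policy functions. The Python below is an added example and not PromptArmor's, Anthropic's, or any proxy vendor's code; the Claude hostnames, the organisation id, the `x-api-key` header name and the sample keys are assumed placeholders to confirm against vendor documentation. It shows the tenant header being forced onto Claude-bound requests (overwriting any client-supplied value) and requests to the vendor API being flagged when they carry an API key whose fingerprint the organisation did not issue, which is the signal a defender would look for in the exfiltration chain above: the VM's egress allowed the vendor API, but the credential on the upload was not the organisation's.

```python
"""Egress-proxy policy checks for Claude / Cowork traffic.

Added example, not PromptArmor's, Anthropic's or any proxy vendor's code.
Hostnames, the organisation id, the API-key header name and the sample keys
are ASSUMED placeholders; confirm them against the vendor's documentation.
"""
import hashlib

CLAUDE_HOSTS = {"claude.ai", "api.anthropic.com"}   # assumed Claude hostnames
ORG_IDS = ["org-id-placeholder"]                    # your organisation id(s)
TENANT_HEADER = "anthropic-allowed-org-ids"         # header named in the guide
API_KEY_HEADER = "x-api-key"                        # assumed API-key header name


def key_fingerprint(key):
    """Compare keys by SHA-256 fingerprint so the policy never stores clear-text keys."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


# Fingerprints of keys the organisation issued (constructed sample value).
ISSUED_KEY_FINGERPRINTS = {key_fingerprint("sk-ant-ORG-ISSUED-EXAMPLE")}


def is_claude_host(host):
    """True for a Claude host or any subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in CLAUDE_HOSTS)


def apply_tenant_restriction(host, headers):
    """Return a lower-cased copy of headers with the tenant header forced on Claude hosts.

    The value is overwritten, not merged, so a client cannot widen the
    allowed-organisation list by sending its own header. Non-Claude traffic
    passes through untouched.
    """
    out = {k.lower(): v for k, v in headers.items()}
    if is_claude_host(host):
        out[TENANT_HEADER] = ",".join(ORG_IDS)
    return out


def check_api_credential(host, headers):
    """Return None if the request is acceptable, else a finding string.

    Only vendor-API traffic is inspected. A key the organisation never issued
    is either an unsanctioned personal key or one planted by injected
    instructions, the pattern in the file-exfiltration chain described above.
    """
    if not is_claude_host(host):
        return None
    key = {k.lower(): v for k, v in headers.items()}.get(API_KEY_HEADER)
    if key is None or key_fingerprint(key) in ISSUED_KEY_FINGERPRINTS:
        return None
    return f"unissued API key (sha256 {key_fingerprint(key)[:12]}...) sent to {host}"


def evaluate(host, headers):
    """Apply both controls; returns (rewritten_headers, finding_or_None)."""
    return apply_tenant_restriction(host, headers), check_api_credential(host, headers)


if __name__ == "__main__":
    # Constructed requests: an org-issued key, a foreign key, and unrelated traffic.
    for host, hdrs in [
        ("api.anthropic.com", {"X-Api-Key": "sk-ant-ORG-ISSUED-EXAMPLE"}),
        ("api.anthropic.com", {"X-Api-Key": "sk-ant-FOREIGN-EXAMPLE"}),
        ("example.org", {"Host": "example.org"}),
    ]:
        rewritten, finding = evaluate(host, hdrs)
        print(host, rewritten.get(TENANT_HEADER), finding or "ok")
```

The same two functions map onto a TLS-inspecting proxy's request hook or onto an offline review of its request logs; what matters is that the tenant header is set by the proxy and not trusted from the client, and that the credential check fires on the vendor API even though that host is on the egress allowlist, because allowlisting the host alone is exactly what the demonstrated attack relied on.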
Anthropic's own safety guidance warns that desktop extensions (MCPs) and plugins expand what Claude can do, but each one introduces new ways for attacks to reach Claude. Plugins bundle skills, connectors, and sub-agents into a single package, meaning a single install can significantly expand Cowork's scope of action. Anthropic recommends sticking to verified extensions from the Claude Desktop directory, carefully evaluating the permissions any extension or plugin requests before installing, and using plugin marketplace controls to set per-plugin installation preferences. For organizations, the key risk is that an employee installing an unvetted MCP server or plugin creates an uncontrolled integration point that bypasses your evaluated security posture. Related: The Risks of Connectors in Your AI Applications
This depends on your risk tolerance, plan tier, and use case.
- Allow with controls if — You are on an Enterprise plan, can enforce tenant restrictions, have curated your plugin marketplace, have OpenTelemetry configured, and the use case involves non-sensitive, non-regulated data.
- Allow in limited pilot if — You are on a Team plan, can accept the lack of tenant restrictions, and want to evaluate productivity gains in a limited environment (e.g., non-sensitive local folders only) with Claude in Chrome disabled.
- Do not allow yet if — Your workloads involve regulated data (HIPAA, PCI, SOX), you require audit trails for compliance, you cannot deploy compensating monitoring controls, or you are on a plan tier that lacks admin controls.
We recommend against treating the Cowork decision as binary (allow/block). A phased rollout is more practical: start with Cowork disabled, enable it for a pilot group with restrictive settings, establish monitoring, then expand based on observed risk.
Research preview means Cowork is not yet a generally available, production-grade product. Concretely:
- Security controls and features are still being developed — granular controls by user or role are not available during the research preview.
- The audit log gap is acknowledged but not yet resolved.
- Prompt injection risk remains non-zero.
- Cowork's behavior and capabilities may change between preview updates.
For TPRM purposes, treat Cowork as you would any pre-GA vendor capability: document the accepted risk, establish compensating controls, define exit criteria for when you would disable it, and review the risk posture at each Anthropic product update.
On Enterprise plans, you can enforce tenant restrictions via HTTP header injection that prevents users from authenticating with non-organizational accounts. This is the only reliable control. On Team plans, there is no mechanism to prevent this. A user can sign out of the organizational account, sign into a personal Pro or Max account, and use Cowork with zero organizational guardrails: no connector restrictions, no defensive instructions, no admin visibility. All file access is governed by the user's OS-level permissions. This is why Enterprise-tier deployment is strongly recommended for organizations with sensitive data on employee machines.
Both products can execute code, both can integrate with the Claude in Chrome extension with its associated prompt injection risks, and both can run tasks without active user supervision. The Claude Code CLI runs on a user's device with access to the local file system. Claude Code via the Desktop can use a cloud VM environment and also operate on local directories. Claude Cowork runs a local VM with optional access to a local directory, but for some features like skills, code execution can occur in the cloud. Organizations deploying both products should evaluate each independently within the context of what features and configurations will be enabled or restricted, rather than seeking to discern if one is categorically safer than the other. One important note: Anthropic explicitly states that Cowork activity is not captured in Audit Logs, Compliance API, or Data Exports. Claude Code does not carry the same exclusion in Anthropic's documentation. This means organizations should understand that their ability to audit and govern Cowork activity is currently more limited than for Claude Code.