THE PERIMETER · AI SECURITY · May 16, 2026

Anthropic spent April and May making Claude more autonomous. Here's what that did to your threat model.

Six shipped features moved Claude meaningfully toward autonomy. Autonomy is a capability that changes the security analysis underneath every system that integrates Claude. If you reviewed your threat model in January and haven't revisited it, the document is out of date.

TL;DR
  1. Anthropic shipped six features in April–May that move Claude meaningfully toward autonomy: Managed Agents, the advisor tool, agent memory, multi-agent sessions, Outcomes, and Claude Platform on AWS.
  2. The biggest threat-model shifts: agent memory creates cross-session attack continuity, multi-agent sessions enable lateral movement, and AWS deployment makes your IAM policy the new Claude access control.
  3. If you haven't updated your threat model since January and you've adopted any of these features, the document is out of date. The features arrived faster than security-grade documentation did.

Pick one feature you have adopted in the last 90 days. Write its threat model paragraph this week. If you have not adopted any, skip — not every change is for everyone.

Audit your webhook endpoints if you have enabled Managed Agent webhooks. Signature verification, replay protection, payload size limits, SSRF defense. The day-one defaults are not enough.
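The four checks named above, as an added example that is not code from the newsletter or from Anthropic: a receiver-side verifier for a Managed Agent webhook. The header names, the "timestamp.body" HMAC layout and the shared secret are assumptions, since the page does not describe Anthropic's actual signing scheme; adapt them to what the vendor publishes.

```python
import hashlib
import hmac
import ipaddress
import json
import time

MAX_BODY_BYTES = 64 * 1024   # refuse to parse anything larger than this
MAX_SKEW_SECONDS = 300       # replay window around the signed timestamp
_seen_event_ids = set()      # in-memory only; use a TTL store shared across workers in production

# Header names and the "timestamp.body" signing layout are assumptions for this example,
# not Anthropic's documented scheme.
def sign_webhook(secret, body, event_id, ts):
    """Producer side, used here only to build realistic (constructed) test input."""
    digest = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return {"X-Webhook-Id": event_id, "X-Webhook-Timestamp": str(ts), "X-Webhook-Signature": digest}

def verify_webhook(secret, headers, body, now=None):
    """Return the parsed event or raise ValueError. Cheapest checks run first, before JSON parsing."""
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("payload too large")
    event_id = headers.get("X-Webhook-Id")
    ts = headers.get("X-Webhook-Timestamp")
    sig = headers.get("X-Webhook-Signature")
    if not (event_id and ts and sig):
        raise ValueError("missing signature headers")
    now = time.time() if now is None else now
    if not ts.isdigit() or abs(now - int(ts)) > MAX_SKEW_SECONDS:
        raise ValueError("timestamp outside replay window")
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        raise ValueError("bad signature")
    if event_id in _seen_event_ids:              # same id inside the window is a replay
        raise ValueError("replayed event")
    _seen_event_ids.add(event_id)
    return json.loads(body)

def is_public_ip(ip_text):
    """SSRF guard for any URL the event asks you to fetch: resolve the host yourself, run
    every returned address through this, and connect to the checked address rather than
    the name, so a DNS rebind cannot swap in a private or metadata-service IP afterwards."""
    try:
        return ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return False
```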

Anthropic is moving deliberately toward an agent-platform position. The threat surface they introduce is also where competitors will differentiate. Watch for vendors whose pitch is "we sit between you and Anthropic."

If your product depends on an autonomous Claude agent, your security posture is now downstream of Anthropic's sandbox guarantees. "Anthropic handles it" is not an answer that closes enterprise deals: read their isolation docs and form your own view.

Memory persistence is the most under-evaluated feature in the lineup. Cross-session injection-into-memory studies would be high-impact. The eval does not need novel ML — it needs careful design and patient runs.

What shipped that matters.

  • Apr 8 · Claude Managed Agents · foundation: Fully managed agent harness with sandboxing, built-in tools, and SSE streaming.
  • Apr 9 · Advisor tool · architecture: Executor model paired with a higher-intelligence advisor that guides mid-generation.
  • Apr 23 · Agent memory · state: Managed Agents now persist memory across sessions.
  • May 6 · Multi-agent sessions · coordination: Multiple Managed Agents collaborating, with shared session state.
  • May 6 · Outcomes · evaluation: Rubric-based grader sends agents back to revise until they meet the bar.
  • May 11 · Claude Platform on AWS · deployment: Anthropic-managed Claude infrastructure via AWS with IAM authentication.

The shape of the system you integrate with looks different now.

BEFORE
Stateless API call
  • Your code calls the Messages API
  • Claude responds
  • Your code decides what to do
  • State lives in your application
AFTER
Managed agent runtime
  • You delegate work to a managed worker
  • Worker may consult a higher-intelligence advisor
  • Worker may collaborate with peer workers
  • Worker may invoke a grader
  • Worker may retain memory of previous tasks
  • Worker may execute tools you do not directly control

Each new layer is a Claude model running on Anthropic-managed infrastructure that you do not see. Your threat model now spans every layer.

Six places where the threat model needs updating. Severity reflects how often the surface is reachable in typical agent integrations, not absolute risk.

  1. HIGH · Memory persistence creates cross-session attack continuity

    Before agent memory shipped on April 23, a prompt injection died with the session that triggered it. Now an injection that successfully writes to memory can influence every subsequent session that reads from it. The attacker only needs one good window.

    DO: If you use agent memory, treat every memory write as potentially adversarial until you have proven otherwise.
  2. HIGH · Multi-agent sessions add a lateral movement surface

    A successful injection on one agent can influence the others if they consume each other's output. Anthropic's documentation covers isolation guarantees, but not on a single security-framed page.

    DO: Write the lateral-movement matrix yourself before production: agent A can write to / read from / invoke / observe.
  3. MEDIUM · Advisor + executor introduces a two-model trust boundary

    The advisor model's output becomes part of the executor's effective prompt. An injection against the advisor influences the executor without ever appearing in the user-visible message stream.

    DO: Audit logs need to capture advisor outputs, not just executor outputs, for credible incident reconstruction.
  4. MEDIUM · Webhooks introduce inbound network surface

    The May 6 release added webhooks for session and vault lifecycle events. Your webhook endpoint is now a public-internet attack surface.

    DO: Apply signature verification, payload size limits, replay protection, and SSRF defense. Day-one defaults are not enough.
  5. MEDIUM · Vault credential background refresh changes incident response

    A leaked mcp_oauth credential used to expire on its own clock. With background refresh on, it stays valid until you actively revoke it. The window extends as long as the attacker keeps the refresh path alive.

    DO: Find the vault credential revocation button in your console before you need it. Update the IR playbook to revoke, not just rotate.
  6. HIGH · AWS deployment introduces a different shared-responsibility line

    Claude Platform on AWS uses AWS IAM auth, not Anthropic API keys. Your IAM policy is now your Claude access control.

    DO: Audit your AWS IAM policies for Claude access the same way you would any IAM policy fronting a sensitive backend.
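The lateral-movement matrix from surface 2 above, as an added example that is not the newsletter's or Anthropic's code: a constructed session topology with hypothetical agent names, and three checks a reviewer would run over it before production. Relation names follow the page's write/read/invoke/observe vocabulary; which relations carry injected content forward is an assumption stated in the code.

```python
from collections import deque

# Constructed topology for a hypothetical multi-agent session. Relations are directed
# (source, target). "write" = source can put content into target's input (shared state
# or messages); "invoke" = source can task or start target; "read" and "observe" are
# passive and are assumed not to carry injected content forward on their own.
SESSION_MATRIX = {
    "write":   {("intake", "planner"), ("planner", "coder"), ("planner", "reviewer"),
                ("coder", "reviewer"), ("reviewer", "coder")},
    "invoke":  {("planner", "coder"), ("planner", "reviewer"), ("coder", "shell-tool")},
    "read":    {("coder", "intake"), ("reviewer", "intake")},
    "observe": {("auditor", "planner"), ("auditor", "coder"), ("auditor", "reviewer")},
}
TAINT_RELATIONS = ("write", "invoke")   # edges along which an injection can propagate

def taint_graph(matrix):
    """Adjacency over only the relations that move content from one agent into another."""
    adj = {}
    for rel in TAINT_RELATIONS:
        for src, dst in matrix.get(rel, ()):
            adj.setdefault(src, set()).add(dst)
    return adj

def blast_radius(matrix, compromised):
    """Every agent or tool whose input is reachable, transitively, from a compromised agent."""
    adj = taint_graph(matrix)
    seen, queue = {compromised}, deque([compromised])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(compromised)
    return seen

def exposed_sources(matrix, sink):
    """Agents an injection only has to land on once for it to reach a sensitive sink."""
    agents = {a for edges in matrix.values() for pair in edges for a in pair}
    return {a for a in agents if a != sink and sink in blast_radius(matrix, a)}

def feedback_pairs(matrix):
    """Two agents that can each write to or invoke the other: injected content can
    circulate between them instead of being consumed once and discarded."""
    adj = taint_graph(matrix)
    return {frozenset((a, b)) for a, dsts in adj.items() for b in dsts if a in adj.get(b, ())}

if __name__ == "__main__":
    print("intake compromised ->", sorted(blast_radius(SESSION_MATRIX, "intake")))
    print("can reach shell-tool:", sorted(exposed_sources(SESSION_MATRIX, "shell-tool")))
    print("feedback pairs:", [sorted(p) for p in feedback_pairs(SESSION_MATRIX)])
```

The useful output is the third line: every agent in that set is a place where one landed injection already reaches the shell tool, so each needs its own input filtering or an approval step in front of the tool.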

Three concrete actions this week.

  1. Audit which features your code touches

    Most teams use only the basic Messages API. The threat model only changes for features you have actually adopted.

  2. Document memory + revocation if you use Managed Agents

    Write down what data flows into agent memory, who can read it back, and what the revocation procedure is. If you cannot answer in one paragraph, you are not ready for production.

  3. Audit IAM if you are on Claude Platform on AWS

    Your IAM policy is now in scope for Claude access control. Audit it like any other IAM policy fronting a sensitive backend.

Signals in the next 60 days that matter.

First red-team report on memory persistence

Somebody will run an injection-into-memory eval and write it up. When it lands, it will shift how serious organizations treat the memory feature.

Anthropic's documentation maturity on multi-agent isolation

Features shipped before the security-grade docs. The latter usually arrives a quarter or two later. Watch for it.

"Managed Agent firewall" vendor emergence

If third parties pitch policy enforcement layers between your app and Anthropic's agent runtime, that signals where Anthropic's built-in posture is not yet sufficient.