Claude Cowork is Anthropic's agentic desktop product — a cowork AI that takes a goal, opens the folders you grant it, and works the task to a finished deliverable across your files and connected systems. It shipped as a research preview on January 12, 2026, spread to every paid Claude plan within weeks, and picked up enterprise controls — private plugin marketplaces, admin-managed connectors, OpenTelemetry export — in a February 24 update, 43 days after launch. Entry price is $17 a month for an individual Pro seat. Your employees can expense it on a card.

That last sentence is the governance problem. Cowork is simultaneously the most useful thing Anthropic ships for non-developers and the most shadow-AI-shaped: an agent with write access to real documents, OAuth tokens into Gmail and Drive, and a mode where it acts without asking. We sat in on a mid-market security review in March where the CISO first learned Cowork existed from an expense report — three Pro subscriptions, one legal department, zero conversations with IT.

This is the briefing for the person who has to approve or deny it. Not a first-impressions diary — a capability inventory, a demand list, a scope classification, and the honest line between "enterprise Cowork with controls is enough" and "you need a governed custom agent."

What a Cowork AI Can Actually Touch

The demos show spreadsheet generation. The security review should start with the reach. As of July 2026, Cowork runs in the Claude desktop app on macOS and Windows (Linux in beta) and has four distinct surfaces.

Diagram of Claude Cowork's reach and its permission gates: local folders behind per-folder grants, SaaS connectors behind a two-gate model of admin org-wide enablement plus individual user OAuth, plugins from a curated private marketplace, and a dashed trust boundary showing untrusted web and email content as the prompt injection path into the agent.

Local files and folders

Access is granted per folder. Anthropic's documentation is specific: "Claude can only read and write files in folders you've connected." Within a connected folder Cowork reads, edits, creates, and reorganizes files on its own. Permanent deletion is the one hard exception — Cowork must ask for explicit approval before deleting anything, in every mode. That is a real safeguard, and also a narrow one: exfiltration, overwriting, and bad edits are not deletions.

Connectors into the SaaS stack

The February update shipped connectors for Google Workspace (Calendar, Drive, Gmail), Docusign, FactSet, MSCI, Apollo, Clay, Outreach, Similarweb, LegalZoom, WordPress, and Harvey. Governance runs on a two-gate model: an admin enables a connector org-wide, then each user individually OAuths their own account. Note the gap — there is currently no per-group connector control. Enabling Docusign for the legal team enables it for everyone.

Plugins, skills, and private marketplaces

Plugins turn Cowork into role-specific agents; Anthropic maintains an open-source starter set in its knowledge-work-plugins repository. Admins can seed a private plugin marketplace, pre-approve plugins, provision them per user, and pull from private GitHub repositories (private beta). What does not exist yet: an in-product submission and review workflow — plugin vetting is a process you build outside the tool.

The two autonomy modes

Cowork runs in "Ask before acting," where it pauses for approval at each step, or "Act without asking," where it executes the whole task and shows you the result. One more caveat belongs in your threat model: network egress permissions do not apply to the built-in web fetch, web search, or MCP tools. The knob that says "no internet" does not cover everything that reaches the internet.

Cowork, Claude for Work, Team, Enterprise: Untangling the Names

The naming genuinely confuses buyers — the phrase "cowork AI" typed into a search box might mean any of three different things:

  • Claude Cowork is the product — the agentic desktop experience described above.
  • Claude for Work is Anthropic's umbrella branding for its business plans, the ones sold under commercial terms.
  • Team and Enterprise are those plans. Cowork the product is included in Pro, Max, Team, and Enterprise — every paid tier, but with very different control planes around it.

The tier you buy determines the governance you get, not the capability:

| Control surface | Pro / Max (consumer) | Team | Enterprise |
|---|---|---|---|
| Contract terms | Consumer terms; each user chooses whether chats may train models | Commercial terms; no training by default | Commercial terms; no training by default |
| Price (July 2026) | Pro $17/mo annual; Max from $100/mo | $20/seat/mo annual standard; $100 premium (about 5x usage) | Custom, sales-assisted |
| Enable/disable and roles | None — personal account | Org-level enablement, role assignment | Group-based RBAC against your IdP, SSO, SCIM |
| Connector governance | User self-serve | Admin enables org-wide + user OAuth | Same, plus MCP controls |
| Plugin governance | Public marketplace | Private marketplace, pre-approval | Private marketplace + private GitHub sources (beta) |
| Telemetry | None | Admin dashboard, OpenTelemetry export | OTel plus Analytics API (per-user daily activity, T+1) |

If the plan decision itself is the open question, we broke down seat math and SSO thresholds in Claude Team vs Enterprise and procurement routes in Claude enterprise pricing paths. Short version: Cowork governance starts at Team and gets real at Enterprise.

The CISO's Demand List Before Saying Yes

Approval should be conditional, not binary. These are the four conditions we would put in writing.

Audit trails that actually cover Cowork

The good: admins can export real-time, event-level OpenTelemetry data for Cowork sessions — usage, costs, tool activity — straight into a SIEM. Enterprise adds an Analytics API with per-user daily activity: sessions, tool actions, connector invocations, refreshed on a T+1 schedule.

The gap, in Anthropic's own words as of July 2026: "the Compliance API and Audit Logs do not cover Claude Cowork yet." Sit with that. The most autonomous surface in the product line is the one your compliance tooling cannot yet see. OTel-to-SIEM is the compensating control, and it should be wired before the pilot starts, not after the first incident. The principle is the same one behind agent observability: if you cannot replay what the agent did, you cannot govern it.

Data boundaries and the training line

Under commercial terms — Team and Enterprise — Anthropic does not train on your inputs or outputs by default. Consumer plans are different: since late 2025, each Pro and Max user chooses whether their chats may be used for training, with retention up to five years for those who opt in. That asymmetry is the entire case for forcing Cowork onto work accounts; the expense-report story from the introduction is what the alternative looks like. One useful operational fact: deleted Cowork tasks are removed from Anthropic's backend systems within 30 days.

Tool permissioning that matches blast radius

Demand the hardening controls Enterprise exposes: network egress allowlists, mount controls, and desktop extension allowlists, configured in the admin console. Then demand your own compensations for what the platform does not give you — the missing per-group connector scoping, and the egress carve-out for web fetch and MCP traffic. If your custom MCP servers are in scope, hold them to the bar in MCP server security hardening before an agent with file access can call them.

Plugin governance before the marketplace opens

Seed the private marketplace with a curated set. Pre-approve. Decide who can add sources. Because there is no in-product review workflow, write the review process down — who vets a plugin, against what checklist, on what cadence — and treat plugin additions like dependency updates, not app-store installs.

The Shadow-AI Shape and the Scoping Matrix Call

Shadow AI used to mean employees pasting text into a chatbot. A cowork AI changes the physics: the unsanctioned tool now holds OAuth tokens and writes to disk. The blast radius of one enthusiastic analyst went from "confidential paragraph in a prompt" to "agent with standing access to the shared drive." This is precisely the scenario an AI governance program exists to catch — useful enough to spread on its own, invisible enough to spread unmanaged.

Diagram showing how one permission toggle moves Claude Cowork across the AWS agentic AI security scoping matrix: the default ask-before-acting mode maps to Scope 2 prescribed agency with human approval of each action, while act-without-asking maps to Scope 3 supervised agency with autonomous execution, so policy should govern Cowork as Scope 3 with OTel export, connector allowlists, plugin curation, and no autonomy on untrusted content.

Where does it land on AWS's agentic AI security scoping matrix? The framework itself is covered in our agentic AI security scoping matrix guide, so here is just the call. In its default "Ask before acting" mode, Cowork behaves like Scope 2: prescribed agency, a human approving each change. Flip "Act without asking" and it becomes Scope 3: supervised agency, autonomous execution within granted permissions after kickoff. One user-reachable toggle moves it between scopes. Policy has to assume the permissive setting, so govern Cowork as Scope 3.

That classification also frames the prompt injection question honestly. Anthropic trains Claude to refuse embedded malicious instructions, scans untrusted content entering the context, and gates deletions — and still states plainly that "the chances of an attack are still non-zero." An agent that reads inbound email and edits local files satisfies both preconditions for injection: untrusted input, consequential output. Our standing defenses are in prompt injection defense for enterprise agents; the Cowork-specific rule is simple — autonomous mode and untrusted content never mix.

A Cowork AI Rollout Pattern That Works

We have watched two of these rollouts go well and one go sideways. The difference was sequencing.

  1. Pilot on governed seats only. 20 to 50 people on Team or Enterprise, work accounts, with a written policy (and ideally a network control) against personal-account Cowork on managed devices.
  2. Allowlist three connectors, not eleven. Start with the Google Workspace set. Remember every connector you enable is enabled org-wide — pick accordingly.
  3. Seed the plugin marketplace before opening it. A curated starter set plus a documented external review process for additions.
  4. Wire OpenTelemetry to your SIEM before day one. Weekly review of session and tool-call patterns for the first month; monthly after. This is your audit trail until the Compliance API catches up.
  5. Set "Ask before acting" as the trained default. Publish the short list of task types where autonomous mode is acceptable — and the rule that untrusted content is never on it.
  6. Budget usage and seats deliberately. Cowork tasks burn allocation faster than chat, premium Team seats carry roughly 5x standard usage, and SCIM provisioning fails silently if you run past your seat count. All three surprised someone we know.
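
The weekly review from steps 4 and 5, sketched as an added example that is not from the original article or from Anthropic: it flags sessions where autonomous mode met untrusted content, and connectors used outside the allowlist. The event fields (`session`, `user`, `mode`, `kind`, `tool`) and the tool names are a hypothetical schema; map them to the attributes your OTel export actually carries.

```python
import json
from collections import defaultdict

# Policy values are this example's assumptions; set them from your written policy.
ALLOWED_CONNECTORS = {"gmail", "google_drive", "google_calendar"}
UNTRUSTED_SOURCES = {"gmail", "web_fetch", "web_search"}  # tools that pull in outside content
AUTONOMOUS = "act_without_asking"

# Constructed sample export, one JSON event per line (hypothetical schema).
SAMPLE_EVENTS = """
{"session": "s1", "user": "a@example.com", "mode": "ask_before_acting", "kind": "connector", "tool": "gmail"}
{"session": "s1", "user": "a@example.com", "mode": "ask_before_acting", "kind": "builtin", "tool": "file_edit"}
{"session": "s2", "user": "b@example.com", "mode": "ask_before_acting", "kind": "builtin", "tool": "web_fetch"}
{"session": "s2", "user": "b@example.com", "mode": "act_without_asking", "kind": "builtin", "tool": "file_edit"}
{"session": "s3", "user": "c@example.com", "mode": "act_without_asking", "kind": "connector", "tool": "docusign"}
{"session": "s4", "user": "d@example.com", "mode": "act_without_asking", "kind": "builtin", "tool": "file_edit"}
not-json
"""


def review(lines):
    """Return (findings, skipped); findings are sorted (session, user, rule, detail) tuples."""
    sessions = defaultdict(lambda: {"user": "", "modes": set(), "tools": set(), "connectors": set()})
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            sid, user, mode, kind, tool = (ev[k] for k in ("session", "user", "mode", "kind", "tool"))
        except (json.JSONDecodeError, KeyError, TypeError):
            skipped += 1  # unparsed events are a blind spot: count them, never drop silently
            continue
        s = sessions[sid]
        s["user"] = user
        s["modes"].add(mode)
        s["tools"].add(tool)
        if kind == "connector":
            s["connectors"].add(tool)
    findings = []
    for sid, s in sessions.items():
        touched = s["tools"] & UNTRUSTED_SOURCES
        # Session-level and conservative: assume content read in ask mode is still in
        # context after the toggle flips, so one autonomous event taints the session.
        if AUTONOMOUS in s["modes"] and touched:
            findings.append((sid, s["user"], "autonomy_on_untrusted", ",".join(sorted(touched))))
        for c in sorted(s["connectors"] - ALLOWED_CONNECTORS):
            findings.append((sid, s["user"], "connector_not_allowlisted", c))
    return sorted(findings), skipped


if __name__ == "__main__":
    print(review(SAMPLE_EVENTS.splitlines()))
```

A non-zero skipped count is itself a review item, since an event the parser could not read is an action nobody can replay.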

The Build-vs-Buy Line: When Cowork AI Is Enough

Cowork sits at the buy end of a spectrum we have mapped elsewhere: AI-DLC describes how delivery teams restructure around agents, Strands Agents is the framework conversation when the answer is build, and Cowork is the packaged coworker you adopt rather than construct. The honest criteria run in both directions.

When enterprise Cowork suffices

Individual knowledge work is the sweet spot: documents, analysis, research synthesis, file wrangling — tasks where the agent acts as one person, on that person's data, under that person's identity, producing output a human reviews anyway. If OTel-based telemetry satisfies your audit requirement and the data involved is already appropriate for a commercial-terms SaaS tool, buying is the right call. Building a custom agent to reorganize the marketing team's folder tree is engineering vanity.

When you need a governed custom agent

The line is crossed when the agent stops being someone's coworker and becomes part of a business process. The signals:

| Signal | Enterprise Cowork | Governed custom agent |
|---|---|---|
| Identity | Acts as the individual user | Needs its own service identity and scoped credentials |
| Audit | OTel export, T+1 analytics acceptable | Immutable, compliance-grade trail with replay |
| Data | User's own folders and OAuth scopes | Regulated data, residency constraints, cross-customer boundaries |
| Blast radius | One person's files and accounts | Production systems, customer-facing actions |
| Change control | Anthropic's roadmap and defaults | You own evals, versioning, rollback |
| Tool access | Vendor connector catalog | Your systems, brokered through a policy layer |

When three or more right-column signals apply, you are past what any packaged cowork AI should be trusted with, and into territory where tool access belongs behind an MCP gateway with centrally enforced policy — credentials the agent never holds, allowlists the user cannot toggle, logs nobody can turn off.

What to Watch Next

Three roadmap items would materially change this assessment. First, Compliance API and audit log coverage for Cowork — the moment that gap closes, the strongest objection on the demand list disappears. Second, per-group connector controls; org-wide-or-nothing is the clumsiest part of the current model. Third, the multi-app orchestration work (Excel and PowerPoint integration is in research preview now) — every application Cowork can drive expands the Scope 3 surface.

The pattern from January to July 2026 has been six months of steady enterprise hardening. The direction is right. The gaps are just still real enough to demand the compensating controls this briefing lays out — in writing, before the first seat is provisioned.

Frequently Asked Questions

What is Claude Cowork?

Claude Cowork is Anthropic's agentic desktop product — a cowork AI that accepts a goal and autonomously works across local folders, connected SaaS tools, and plugins to produce a finished deliverable. It launched as a research preview on January 12, 2026 and is included in all paid Claude plans through the desktop app on macOS and Windows, with Linux in beta.

Is Claude Cowork the same as Claude for Work?

No. Claude for Work is Anthropic's umbrella branding for its business plans — Team and Enterprise — sold under commercial terms. Claude Cowork is a product included in those plans (and in the consumer Pro and Max tiers). The distinction matters: contract terms, admin controls, and training policy differ sharply between the two.

Which Claude plans include Cowork?

As of July 2026, Cowork is included in Pro ($17/month annual), Max (from $100/month), Team ($20/seat/month annual standard, $100 premium), and Enterprise. Governance controls scale with tier: consumer plans have none, Team adds org-level enablement and connector gating, and Enterprise adds group RBAC, SSO, SCIM, and the Analytics API.

Does Anthropic train on Cowork sessions?

On Team and Enterprise plans, no — commercial terms exclude customer inputs and outputs from model training by default. On consumer Pro and Max plans, each user chooses whether their data may be used for training, with retention up to five years for those who opt in. This is the core argument for restricting workplace Cowork use to commercial-plan accounts.

Can we audit what Cowork does?

Partially. Admins can export real-time, event-level OpenTelemetry data on sessions, tool calls, and costs to a SIEM, and Enterprise orgs get a per-user Analytics API. However, Anthropic states that the Compliance API and Audit Logs do not cover Cowork yet as of July 2026, so OTel export is the compensating control until that gap closes.

Where does Cowork land on the AWS agentic AI scoping matrix?

Govern it as Scope 3, supervised agency. Its default "Ask before acting" mode behaves like Scope 2 — a human approves each action — but a user-reachable toggle enables autonomous execution, and policy has to assume the permissive setting. Scope 3 governance means telemetry export, connector allowlists, plugin curation, and a hard rule against autonomous mode on untrusted content.

References

  1. Anthropic — Cowork and plugins for teams across the enterprise (February 24, 2026). https://claude.com/blog/cowork-plugins-across-enterprise
  2. Claude Help Center — Get started with Claude Cowork. https://support.claude.com/en/articles/13345190-get-started-with-claude-cowork
  3. Claude Help Center — Use Claude Cowork safely. https://support.claude.com/en/articles/13364135-use-claude-cowork-safely
  4. Anthropic Privacy Center — Is my data used for model training? https://privacy.claude.com/en/articles/7996868-is-my-data-used-for-model-training
  5. AWS Security Blog — The Agentic AI Security Scoping Matrix: a framework for securing autonomous AI systems. https://aws.amazon.com/blogs/security/the-agentic-ai-security-scoping-matrix-a-framework-for-securing-autonomous-ai-systems/
  6. GitHub — anthropics/knowledge-work-plugins, Anthropic's open-source plugin set for Cowork. https://github.com/anthropics/knowledge-work-plugins
  7. Anthropic — Claude pricing: Pro, Max, Team standard and premium seats, Enterprise. https://claude.com/pricing