TL;DR: Claude Cowork expands enterprise AI from answering questions to taking actions across browsers, desktop apps, and connected tools, which widens the trust boundary and makes built-in sandboxing, RBAC, and prompts necessary but not sufficient, according to Backslash Security. Continuous governance, connector review, and visibility into agent actions now matter more than endpoint assumptions.
At a glance
What this is: Backslash Security argues that Claude Cowork turns enterprise AI from a content assistant into an operational actor whose browser, desktop, and connector access materially expands the attack surface.
Why it matters: IAM, NHI, and security teams have to govern what an AI agent can do inside authenticated sessions, not just what data users paste into a prompt.
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
👉 Read Backslash Security's analysis of Claude Cowork security and enterprise AI risk
Context
Claude Cowork is an enterprise AI agent that can take action inside browsers, desktop applications, and connected tools rather than only generating text. That shift changes the primary security question from data entry risk to operational trust: what is an AI agent allowed to do once it inherits a user session and enterprise permissions?
For identity teams, the issue is governance of privileged behaviour rather than model output. Sandbox controls, permission prompts, and role-based access help, but they do not remove the need to define connector approval, session boundaries, and monitoring for actions that cross systems.
Key questions
Q: How should security teams govern AI agents that use existing browser sessions?
A: Treat the browser session as a privileged access path, not a convenience layer. Limit which systems the agent may reach, require approval for high-risk actions, and monitor the workflow across the authenticated session. The key question is whether the agent is inheriting more trust than the original task needs.
Q: Why do AI agents complicate least privilege for IAM teams?
A: Because their actions are dynamic at runtime and can span multiple systems inside one session. Least privilege is harder to define when the actor can sequence browser, desktop, and connector activity without a new request for each step. IAM teams need to govern the reachable environment, not only the initial entitlement.
Q: What do security teams get wrong about sandboxed AI agents?
A: They often assume sandboxing solves the whole problem. It reduces host compromise, persistence, and broad filesystem exposure, but it does not stop misuse of authenticated sessions, cross-application data movement, or overprivileged workflows. Governance still has to define what actions are acceptable inside the sandboxed boundary.
Q: Who is accountable when an AI agent misuses enterprise access?
A: Accountability sits with the organisation that approved the session, connector, and workflow scope. If the agent was allowed to inherit trust across tools, the failure is usually in governance, not just in the model. That is why identity, application owners, and security operations need a shared review path.
Technical breakdown
Computer Use and Browser Use expand the trust boundary
Computer Use lets an agent interact with the desktop through screenshots, clicks, typing, and application state, while Browser Use can operate through a user’s already-authenticated session. Technically, that means the agent inherits the reach of whatever the browser can access, including SaaS portals, cloud consoles, and internal dashboards. The security problem is not only credential theft. It is the reuse of legitimate session trust for actions the human did not explicitly authorise. That makes agent behaviour an identity problem, not just an endpoint problem.
Practical implication: treat browser session inheritance as a privileged access pathway and scope it with the same care as other high-risk identities.
MCPs, plugins, and connectors create a supply-chain path into the agent
MCPs and plugins extend what the agent can do by connecting it to APIs, internal systems, and third-party services. Each integration enlarges the trust boundary, because instructions or malicious content from connected systems can flow back into the agent’s decision path. In practice, unreviewed extensions become a governance problem similar to unmanaged secrets or third-party service accounts. The architectural issue is not just connectivity. It is the lack of lifecycle control over what gets attached to the agent and who approved it.
Practical implication: require explicit review and inventory for every connector, plugin, and skill before it is allowed to influence agent actions.
Sandboxing reduces endpoint compromise but not agent misuse
Anthropic’s VM sandbox constrains the agent away from the host filesystem and limits persistence and lateral movement on the endpoint. That reduces classical malware-style outcomes, but it does not eliminate cross-application data movement, overprivileged workflow execution, or prompt-driven misuse inside approved tools. In other words, containment is narrower than governance. Security teams still need observability into what the agent accessed, which systems it touched, and which actions it completed across a workflow.
Practical implication: pair sandboxing with activity monitoring and approval controls that can distinguish safe containment from unsafe business actions.
Threat narrative
Attacker objective: The attacker’s objective is to abuse the agent’s inherited trust so that legitimate enterprise sessions are turned into cross-application action and data exposure.
- Entry occurs when the agent is allowed into an authenticated browser session or enterprise tool through approved user access, connector trust, or a mounted workspace.
- Escalation happens when the agent uses that legitimate access to move across applications, pull data from internal systems, or trigger actions beyond the original human intent.
- Impact follows when the agent’s cross-system actions expose sensitive data, alter business records, or create unintended operational outcomes at enterprise speed.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Continuous access review was designed for identities whose privileges persist long enough to be observed. That assumption fails when an AI agent can move from one authenticated action to the next inside a single session. Cowork-style behaviour collapses the review window because the actor is operating, not waiting. The implication is that identity governance must stop assuming stable entitlements are always present long enough to certify or revoke.
Claude Cowork exposes a runtime governance gap, not merely a new interface. Sandbox isolation and permission prompts reduce exposure, but they do not decide whether a connector, browser session, or desktop workflow should exist in the first place. That gap sits squarely in OWASP-NHI and Zero Trust territory, where the question is who or what may inherit trust across systems.
Session inheritance is the named concept here: an authenticated human browser session becomes the delivery path for agent actions that the user may not explicitly recognise or supervise. That is structurally different from ordinary delegation because the agent is not borrowing credentials in a static way, it is executing inside live trust. Practitioners should treat that inherited trust as a distinct governance object.
Agentic AI complicates the same privilege assumptions that already fail in NHI programmes. The enterprise is still asking who approved the access, but the harder question is what happened after approval when the agent could chain browser, desktop, and connector actions without a new checkpoint. That makes the relevant control model closer to continuous identity governance than one-time provisioning.
From our research:
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, which shows the governance gap is already operational.
- That is why practitioners should pair agent visibility with OWASP Top 10 for Agentic Applications 2026 as they formalise access and control boundaries.
What this signals
Session inheritance will become a standard governance problem as autonomous features spread into business tools. The practical issue is not whether the agent is useful, but whether the organisation can still explain which session, connector, or desktop workflow produced a business action. That demands better linkage between identity governance and application telemetry, especially where agent activity is indistinguishable from human use at the UI layer.
Agentic AI turns connector sprawl into identity sprawl. Every MCP, plugin, or skill adds a new trust relationship that must be owned, reviewed, and retired. Without that lifecycle discipline, the programme will accumulate hidden access paths that look like productivity features but behave like unmanaged machine identities.
The signal for IAM and NHI teams is clear: build controls for inherited trust, not only for issued credentials. If the organisation cannot audit what an agent accessed, the access model is already ahead of the control model.
For practitioners
- Define agent session boundaries Classify which browser sessions, desktop apps, mounted directories, and SaaS tools an AI agent may inherit before rollout, then restrict that scope to the minimum set required for the task. Map those permissions to the same review discipline used for high-risk identities.
- Review every connector and plugin Create an approval workflow for MCPs, plugins, and skills that includes source review, business owner sign-off, and periodic revalidation. Unverified extensions should be treated like unmanaged third-party access, not productivity add-ons.
- Monitor agent actions across systems Log which systems the agent touched, what data it viewed, and which actions it completed across browser, desktop, and connected applications. Connect those logs to access review and incident response so you can reconstruct the workflow after the fact.
- Separate containment from governance Use sandboxing and egress controls as containment, then layer policy for action approval, data movement, and exception handling on top. A constrained runtime does not automatically mean a governed operational identity.
Key takeaways
- Claude Cowork matters because it turns AI into an operational actor that can use browsers, desktop apps, and connectors, not just generate content.
- The evidence points to a governance gap that already exists in many programmes, with only 52% able to audit what their AI agents access and 80% reporting out-of-scope actions.
- The control priority is inherited trust: define session boundaries, review every connector, and monitor agent actions across systems before broad rollout.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | AGENT-03 | Agent use of connectors and tools raises prompt-to-action abuse risk. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Browser sessions and connectors behave like privileged non-human access paths. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Continuous verification is needed when agents inherit trust across systems. |
Apply lifecycle review and least-privilege controls to agent-issued access and inherited sessions.
Key terms
- Agentic AI identity: The access identity used by an AI system that can take actions rather than only produce outputs. In practice, it may inherit human sessions, call tools, and move across applications, which means it must be governed as an operational identity with scoped permissions and monitored behaviour.
- Session inheritance: A condition where an AI agent operates inside a user-authenticated browser or application session and can use the trust already established by that session. It matters because the agent may reach systems the human never explicitly re-approved for each action, creating hidden privilege extension.
- Connector governance: The controls used to approve, inventory, and retire integrations such as MCPs, plugins, and enterprise connectors. For AI agents, connector governance is a lifecycle problem because every integration expands the trust boundary and can become a path for unwanted instructions or data movement.
- Sandbox containment: An isolation model that limits an AI agent to a controlled runtime instead of the host operating system. It reduces persistence, lateral movement, and filesystem exposure, but it does not replace governance over what the agent may access, move, or do inside approved business workflows.
What's in the full article
Backslash Security's full blog post covers the operational detail this post intentionally leaves for the source:
- Feature-by-feature analysis of Computer Use, Browser Use, Dispatch, and desktop app integrations.
- Configuration guidance for sandboxing, egress controls, permission prompts, and admin settings.
- Practical discussion of connector governance, skill review, and rollout decisions by subscription tier.
- Workflow examples showing how agent actions move across Excel, Outlook, Jira, and SaaS tools.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-05-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org