Safeguard
AI Security

Anthropic Claude Enterprise security features overview

Claude Enterprise ships strong SSO, SCIM, audit logging, and SOC 2/ISO compliance — but its controls stop at the API boundary, leaving code and dependencies exposed.

James
Principal Security Architect
6 min read

Anthropic has spent the better part of 2025 and early 2026 quietly rebuilding Claude's enterprise trust story — SSO enforcement, SCIM-based lifecycle automation, exportable audit logs, configurable data retention, and a compliance portfolio that now covers SOC 2 Type II, ISO 27001, and HIPAA-eligible configurations for regulated customers. For security teams evaluating or already running Claude Enterprise, the relevant question isn't whether Anthropic takes security seriously — the documentation and certifications answer that — it's whether the surrounding software supply chain (the SDKs, MCP integrations, and CI pipelines teams build around Claude) gets the same scrutiny. It usually doesn't, and that gap is where the real exposure sits in late 2026.

This piece breaks down what Claude Enterprise actually ships on the security side, where the responsibility line falls between Anthropic and the customer, and what a supply-chain-security program should be watching that the vendor's own trust center won't tell you.

Identity and Access: SSO and SCIM as Table Stakes

Claude Enterprise supports SAML-based single sign-on and SCIM provisioning, which by 2026 is the baseline expectation for any SaaS platform touching sensitive internal data — not a differentiator. The practical value is in enforcement, not availability: enterprise admins can mandate SSO org-wide (blocking password-based fallback logins), and SCIM lets identity teams de-provision access the moment an employee is offboarded in the IdP, rather than relying on someone remembering to revoke a Claude seat manually.

The gap security teams consistently miss: SSO governs who can log into the Claude console. It does not govern what an API key can do once issued. API keys, workspace roles, and OAuth profiles (the kind created via ant auth login) are a separate credential surface entirely, and they're the ones that show up hardcoded in CI variables, .env files committed to repos, and long-lived service tokens that never rotate. A SOC 2 audit checks that SSO is enforced; it rarely checks whether every one of the forty API keys issued to your engineering org is actually still needed.

Audit Logs: Necessary, Not Sufficient

Claude Enterprise exposes exportable audit logs — user logins, workspace membership changes, API key creation/revocation, and (for Managed Agents / API usage) request-level metadata. Piped into a SIEM, this is genuinely useful for detecting anomalous access patterns: a service account suddenly hitting the Messages API from a new geography, or a workspace admin role granted outside a change window.

Where this breaks down in practice is granularity at the prompt and tool-call level. Audit logs tell you a request happened; they don't tell you that a custom tool call embedded in an agentic session touched a production database, or that a Managed Agents session with bash access ran a command against a customer's cloned repository. Organizations running Claude for code review, agentic coding, or MCP-connected workflows need to instrument their own tool-execution layer — the custom tools, the MCP servers, the CI runners — because Anthropic's audit trail stops at the API boundary. It does not extend into whatever your engineering team wired up on the other side of a tool_use block.

Data Retention and the Zero-Retention Question

Data retention policy is one of the more consequential — and least understood — knobs in Claude Enterprise. Anthropic supports configurable retention windows, and API customers can request zero data retention (ZDR) for eligible models, meaning prompts and outputs aren't retained for training or logged beyond the request lifecycle. This matters enormously for regulated industries (healthcare, financial services, defense contractors) evaluating whether proprietary source code, customer PII, or classified specifications can safely pass through a hosted LLM at all.

The catch that trips up procurement teams: retention settings are model- and workspace-scoped, not universal. Anthropic's most capable models in the Fable/Mythos tier explicitly require a minimum 30-day retention window and are not available under ZDR — a request from a ZDR-configured org against those models returns a hard 400 error, no exceptions. If your security policy mandates zero retention org-wide, that policy silently forecloses access to Anthropic's frontier tier. This is a governance decision that needs to be made explicitly at the workspace-configuration level, not discovered when a developer's request starts failing in production.

Compliance Certifications: What They Cover and What They Don't

Claude's compliance posture — SOC 2 Type II, ISO 27001, ISO 42001 (AI management systems), and HIPAA support with a signed BAA for eligible customers — covers Anthropic's own infrastructure, development practices, and operational controls. It is a legitimate, auditable statement about how Anthropic runs its business.

It says nothing about the security posture of the code your engineers write using Claude, the dependencies that code pulls in, or the CI/CD pipeline that ships it. This is the recurring blind spot across every LLM vendor's enterprise trust page, not just Anthropic's: a SOC 2 report is scoped to the vendor's control environment. It does not extend to cover an AI-assisted commit that introduces a vulnerable transitive dependency, a leaked API key in a generated snippet, or a supply-chain compromise in an MCP server your team connected to give Claude filesystem or repository access. Compliance teams treating "the AI vendor is SOC 2 certified" as a checkbox that closes out AI-related supply-chain risk are closing the wrong ticket.

Access Controls and Encryption: Solid Defaults, Narrow Scope

Data in transit is TLS-encrypted; data at rest is encrypted using industry-standard algorithms; workspace-level role-based access control lets admins scope who can create API keys, manage billing, or configure retention settings. These are sound, expected controls and there's little to critique here on Anthropic's side.

The scope limitation is the same one that runs through this entire analysis: encryption and RBAC protect Anthropic's infrastructure and the Claude console. They do not protect the artifacts Claude produces once they leave the API response — the generated code, the SBOM your build system doesn't check, the auto-merged PR from an agentic coding session that nobody diffed for a hardcoded credential or a newly introduced package with a typosquatted name. Enterprise security teams adopting Claude for coding, agentic workflows, or MCP-based tool access need controls on their side of that boundary, because Anthropic's controls end at delivery.

How Safeguard Helps

This is precisely the boundary Safeguard is built to close. Claude Enterprise's SOC 2 and ISO certifications secure the model provider; they don't secure the code, dependencies, or infrastructure changes that flow out of AI-assisted development pipelines built on top of it. Safeguard's reachability analysis determines whether a vulnerability introduced or surfaced by an AI-generated commit is actually exploitable in your runtime context, cutting through the noise that traditional SCA tools generate on every dependency scan. Griffin AI, Safeguard's autonomous remediation engine, reviews Claude-assisted commits and MCP-connected agent output for injected secrets, risky dependency changes, and supply-chain drift in real time — the layer of scrutiny that sits between "Claude produced this" and "this shipped to production." Combined with automated SBOM generation and ingest across every repo touched by AI coding assistants, plus auto-fix pull requests that remediate confirmed, reachable vulnerabilities without waiting on a manual triage queue, Safeguard gives security teams the audit trail and control surface that Claude Enterprise's own trust center, by design, doesn't extend to.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.