The pattern I keep seeing with agentic AI tools is vendors racing to ship autonomy without governance. Move fast, let IT clean up the wreckage. Claude Cowork broke that pattern and the way it happened is almost as interesting as the product itself.
When Anthropic first released Cowork as a research preview, the security posture was genuinely concerning. A GUI-driven agent with file system write-access, aimed at business users who don't think in terms of blast radius. The problems were obvious: sandboxing that protected the OS but not the data, a "review the plan" model that relied on non-technical users to audit AI intent, and no clear boundary between productivity tool and privileged access.
Then Anthropic did something unusual. They listened and shipped the guardrails before going GA.
What Changed in the Public Release
The public release addressed the three hardest problems in agentic tool governance. Most vendors don't even attempt one of them.
The sandboxing now actually constrains data flow. Apple Virtualization Framework isolation enforces explicit directory mounting with granular permissions. Users can't just hand Cowork their entire home directory anymore. The tool prompts for specific folder access and surfaces what it can and cannot reach. This is the difference between a sandbox that protects Anthropic's liability and one that protects your data.
Plan review moved from theater to transparency. The review-before-action model now shows the full execution plan in plain language: explicit file paths, explicit operations. Destructive actions (deletes, moves, overwrites) get flagged with visual warnings that non-technical users can actually parse. The question every CTO faces with agentic tools is whether the approval step is real governance or just a click-through. Cowork's implementation lands closer to real governance than anything else shipping today.
And then there are the enterprise policy hooks — the piece that matters most. The public release includes admin controls for defining which directories are mountable, whether web browsing is permitted alongside file access, and what operations require elevated approval. The defaults are sane: web search is disabled when local directories are mounted, and synced cloud drives (OneDrive, Google Drive, Dropbox) require explicit admin authorization.
The Classification Framework You Need
Here's how I think about adopting agentic tools that touch the file system.
Tier 1 — Chat tools (Claude.ai, ChatGPT web). Text in, text out. Standard AI acceptable use policy. Low risk.
Tier 2 — Agentic tools with read access (code assistants, document summarizers). Can see your data, can't modify it. Moderate risk. Requires data classification awareness.
Tier 3 — Agentic tools with write access (Claude Cowork, Devin, agentic coding tools). Can create, modify, and delete files. These are effectively service accounts with natural language interfaces. They need privileged access governance, not productivity tool governance.
Most teams govern Tier 3 tools like Tier 1 tools. That's how you end up with an AI agent that has broader file system access than your junior engineers.
The real trade-off isn't security vs. productivity. It's whether you govern agentic tools proactively or reactively. Cowork gives you the hooks to do it proactively. Most competitors don't give you hooks at all.
What You Should Still Watch For
The guardrails are strong. They are not a reason to skip your own governance layer.
Indirect prompt injection remains a live vector. If Cowork processes a downloaded PDF containing hidden instructions while it has access to a sensitive directory, the sandbox won't save you. The mitigation is the one Anthropic already implemented — disable web browsing when local directories are mounted. If your admin hasn't enforced this, do it today, not next sprint.
The DPA question needs an explicit answer. Employees with Claude Enterprise seats often assume the desktop agent falls under the same Data Processing Agreement. Don't assume. Verify directly with Anthropic. Agentic capabilities that touch local file systems may carry different data handling terms than the API or web interface.
Directory hygiene is your problem, not the tool's. Even with granular mounting, users will take the path of least resistance. Define a standard AI workspace directory, a dedicated folder for agentic tool access that contains no PII, financial data, or IP by default. Make it part of onboarding. Make it non-negotiable.
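The policy defaults described above (web search off while local directories are mounted, synced cloud drives gated on explicit admin authorization, destructive operations flagged in plan review) plus the standard AI workspace directory rule, written out as an added example policy check. This is not Cowork's admin configuration or any Anthropic API; the dataclasses, paths and function names are hypothetical.

```python
from dataclasses import dataclass

# Sync-client folder names the post lists as cloud drives needing admin authorization.
CLOUD_SYNC_MARKERS = ("OneDrive", "Google Drive", "Dropbox")
# Operations the post says plan review must flag as destructive.
DESTRUCTIVE_OPS = {"delete", "move", "overwrite"}


@dataclass
class Policy:
    workspace_root: str           # standard AI workspace directory (hypothetical path)
    admin_authorized_cloud: bool  # has an admin explicitly authorized synced cloud drives?


@dataclass
class Request:
    mounts: list        # directories the user asks to mount
    web_browsing: bool  # whether the session also wants web access
    plan: list          # (operation, path) pairs from the plan review


def _norm(path: str) -> str:
    return path.replace("\\", "/").rstrip("/")


def evaluate(policy: Policy, req: Request) -> dict:
    """Decide allow / elevated_approval / deny and list what a reviewer should see."""
    root = _norm(policy.workspace_root)
    findings = []
    for m in req.mounts:
        p = _norm(m)
        # Compare against "root/" so a sibling like "ai-workspace-old" is not accepted.
        if p != root and not p.startswith(root + "/"):
            findings.append(("deny", f"mount outside AI workspace: {m}"))
        if any(mark in p for mark in CLOUD_SYNC_MARKERS) and not policy.admin_authorized_cloud:
            findings.append(("deny", f"synced cloud drive needs admin authorization: {m}"))
    if req.web_browsing and req.mounts:
        findings.append(("deny", "web browsing is disabled while local directories are mounted"))
    for op, path in req.plan:
        if op in DESTRUCTIVE_OPS:
            findings.append(("elevate", f"destructive '{op}' on {path} needs elevated approval"))
    kinds = {kind for kind, _ in findings}
    decision = "deny" if "deny" in kinds else "elevated_approval" if "elevate" in kinds else "allow"
    return {"decision": decision, "findings": [msg for _, msg in findings]}
```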
The Bigger Signal
The pattern across the agentic landscape is stark: most vendors ship autonomy first and governance never. Anthropic shipped governance at launch. That doesn't make Cowork risk-free; no agentic tool is. But it makes Cowork the first agentic desktop tool where a CTO can define the permission boundary before the first user clicks "Allow."
The question isn't whether your teams will use agentic file tools. They already are, or they will be within the quarter. The question is whether the tool you adopt gives you the policy surface to manage it.
Define the classification. Enforce the directory boundaries. Verify the DPA. Everything else flows from that.