Skip to main content

Claude's Riskiest Features Are Off by Default. Check Before a Client Turns Them On.

Nick Ross5 min read

TL;DR

  • Claude's Free, Pro, and Max tiers are personal accounts with no organizational governance; every meaningful admin control lives on the Team and Enterprise plans.
  • Domain verification and SSO stop employees from registering a personal Claude account under a corporate email and routing company data outside IT's view.
  • Claude Code, Claude in Chrome, Claude in Slack, and Cowork all carry elevated risk and should stay disabled in the admin console until there is an approved, governed use case.
  • Cowork's activity is excluded from Anthropic's audit logging and compliance export on every plan tier, including Enterprise, so compliance review needs to happen before enabling it, not after.
  • Claude API keys do not expire on their own, which makes workspace isolation and a scheduled key rotation policy mandatory rather than optional.

Claude ships with real enterprise controls: SSO, SCIM, workspace isolation, admin governance. Most of them sit unused on a given account, not because they don't work, but because nobody walked through the console and turned them on. Here is the checklist, in the order it actually matters.

Start with the plan tier, because it decides everything else

Claude security is a licensing question before it is a configuration question. Free, Pro, and Max are personal account tiers built for individual use, with no organizational governance available at all. Team and Enterprise are the commercial plans built for business use, and they are where every meaningful security control lives.

Comparison of Claude account tiers and the security controls each one unlocks

If a real business need for Claude exists and most of your users already reach for it, that is the signal to move to a paid commercial account and start layering in governance. If your organization is standardizing on a different tool, such as Microsoft Copilot, Claude becomes part of the shadow AI conversation to track instead of a tool to configure directly.

On a personal plan, anyone can sign up with a work email and start chatting, connecting local files, and uploading client documents immediately, with no perimeter around any of it. Worse, the privacy setting that feeds conversations into Anthropic's model training is enabled by default on a personal signup. On Team and Enterprise, that setting is not just off, it is not even present in the interface, because organizational data is never used for training at that tier.

Verify the domain and turn on SSO

Once the commercial account exists, verify the domain and configure single sign-on, tying it to Entra ID for Microsoft 365 shops or to Okta or another IdP. This does two things: it lets users sign in with existing corporate credentials, and it stops someone from using a work email to spin up a personal Claude account outside IT's control. Once the domain is captured, a work email routes into the governed organization instead of the open web.

Configuring SSO enforcement and provisioning mode in the Claude admin console

Inside the SSO settings, set:

  • Require SSO for Claude and Require SSO for the Console, enforcing authentication through the IdP
  • Restrict organization creation, so personal orgs cannot be created under the domain
  • Provisioning mode, either invite-only for explicit control over who gets access, or just-in-time to auto-provision a user the first time they sign in with SSO

With this in place, a user who tries to sign in without being assigned to the application gets blocked and routed into a compliant approval channel instead of slipping into a personal account with company data.

Turn off the high-risk products until there's a reason to turn them on

This is the step most teams skip, because they don't realize Claude is more than a chat box. Under organizational settings, a list of products carries meaningfully higher risk. Until there's an approved, governed workflow for each one, leave it off.

  • Claude Code. The agentic terminal and desktop tool for developers. A compromised account running Claude Code locally or in the browser is a serious exposure. If the team isn't actively developing with it, turn it off, which also disables related high-risk capabilities like remote control and routines.
  • Claude in Chrome. A browsing agent that performs autonomous workflows on websites. Anthropic blocks sensitive sites like banking and crypto by default, but while the feature is in preview, it carries meaningful risk from prompt injection and JavaScript execution on arbitrary pages. If enabled at all, restrict it to block extensions and allow only approved sites.
  • Claude in Slack. Same principle: enable only with a defined use case and an approved workflow behind it.
  • Cowork. A desktop agent that can manipulate the local file explorer, including deleting files, and run background tasks. High-risk settings like "act without asking" and "dispatch" are off by default for good reason, and autonomous background tasks can also generate unexpected cost on top of the security exposure. This is not a candidate for a first-wave rollout.
  • Plugins and connectors. Set default access to "not available" and require an approval step before any new plugin or connector, a Box or Canva connection for example, can touch company data.

Claude can also be restricted to web-only access instead of the desktop app, which pairs well with Microsoft Conditional Access policies for tighter, more granular control over where users connect from.

One caveat worth flagging directly: Cowork's activity is currently excluded from Anthropic's native audit logging and compliance export across every plan tier, including Enterprise. If compliance visibility matters for a client, settle that gap before enabling it, not after.

Lock down the console and the API

The last layer is Claude Console, used when a team calls Claude over the API with API keys. It's more developer-focused, but it matters more every quarter as organizations stand up their own managed agents.

Two priorities:

Isolate the workspaces. Separate development and production into distinct workspaces so keys stay scoped to the right environment. Workspaces also carry their own billing and spend limits, which matters because a compromised API key is a billing risk as much as a data risk, the same way a stolen cloud credential can be used to spin up a crypto-mining VM farm. Workspace region matters too: US is the default, and an EU workspace currently requires a separate setup process.

Manage the keys. Store them in a secure vault such as Azure Key Vault or AWS Secrets Manager and rotate them on a schedule. This matters because Claude API keys do not expire on their own, so key management discipline has to be built in deliberately, especially for teams new to running an API-based integration.

Find what else is already running before you lock this down

None of this matters if Claude is already running unmanaged somewhere else in the tenant. If you manage Microsoft 365 environments, a rapid tenant assessment that surfaces shadow AI usage tells you which users are already leveraging Claude, and which other AI tools showed up without anyone approving them, before you decide what to govern, what to adopt, and what to block outright.

CloudCapsule's Shadow AI report showing which AI tools are active across a tenant, broken down by user

Frequently asked questions

Which Claude plan is the minimum for handling client or business data?

Team. On Team and Enterprise plans, Anthropic's commercial terms apply and the model-training toggle is not just switched off, it does not exist at that tier. Free, Pro, and Max remain personal consumer accounts with no admin visibility.

Why should Claude Code or Cowork stay off by default?

Both carry a wider blast radius than chat. Claude Code can run agentic actions from a terminal or browser, and Cowork can manipulate local files, including deleting them, and run background tasks under high-risk settings like act-without-asking. Leave both off until a specific, approved workflow justifies turning them on.

What is the risk with unrotated Claude API keys?

Claude API keys do not expire on their own. A leaked key is a billing risk as much as a data risk, since it can run up usage charges before anyone notices. Store keys in a vault such as Azure Key Vault or AWS Secrets Manager and rotate them on a schedule.

Locking down one AI tool doesn't tell you what else is running

CloudCapsule's Shadow AI report shows which AI tools are active in a tenant, broken down user by user, so you know what to govern next after Claude.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading