Claude Managed Agents provides a hosted agent harness, secure execution environments, persistent sessions, built-in tools, MCP connectivity, event streaming, and console tracing for long-running or asynchronous work. Anthropic manages important platform infrastructure. Your organization still owns whether an agent used the right data, had appropriate access, completed the business task, changed external state safely, stayed within cost, and recovered correctly after a failure.
Datrick provides an ongoing operating layer for an agreed Claude Managed Agents estate. Named engineers reconcile session, span, agent, tool, status, token, dependency, user, and business evidence; diagnose incidents; control changes; and maintain runbooks and service reporting. Anthropic support remains the escalation path for platform defects. Datrick owns the client-specific diagnosis, containment, validation, communication, and preventive action defined in the service boundary.
Anthropic hosts the agent runtime. Who owns a terminated session, failed MCP credential, unsafe tool call, or silent quality regression? Start with the agents already touching real work.
Treat beta status and data handling as architecture decisions
Anthropic currently documents Claude Managed Agents as beta and requires the versioned managed-agents-2026-04-01 beta header for Managed Agents requests. Behaviors can be refined between releases. Limited features such as MCP tunnels and dreaming can have a separate research-preview boundary. Record the enabled features, account access, API and toolset versions, supported regions, fallback path, vendor escalation, release acceptance, and the business workloads allowed to depend on the service.
Managed Agents is stateful by design. Anthropic states that sessions can retain conversation history, sandbox state, and outputs server-side and that the feature is not currently eligible for Zero Data Retention or HIPAA BAA coverage. Confirm that fit before placing regulated or sensitive workloads on the platform. Define session, upload, event, credential, and derived-output retention; access; deletion; regional requirements; and the evidence required to prove each control.
Operate the complete Claude agent production surface
| Service area | Managed responsibility | Boundary to define |
|---|---|---|
| Sessions and events | Status, queue, stream, interruption, rescheduling, termination, latency, event completeness, history, archive, and deletion. | Supported agents, session volume, hours, SLO, alert source, retention, and restoration authority. |
| Outcome quality | Representative evaluation, transcript review, instruction adherence, factual and task accuracy, unsafe behavior, and release regression. | Use cases, ground truth, metrics, thresholds, reviewers, sample rate, and acceptable residual risk. |
| Tools and MCP | Selection, permission policy, schema, connection, authentication, vault credential, timeout, result, side effect, retry, and rollback. | Allowed tools and servers, least privilege, approval, data or monetary impact, idempotency, and emergency disable path. |
| Environments and sandboxes | Cloud or self-hosted environment, packages, networking, allowed hosts, filesystem behavior, worker health, and environment changes. | Infrastructure owner, image and package versions, egress, region, isolation, patching, availability, and forensic access. |
| Identity and data | API access, vaults, OAuth or bearer credentials, user attribution, secrets, sensitive events, retention, deletion, and access review. | Security authority, ZDR and BAA fit, data classes, residency, credential owner, incident route, and evidence retention. |
| Release and lifecycle | Versioned agent definitions, model, system prompt, skills, tools, MCP servers, environment, client integration, evaluation, rollout, and rollback. | Source of truth, environments, approval, compatibility gate, freeze window, fallback, and acceptance evidence. |
| Usage, cost, and value | Tokens, sessions, duration, tool and external service use, sandbox, storage, evaluation, incidents, and support effort. | Attribution, budget owner, anomaly threshold, rate limits, unit economics, quality trade-off, and optimization authority. |
Turn the event stream into operational evidence
Managed Agents communication is event-based. Persist and correlate the application request, user identity, agent and environment ID, session ID, agent version, model, system configuration, event sequence, tool and MCP operations, token usage, status transitions, outputs, downstream state, and user outcome. Anthropic exposes session, span, and agent events; a session.error event conveys session errors, while console tracing can show content, timestamps, token usage, and tool execution to authorized Developers and Admins.
Monitor the monitor. A closed browser stream is not proof that a session stopped, and a running session is not proof that work is progressing. Detect missing or delayed events, null processing timestamps, stale running sessions, repeated rescheduling, terminated sessions, unusually long tool calls, token spikes, incomplete outputs, and discrepancies between event history and the external system. Preserve evidence before interrupting, redirecting, archiving, deleting, or retrying a session.
MCP connectivity needs its own health model. Anthropic documents that session creation does not validate MCP connectivity or credentials; the session can start and emit connection or authentication errors for the affected server. Decide whether an unavailable tool blocks the task, permits degraded operation, triggers credential rotation, or routes work to a person. Validate the exact MCP URL used for vault credential matching, retry behavior, and the target system state before replaying an action.
Diagnose the session, configuration, sandbox, tools, and business outcome together
| Symptom | Evidence to reconcile | Safe containment | Permanent control |
|---|---|---|---|
| Session terminated or repeatedly rescheduling | Status and error events, event order, agent and environment, model, context, token use, sandbox, tools, external dependencies, rate limits, and recent change. | Preserve history and files; stop new work; route to a known fallback; retry only after classifying side effects. | Synthetic session, failure classification, bounded retries, timeout and progress thresholds, capacity tests, and recovery runbook. |
| MCP connection or authentication failure | Server name and URL, vault ID, credential type and expiry, network, endpoint response, error retry status, tool availability, and task dependency. | Block affected action, rotate or reauthorize credentials, remove tool, or route to manual execution. | Credential-expiry alert, connectivity check, exact-URL validation, least privilege, degraded-mode test, and owner. |
| Wrong, incomplete, or unsafe outcome | User task, event history, model, system prompt, skills, tools, sources, tool results, approvals, output, expected result, and external state. | Interrupt session, disable affected tool, require review, narrow users, or restore the last accepted agent version. | Representative regression set, policy tests, transcript sampling, release gate, approval control, and outcome monitoring. |
| Unexpected tool access or side effect | Effective tool and MCP configuration, permission policy, session-local override, identity, vault, arguments, results, target audit, and config change. | Interrupt, revoke credential, replace tool set, isolate environment, preserve evidence, and invoke security response. | Negative tests, full-replacement config review, least privilege, human confirmation, idempotency, and emergency disable. |
| Latency or token-cost spike | Session duration, event and span timing, model, context, compaction, prompt caching, tool loops, retries, external latency, output size, and workload mix. | Interrupt runaway work, cap steps or budgets, pause schedule, route to a smaller scope, or reduce concurrency. | Per-task budget, anomaly alert, model and prompt evaluation, representative load test, caching review, and unit economics. |
| Release or environment regression | Agent version, session override, model, system, skills, tools, MCP, environment packages and networking, client release, evaluation, and rollback state. | Stop rollout, pin or restore the accepted configuration, pause schedules, and protect affected users. | Immutable release record, pinned dependencies, compatibility tests, canary, approval, and rehearsed rollback. |
Session overrides and updates deserve explicit review. Anthropic documents that override arrays replace rather than merge with the agent definition, and that session-local tool or MCP updates do not propagate to the underlying agent. Record both the reusable agent version and the effective session configuration. Otherwise two sessions can behave differently while appearing to reference the same agent.
Constrain cloud networking and own self-hosted infrastructure explicitly
For production cloud environments, Anthropic recommends limited networking with explicit allowed hosts and least privilege. Decide whether MCP servers and package managers require separate network access. Pin required package versions where reproducibility matters; unpinned packages can resolve to a newer release. Because environments are not versioned, maintain an external change record that identifies the environment configuration used by each accepted release.
A self-hosted sandbox changes the responsibility split rather than removing operational work. The client or service provider must operate the worker, container or isolation layer, network and credential controls, patching, capacity, logs, availability, and recovery. Test the boundary between Anthropic's session service and the self-hosted runtime, including disconnects, stale work, event delivery, state synchronization, shutdown, and forensic evidence.
Onboard one representative portfolio before promising a managed service
- Inventory: agents, versions, models, skills, tools, MCP servers, environments, channels, schedules, vaults, data, owners, users, and business outcomes.
- Fit decision: confirm beta tolerance, ZDR and HIPAA BAA implications, data classes, retention, deletion, region, fallback, and vendor escalation.
- Responsibility: define severity, response and update targets, access, change authority, platform and application ownership, client dependencies, and exclusions.
- Baseline: measure session status, task success, quality, review edits, latency, tokens, tools, external costs, incidents, and event completeness.
- Controls: validate permission policies, MCP credentials, network restrictions, package versions, approvals, evaluation gates, runbooks, and rollback.
- Exercise: rehearse a terminated session, MCP outage, credential failure, unsafe tool attempt, quality regression, cost spike, and platform fallback.
- Transition: run in shadow, accept the steady-state scope, publish escalation routes and service evidence, and prioritize the first improvement backlog.
Start with evidence, not a broad outsourcing promise. Datrick can assess the current Claude Managed Agents estate, define the operating boundary, close the most material control gaps, and transition one portfolio into managed support.
Request an AgentOps scoping reviewOfficial references and adjacent operating guides
- Claude Managed Agents overview and beta/data-retention boundary
- Session event stream and console observability
- MCP connector, vault credentials, and failure behavior
- Cloud environment networking and lifecycle
- How to build a production-ready AI workflow
- Managed human evaluation for AI agents
- Datrick Claude implementation services
Frequently asked questions
What are Claude Managed Agents?
Claude Managed Agents is Anthropic's beta, hosted agent harness and infrastructure for long-running and asynchronous tasks. An agent definition combines a model, system prompt, tools, MCP servers, and skills; sessions run that definition in a cloud or self-hosted environment and exchange persistent events with the calling application.
How do you monitor Claude Managed Agents in production?
Monitor session status and errors, span and agent events, tool calls and results, MCP connectivity, token usage, latency, environment and network state, user-reported outcomes, and recent configuration changes. Preserve session IDs and event history, alert on terminated, rescheduling, stalled, costly, or policy-relevant behavior, and test that telemetry itself is complete.
What does Claude Managed Agents production support include?
A defined service can include session and event monitoring, incident triage, tool and MCP troubleshooting, vault and credential coordination, sandbox and network review, regression evaluation, agent-version and environment change control, cost analysis, runbooks, reporting, and escalation to Anthropic for platform defects. Coverage depends on architecture, telemetry, access, beta behavior, and the accepted responsibility boundary.
How do you secure self-hosted or cloud Claude agent sandboxes?
Apply least privilege to tools, MCP servers, vault credentials, identities, files, packages, and outbound networking; prefer explicit allowed hosts for production cloud environments; separate secrets from reusable agent definitions; test denied actions; retain auditable events; and define containment for credential, data, or tool misuse. Self-hosted environments also require the client to operate the worker infrastructure and its security controls.
How long does Claude Managed Agents support onboarding take?
A focused onboarding commonly takes two to four weeks for a representative agent portfolio. It covers inventory, beta and data-retention fit, responsibility, access, environments, sessions, event collection, tools, MCP and credentials, quality and cost baselines, runbooks, controlled failure exercises, and acceptance of the steady-state support scope.
Need cross-platform ownership under your brand?
Review white-label AI agent managed support for MSPs