When we first started evaluating Anthropic’s Claude Cowork, it sounded almost too good to be true. AI that doesn’t just chat, but actually works alongside your team like a real colleague. It can access files, edit documents, organize workspaces, browse the web, and automate repetitive tasks. The productivity upside is clear and exciting.
That said, as we’ve taken a closer look through an enterprise security lens, we’ve identified some meaningful risks that we believe every security and IT leader should be evaluating carefully before rolling this out more broadly.
Unlike traditional chat-based AI tools, Claude Cowork can request direct access to folders and files on users’ computers. While this is what makes it so powerful, it also creates a much larger attack surface.
One overly permissive approval from a team member could expose sensitive customer data, contracts, financial information, or intellectual property. We’ve seen how easy it is for busy employees to grant broad access without fully understanding the long-term implications.
This is one of the issues that concerns us most. Security researchers have already demonstrated how attackers can embed hidden instructions in documents, emails, or web pages. Once Cowork processes that content, it can be tricked into performing actions the user never intended — including quietly exfiltrating files.
These aren’t just theoretical risks anymore. They’re practical vulnerabilities that work against the current version, and they could lead to real data breaches in an enterprise environment.
Even on enterprise plans, data still leaves the organization to reach Anthropic’s servers. The audit logging and monitoring capabilities are still maturing, which makes it difficult for security teams to maintain full visibility into what the AI is doing and why.
For companies in regulated industries like finance, healthcare, or legal services, this lack of transparency and control is particularly problematic right now.
Because the tool feels so helpful and natural to use, people tend to share more with it than they would with other systems. A simple request like “summarize these client files” can quickly involve sensitive or unredacted data.
It’s the helpful-colleague problem on steroids — extremely capable, but without the same understanding of confidentiality and boundaries that a real employee would have.
At the end of the day, Claude Cowork is a powerful piece of technology with real potential to change how teams get work done. But after evaluating it closely, we’ve concluded that the security trade-offs are significant enough that we’re not comfortable rolling it out broadly just yet.
The deep system access, prompt injection risks, and limited visibility for our security team make it a tool we need to handle with a lot of caution. For now, we’re sticking to small, tightly controlled pilots with very clear boundaries and keeping any sensitive data far away from it. I suspect quite a few other companies are taking a similar wait-and-see approach until Anthropic adds stronger enterprise-grade controls.
Castor Security is a leading cybersecurity partner dedicated to providing innovative, transparent security solutions. They strategically identify security gaps, disjointed processes, and vulnerabilities, implementing tailored solutions to fortify your defenses and ensure seamless integration with your existing infrastructure.
To learn more about our customizable solutions, please email Collin McKinzie at [email protected].