The interesting shift in agent infrastructure this year is not a smarter model. It is the question of who holds the dangerous parts: the code execution, the file system, and the connections to internal systems. Anthropic's self-hosted sandboxes and MCP tunnels are a clear statement that the execution layer belongs to the customer, even when the brain stays in the vendor's cloud.

At Code with Claude in London on 19 May — Anthropic's first developer event in Europe — two features landed on Claude Managed Agents. Self-hosted sandboxes, now in public beta, move tool and code execution out of Anthropic's managed cloud and onto infrastructure you control, with ready-made guides for Cloudflare, Daytona, Modal, and Vercel, or a generic worker you run yourself. MCP tunnels, in research preview, let an agent reach Model Context Protocol servers inside your network through a lightweight gateway that opens an outbound encrypted connection, so internal tools never have to face the public internet.

Mechanically, a self-hosted environment is just a work queue. Anthropic enqueues a session; your worker claims it, downloads the agent's skills, runs the tool calls locally, and posts results back. The agent's code, file system, and network egress stay on your side. Orchestration, context management, and the model calls stay on Anthropic's.

Most "private AI" claims fall apart on inspection because the data still round-trips to someone else's compute. This is more honest about where the boundary sits. The blast radius of an agent — the thing that reads your database, writes files, and calls internal APIs — now runs where your existing security, network policy, and audit controls already apply.

It is worth being precise about what does not move. The reasoning loop, the conversation context, and the model itself still live in Anthropic's cloud, and prompts and tool results still cross the boundary in both directions. This is a split-trust hybrid, not an air-gapped deployment — and a few rough edges remain, such as agent memory not yet being supported in self-hosted sandboxes. For many regulated teams the trade is acceptable; for the strictest ones it is not, and no one should let the word "self-hosted" blur the difference.

The direction is clear: frontier vendors are conceding that execution and data access are the customer's territory, and competing on the orchestration brain instead. It is the same logic that pushed inference into private VPCs, applied now to the agent's hands rather than its head.

Expect the next round of differentiation to be operational, not architectural. Queue depth, worker autoscaling, per-session sandbox isolation, and graceful-stop semantics are already in the documentation — these are production concerns, which is a good sign the feature was designed for deployment rather than for a keynote demo.
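To make the earlier description concrete (enqueue, claim, run locally, post results back) together with two of the operational concerns listed here (per-session sandbox isolation and graceful stop), the following is an added, self-contained sketch of a worker loop. It is not Anthropic's worker or SDK: `Session`, `ToolCall`, `Worker`, `process_session` and the in-memory `queue.Queue` standing in for the vendor's session queue are all assumptions made for this illustration, and the two sessions in `demo()` are constructed input.

```python
# Hypothetical self-hosted worker loop (illustration only, not Anthropic's API).
# The in-memory queue stands in for the vendor-side session queue; every class
# and function name below is an assumption made for this example.
import queue
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class ToolCall:
    name: str
    args: dict


@dataclass
class Session:
    session_id: str
    tool_calls: list                                 # calls to execute, in order
    results: list = field(default_factory=list)      # the only data posted back


class SandboxViolation(Exception):
    """A tool call tried to reach outside its session's sandbox root."""


def _resolve_inside(root: Path, user_path: str) -> Path:
    """Resolve user_path under root; refuse absolute paths and '..' escapes."""
    candidate = (root / user_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise SandboxViolation(f"path escapes sandbox: {user_path}")
    return candidate


def run_tool(root: Path, call: ToolCall) -> dict:
    """Execute one tool call locally; only the tools offered here exist."""
    if call.name == "write_file":
        target = _resolve_inside(root, call.args["path"])
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(call.args["content"])
        return {"ok": True, "bytes": len(call.args["content"])}
    if call.name == "read_file":
        target = _resolve_inside(root, call.args["path"])
        return {"ok": True, "content": target.read_text()}
    return {"ok": False, "error": f"unknown tool: {call.name}"}


def process_session(session: Session, sandbox_parent: Path) -> Session:
    """Run one claimed session in a fresh directory that is removed afterwards,
    so nothing written by one session is visible to the next."""
    with tempfile.TemporaryDirectory(dir=sandbox_parent,
                                     prefix=f"{session.session_id}-") as d:
        root = Path(d).resolve()
        for call in session.tool_calls:
            try:
                session.results.append(run_tool(root, call))
            except SandboxViolation as exc:
                # A refused call is reported back as a result; the loop continues.
                session.results.append({"ok": False, "error": str(exc)})
    return session


class Worker:
    """Claims sessions until the queue drains or a stop is requested."""

    def __init__(self, work_queue: "queue.Queue[Session]", sandbox_parent: Path):
        self.queue = work_queue
        self.sandbox_parent = sandbox_parent
        self.stop_requested = False

    def request_stop(self) -> None:
        """Graceful stop: the in-flight session finishes, no new one is claimed."""
        self.stop_requested = True

    def run(self) -> list:
        completed = []
        while not self.stop_requested:
            try:
                session = self.queue.get(timeout=0.1)     # claim
            except queue.Empty:
                break                                     # queue drained
            completed.append(process_session(session, self.sandbox_parent))
            self.queue.task_done()                        # acknowledge
        return completed


def demo() -> list:
    """Constructed input: one well-behaved session and one that misbehaves."""
    parent = Path(tempfile.mkdtemp(prefix="sandboxes-"))
    q: "queue.Queue[Session]" = queue.Queue()
    q.put(Session("s1", [
        ToolCall("write_file", {"path": "notes/a.txt", "content": "hello"}),
        ToolCall("read_file", {"path": "notes/a.txt"}),
    ]))
    q.put(Session("s2", [
        ToolCall("read_file", {"path": "../../etc/passwd"}),   # outside the sandbox
        ToolCall("shell", {"cmd": "id"}),                     # tool not offered
    ]))
    return Worker(q, parent).run()


if __name__ == "__main__":
    for s in demo():
        print(s.session_id, s.results)
```

The points the sketch is meant to surface: the worker never executes anything it was not explicitly offered, every session gets a throwaway root that is checked on each path access, and the only thing that crosses back over the boundary is the `results` list, which is exactly the data the article says still flows to the vendor's side.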

If you parked an agent project because tool execution or internal data could not leave your perimeter, this is the moment to revisit the architecture — but prototype against the real boundary, not a relaxed one, and confirm that keeping only the model loop in the cloud genuinely clears your compliance bar. If your team is trying to move an AI use case from demo to deployment, METECH helps scope, build, and validate the first working system in 2-3 weeks.