Yesterday in London, at its first developer conference outside the United States (Code with Claude), Anthropic announced two new features for its Claude Managed Agents: self-hosted sandboxes in public beta, and MCP tunnels in research preview. The trade press — the French outlets first among them — immediately seized on the sovereignty angle. The Journal du Net wrote about “Anthropic playing the sovereignty card,” while L’Usine Digitale described it as “widening the gap in agentic AI” on European turf.
The narrative is appealing but oversimplified. The two announcements are not equivalent, and even taken together they move the sovereignty needle only a little. Rather than pitting a “marketing” narrative against a “critical” one, let’s try to lay out cleanly what changes, what doesn’t, and where the legal boundary actually lies.
Anatomy of a Claude managed agent: three planes you need to distinguish
To understand the scope of the two announcements, you have to break down what Anthropic calls a Managed Agent into three distinct planes:
- Model inference — every reasoning turn the agent takes invokes the Claude API. Everything that flows through the prompt (instructions, retrieved context, tool observations) is processed by Anthropic’s models, on their infrastructure in the United States.
- Orchestration — the “plan / tool call / observation / replan” loop that Anthropic drives, with context management, retries, and error recovery. This is the “agent loop” in the technical sense.
- Tool execution — the environment where the agent actually does something: running code, reading a file, calling a business API, querying a database.
Before the London announcements, all three planes ran on Anthropic’s side. It is this distribution that poses a problem for the many CIOs with serious confidentiality and sovereignty commitments.

Self-hosted sandboxes: the real novelty
Self-hosted sandboxes (in public beta) move tool execution off Anthropic’s infrastructure. Concretely, the agent calls its tools inside a sandbox that you deploy on your own infrastructure — or with a managed partner like Cloudflare, Daytona, Modal, or Vercel. The code that runs, the file system, the outbound network requests: all of it stays within your perimeter.
This is a genuine step forward. In a team where compliance requires that no business code execute outside the information system (IS), this is precisely the blocker that, until now, prevented using Claude for most agentic use cases. The New Stack notes that the pilot customers Anthropic named — Clay, DoorDash, Rogo — are all American. The European signal is yet to come.
But be careful: the sandbox moves execution, not orchestration or inference. The action plan the sandbox executes is still computed on Anthropic’s side, from prompts that pass through Anthropic’s servers. And the result of the execution is sent back to the Anthropic orchestrator to generate the next turn. So even with a self-hosted sandbox, the relevant data the agent handles transits through Anthropic — on two of every three cycles.
MCP tunnels: network security, not sovereignty
MCP tunnels (in research preview) solve a different problem: allowing the Claude agent to reach a Model Context Protocol server hosted inside your private network — an internal PostgreSQL, a business API, a Zabbix, an IBM i — without exposing it to the internet. You deploy a lightweight gateway in your environment; it establishes a single encrypted outbound connection to Anthropic; Claude reaches your MCP by traversing that tunnel in reverse.
It’s elegant and useful. It’s also exactly the model of Cloudflare Tunnel, Tailscale Funnel, Ngrok, or any reverse enterprise VPN from the past ten years. Anthropic’s merit isn’t inventing something new, but packaging it for its own use case.
But let’s not be mistaken about what gets solved. MCP tunnels reduce your external attack surface; they change nothing about which data ends up being sent to the model. The prompts, the contexts, the tool-call results — everything the tunnel brings back — transit through Anthropic’s servers to be ingested by the model. That’s exactly the point; otherwise the tunnel would serve no purpose.
Three blind spots the “sovereignty” narrative obscures
The CLOUD Act still applies. Anthropic is an American company. U.S. federal authorities can, under warrant, request access to data it holds or processes — wherever it is physically stored. Whether your data arrives via a public endpoint, an outbound tunnel, or a sandbox that re-injects it into a prompt makes no difference on this legal plane. Prem AI’s analysis of AI data residency is clear on this point: U.S. extraterritoriality remains the elephant in the room.
Orchestration remains opaque. Anthropic retains the action plan of each agent and the decision loop. You can log everything that leaves your side through the tunnel and everything that enters the sandbox; you have no independent way to verify what the model actually “thought,” nor who accessed those traces on Anthropic’s side. Auditability remains asymmetric.
The model itself runs in the United States. This is the point that the “Claude in Microsoft 365 Copilot” debate bluntly put back on the table for the European enterprise ecosystem: as long as inference doesn’t run in an EU region (Bedrock Frankfurt, Vertex AI EU), no sandbox and no tunnel solves the fundamental problem for organizations under strict GDPR.
What the most credible analysts say
Simon Willison — one of the most credible voices on the LLM ecosystem in 2026 — also points to a structural problem with MCP that’s worth recalling here: “Tool descriptions take up significant context space in agents, and chaining multiple MCP tools together passes responses through context, consuming more tokens and introducing opportunities for LLM mistakes.” He has even stopped using MCP in his coding workflows in favor of simple CLIs and Python libraries.
On MCP security specifically, Invariant Labs and Willison have also flagged the risk of rug-pull updates: an MCP server can change its behavior after installation without re-validation, because the protocol mandates no signing or versioning of manifests. Tunnel or not, this is a software supply chain issue that neither of the two announcements addresses.
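One practical mitigation for the rug-pull problem is to pin what a server advertised at install time and refuse to load its tools when that changes. The following is an added example, not Anthropic’s or the MCP project’s code; it assumes the client already holds the JSON result of a `tools/list` call as a list of dicts, and the two sample tool lists are constructed.

```python
"""Pin an MCP server's advertised tools and re-verify them on every connect.

Added example, not Anthropic's or the MCP project's code. It assumes the
client already holds the JSON result of a `tools/list` call as a list of
dicts; the two sample tool lists below are constructed.
"""
import hashlib
import json


def fingerprint_tools(tools):
    """Map each tool name to a SHA-256 of its canonical JSON form.

    Canonical = sorted keys, no whitespace: key reordering is not drift,
    but any edit to the description or input schema is.
    """
    fps = {}
    for tool in tools:
        canonical = json.dumps(tool, sort_keys=True, separators=(",", ":"))
        fps[tool["name"]] = hashlib.sha256(canonical.encode()).hexdigest()
    return fps


def diff_manifest(pinned, current):
    """Return {'added', 'removed', 'changed'} lists; all empty means no drift."""
    return {
        "added": sorted(set(current) - set(pinned)),
        "removed": sorted(set(pinned) - set(current)),
        "changed": sorted(n for n in pinned if n in current and pinned[n] != current[n]),
    }


def verify_or_block(pinned, current_tools):
    """Fail closed: (ok, drift). When ok is False the caller loads no tools."""
    drift = diff_manifest(pinned, fingerprint_tools(current_tools))
    return not any(drift.values()), drift


# Constructed sample: the tool set reviewed and approved at install time ...
APPROVED = [
    {"name": "query_db", "description": "Run a read-only SQL query.",
     "inputSchema": {"type": "object", "properties": {"sql": {"type": "string"}}}},
    {"name": "read_file", "description": "Read a file under /srv/data.",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"}}}},
]
PINNED = fingerprint_tools(APPROVED)  # persist this lockfile next to the server config

# ... and the same server after an update silently rewrote one tool description.
UPDATED = [dict(APPROVED[0], description="Run any SQL query."), APPROVED[1]]

if __name__ == "__main__":
    print(verify_or_block(PINNED, UPDATED))
```

The pinned fingerprints stand in for the signing and versioning the protocol does not mandate; re-approval then becomes an explicit act rather than something that happens silently at the next connect.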
The real sovereignty question
For CIOs who are seriously weighing the question — and that’s increasingly the case in 2026 — sovereignty isn’t decided at the level of the pipe, nor even the sandbox. It plays out across three planes in parallel:
- Where does the model run? US (Anthropic SaaS), EU (Bedrock Frankfurt, Vertex AI EU), or on-prem (Mistral, Llama, Qwen).
- Under which jurisdiction? CLOUD Act + Patriot Act, or European GDPR, or French sovereignty in the strict sense.
- What visibility do you have into the orchestration and decision chain? Black box, partial logs, or full reproducibility.
The credible answers today:
- Self-hosted models — Mistral, Llama, Qwen — deployed on your own infrastructure or with a sovereign hosting provider. This is the path we’re exploring at Sensor Factory for our OpsCenter POC, with a Mistral stack under consideration on DGX Spark. The trade-off is raw performance: a local Mistral Large doesn’t play in the same league as a Claude Opus 4.7 on the most complex tasks. But all three planes (model + orchestration + execution) stay under your control.
- Claude on AWS Bedrock EU Frankfurt or GCP Vertex AI EU with appropriate contractual commitments. This is the officially recommended workaround for strict GDPR requirements. You fall back into the extraterritoriality debate as soon as you dig in (AWS is also a U.S. company), but you at least gain data residency.
- A hybrid architecture — a sovereign LLM for requests touching sensitive data, a frontier LLM (Claude, GPT, Gemini) for everything else, with a routing layer that arbitrates based on data classification. This is probably the realistic model for most enterprises in the medium term.
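What the routing layer of that hybrid architecture looks like, as an added example that is not Sensor Factory’s or Anthropic’s code: the model names, endpoints and classification labels are placeholders, and the labels are assumed to come from a data catalogue that tags each source a request touches. The router fails closed, sending anything unlabelled, unknown or carrying inline personal data to the sovereign model.

```python
"""Route an agent request to a sovereign or a frontier LLM by data classification.

Added example, not Sensor Factory's or Anthropic's code. The model names,
endpoints and labels are placeholders; the labels are assumed to come from
the data catalogue that tags each source the request touches.
"""
import re
from dataclasses import dataclass, field

# Ordered from least to most sensitive; the highest label on a request wins.
LEVELS = ["public", "internal", "confidential", "restricted"]
FRONTIER_MAX = "internal"  # anything above this level never leaves the perimeter

ROUTES = {  # placeholder endpoints
    "sovereign": {"model": "mistral-large-local", "endpoint": "https://llm.internal.example"},
    "frontier": {"model": "claude-frontier", "endpoint": "https://api.frontier.example"},
}

# Minimal inline check as a backstop for mislabelled data; a real deployment
# would put a proper DLP scanner or classifier here.
PII_PATTERNS = [re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")]  # e-mail addresses


@dataclass
class Request:
    prompt: str
    source_labels: list = field(default_factory=list)  # labels of touched sources


def classify(req):
    """Highest label among the sources. Unlabelled or unknown labels and
    inline PII are escalated to 'restricted', so the default is sovereign."""
    if not req.source_labels or any(l not in LEVELS for l in req.source_labels):
        return "restricted"
    level = max(req.source_labels, key=LEVELS.index)
    if any(p.search(req.prompt) for p in PII_PATTERNS):
        level = "restricted"
    return level


def route(req):
    """Pick the route and return it with the classification for the audit log."""
    level = classify(req)
    target = "frontier" if LEVELS.index(level) <= LEVELS.index(FRONTIER_MAX) else "sovereign"
    return {"route": target, "classification": level, **ROUTES[target]}


if __name__ == "__main__":
    print(route(Request("Summarise the Q3 roadmap", ["internal"])))
    print(route(Request("Draft a reply to jean@example.org", ["public"])))
```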
In practice
Does that mean you should reject sandboxes and MCP tunnels? No — and I’ll probably use them for some of our deployments. Taken together, they solve one real operational problem: letting a Claude agent reach internal MCPs and execute tools inside the client IS, with no public exposure and no business code leaving the perimeter. For a client that has already chosen to use Claude — and that owns that choice with full awareness of the implications — this is clear progress. Less network plumbing, less exposed surface, faster deployment.
But selling it as an answer to sovereignty is a marketing shortcut that will backfire on whoever makes it. Any reasonably serious CIO will see that as long as inference runs in the US and orchestration stays opaque, the legal perimeter hasn’t moved. That kind of mistake is rarely forgiven in this sort of discussion — especially when facing public-sector procurement or operators of vital importance (OIV) who have their own frameworks to apply (SecNumCloud, ANSSI, the European CRA).
So let’s draw clean distinctions about what we’re doing. Network security, yes: an MCP tunnel closes an entry point. Execution confinement, yes too: the self-hosted sandbox keeps your code within your perimeter. Data sovereignty, no: for that, you have to deal with where the model runs, under which jurisdiction, and the real visibility into the orchestration chain — not with how you bring it its cookies.
Matthieu Noirbusson is co-founder and CEO of Sensor Factory. The company develops the SenHub platform and supports its clients in their monitoring, observability, and AI agent integration projects.