When Anthropic dropped Claude Managed Agents into public beta back in April, the pitch was straightforward: here’s the infrastructure to run Claude as an autonomous agent without building your own agent loop, tool execution, or runtime. It was the “bring your own model, we’ll handle the plumbing” play. Solid, useful, the kind of thing that makes engineers nod appreciatively.

But the update that landed on June 9th? That’s where things get interesting. Not because it’s flashy—it’s not. There’s no new model, no benchmark-shattering demo, no “AGI is here” energy. Instead, Anthropic added two features that sound almost mundane on paper: scheduled deployments and environment variables in vaults.

Talk to the teams actually using this stuff, though, and you’ll hear something that sounds a lot like relief.

The scheduling problem nobody wanted to solve

Here’s the thing about AI agents in production: they’re surprisingly needy. You build an agent that can analyze your sales data, generate a report, and push it to Notion. Great. Now you need it to run every Monday at 8 am. So you spin up a cron job. Or you set up GitHub Actions. Or you wrestle with AWS EventBridge. Maybe you build a little scheduler service because the existing ones don’t handle “wait, the agent failed halfway through, do I retry?” very well.

Three months later, you’re maintaining scheduling infrastructure instead of building agents.

Anthropic’s answer is almost disappointingly simple: scheduled deployments. You give an agent a cron expression. When it fires, the platform spins up a fresh session, the agent does its thing, and you move on with your life. Pause it, resume it, archive it, trigger an extra run on demand—all from the console. No scheduler to host, no queue to monitor, no “why did this run twice?” Slack threads at 2 am.

Rakuten’s teams are using it for weekly spreadsheet analysis that feeds product managers’ application health metrics without anyone building a dashboard. Ando’s agents watch hiring and sales channels, follow up on proposed next steps, and send meeting reminders—all on a schedule, all without a human poking them. Actively AI, which powers cross-account agentic search for sales teams, straight-up replaced their custom scheduling infrastructure with it. Their co-founder, Mihir Garimella, put it bluntly: “greatly simplified our stack and improved our product cycles.“

That’s the kind of quote you get when you solve a problem people didn’t realize they could stop having.

The secret management problem everyone has

If scheduling is the operational headache, secrets management is the security nightmare. Your agent needs to call the Notion API. Or hit a private database. Or use the Browserbase CLI to spin up a browser session. Where do you put the API key?

Hardcode it? Please don’t. Environment variables in the sandbox? Better, but now the model can see them. One prompt injection away from disaster. A secrets manager? Great, now you’ve got another dependency, another integration, another place where things can go wrong.

Anthropic’s vault system isn’t new—it’s been there for MCP connectors. But extending it to environment variables changes the game for CLI tools. Here’s how it works: you register an API key with an environment variable name and a list of allowed domains. The sandbox only ever sees a placeholder. The real key gets attached at the network boundary, and only on requests to domains you’ve explicitly approved. Rotate the key in the vault, and running sessions pick up the new value on their next call.

The model never sees the secret. The sandbox never holds it. It only goes where you said it could go.

Quan Nguyen, Notion’s Public API Lead, didn’t mince words: “Environment variables in vaults let us securely roll out the Notion CLI, meeting our security team’s strict guidelines by ensuring sensitive API tokens are never handed to agents.” Notion uses this for file-upload capabilities that their MCP tools couldn’t handle alone. Browserbase built their entire public catalog of browser skills on it—scheduled deployments even validate the catalog periodically. KERNEL connects agents to customer databases to flag usage surges in real time. Milana’s AI product engineer accesses customer codebases to find and fix bugs, with Raghav Sethi noting that “large-scale data analysis is now dramatically faster.“

Ziray Hao from Browserbase captured something fundamental: “Environment variables in vaults enabled our engineering team to combine two major compute primitives: the agent and the browser.“

The CLI as integration layer

This is the part that’s easy to miss. Everyone talks about MCP—and rightly so, it’s the emerging standard for connecting agents to tools. But CLIs? CLIs are the unglamorous workhorses of software engineering. They’re everywhere. Every SaaS tool worth its salt has one. They’re scriptable, they’re familiar, and they just work.

Anthropic’s insight: let agents drive existing CLIs directly through a shell. Register the CLI’s auth via vault environment variables, and suddenly your agent can use Notion’s CLI, Browserbase’s browse CLI, KERNEL’s CLI, Ramp’s, Sentry’s—any CLI that sends its key in an HTTP request. No custom integration. No MCP server to build and maintain. The CLI is the integration.

For teams drowning in “build vs. buy” decisions for every tool connection, that’s a genuinely different option.

The bigger picture: agents growing up

Zoom out, and this update tells you where the agent market actually is in mid-2026.

The numbers are staggering by any measure. The AI agents market is projected at $10.9-12 billion this year, growing 44-46% annually through 2030. Gartner says 40% of enterprise applications will embed task-specific agents by year-end—up from under 5% in 2025. But McKinsey’s data shows only 23% of organizations have achieved enterprise-scale agentic deployment. The gap between “we’re experimenting” and “this runs in production” is where the real work lives.

Anthropic’s revenue trajectory—CNBC reported $10.9 billion annualized for Q2 2026, with Claude Code alone doing $2.5 billion—suggests the market is voting with its wallet. But the features shipping now aren’t about raw model capability. They’re about the unsexy scaffolding that makes agents reliable, secure, and operable: scheduling, secrets, audit trails, cost controls, permission scopes.

The teams quoted in Anthropic’s announcement aren’t building demos. They’re running agents that analyze production logs, flag database surges, fix bugs in customer codebases, and refresh sales intelligence daily. They’re doing it with fewer agents, simpler stacks, and security reviews that actually pass.

What comes next

The public beta label means rough edges remain. The documentation is thorough, but the ecosystem is young. Most CLIs don’t yet work with the vault pattern—Browserbase, KERNEL, Notion, Ramp, and Sentry are the early ones. Self-hosted sandboxes exist for teams with strict data residency needs, but the cloud sandbox is the default. The managed-agents-2026-04-01 beta header on every API request reminds you this is still moving fast.

But the direction is clear. The agent harness is becoming infrastructure—boring, reliable, the kind of thing you build on top of without thinking about. Scheduled deployments and vault-backed CLIs aren’t headline features. They’re the features that let you stop worrying about whether the 8 am report ran, or whether the API key leaked, or whether the custom scheduler you built three months ago is going to hold up under load.

In a space defined by hype cycles and benchmark chasing, that’s a strangely radical proposition: make it work, make it safe, make it someone else’s problem to keep running.

The agents aren’t the story anymore. The infrastructure that lets them be boring? That’s the story.