The Slack channel was quiet except for the rhythmic tap of keyboards. Two engineers and a product manager were deep in a debugging session at 11:47 pm, trying to trace why the checkout flow kept timing out for European users. Normally, this would mean juggling screens—pulling logs from Datadog, checking recent commits in GitHub, cross-referencing Jira tickets—all while hoping someone hadn’t accidentally deleted a key environment variable. But tonight, something felt different.

One engineer typed @Claude: check the last 3 deployments to the eu-west-1 cluster for latency spikes and hit enter. Within seconds, Claude responded—not as a personal assistant borrowing someone’s login, but as a quiet presence in the thread. It pulled the deployment history from their internal tooling, spotted a config change from 2:15 am that coincided with the spike, and even drafted a Slack message to the infra team suggesting a rollback. No one had to pass over credentials. No one had to explain the context again. Claude just… knew.

That seamless moment is the quiet revolution behind Anthropic’s new Claude Tag feature. Launched in beta this week, it’s not just another AI chatbot slapped into Slack. It’s a fundamental rethink of how AI permissioning should work in team settings—and it’s already changing how Anthropic’s own engineers build software.

For years, the default approach for workplace AI assistants was simple: when you tagged the bot, it acted as you. It used your Google Drive access, your GitHub token, your calendar permissions. Handy for solo work, but a mess in teams. Imagine three people steering the same AI agent in a channel. Whose permissions should it use? Yours? The pm’s? The intern’s? And what happens when that person logs off, leaves the company, or suddenly loses access to a critical tool? The agent breaks—or worse, becomes a security liability if someone’s overly permissive account becomes the default key to the kingdom.

Anthropic’s solution, detailed in their June 24th blog, is called “agent identity.” Instead of borrowing human credentials, Claude Tag gets its own set of service accounts—provisioned by an admin—for every tool it touches. In Slack, it posts as the Claude app. In GitHub, it opens pull requests as the Claude GitHub App. In your data warehouse? It queries under a warehouse-specific service account the admin set up. No human passwords involved. No impersonation. Just Claude, operating under its own clearly defined identity.

As Rob Seaman, Slack’s GM, put it at the launch: “We’re moving AI from a private back-and-forth into the open channel where the whole team can see what it’s doing and collectively steer it.” The shift isn’t just philosophical—it’s practical. When Claude operates under its own identity, admins gain granular, channel-by-channel control. Want the engineering channel to push code but the legal channel to only read contracts? Done. Need to cut off access to the production database in a general chat, but allow it in the on-call rotation channel? A few clicks in the admin console. And crucially, when Claude logs an action—say, merging a PR—it’s traceable to its service account, not to whoever happened to be online when the request came in. Audit trails suddenly make sense.

This isn’t theoretical for Anthropic. According to Cat Wu, their head of product for Claude Code, internal teams now route roughly 65% of all code changes through an internal version of Claude Tag. It’s not just writing code—it’s triaging support tickets, tracking product metrics, investigating bugs, all while operating asynchronously. Engineers assign a task, walk away to attend a meeting or grab coffee, and come back to find Claude has already pulled relevant logs, proposed a fix, and posted it in the thread for review. The AI isn’t waiting to be poked; it’s working in the background, accumulating context from the channel’s history, and surfacing insights only when useful.

Of course, with great power comes the need for guardrails—which is where the real admin craftsmanship kicks in. Claude Tag doesn’t just give broad access; it forces intentionality. Admins start by defining a baseline identity for the workspace (say, read-only access to non-sensitive docs and Slack history), then tailor it per channel. The marketing team’s channel might get connected to HubSpot and Google Analytics, while the finance channel gets tightly scoped to just the expense-reporting tool and read-only access to the general ledger. Private channels stay isolated—what Claude learns in an HR discussion about salary bands never bleeds into the public #general channel.

And yes, there’s an “ambient mode” where Claude can proactively jump in—flagging a relevant doc from another channel, summarizing a dormant thread, or nudging the team about an upcoming deadline. But smart admins are turning it on only after weeks of observing Claude’s on-demand behavior.

The security mechanics are quietly elegant. When an admin connects a tool—say, Snowflake—the credential isn’t stored in Claude’s brain or even in Anthropic’s vaults. It’s held by a component called Agent Proxy, which injects it at the network boundary only when Claude makes a request, then checks it against an allow-list. If Claude tries to call an unapproved API? Blocked instantly, before the model even sees the raw credential. Every action gets logged twice: once in Anthropic’s systems, and again in the connected tool’s native audit trail (so your GitHub admins still see PRs coming from the “Claude GitHub App” service account).

This model arrives at a critical inflection point. AI agents aren’t just chatbots anymore—they’re becoming autonomous teammates capable of multi-step reasoning and asynchronous work. Anthropic’s internal data shows the length of tasks an agent can reliably complete solo has been doubling roughly every four months. But autonomy without clear boundaries is chaos in a team setting. Agent identity isn’t just a permission tweak; it’s the scaffolding that lets AI scale from personal toy to enterprise infrastructure without turning security teams into nervous wrecks.

Will it work everywhere? Early adopters are already stress-testing it. One fintech company told me they’re using Claude Tag to automate regulatory report drafting—pulling transaction data from their core banking system, policy docs from SharePoint, historical filings from an archive—all while ensuring the AI never touches raw PII. A healthcare startup is experimenting with ambient mode in their patient-support channel, having Claude surface relevant FAQ snippets from Confluence when agents mention specific symptoms.

The real test, though, comes August 3rd. That’s when Anthropic retires the old “Claude in Slack” integration that relied on individual user permissions. Teams still using the legacy setup will need to migrate—or lose access. For admins, it’s a chance to finally clean up the permission sprawl that’s accumulated over years of ad-hoc AI tooling. For everyone else? It’s the moment they realize their AI teammate doesn’t need to borrow their badge to get the job done. It’s got its own.

And somewhere, in a quiet Slack channel at midnight, an engineer is smiling as Claude drops another insight into the thread—no passwords passed, no context re-explained, just work getting done. That’s the quiet magic of agent identity: making the invisible work of permissioning feel, well, invisible. Like it was always supposed to be this way.