Claude Cowork - AI Security Risks

Claude Cowork is one of the most capable AI productivity tools available today. Launched by Anthropic in early 2026, it allows non-technical users to automate complex, multi-step tasks — processing files, generating reports, browsing the web, and interacting with desktop applications — all without writing a single line of code.

For Startups, SMBs, and growing teams, the appeal is obvious: more output, less manual effort. But with great capability comes real security responsibility. This article breaks down the key security risks organizations need to understand before deploying Claude Cowork, and the concrete mitigation actions to put in place.

Anthropic explicitly states that Cowork activity is not captured in Audit Logs, Compliance API, or Data Exports. Conversation history is stored locally on the user's device — not in Anthropic's centralized audit infrastructure. For organizations operating under compliance frameworks, this creates a significant evidentiary gap. Frameworks directly affected:

Because Cowork can read local files and browse the web autonomously, it is vulnerable to indirect prompt injection attacks. A malicious actor can embed hidden instructions inside a document, PDF, or webpage that Cowork processes — redirecting Claude's behaviour without the user's knowledge.

Here is an example: A user receives a file via email with hidden white-on-white text instructing Cowork to locate the user's SSH key and embed it in an expense report. Security researchers have also demonstrated web-based variants where malicious site content silently uploads local files to an attacker-controlled server — using Anthropic's own domain as the outbound channel, bypassing standard DLP and firewall rules.

Cowork operates directly on your computer's file system, accessing any folder you grant permission to. Unlike cloud-based tools, Cowork can read, write, move, and modify local files — including sensitive ones you may not have intended to expose: contracts, financial records, HR data, customer PII, configuration files, credentials, and API keys — often stored casually in Documents, Downloads, or Desktop folders.

Cowork supports MCP (Model Context Protocol) server integrations, which extend Claude's capabilities to external tools and services (Slack, Google Drive, HubSpot, etc.). Each MCP integration represents a third-party dependency — and like open-source software, a compromised or malicious MCP server can introduce risk into your environment.

Instructions embedded in MCP tool results can potentially manipulate Cowork's behaviour, similar to prompt injection via files and websites.

Cowork is easy to install and requires no IT involvement. In organizations without a formal AI Governance and/or Acceptable Use Policy, employees may be using Cowork today — accessing sensitive data, processing client files, and generating outputs — with zero visibility at the organizational level.

This is Shadow AI: the equivalent of Shadow IT, carrying all the same risks: data leakage, compliance exposure, and an inability to respond to incidents because the activity was never tracked.

Cowork is designed to run long, complex tasks autonomously. The desktop app must remain open and the machine must stay awake for the duration. This means employees may initiate a task and walk away — leaving an AI agent executing actions on their behalf with no human in the loop. Without active oversight, consequential actions (file modifications, web submissions, data exports) can occur without timely review.

Anthropic is explicit: do not use Cowork for regulated workloads. This is not a grey area. If your organization is pursuing or maintaining SOC 2, HIPAA, PCI-DSS, CMMC, ISO42001 or ISO 27001, Cowork should be:

Claude Cowork is a genuinely powerful tool — and for non-regulated knowledge work, it can deliver real productivity gains. The risks outlined here are not reasons to avoid it entirely. They are reasons to deploy it deliberately, with AI Governance in place.

The organizations that will benefit most from AI productivity tools are the ones that treat AI Governance as an enabler, not a barrier. If you haven't yet assessed your AI tool risk posture, now is the time.

Learn more at about AI Governance & Risk Assessment