
Claude Cowork Security: What It Can Access and What It Can't

June 2026 · 8 min read · Technical


When a technically literate buyer asks about Claude Cowork security, they can tell the difference between a precise answer and a reassuring one. So this is the precise version: what Cowork can actually reach, what it cannot, what Anthropic provides on the business plans, and the things we deliberately refuse to promise. In a market where several vendors overclaim, accuracy is the more useful position, and it is the one your IT manager will respect.

How Cowork's access model works

The core principle is that access is granted, never assumed. Cowork does not roam your machine.

  • Folder access is explicit: Cowork touches only the directories you grant it, and nothing else on the machine.

  • Connector access is scoped per integration: mail, calendar, and CRM are each approved separately, not in a single blanket grant.

  • Browser and app control, where used at all, sit behind their own separate permission tiers.

What this means in practice is that the blast radius of Cowork is something you decide, not something you inherit. A workspace scoped to one project folder and two connectors can do a great deal of useful work while being structurally unable to reach anything else.

This is the right place to address a common worry head-on: people assume an AI assistant on their computer can quietly see everything, the way a piece of malware might. That is not the model. Cowork operates inside the permissions you set, and a folder you never grant is a folder it never sees. The mental shift for most IT managers is realising that the controls (scoped access, business logins, and an audit trail) look much like the ones they already apply to staff accounts, rather than something brand new they have to invent.
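The "granted, never assumed" model above, written out as a small default-deny check. This is an added illustration, not Cowork's own code: the `Workspace` class, its folder roots and connector names are all constructed for the example, and it shows why the check has to normalise paths and compare on a path boundary, and why every decision lands in an audit trail.

```python
import posixpath
from dataclasses import dataclass, field


@dataclass
class Workspace:
    """Illustrative model of an explicitly scoped assistant workspace (added
    example, not Cowork's implementation): a default-deny allowlist over folder
    roots and connectors, with every decision written to an audit log."""
    folder_roots: set          # absolute POSIX paths the operator granted
    connectors: set            # integrations approved one at a time
    audit_log: list = field(default_factory=list)

    def _record(self, kind, target, allowed):
        self.audit_log.append((kind, target, "allow" if allowed else "deny"))
        return allowed

    def can_read(self, path):
        # Normalise first so a request like /work/projectA/../../etc/passwd is
        # judged by where it actually lands, not by its prefix. A real enforcer
        # must also resolve symlinks (os.path.realpath) before this check,
        # because a link inside a granted root can point outside it.
        if not posixpath.isabs(path):
            return self._record("folder", path, False)
        norm = posixpath.normpath(path)
        for root in self.folder_roots:
            root = posixpath.normpath(root)
            # Match on a path boundary: /work/projectA must not cover /work/projectAB
            if norm == root or norm.startswith(root.rstrip("/") + "/"):
                return self._record("folder", path, True)
        return self._record("folder", path, False)

    def can_use(self, connector):
        # Connectors are approved individually; there is no wildcard grant.
        return self._record("connector", connector, connector in self.connectors)


def demo():
    # Constructed scope matching the post's example: one project folder, two connectors.
    ws = Workspace(folder_roots={"/work/projectA"}, connectors={"calendar", "crm"})
    results = {
        "in_scope_file": ws.can_read("/work/projectA/notes/brief.md"),
        "traversal": ws.can_read("/work/projectA/../../etc/passwd"),
        "prefix_sibling": ws.can_read("/work/projectAB/secret.txt"),
        "relative": ws.can_read("notes/brief.md"),
        "approved_connector": ws.can_use("crm"),
        "unapproved_connector": ws.can_use("mail"),
    }
    return ws, results
```

The audit log is what turns a silent deny into something a named owner can review, which is the same control the post asks for under logged runs.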

What Anthropic provides on paid business plans

The platform-level assurances matter when your compliance lead asks. The accurate version is this.

  • No training on your data on Team, Enterprise, and API plans, as a contractual position.

  • SOC 2 Type II reporting, admin controls, and audit features on the Enterprise tier.

  • A Sydney office and an announced plan for Australian data residency. State this plainly: residency is announced, not live, and processing currently happens offshore. Any Privacy Act assessment should assume offshore processing today.

We labour the residency point because it is the one most often misrepresented. An announced plan is good news worth tracking, but it is not a control you can claim in an audit today. Design your governance for offshore processing now, and treat onshore residency as an upgrade when it actually ships.

What we deliberately do not promise

Most vendor security pages are a list of promises. Here is our list of refusals, because they are more honest and more useful.

  • That Claude never makes mistakes. No AI tool clears that bar, and a setup that assumes it will is fragile.

  • That client-facing communication can run unsupervised. It drafts; a person approves.

  • That Australian data residency exists today. It is announced, not available.

  • That any AI setup removes the need for human accountability. Someone still owns the outcome.

  • That a tool fixes an undocumented process. Automating a mess just speeds it up.

Why publish refusals at all? Because the gap between what a tool promises and what it can actually do is where incidents are born. A team that believes Claude never errs will stop checking its work, and that is precisely when something slips through. Naming the limits up front keeps the human review in place where it belongs, which is the single most effective control in the whole setup. Honesty here is not a weakness in the pitch. It is the security feature.

The risks that actually matter, and their fixes

The real risks with Cowork are mostly operational rather than exotic, and each has a straightforward fix.

  • Over-broad folder grants. Fix it with a dedicated, scoped workspace rather than pointing Cowork at the whole drive.

  • Shadow AI on staff personal accounts. Fix it with business accounts and a one-page policy, so work data is not flowing through someone's private login.

  • Silent automation failures. Fix it with logged runs and a named owner who reviews them.

  • Sensitive data in prompts. Fix it with written paste rules tied directly to your Privacy Act obligations.

A sensible assessment path

None of this needs to be heavy. A half-day governance review before rollout maps the grants, writes the paste rules, and names the owners. That costs a fraction of the roughly $500,000 a typical Australian privacy incident response runs once legal and notification costs land. It is the cheapest insurance in the whole project, and it is the step most rushed rollouts skip.

We run governance-first Cowork implementations for businesses across Sydney and the rest of Australia. If you want the productivity without the exposure, book a call and we will start with the governance review.
