Scaling Managed Agents: Decoupling the brain from the hands

Detailed Analysis

Anthropic's engineering team has published a detailed architectural account of Managed Agents, a hosted service within the Claude Platform designed to run long-horizon AI agents reliably at scale. The core innovation is a deliberate decoupling of three previously entangled components: the "brain" (the Claude model and its controlling harness), the "hands" (sandboxed execution environments where code runs and files are manipulated), and the "session" (a durable, append-only log of all agent events). In the original monolithic design, all three components lived inside a single container. When that container failed, the entire agent state was lost, and engineers had no clean way to debug problems without accessing user data directly — a security and operational dead end. By separating these concerns into distinct interfaces, each component can now fail, be replaced, or be scaled independently without disturbing the others.

The architectural shift draws explicitly on a foundational principle from operating systems design: the virtualization of hardware into stable abstractions that outlast their underlying implementations. Just as the Unix `read()` call remains agnostic about whether it is addressing a 1970s disk pack or a modern SSD, Managed Agents defines interfaces — `execute(name, input)`, `provision({resources})`, `wake(sessionId)`, `emitEvent(id, event)` — that are deliberately indifferent to what runs behind them. This "cattle not pets" philosophy means that a failed sandbox container is caught by the harness as a tool-call error, a fresh container is provisioned from a standard recipe, and the session log provides full context for resumption. Similarly, if the harness itself crashes, a new instance can be rebooted by calling `wake(sessionId)` and replaying the event log from the last recorded state. The result is a system with no durable single points of failure anywhere in the execution path.

Security receives substantial architectural attention in this design. In the coupled model, credentials lived in the same container as Claude's generated code, meaning a successful prompt injection attack could grant an adversary access to tokens capable of spawning unrestricted new sessions — a privilege escalation path that grows more dangerous as models become more capable. The decoupled architecture addresses this structurally rather than through capability constraints: credentials are never made available inside the sandbox where untrusted code executes. For Git operations, repository tokens are used during sandbox initialization and wired into local remotes, so push and pull work without the agent ever handling the raw token. For custom tooling, OAuth tokens are held in a secure vault and accessed via a dedicated MCP proxy, keeping the trust boundary intact regardless of what the agent does inside the sandbox.

The practical performance gains from this redesign are significant. According to Anthropic's own measurements, decoupling reduced Time to First Token by 60% at the median and over 90% at the 95th percentile tail — improvements that reflect the elimination of startup overhead and coordination latency inherent in the monolithic container model. The architecture also enables multi-agent coordination patterns, allowing a primary agent to spawn sub-agents operating in parallel across separate brains and hands, with the session abstraction providing the connective tissue. Crucially, customers who need Claude to operate within their own virtual private clouds can now do so without network peering arrangements, since the hands are simply another pluggable interface rather than a co-located dependency.

This work represents a meaningful maturation point in the trajectory of production AI agents. Earlier agent frameworks were largely research artifacts — brittle harnesses built around the limitations of models at a specific moment in time. The Managed Agents design explicitly acknowledges that model capabilities are a moving target, noting that behaviors like "context anxiety" observed in Claude Sonnet 4.5 had already disappeared in Claude Opus 4.5, rendering harness workarounds obsolete. By encoding as few assumptions as possible about what any particular model can or cannot do, and by treating the infrastructure layer as a stable abstraction over evolving implementations, Anthropic is positioning the platform to absorb future capability improvements without requiring architectural rewrites — a discipline that will likely become a distinguishing factor as the industry moves from experimental deployments toward reliable, long-running autonomous systems.