Anthropic launched something impressive this week.
Claude Tag brings an AI agent directly into your Slack workspace as a collaborative team member. Tag @Claude in a channel, delegate a task, and it gets to work - building context over time, working asynchronously, learning from the channels it's in. At Anthropic, 65% of their product team's code is already created by their internal version of Claude Tag. That's not a pilot.
That's a production workflow.
I mean it when I say this is impressive. The capability is real, the use cases are obvious, and the productivity argument is compelling. I can see exactly why teams will adopt this fast.
I can also see exactly where the identity problem starts.
The Channel Is Not an Identity Model
Here is the core architectural issue with Claude Tag as it currently works.
Within a given Slack channel, there is one Claude that interacts with everyone. Anyone in the channel can tag @Claude and ask it anything. Claude will respond in the channel where everyone else can see the response.
Anthropic has addressed this at the channel level. System administrators specify which tools and data the model can access, and through which channels. A Claude set up for sales work won't pass memories to one set up for engineering. Channel-scoped permissions. Reasonable first step.
But channel-level scoping is not a permission model. It is a blunt instrument.
Here is what channel-level scoping cannot answer: when a specific user in a channel asks @Claude for information, does that user have permission to see the response? Not "is this user in the channel" - "is this user authorized to access the data Claude is about to retrieve and share?"
These are different questions. And in enterprise environments, the answer to the second question is rarely the same for every person in the channel.
The Problem Gets Concrete Fast
Consider a Slack channel your Infrastructure and DevOps team uses - a mix of engineers, on-call responders, and a few product managers looped in for visibility. Claude Tag is connected to your cloud infrastructure management tools, your deployment pipeline, and your configuration management system. A product manager asks @Claude to roll back the latest production deployment because of a performance issue they spotted in a dashboard.
Claude executes the request.
Two problems:
First: The product manager had no authorization to initiate a production infrastructure change directly. They couldn't log into the deployment system and do this themselves, because the permission model exists precisely to prevent it. Claude Tag bypassed that control entirely. The channel has access to the deployment tools. The product manager is in the channel. The request goes through.
Second: Every other person in the channel saw the request and the response. Including engineers who might have critical context on why that deployment shouldn't be rolled back. Including stakeholders who are now watching an unauthorized infrastructure change happen in real time.
The action was technically within the channel's tool access. It was completely outside the requesting user's authorization to perform it.
Now move this beyond infrastructure. Imagine Claude Tag connected to your HR system in a people operations channel. Or your financial systems in a finance channel. Or your customer data in a sales channel with mixed seniority and mixed access levels.
The channel-level permission model that Anthropic has built is the right starting point. It is not a complete answer to the enterprise identity problem.
The Developer Exception - And Why It Doesn't Generalize
To be fair to Anthropic's framing, Claude Tag is launching as an evolution of Claude Code. In the pure coding context, a channel of engineers working on the same codebase, the identity problem is less acute. Most engineers share broadly similar permission profiles. They have access to the same repositories, the same development tooling, the same deployment environments.
Even here, it is not perfectly flat. A DevOps engineer has different infrastructure permissions than a backend engineer. A senior engineer may have production access that a junior engineer does not. But the permission surface is narrow enough that channel-level scoping roughly approximates the authorization model that applies, and the blast radius of a mismatch is limited.
The moment Claude Tag moves beyond the codebase into production infrastructure, deployment pipelines, configuration management, cloud resource management - the developer exception starts to break down. As we illustrated above, the gap between what a product manager can do and what an infrastructure engineer is authorized to do is significant. And Anthropic is explicit that the same pattern is "spreading well beyond engineering" - to product metrics, support tickets, debugging, and more, with their roadmap pointing toward Cowork and the full range of enterprise workflows.
Finance channels. HR channels. Legal channels. Executive channels. Customer data channels.
In those environments, the permission surface is not flat. The gap between what an analyst can access and what a director can access, in the same channel, using the same @Claude agent, is significant. And that gap is where the identity problem becomes a real risk.
What's Actually Missing? Here’s a hint: IDENTITY
The identity capabilities Claude Tag currently lacks are significant because the gap is architectural, not just a matter of configuration.
Per-user authorization at query time. When a user tags @Claude and asks a question, the system should evaluate whether that specific user is authorized to see the information Claude is about to retrieve, not just whether the channel has access to the connected tools. This requires binding the request to the identity of the requesting user and evaluating that identity against the permission model of the data source being queried.
Response visibility scoping. In a multiplayer channel, Claude's response is visible to everyone. But the data in that response may not be appropriate for everyone to see. The system needs a mechanism to either scope responses to the requesting user, or evaluate whether the response contains information that exceeds the access rights of other channel members before posting it publicly.
Request attribution and audit. Anthropic notes that administrators can view a log of everything @Claude has done, along with who requested each task. That's necessary. It's not sufficient. A complete audit trail needs to capture not just who asked, but whether they were authorized to ask, what data was retrieved, whether that data was appropriate for the channel audience, and whether any access policy was implicitly bypassed.
Agent identity tied to the requesting principal. In the current model, Claude Tag has a channel-level identity. It acts on behalf of the channel, not on behalf of the individual user who tagged it. In enterprise environments with meaningful permission differentiation between users, the agent's effective identity and the access it can exercise should be scoped to the requesting principal, not the channel.
This Matters More As It Scales
The version of Claude Tag launching today is a coding assistant that also handles metrics and support tickets. The identity gaps are real but manageable in that context.
The version of Claude Tag that is coming, and that Anthropic is clearly building toward, is an enterprise workforce agent operating across every function of the business. That version needs a complete identity model, not a channel-level approximation of one.
The pattern here is one the industry has seen before. A powerful new capability launches with a reasonable first-pass security model. Adoption accelerates because the productivity benefit is real. The security model doesn't keep pace with where the capability gets deployed. Incidents accumulate until governance investment becomes unavoidable.
The identity infrastructure for enterprise AI agents- per-user authorization, response visibility scoping, request attribution, principal-bound agent identity- needs to be built concurrent with the capability, not retrofitted after adoption has already outrun governance.
Claude Tag is an impressive capability. The identity model it needs to be enterprise-safe at scale is the conversation the industry should be having right now.
That conversation is exactly what ARISE - Agentic Runtime Identity Security Enforcement is about.
Roee Salomon is CTO and Co-Founder of aizome, an Enterprise AI Agent Identity Fabric Platform. He previously co-founded and led AxoniusX within Axonius and has held engineering and security leadership positions for over 20 years.