Agentic AI

@Claude Just Joined Your Slack. Does It Know Who It's Talking To?

Roee Salomon, CTO & Co-founder of aizomeRoee Salomon· CTO & Co-founder of aizome6 min read

Anthropic launched something impressive this week.

Claude Tag brings an AI agent directly into your Slack workspace as a collaborative team member. Tag @Claude in a channel, delegate a task, and it gets to work - building context over time, working asynchronously, learning from the channels it's in. At Anthropic, 65% of their product team's code is already created by their internal version of Claude Tag. That's not a pilot.

That's a production workflow.

I mean it when I say this is impressive. The capability is real, the use cases are obvious, and the productivity argument is compelling. I can see exactly why teams will adopt this fast.

I can also see exactly where the identity problem starts.

The Channel Is Not an Identity Model

Here is the core architectural issue with Claude Tag as it currently works.

Within a given Slack channel, there is one Claude that interacts with everyone. Anyone in the channel can tag @Claude and ask it anything. Claude will respond in the channel where everyone else can see the response.

Anthropic has addressed this at the channel level. System administrators specify which tools and data the model can access, and through which channels. A Claude set up for sales work won't pass memories to one set up for engineering. Channel-scoped permissions. Reasonable first step.

But channel-level scoping is not a permission model. It is a blunt instrument.

Here is what channel-level scoping cannot answer: when a specific user in a channel asks @Claude for information, does that user have permission to see the response? Not "is this user in the channel" - "is this user authorized to access the data Claude is about to retrieve and share?"

These are different questions. And in enterprise environments, the answer to the second question is rarely the same for every person in the channel.

The Problem Gets Concrete Fast

Consider a Slack channel your Infrastructure and DevOps team uses - a mix of engineers, on-call responders, and a few product managers looped in for visibility. Claude Tag is connected to your cloud infrastructure management tools, your deployment pipeline, and your configuration management system. A product manager asks @Claude to roll back the latest production deployment because of a performance issue they spotted in a dashboard.

Claude executes the request.

Two problems:

First: The product manager had no authorization to initiate a production infrastructure change directly. They couldn't log into the deployment system and do this themselves, because the permission model exists precisely to prevent it. Claude Tag bypassed that control entirely. The channel has access to the deployment tools. The product manager is in the channel. The request goes through.

Second: Every other person in the channel saw the request and the response. Including engineers who might have critical context on why that deployment shouldn't be rolled back. Including stakeholders who are now watching an unauthorized infrastructure change happen in real time.

The action was technically within the channel's tool access. It was completely outside the requesting user's authorization to perform it.

Now move this beyond infrastructure. Imagine Claude Tag connected to your HR system in a people operations channel. Or your financial systems in a finance channel. Or your customer data in a sales channel with mixed seniority and mixed access levels.

The channel-level permission model that Anthropic has built is the right starting point. It is not a complete answer to the enterprise identity problem.

The Developer Exception - And Why It Doesn't Generalize

To be fair to Anthropic's framing, Claude Tag is launching as an evolution of Claude Code. In the pure coding context, a channel of engineers working on the same codebase, the identity problem is less acute. Most engineers share broadly similar permission profiles. They have access to the same repositories, the same development tooling, the same deployment environments.

Even here, it is not perfectly flat. A DevOps engineer has different infrastructure permissions than a backend engineer. A senior engineer may have production access that a junior engineer does not. But the permission surface is narrow enough that channel-level scoping roughly approximates the authorization model that applies, and the blast radius of a mismatch is limited.

The moment Claude Tag moves beyond the codebase into production infrastructure, deployment pipelines, configuration management, cloud resource management - the developer exception starts to break down. As we illustrated above, the gap between what a product manager can do and what an infrastructure engineer is authorized to do is significant. And Anthropic is explicit that the same pattern is "spreading well beyond engineering" - to product metrics, support tickets, debugging, and more, with their roadmap pointing toward Cowork and the full range of enterprise workflows.

Finance channels. HR channels. Legal channels. Executive channels. Customer data channels.

In those environments, the permission surface is not flat. The gap between what an analyst can access and what a director can access, in the same channel, using the same @Claude agent, is significant. And that gap is where the identity problem becomes a real risk.

What's Actually Missing? Here’s a hint: IDENTITY

The identity capabilities Claude Tag currently lacks are significant because the gap is architectural, not just a matter of configuration.

Per-user authorization at query time. When a user tags @Claude and asks a question, the system should evaluate whether that specific user is authorized to see the information Claude is about to retrieve, not just whether the channel has access to the connected tools. This requires binding the request to the identity of the requesting user and evaluating that identity against the permission model of the data source being queried.

Response visibility scoping. In a multiplayer channel, Claude's response is visible to everyone. But the data in that response may not be appropriate for everyone to see. The system needs a mechanism to either scope responses to the requesting user, or evaluate whether the response contains information that exceeds the access rights of other channel members before posting it publicly.

Request attribution and audit. Anthropic notes that administrators can view a log of everything @Claude has done, along with who requested each task. That's necessary. It's not sufficient. A complete audit trail needs to capture not just who asked, but whether they were authorized to ask, what data was retrieved, whether that data was appropriate for the channel audience, and whether any access policy was implicitly bypassed.

Agent identity tied to the requesting principal. In the current model, Claude Tag has a channel-level identity. It acts on behalf of the channel, not on behalf of the individual user who tagged it. In enterprise environments with meaningful permission differentiation between users, the agent's effective identity and the access it can exercise should be scoped to the requesting principal, not the channel.

This Matters More As It Scales

The version of Claude Tag launching today is a coding assistant that also handles metrics and support tickets. The identity gaps are real but manageable in that context.

The version of Claude Tag that is coming, and that Anthropic is clearly building toward, is an enterprise workforce agent operating across every function of the business. That version needs a complete identity model, not a channel-level approximation of one.

The pattern here is one the industry has seen before. A powerful new capability launches with a reasonable first-pass security model. Adoption accelerates because the productivity benefit is real. The security model doesn't keep pace with where the capability gets deployed. Incidents accumulate until governance investment becomes unavoidable.

The identity infrastructure for enterprise AI agents- per-user authorization, response visibility scoping, request attribution, principal-bound agent identity- needs to be built concurrent with the capability, not retrofitted after adoption has already outrun governance.

Claude Tag is an impressive capability. The identity model it needs to be enterprise-safe at scale is the conversation the industry should be having right now.

That conversation is exactly what ARISE - Agentic Runtime Identity Security Enforcement is about.

Roee Salomon is CTO and Co-Founder of aizome, an Enterprise AI Agent Identity Fabric Platform. He previously co-founded and led AxoniusX within Axonius and has held engineering and security leadership positions for over 20 years.


Roee Salomon, CTO & Co-founder of aizome

Roee Salomon

CTO & Co-founder of aizome

Related content

The latest news, technologies, and resources from our team.

  • NIST Just Proved Rules Aren't Enough. Intent-Based Identity Is What Comes Next.

    Darktrace's conclusion from the NIST analysis is that AI security must shift from rules to behavior. This is right. But behavioral detection alone has a limitation that matters for enterprise AI agent governance: it tells you when something looks different. It does not tell you whether what is different is wrong. The answer is not behavior alone. It is identity and intent as the reference layer against which behavior is evaluated.

    Amir Ofek

    Amir Ofek

  • The Enterprise Guide to AI Agent Identity, Governance, and the ARISE Category

    Enterprise AI agents are operating in Finance, HR, Sales, Operations, and IT at organizations across every industry - accessing sensitive data, executing multi-step workflows, and making consequential decisions, often with no human in the loop. The identity and governance infrastructure designed to secure human employees and traditional machine identities was not built for this.

    aizome - Making AI Agents Accountable

  • Why an LLM Is Not the Core Component of Intent Analysis

    Most vendors policing AI agents are using an LLM as the core component of their intent analysis. We think that's the wrong architectural choice - and here's the more nuanced picture of what actually works at production scale.

    Chen Pipek, CPO & Co-Founder, aizome

    Chen Pipek

  • Who Can Say No to Your AI Agent?

    MIT Sloan Management Review asked the question the AI governance industry has been avoiding: who in your organization can say "no" to an AI system doing something it shouldn't, and has the authority to mean it? Most people can't answer it. For enterprise AI agents specifically, it is even harder than it looks. And the reason it's harder reveals exactly what most AI governance programs are still missing.

    Amir Ofek

    Amir Ofek

  • RBAC Is Reaching Its Limit. Intent Is What Comes Next.

    Think of it as a Guardian Agent, a continuous, observant layer whose entire job is to make sure that no matter how fluid an agent's permissions become, it can never veer off course from its approved plan. RBAC defines the boundaries. The Guardian Agent polices them, in real time, for every action, across every session.

    Chen Pipek, CPO and Co-Founder of aizome

    Chen Pipek

Subscribe to the Aizome newsletter

Occasional, substance-first notes on making enterprise AI agents accountable. No spam; unsubscribe anytime.

We use your email only to send you our newsletter. See our privacy policy for how we handle your data. You can unsubscribe at any time.