Managing AI tools on corporate machines, what are the best practices?
Posted by Sweaty-Career330@reddit | sysadmin | 19 comments
We're rolling out Claude Code to our dev team and the sysadmin team is unsure how to manage/monitor it.
Questions for other sysadmins:
- Do you allow Claude Code on corporate machines?
- How do you monitor what it does?
- Do you have policies around what it can/can't do?
- Can you block it from accessing certain networks or APIs?
- How do you handle updates/versioning?
It feels like AI tools are growing faster than our ability to manage them. We can monitor browser activity, API calls, file transfers but Claude Code just runs and we have no visibility.
Has your org figured this out? What's your approach?
Any advice would be helpful.
theapidude@reddit
(Disclaimer: I work here.) Try out https://www.speakeasy.com/. We provide a control plane for enterprises that covers the admin capabilities you listed out. We can do it across Claude, Cursor, Codex and other providers too.
ArchonTheta@reddit
No pricing. No thanks.
StarSlayerX@reddit
Look into Claude Enterprise Plan
https://support.claude.com/en/articles/9797531-what-is-the-enterprise-plan
Sweaty-Career330@reddit (OP)
That's the gap we're addressing, real-time visibility without needing a separate governance platform.
Do most enterprises end up needing Purview or similar? Seems like a lot of extra complexity.
StarSlayerX@reddit
Yes, but Purview is able to ingest logs from other third-party apps through API and that becomes the primary governance platform.
MightBeDownstairs@reddit
Mind pointing me in a direction for Claude setup of this?
bageloid@reddit
There isn’t; Claude Code and Cowork aren’t captured by Anthropic’s APIs. You need a third party to proxy those requests. As I said elsewhere, Prompt Security does this and Harmonic claims they are waiting on a Microsoft driver to be signed to do this. With Prompt Security you can directly ship off the logs to a SIEM or any tool that accepts webhooks if you don’t want it as your governance platform.
bageloid@reddit
The compliance API doesn’t capture Claude Code sessions.
StarSlayerX@reddit
Wrong, please refer here: https://platform.claude.com/docs/en/manage-claude/compliance-api
turbokid@reddit
That does not work for code or coworker in the desktop app. Their documentation says not to use these features if you need an audit trail.
StarSlayerX@reddit
Wrong, please refer here: https://platform.claude.com/docs/en/manage-claude/compliance-api
bageloid@reddit
We are currently in a PoC with Prompt/Harmonic and soon Dash Security.
Prompt captures all the… prompts in Claude Code, they are launching their MCP gateway Monday. Harmonic has an MCP gateway, but isn’t capturing Claude Code prompts, so we will probably move on from them. Dash Security isn’t public yet (a guy on our team is friends with one of the early employees), but we are probably going to do a design partnership for agentic controls, they look strong in this area.
zipsecurity@reddit
Honestly most orgs are still figuring this out and there's no clean answer yet. The most practical visibility you have is network monitoring, Claude Code calls api.anthropic.com, so if you're running a proxy or EDR with network visibility you can at least see it running and how much data is moving. Not content visibility, but it's something.
The bigger lever is defining what data it can touch rather than trying to control the tool itself. Policies that say "don't use Claude Code in repos with PII, credentials, or proprietary data" are more enforceable than blocking the binary, and easier to audit. Put it in your acceptable use policy with clear examples.
On data handling, API usage with Anthropic defaults to zero data retention, but worth confirming your tier and documenting that review for when auditors ask. For versioning, Claude Code auto-updates by default but you can pin versions via npm if you need consistency. The honest reality is that technical blocking rarely works for tools devs actually want to use, they'll find a way around it. Policy plus culture plus network monitoring is where most mature teams are landing right now, with a plan to revisit as the tools and management options evolve.
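The network-level visibility described in the comment above, as an added example that is not part of the original thread: a per-client summary of proxy traffic to api.anthropic.com. It assumes a Squid forward proxy writing its native access.log format, where the size column counts bytes delivered to the client; the log lines and addresses are constructed.

```python
from collections import defaultdict

WATCHED_HOST = "api.anthropic.com"  # endpoint named in the comment above

# Constructed sample lines in Squid's native access.log layout (assumption):
# time elapsed_ms client action/status bytes method target ident hierarchy/peer type
SAMPLE_LOG = """\
1767000000.101   5234 10.0.4.17 TCP_TUNNEL/200 48211 CONNECT api.anthropic.com:443 - HIER_DIRECT/203.0.113.10 -
1767000004.550    812 10.0.4.17 TCP_TUNNEL/200 1934 CONNECT registry.npmjs.org:443 - HIER_DIRECT/203.0.113.20 -
1767000009.020  61044 10.0.4.23 TCP_TUNNEL/200 912044 CONNECT api.anthropic.com:443 - HIER_DIRECT/203.0.113.10 -
1767000011.733      3 10.0.9.5 TCP_DENIED/403 3921 CONNECT api.anthropic.com:443 - HIER_NONE/- text/html
1767000015.480   7710 10.0.4.17 TCP_TUNNEL/200 20500 CONNECT API.Anthropic.com:443 - HIER_DIRECT/203.0.113.10 -
truncated line without enough fields
"""

def target_host(target):
    """Return the lowercase hostname from 'host:port' or a full URL."""
    if "://" in target:
        target = target.split("://", 1)[1]
    target = target.split("/", 1)[0]
    host = target.rsplit(":", 1)[0] if ":" in target else target
    return host.lower().rstrip(".")

def summarize(log_text, watched=WATCHED_HOST):
    """Count tunnels and bytes per client for one exact hostname."""
    stats = defaultdict(lambda: {"allowed": 0, "denied": 0, "bytes": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[4].isdigit():
            continue  # skip truncated or malformed lines
        client, action, size, target = fields[2], fields[3], int(fields[4]), fields[6]
        # Exact match, so look-alike names that merely contain the host are ignored
        if target_host(target) != watched:
            continue
        if action.startswith("TCP_DENIED"):
            stats[client]["denied"] += 1  # blocked attempts are still worth seeing
        else:
            stats[client]["allowed"] += 1
            stats[client]["bytes"] += size
    return dict(stats)

if __name__ == "__main__":
    for client, s in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{client}: {s['allowed']} tunnels, {s['bytes']} bytes, {s['denied']} denied")
```

Without TLS inspection the proxy sees only the CONNECT target, so this reports which hosts talk to the endpoint and how much, not what was sent.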
Loopback76@reddit
Enterprise plan is the way to go for centralized management of policies/configs
autogyrophilia@reddit
The best practice is "Don't do it".
There simply has not been enough time for these processes to mature, so we are going to be learning lessons for a while until someone smart enough writes a book to be regurgitated around.
Try to use common sense and sandbox them as much as you can.
BadSausageFactory@reddit
yeah tell that to our marketing guy who was just promoted to 'AI Strategist'
'ok first thing is we need cowork on every machine so we have agents doing things for us 24 hours a day'
so help me I wish I was kidding
autogyrophilia@reddit
Man you are going to be such a fun paragraph when the O'Reilly book about it comes.
BadSausageFactory@reddit
I would show up at conventions offering to sign it like a minor star wars character
yes that's shitto, two tt's
BoringLime@reddit
I'm not super familiar with the Claude enterprise plan's management side but it does give full metrics and such on the usage by user. We get reports like top users, how many committed lines it has produced by user. But it probably can go further. I feel like the AI tools are evolving faster than any management has. Furthermore, there are so many ways around all the data governance as well, especially if they just type the information in on a personal phone, running on an unlimited data plan.