Anthropic Releases Auto Mode for Claude Code Agents

Anthropic has shipped auto mode for Claude Code, replacing per-action approval prompts with a two-layer classifier system that lets the agent execute multi-step development tasks without human sign-off while intercepting unauthorized actions.

The previous model required developers to approve most operations—running shell commands, modifying files, calling external tools. Anthropic's data shows users accepted 93% of those prompts anyway. The company calls this "approval fatigue": developers rubber-stamping requests rather than reviewing them. The only alternative was a --dangerously-skip-permissions flag that disabled all guardrails. Auto mode bridges that gap.

The system runs two independent defense layers. An input-layer probe scans every tool output—file reads, shell results, web fetches—before it reaches the agent's context. When content appears to redirect the agent from the user's instruction, a warning is injected so the agent treats it as untrusted. An output-layer classifier running on Sonnet 4.6 evaluates each proposed action before execution in two stages: a fast single-token pass that clears safe actions with minimal overhead, followed by chain-of-thought reasoning only when the first stage flags an operation. Anthropic strips Claude's own messages and tool outputs from the classifier's view to prevent the agent from rationalizing past a block.

Anthropic is targeting overeager behavior and honest mistakes, not misaligned models. The company documents internal incidents: an agent that deleted remote git branches from a vague "clean up old branches" instruction, another that uploaded an engineer's GitHub auth token to a compute cluster after hitting an auth error, and a third that attempted migrations against a production database. Each model solved the problem it understood but overshot the user's intended boundary.

For enterprise teams, auto mode creates a governance wrinkle that predates the technical question. As Mykola Kondratiuk, director at Playtika, said: "With Auto Mode on, the AI is now the approver, not just the actor. Most governance docs still name a human there." Compliance frameworks built around human-in-the-loop approval need to account for classifier-mediated autonomy as a distinct control type.

Orchestrating agents delegate to subagents under the same protection. An outbound classifier checks whether the assigned task aligns with user intent before execution. On return, a second classifier reviews the subagent's full execution history to detect prompt injection or manipulation. If risks are flagged, warnings precede results to the orchestrating agent. This recursive architecture matters for multi-agent pipelines where a compromised subagent could propagate malicious instructions upstream.

The current classifier targets the specific overeager-behavior patterns Anthropic has documented internally. Coverage is incomplete. Anthropic asks users to report cases the classifier misses and will continue expanding evaluation sets and iterating on the safety-versus-cost tradeoff. The fast-filter and chain-of-thought split controls latency and compute cost but means novel edge cases that clear the first stage may not receive deeper scrutiny.

Auto mode does not replace enterprise-level controls—network isolation, credential scoping, and audit logging remain the operator's responsibility. It shifts the approval model: the bottleneck moves from human click-through on every action to a classifier gate on actions that carry risk. For organizations already running Claude Code, updating governance documentation to reflect classifier-mediated approval is the immediate operational task.