.png)
Claude doesn't live in one place anymore. Between the Compliance API, Managed Agents, and MCP servers going mainstream, Claude's footprint expanded into six distinct surfaces in the space of a few months. Most security teams are still watching one of them.
Each surface introduces its own risk:
Fragmented audit trails: Claude Enterprise's chat surface logs the connection, not the prompt. A finance analyst can pull a quarter of board materials into a conversation, and the audit log shows only that the conversation happened.
Standing agent access: Managed Agents run on a schedule with write access to Salesforce, Slack, and your data warehouse, often with no human in the loop. When something goes wrong, the failure mode is hundreds of automated actions before anyone reads the alert.
Unmanaged API keys: The Claude Platform Console sits outside the chat surface entirely, which is exactly why it gets missed. A key minted six months ago and never rotated can still hold live access nobody remembers granting.
There's no CIS Benchmark or NIST mapping for Claude yet, the kind every other major infrastructure category your team governs already has.
This Guide closes that gap. It maps all six Claude surfaces to the mitigation that closes each one, and shows how Reco gives you the inventory, identity mapping, and threat detection to govern Claude at scale.
Reco is listed by Anthropic as a security integration for the Claude Compliance API.
Download today and get Claude governed.