<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Claude-Tag on RockB</title><link>https://baeseokjae.github.io/tags/claude-tag/</link><description>Recent content in Claude-Tag on RockB</description><image><title>RockB</title><url>https://baeseokjae.github.io/images/og-default.png</url><link>https://baeseokjae.github.io/images/og-default.png</link></image><generator>Hugo</generator><language>en-us</language><lastBuildDate>Tue, 14 Jul 2026 12:00:00 +0000</lastBuildDate><atom:link href="https://baeseokjae.github.io/tags/claude-tag/index.xml" rel="self" type="application/rss+xml"/><item><title>Everyone's Excited About Claude Tag. Nobody's Built the Trust Layer.</title><link>https://baeseokjae.github.io/posts/claude-tag-trust-layer/</link><pubDate>Tue, 14 Jul 2026 12:00:00 +0000</pubDate><guid>https://baeseokjae.github.io/posts/claude-tag-trust-layer/</guid><description>Claude Tag gives Slack a shared AI coworker. But its Agent Identity model creates a confused deputy security risk that enterprises are ignoring in the rush to adopt.</description><content:encoded><![CDATA[<p>Anthropic launched Claude Tag on June 23, 2026 — a shared AI agent that lives inside Slack channels as a permanent team member. It watches conversations, remembers context, schedules tasks, and takes action under its own identity. 65% of Anthropic&rsquo;s own product team code is already created by internal Claude Tag instances. The response from the developer community has been electric: at least five open-source alternatives appeared within weeks, and OpenTag hit 672 GitHub stars in its first three weeks.</p>
<p>But here&rsquo;s the problem nobody&rsquo;s talking about: the trust layer doesn&rsquo;t exist yet. Claude Tag&rsquo;s &ldquo;Agent Identity&rdquo; model — where the AI acts under its own persona per channel, not under the requesting user&rsquo;s identity — introduces a textbook confused deputy security risk. And the open-source clones are copying the same architecture without fixing it.</p>
<p>I&rsquo;ve spent the last few weeks digging into the security model, talking to teams who are adopting it, and looking at what a proper trust layer would require. This is what I found.</p>
<h2 id="what-is-agent-identity-and-why-does-it-matter">What Is Agent Identity and Why Does It Matter?</h2>
<p>Claude Tag doesn&rsquo;t impersonate the user who asks it to do something. Instead, each Slack channel gets its own Claude identity with a separate memory store, tool access configuration, and permission scope. When you ask Claude Tag to run a SQL query, it does so as &ldquo;Claude in #engineering-deployments,&rdquo; not as &ldquo;Alice from engineering.&rdquo;</p>
<p>This is a deliberate design choice. Anthropic&rsquo;s reasoning makes sense on the surface: a shared agent needs a stable identity so everyone in the channel can interact with it consistently. If Claude Tag acted as each individual user, you&rsquo;d lose the shared context and persistent memory that makes a team AI coworker useful.</p>
<p>The channel-scoped isolation is also real. Each channel&rsquo;s Claude has its own memory, its own tool bindings, and its own token spend limits. Admins can set per-organization and per-channel budgets. Audit logs track everything Claude has done and who requested each task.</p>
<p>On paper, it sounds reasonable. In practice, it creates a security model that would make any security engineer wince.</p>
<h2 id="the-confused-deputy-problem--claude-tags-security-blind-spot">The Confused Deputy Problem — Claude Tag&rsquo;s Security Blind Spot</h2>
<p>The confused deputy problem is a classic computer security concept: a program with elevated privileges can be tricked by a less-privileged user into abusing those privileges. Claude Tag&rsquo;s Agent Identity model is a textbook example.</p>
<p>Here&rsquo;s the scenario. Your #engineering-deployments channel has a Claude Tag instance with access to your CI/CD pipeline, your production database read-replica, and your incident management system. Alice, a senior engineer, asks Claude to run a deployment. That&rsquo;s fine — Alice is authorized. But Bob from marketing, who happens to be in the channel for a cross-team project, can also ask Claude to &ldquo;run the deployment script.&rdquo; Claude checks its channel-level permissions, sees it has deployment access, and executes — because the permission check is against the channel&rsquo;s Agent Identity, not against Bob&rsquo;s user identity.</p>
<p>The audit log will show &ldquo;Claude in #engineering-deployments ran deployment script, requested by Bob.&rdquo; But the deployment tool itself sees Claude&rsquo;s API key, not Bob&rsquo;s. There&rsquo;s no way for downstream systems to enforce per-user access controls. Claude Tag becomes a privileged backdoor that anyone in the channel can activate.</p>
<p>This isn&rsquo;t theoretical. The PromptQL team published a detailed teardown of Claude Tag&rsquo;s Agent Identity concept and flagged this exact issue. Their assessment: &ldquo;Agent Identity creates audit problems — security and audit is built around users, not Slack channels.&rdquo; They built a production-grade alternative with per-user identity auth in about a day.</p>
<h2 id="why-per-user-identity-is-the-harder-but-correct-path">Why Per-User Identity Is the Harder but Correct Path</h2>
<p>The obvious fix is to enforce user-identity authorization: when Bob asks Claude to run a deployment, Claude should check whether Bob personally has deployment permissions, not whether the channel has them. This is how every other enterprise authorization system works. You don&rsquo;t give a Slack channel an API key to production — you give it to specific people.</p>
<p>But per-user identity is harder to implement for a few reasons:</p>
<ol>
<li>
<p><strong>Token management.</strong> If Claude acts on behalf of Bob, it needs Bob&rsquo;s credentials or a delegated token. That means either OAuth token exchange on every request, or a service-to-service auth model with user assertion. Both are more complex than a single channel-level API key.</p>
</li>
<li>
<p><strong>Context switching.</strong> A shared agent that switches identity per-request loses the simplicity of &ldquo;Claude in this channel knows everything that happened here.&rdquo; You&rsquo;d need to either maintain a shared memory store with per-user access controls, or give each user their own memory scope — which defeats the purpose of a shared coworker.</p>
</li>
<li>
<p><strong>Latency.</strong> Every user-identity check adds a round-trip to your identity provider. At Slack message scale, that adds up.</p>
</li>
<li>
<p><strong>Partial delegation.</strong> Some actions should be channel-scoped (reading channel history, summarizing threads) while others should be user-scoped (writing to external systems, modifying infrastructure). Building a permission model that handles both cleanly is genuinely hard.</p>
</li>
</ol>
<p>None of these are unsolvable. OAuth 2.0 token exchange, SCIM-based group sync, and attribute-based access control (ABAC) have been solving these problems for a decade. But they require infrastructure that Claude Tag doesn&rsquo;t have and that most open-source alternatives aren&rsquo;t building either.</p>
<h2 id="the-open-source-stampede--alternatives-racing-to-fill-the-void">The Open-Source Stampede — Alternatives Racing to Fill the Void</h2>
<p>Within three weeks of Claude Tag&rsquo;s launch, at least five open-source alternatives appeared: OpenTag, Ankole, Elenchus, Earshot, and slack-claude-agent. OpenTag alone hit 672 GitHub stars. The community clearly wants a self-hosted, customizable version of this pattern.</p>
<p>I&rsquo;ve looked at the codebases of the most popular ones. The pattern is consistent: Python or TypeScript, Slack Bolt SDK, a LangChain or custom agent loop, and a single API key for tool access. Almost all of them replicate Claude Tag&rsquo;s Agent Identity model — the agent acts under its own identity with channel-scoped permissions.</p>
<p>The Arcade.dev team published a guide showing how to recreate Claude Tag&rsquo;s core pattern in about a day with Python, Slack Bolt, and their tool-access platform. Their recommendations are sensible: start with one bounded workflow (incident triage, not &ldquo;AI that can do anything&rdquo;), use restricted channels, dedicated identities, human approval for writes, and logging. But even their architecture uses a single agent identity per channel.</p>
<p>The open-source ecosystem is racing to replicate Claude Tag&rsquo;s functionality, but nobody&rsquo;s racing to build the trust layer. Everyone&rsquo;s building the feature that looks good in a demo. Nobody&rsquo;s building the one that prevents the demo from becoming a security incident.</p>
<h2 id="what-a-real-trust-layer-looks-like">What a Real Trust Layer Looks Like</h2>
<p>Based on what I&rsquo;ve seen working in production agent systems — and what&rsquo;s missing from every Claude Tag implementation I&rsquo;ve examined — a proper trust layer needs four components:</p>
<p><strong>1. Identity-aware authorization.</strong> Every action the agent takes must be attributable to the requesting user, not just the agent itself. This means the agent needs to pass user identity tokens through to downstream systems, and those systems need to enforce their own access controls. OAuth 2.0 token exchange (RFC 8693) is the right pattern here — the agent gets a user-asserted token for each action, not a standing agent credential.</p>
<p><strong>2. Action attestation.</strong> Every action the agent performs should produce a verifiable attestation: who requested it, what was done, what the input and output were, and whether any human approval gates were triggered. This isn&rsquo;t just logging — it&rsquo;s cryptographically signed evidence that can be used in compliance audits. The <a href="https://baeseokjae.github.io/posts/microsoft-agent-governance-toolkit-2026/">Microsoft Agent Governance Toolkit</a> is the closest thing to this I&rsquo;ve seen, with sub-5ms deterministic policy enforcement covering all 10 OWASP Agentic AI risks.</p>
<p><strong>3. Human-in-the-loop gates for high-risk actions.</strong> Not every action needs approval. Reading channel history? Fine. Writing to a production database? That needs a human to click &ldquo;approve.&rdquo; The gate should be configurable per action type, per user role, and per channel. The <a href="https://baeseokjae.github.io/posts/secure-ai-agents-least-privilege-2026/">least-privilege architecture I wrote about earlier</a> covers this pattern in detail — scoped tools, short-lived credentials, and approval workflows are the building blocks.</p>
<p><strong>4. Cross-system audit trails.</strong> The problem with Claude Tag&rsquo;s current audit logs is they only cover what Claude did inside Slack. If Claude called your CI/CD system, your deployment tool, and your monitoring stack, you need to trace that action across all three systems. That requires structured correlation IDs passed through every hop, and a centralized audit store that can join events from Slack, your agent runtime, and your infrastructure. The <a href="https://baeseokjae.github.io/posts/owasp-top-10-agentic-applications-2026/">OWASP Top 10 for Agentic Applications</a> lists &ldquo;Insufficient Audit Trail&rdquo; as a distinct risk category for exactly this reason.</p>
<h2 id="the-governance-gap--audit-trails-compliance-and-accountability">The Governance Gap — Audit Trails, Compliance, and Accountability</h2>
<p>Here&rsquo;s the uncomfortable question that every enterprise adopting Claude Tag needs to answer: if an AI agent makes a mistake that costs money or causes a compliance violation, who is accountable?</p>
<p>With Claude Tag&rsquo;s current architecture, the answer is murky. The agent acted under its own identity. The channel had permission. But Bob from marketing asked it to do something Bob shouldn&rsquo;t have been able to authorize. The downstream system saw a valid API call from a trusted agent. Everyone followed the rules as defined, and the result is still a problem.</p>
<p>This is the governance gap. It&rsquo;s not a bug in Claude Tag — it&rsquo;s a missing layer in the entire shared-agent paradigm. And it&rsquo;s the reason I&rsquo;m skeptical of the &ldquo;just deploy Claude Tag and see what happens&rdquo; approach I&rsquo;m seeing in a lot of enterprise Slack channels right now.</p>
<p>Anthropic has acknowledged some of this. The audit logs, token spend limits, and channel-scoped permissions are steps in the right direction. But they&rsquo;re not enough. The zero data retention policy was turned off with Fable 5, meaning chat transcripts are actively analyzed. Claude Tag runs on Opus 4.8 and is only available on Team and Enterprise plans — no free tier. The enterprise pricing implies enterprise-grade security, but the architecture doesn&rsquo;t deliver it yet.</p>
<h2 id="the-bottom-line--excitement-without-trust-is-a-liability">The Bottom Line — Excitement Without Trust Is a Liability</h2>
<p>Claude Tag is genuinely impressive. The ambient behavior, async task scheduling, persistent memory per channel, and multiplayer interaction model are well-designed. 65% internal code generation at Anthropic is a real signal that this pattern works. The open-source community&rsquo;s rapid response shows that the demand is real.</p>
<p>But the trust layer is missing. Not incomplete — missing. Agent Identity without per-user authorization is a confused deputy waiting to be exploited. Open-source clones that copy the same model are multiplying the risk, not solving it. And enterprises that rush to deploy shared AI agents without a proper trust layer are creating audit and compliance problems that will surface months later, when a regulator asks &ldquo;who authorized this action?&rdquo; and the answer is &ldquo;the Slack channel.&rdquo;</p>
<p>If you&rsquo;re building with Claude Tag today, here&rsquo;s my advice: restrict it to read-only channels first. Don&rsquo;t give it write access to anything that could cause real damage. Set up your own audit logging on top of what Anthropic provides. And before you give it production access, make sure you can answer the question &ldquo;who actually authorized this action?&rdquo; — not just &ldquo;which channel was it in?&rdquo;</p>
<p>The technology is ready. The trust layer isn&rsquo;t. And until someone builds it, every shared AI agent in Slack is a liability waiting to be discovered.</p>
<h2 id="faq">FAQ</h2>
<h3 id="what-is-the-confused-deputy-problem-in-claude-tag">What is the confused deputy problem in Claude Tag?</h3>
<p>Claude Tag&rsquo;s Agent Identity model gives each Slack channel a single AI identity with static permissions. Any user in the channel can ask Claude to perform actions using those channel-level permissions, even if the requesting user wouldn&rsquo;t normally have access. This is a classic confused deputy: a privileged program that can be tricked by a less-privileged user into abusing its privileges. The downstream system sees a valid API call from a trusted agent and has no way to enforce per-user access controls.</p>
<h3 id="what-is-agent-identity-in-claude-tag">What is Agent Identity in Claude Tag?</h3>
<p>Agent Identity means Claude Tag acts under its own persona per Slack channel, not under the requesting user&rsquo;s identity. Each channel gets an isolated Claude with separate memory, tool access, and permissions. This enables shared context and persistent memory — everyone in the channel interacts with the same AI coworker — but it creates audit and authorization challenges because the agent&rsquo;s identity is decoupled from the human who requested each action.</p>
<h3 id="what-open-source-alternatives-to-claude-tag-exist">What open-source alternatives to Claude Tag exist?</h3>
<p>At least five open-source Claude Tag alternatives emerged within weeks of launch: OpenTag (672 GitHub stars in 3 weeks), Ankole, Elenchus, Earshot, and slack-claude-agent. Most replicate Claude Tag&rsquo;s Agent Identity model rather than fixing its security limitations. The Arcade.dev team published a guide showing how to recreate the core pattern in about a day with Python and Slack Bolt, but even their recommended architecture uses a single agent identity per channel.</p>
<h3 id="what-should-a-proper-ai-agent-trust-layer-include">What should a proper AI agent trust layer include?</h3>
<p>A proper trust layer needs four components: identity-aware authorization (every action attributable to the requesting user, not just the agent), action attestation (cryptographically signed evidence of every action), human-in-the-loop gates for high-risk actions (configurable per action type, user role, and channel), and cross-system audit trails with structured correlation IDs passed through every hop.</p>
<h3 id="is-claude-tag-safe-for-enterprise-use-today">Is Claude Tag safe for enterprise use today?</h3>
<p>Claude Tag is safe for limited, read-only use cases. Restrict it to channels where it can observe and summarize but not write to external systems. Set up your own audit logging on top of what Anthropic provides. Before giving it production access, make sure you can answer &ldquo;who actually authorized this action?&rdquo; — not just &ldquo;which channel was it in?&rdquo; The enterprise pricing implies enterprise-grade security, but the architecture doesn&rsquo;t deliver it yet.</p>
]]></content:encoded></item></channel></rss>