Home > All Posts > Anthropic launches Auto Mode for Claude Code

Anthropic launches Auto Mode for Claude Code

May 5, 2026
by Mike Gingerich
Anthropic launches Auto Mode for Claude Code

Anthropic launched auto mode for Claude Code in late March 2026, introducing a new permission system that allows developers to run extended AI coding sessions with fewer manual approvals while maintaining safety guardrails. The feature enables multi-step software development workflows with reduced manual intervention, combining automated execution with layered safety mechanisms, including input filtering, action evaluation, and two-stage classification, while maintaining human approval checkpoints for sensitive operations.

Layered safety mechanisms for automated execution: input filtering, action evaluation, and safe guardrails protecting AI a...

The release addresses a persistent friction point in AI-assisted development. Previously, Claude Code relied on a permission-based model where users had to approve most actions, such as running commands and modifying files. While this provided strong safety and control, it introduced friction in longer sessions due to repeated confirmations, leading to approval fatigue where users spent more time managing prompts than focusing on development work.

How Auto Mode Works

Auto mode uses two layers of defense: one for what Claude reads, one for what Claude does. At the input layer, a server-side prompt-injection probe scans tool outputs before they enter the agent’s context. When content looks like an attempt to hijack behavior, the probe adds a warning to the agent’s context before the result is passed along.

At the output layer, the transcript classifier (running on Sonnet 4.6) evaluates each action against a set of decision criteria before it executes, acting as a substitute for a human approver. The classifier runs in two stages: a fast single-token filter (deciding ‘yes’ to block or ‘no’ to allow), followed by chain-of-thought reasoning only if the first filter flags the transcript.

In auto mode, the spinner now turns red when a permission check is triggered, giving a clear visual signal that Claude is pausing for approval. The system uses a two-stage classification approach to balance efficiency and coverage. A fast initial filter processes most tool calls, allowing safe actions to proceed with minimal overhead. Only uncertain or potentially risky operations are escalated to deeper analysis. This improves recall for edge cases while controlling latency and compute cost, while maintaining consistent enforcement of safety and intent alignment.

What Gets Blocked and What Doesn’t

Most actions are allowed prior to the classifier by standard Claude Code allow rules. A fixed allowlist includes tools that can’t modify state, including file reads, text and file-pattern search, code navigation, todo and plan-mode transitions. Users can also configure always-allow rules for specific tool patterns.

The classifier focuses on specific high-risk categories. A classifier reviews each tool call before it runs. Actions deemed safe proceed automatically, while those flagged as potentially destructive (such as mass file deletions, data exfiltration, or malicious code execution) are blocked. If Claude repeatedly attempts blocked actions, it eventually escalates to a manual permission prompt.

Anthropic keeps an internal incident log focused on agentic misbehaviors. Past examples include deleting remote git branches from a misinterpreted instruction, uploading an engineer’s GitHub auth token to an internal compute cluster, and attempting migrations against a production database. Each of these was the result of the model being overeager, taking initiative in a way the user didn’t intend.

Availability and Access

Auto mode was released on March 24, 2026 as a research preview for Team plan users, with rollout to Enterprise and API users in coming days. The feature works with both Claude Sonnet 4.6 and Opus 4.6.

Developers can enable auto mode through multiple interfaces. Developers enable it via `claude –enable-auto-mode` in the CLI, toggling with Shift+Tab, or through settings in VS Code and desktop apps. Enterprise admins can disable it organization-wide with “disableAutoMode”: “disable” in managed settings.

Limitations and Recommendations

Anthropic has been transparent about the feature’s constraints. The classifier may still allow some risky actions when user intent is ambiguous or when Claude lacks sufficient context about the developer’s environment. The company recommends using auto mode in isolated environments and notes a small impact on token consumption, cost, and latency.

Auto mode is a middle path that lets developers run longer tasks with fewer interruptions while introducing less risk than skipping all permissions. Before each tool call runs, a classifier reviews it to check for potentially destructive actions like mass deleting files, sensitive data exfiltration, or malicious code execution. Actions that the classifier deems as safe proceed automatically, and risky ones get blocked, redirecting Claude to take a different approach. If Claude insists on taking actions that are continually blocked, it will eventually trigger a permission prompt to the user.

Auto mode reduces risk compared to –dangerously-skip-permissions but doesn’t eliminate it entirely, and Anthropic continues to recommend using it in isolated environments. The classifier may still allow some risky actions: for example, if user intent is ambiguous, or if Claude doesn’t have enough context about the environment to know an action might create additional risk.

Broader Context

The auto mode launch arrives alongside other recent Claude ecosystem developments. Amazon recently rolled out Claude Code and OpenAI’s Codex to all employees via Amazon Bedrock following internal demand, standardizing access without special approvals. Meanwhile, Anthropic released Claude Design, an AI tool for generating app mockups and website prototypes, and Prismatic launched an open-source plugin for Claude Code to accelerate integration development.

The Figma MCP integration with Claude Code enables bidirectional workflows between designs and code, supporting design systems and editable frames from screenshots. These developments collectively point to an expanding ecosystem of tools designed to reduce manual intervention in software development workflows while maintaining necessary safety controls.

Key Facts

  • Auto mode launched March 24, 2026 as a research preview for Claude Team plan users
  • Uses a two-stage classification system: fast single-token filter followed by chain-of-thought reasoning for flagged operations
  • Compatible with Claude Sonnet 4.6 and Opus 4.6 models
  • Blocks high-risk actions including mass file deletions, data exfiltration, and malicious code execution
  • Enterprise and API access planned for release within days of initial launch
  • Anthropic recommends using auto mode in isolated environments due to potential false positives and negatives
  • Classifier runs on Sonnet 4.6 and operates server-side before actions execute

Sources

Sources

  1. Inside Claude Code Auto Mode: Anthropic’s Autonomous Coding System with Human Approval Gates – InfoQ
  2. Claude Code auto mode: a safer way to skip permissions
  3. Anthropic launches auto mode for Claude Code
  4. Anthropic Expands Claude Code with Auto Mode
  5. Claude Updates by Anthropic – May 2026 – Releasebot

Related Posts

Subscribe Now