Home > All Posts > Anthropic Adds Auto Mode to Claude Code

Anthropic Adds Auto Mode to Claude Code

Mar 25, 2026
by Mike Gingerich
Anthropic Adds Auto Mode to Claude Code

Anthropic unveiled a new “auto mode” feature for Claude Code on March 24, 2026, enabling the AI coding assistant to make permission decisions autonomously while relying on safety guardrails to prevent destructive actions. The feature is available as a research preview for Team plan users, with Enterprise plan and API user access rolling out in the coming days. Auto mode represents a middle path that lets developers run longer tasks with fewer interruptions while introducing less risk than skipping all permissions.

Claude Auto Mode balanced path: fast performance vs safe security with AI automation control interface

Addressing the Permission Approval Problem

Claude Code’s default permissions are purposefully conservative, requiring approval for every file write and bash command, which means developers cannot kick off a large task and walk away since Claude will request frequent human approvals along the way. This design created a dilemma for developers who needed uninterrupted workflows.

While some developers choose to bypass permission checks with the –dangerously-skip-permissions flag, skipping permissions can result in dangerous and destructive outcomes and should not be used outside of isolated environments. The new auto mode feature aims to eliminate this problematic trade-off between safety and productivity.

How Auto Mode Works

Before each tool call runs, a classifier reviews it to check for potentially destructive actions like mass deleting files, sensitive data exfiltration, or malicious code execution. Actions that the classifier deems as safe proceed automatically, and risky ones get blocked, redirecting Claude to take a different approach. If Claude insists on taking actions that are continually blocked, it will eventually trigger a permission prompt to the user.

The classifier runs on Claude Sonnet 4.6, even if the main session uses a different model. This design choice ensures consistent safety evaluations regardless of which model handles the primary coding tasks.

Trust Boundaries and Configuration

Anthropic notes the classifier trusts the local working directory and configured remotes within a git repository, while treating all other resources, including company source control systems, cloud storage, and internal services, as external until they are explicitly defined as trusted. If auto mode blocks routine actions such as pushing to an organization’s repository or writing to a company storage bucket, it may be because the classifier does not recognize those resources as trusted.

Limitations and Recommendations

Anthropic acknowledges that the system is not perfect. Auto mode reduces risk compared to –dangerously-skip-permissions but doesn’t eliminate it entirely, and the company continues to recommend using it in isolated environments. The classifier may still allow some risky actions, for example if user intent is ambiguous, or if Claude doesn’t have enough context about the environment to know an action might create additional risk.

The company says it currently only works with Claude Sonnet 4.6 and Opus 4.6, and recommends using the new feature in isolated environments such as sandboxed setups that are kept separate from production systems, limiting the potential damage if something goes wrong. Auto mode may have a small impact on token consumption, cost, and latency for tool calls.

Availability and Access Control

Auto mode is available in Claude Code as a research preview for Claude Team users, and it works with both Claude Sonnet 4.6 and Opus 4.6. For organizations concerned about governance, administrators can disable auto mode for the CLI and VS Code extension by setting “disableAutoMode”: “disable” in managed settings. Auto mode is disabled by default on the Claude desktop app, and can be toggled on using Organization Settings, then Claude Code.

Developers can run `claude –enable-auto-mode` to enable auto mode, then cycle to it with Shift+Tab. On Desktop and in the VS Code extension, users must first toggle auto mode on in Settings, then Claude Code, then select it from the permission mode drop-down in a session.

Industry Context

The move reflects a broader shift across the industry, as AI tools are increasingly designed to act without waiting for human approval. The challenge is balancing speed with control, where too many guardrails slow things down, while too few can make systems risky and unpredictable. The feature builds on a wave of autonomous coding tools from companies like GitHub and OpenAI, which can execute tasks on a developer’s behalf. But it takes it a step further by shifting the decision of when to ask for permission from the user to the AI itself.

Auto mode comes following Anthropic’s launch of Claude Code Review, its automatic code reviewer designed to catch bugs before they hit the codebase, and Dispatch for Cowork, which allows users to send tasks to AI agents to handle work on their behalf.

Key Facts

  • Auto mode launched March 24, 2026 as a research preview for Claude Team plan users
  • Enterprise and API user access scheduled for rollout within days of initial launch
  • The safety classifier runs on Claude Sonnet 4.6 regardless of the main session model
  • Compatible with Claude Sonnet 4.6 and Opus 4.6 only
  • Administrators can disable the feature through managed settings
  • Anthropic recommends using auto mode only in isolated or sandboxed environments

Sources

Sources

  1. Auto mode for Claude Code | Claude
  2. Auto mode for Claude Code
  3. Anthropic trims action approval loop, lets Claude Code make the call – Help Net Security
  4. Anthropic hands Claude Code more control, but keeps it on a leash | TechCrunch

Related Posts

Subscribe Now