Anthropic shipped Remote Control for Claude Code today — and developers are losing their minds over it. You can now kick off a complex coding session at your desk, walk away, and keep full control from your phone. It’s genuinely impressive engineering.
But before you forward this to your dev team as a cool new tool, your security organization needs to have a very different conversation. Because what just shipped is remote, autonomous, AI-assisted access to local filesystems, tool configurations, and internal integrations — all controllable from a mobile device — in a research preview that already has a known bug on day one.
Let’s talk about what this means for your environment.
What Remote Control Actually Does
Before we critique it, let’s make sure we understand it. Remote Control is a synchronization layer — not cloud computing. Your code never leaves your machine. Anthropic routes a secure tunnel between your local terminal session and the Claude mobile or web interface, so you can see what Claude is doing, redirect it, or shut it down from anywhere.
Here is the documentation on their web site.
Here’s what that looks like technically:
- Session origin: Your local machine. The terminal stays open, your filesystem stays local, and your MCP servers, tools, and project configs remain fully active.
- Connection model: Outbound HTTPS only. No inbound ports open on your machine. Traffic routes through the Anthropic API over TLS using multiple short-lived, scoped credentials.
- Access method: Run ‘claude remote-control’ or ‘/rc’ in a session. A QR code or session URL is generated. Scan it with your phone or open it in any browser.
- Availability: Research preview for Claude Max subscribers ($100–$200/month). Pro access coming soon. Notably absent from Team and Enterprise plans at launch.
On paper, the security architecture is thoughtful. Outbound-only, TLS, short-lived credentials. Anthropic made real choices here. The problem isn’t the architecture. The problem is how this will actually be used in your environment.
The Five Risks Your Security Team Needs to Know
Risk 1: Agentic AI with Persistent Local Access, Now Reachable from Any Mobile Device
Claude Code isn’t a chatbot. It’s an autonomous agent that can read files, execute commands, modify code, and interact with connected systems — all without a person watching every step. That was already a governance challenge when it was desktop-only.
Remote Control extends that access surface to whatever mobile device the developer happens to be using. A personal iPhone. A tablet on a coffee shop WiFi network. A phone that hasn’t had a security update in six months. The session running on your corporate workstation is now reachable from all of those.
If that mobile device is compromised, lost, or borrowed by the wrong person — someone has a window into an active, autonomous agent that has full access to local files and configurations.
Risk 2: Session URLs Are the Only Access Control
Here’s a sentence from Anthropic’s own documentation that should make every security professional pause: the session URL should be treated like a password.
That’s not MFA. That’s not device binding. That’s not a conditional access policy. It’s a URL. URLs get pasted into Slack. They end up in browser history. They get forwarded “just this once” to a contractor who needed to take a quick look.
In an enterprise context, a single shared credential with no device verification, no user re-authentication, and no IP scoping is not a security model. It’s a convenience feature wearing security’s clothes.
Risk 3: Shadow Usage with Zero Organizational Visibility
This is the one that should keep CISOs up at night.
Remote Control is not available on Team or Enterprise plans right now. That means the developers most likely to use it — the ones with complex local environments, custom tool configurations, and access to sensitive internal systems — are using it on personal Pro or Max subscriptions, on corporate machines, with no organizational logging, no DLP coverage, and no audit trail your security team can see.
Your CASB probably isn’t tuned to Anthropic API traffic patterns. Your DLP solution likely has no policy for Claude Code session handoffs. Your acceptable use policy almost certainly doesn’t mention agentic AI tools with mobile remote access. All of that became a gap today.
Risk 4: MCP Server Exposure
MCP — Model Context Protocol — is how Claude Code connects to external tools. Databases. Internal APIs. Third-party services. Code repositories. Productivity tools. When a developer has MCP servers configured locally, Remote Control keeps all of them active and available during a remote session.
That means whoever has session access doesn’t just have access to the code on disk. They potentially have access to everything those MCP integrations can touch. And because Claude is an autonomous agent, it can interact with those integrations on its own — not just when a human explicitly types a command.
This is also where prompt injection risk becomes real at scale. If an attacker can influence what Claude Code reads during a remote session, they can potentially influence what it does.
Risk 5: Research Preview Means Immature Security Posture
Anthropic shipped this today with a known bug: individual Pro and Max subscribers are hitting ‘Contact your administrator’ errors when running the remote-control command. It’s been acknowledged on GitHub. That’s a normal part of any research preview rollout.
But here’s the security framing: research preview software, by definition, has not completed the hardening cycle. Edge cases haven’t been fully exercised. The automatic session reconnection after network drops — while great for developer experience — raises real questions about session persistence, timeout behavior, and what happens when a machine reconnects to a network after being offline.
You’re not evaluating a finished product. You’re evaluating a fast-moving capability that will be in your environment whether you approve it or not.
What Security Leaders Should Do Right Now
I want to be clear about something before I get to the action items: this feature solves a real problem for developers. Decoupling AI-assisted coding from a fixed workstation is genuinely useful. Blanket prohibition without engaging your dev teams will just push the behavior underground. That’s not a win for anyone.
The goal is informed governance, not reflexive restriction. Here’s where to start:
• Update your acceptable use policy today. If your AUP doesn’t specifically address AI coding agents with remote access capabilities and agentic execution on local systems, it’s already behind. This is a new category of tool, not a variation of an existing one.
- Add Claude Code Remote Control to your shadow IT inventory. It’s going into your environment whether you greenlight it or not. Getting visibility now is better than discovering it in an incident review.
- Review MCP server configurations for developers using Claude Code locally. Understand what integrations exist, what systems they touch, and what the blast radius looks like if a session were compromised. Do this before a remote session exposes them.
- Talk to your development teams proactively. Ask them if they’re using it. Ask them how. Build a policy together rather than dropping one on them from above. Security programs that engage developers as partners get far better compliance than those that treat them as the threat.
- Ask your CASB and DLP vendors about Anthropic API visibility. If they can’t tell you what Claude Code traffic looks like in your environment, that’s a gap you need to plan around.
- Watch the Team and Enterprise rollout closely. When Anthropic extends this to those plans, you’ll want organizational controls in place before it lands — not after.
The security model Anthropic designed here isn’t reckless. TLS, outbound-only connections, short-lived credentials — these are real choices that reflect real engineering judgment. But ‘reasonable for a developer tool’ and ‘acceptable enterprise security posture’ are not the same sentence, and confusing the two is how incidents happen.
Developers who want this capability aren’t going to wait for your policy to catch up. Some of them are already using it. The question isn’t whether Remote Control enters your environment. It’s whether your security program is positioned to see it, govern it, and respond to it before something goes wrong.
Get ahead of it.
What controls does your organization have in place for agentic AI tools with local filesystem access? I’d like to hear how security teams are approaching this.
