Anthropic Rolls Out Auto Mode for Claude Code: Introducing an AI Classifier for Smart Security Reviews
AI safety and research company Anthropic recently released a major update for its AI coding assistant, Claude Code: “Auto Mode.” Currently available as a Research Preview to users on the Team plan, this feature aims to resolve the core conflict between efficiency and security when AI coding agents execute tasks autonomously.
A Middle Path Between Efficiency and Security
Before the introduction of Auto Mode, Claude Code’s permission management operated at two extremes. The default mode required users to manually approve every action, such as file writes and shell command executions. While secure, this approach was inefficient for complex tasks involving many files, like code refactoring. At the other end was the --dangerously-skip-permissions mode, which bypassed all safety checks. It boosted execution speed but exposed the system to potential risks, such as the AI model being tricked into performing destructive actions after reading malicious file content.
Auto Mode emerges as an intelligent compromise between these two extremes. It allows the AI to autonomously assess the risk level of an operation, automatically executing safe actions while blocking and flagging high-risk ones, freeing the user from the role of a “human approval machine.”
The Independent Classifier: The Core of AI-Supervised AI
At the heart of Auto Mode is an independent AI classifier model. This classifier runs on Claude Sonnet 4.6 and operates separately from other models that might be used in the main user session, such as Opus 4.6. Its mechanism is not based on simple rule-matching but on a deep, contextual semantic understanding.
Whenever Claude Code is about to execute a tool call, the classifier receives the user’s original request and the command to be executed, evaluating it along several dimensions:
- Intent Alignment: Is the action consistent with the user’s initial instructions and the conversation’s context?
- Scope Adherence: Does the action go beyond the reasonable scope of the current task?
- Injection Risk: Are there any signs of “injection” or manipulation from malicious instructions within file or web page content?
A key security design is that the results of a tool’s execution (e.g., the content of a read file) are not sent back to the classifier. This isolation mechanism effectively prevents malicious content from influencing the security model via a feedback loop, ensuring the classifier’s judgments remain independent and objective.
Default Security Boundaries and Extensibility

Auto Mode provides a reasonable, out-of-the-box security policy, with common development operations pre-classified.
Default approved operations include:
- Reading and writing local files within the current working directory.
- Installing project dependencies declared in a lock file.
- Reading
.env files and using credentials to access corresponding API endpoints.
- Sending read-only HTTP requests.
- Pushing code to the current Git branch or a new branch created by Claude.
Default blocked high-risk operations include:
- Downloading and directly executing remote scripts (e.g.,
curl | bash).
- Sending sensitive data to unknown external endpoints.
- Deployments to production environments or database migrations.
- Performing bulk deletions in cloud storage.
- Changes to critical permissions like IAM.
- Force pushing or pushing directly to the main branch.
For enterprise users, if the classifier blocks a routine, trusted internal operation (like pushing to an internal repository), administrators can provide environmental context to the classifier via the autoMode.environment configuration. This informs the classifier about what constitutes trusted infrastructure.
Multi-Layered Protection and Fault-Tolerant Design
Auto Mode also incorporates multi-layered protection for Claude Code’s powerful subagent mechanism to handle risks that may arise in parallel tasks.
- Pre-Launch Review: Before a subagent is launched, the classifier assesses the safety of its task description.
- Runtime Monitoring: Every tool call made by a subagent during its lifecycle is evaluated by the same independent classifier used in the main session.
- Post-Completion Audit: After a subagent’s task is finished, the classifier reviews its entire operational history to identify any potential intent drift that occurred during execution.
Furthermore, the mode includes a built-in fault-tolerance mechanism. If the classifier blocks actions 3 times consecutively or 20 times in total within a single session, Auto Mode will pause and revert to manual confirmation mode. This design prevents the session from getting stuck due to repeated false positives. After a user manually approves a blocked action, the counter resets, and Auto Mode can resume. In non-interactive mode, hitting this threshold will terminate the session directly.
Deployment Requirements and Cost Considerations
To enable Auto Mode, users must use Claude Sonnet 4.6 or Claude Opus 4.6 as the main model. It does not currently support Haiku or models provided through third-party cloud platforms like Bedrock or Vertex AI. After an administrator enables the feature in the backend, users can activate it via the command line with claude --enable-auto-mode or through the settings in clients like VS Code.
In terms of cost, each call to the classifier is billed to the user’s token usage, just like the main session. However, since many read-only and local file editing operations are approved by default and don’t require a classifier call, the additional cost is primarily associated with actions like executing shell commands and making network requests. The added latency of a single network round-trip is negligible for long-running coding tasks compared to the time required for manual confirmation.