Claude Tag brings Claude into Slack as a teammate that can follow a thread, use organization-provisioned tools, and continue work asynchronously. For product, engineering, operations, and support teams, that can accelerate real work. For security, platform, legal, and FinOps teams, the core question is different: what can Claude Tag access, under whose identity, and where do the controls actually apply?
This guide separates the opportunity from the architectural boundary. Claude Tag does not run inside your AWS account. Sessions run in ephemeral sandboxes hosted by Anthropic; outbound requests leave through Anthropic's Agent Proxy; and connected services must be reachable from the internet, even when protected with an IP allowlist. PrivateLink and VPC peering are not supported for Claude Tag connections.
That does not make AWS irrelevant. It changes AWS's role. IAM, CloudTrail, encryption, data classification, controlled APIs, and resource policies protect the systems and data the agent can reach. They do not automatically control Claude Tag memory, Anthropic's runtime, channel configuration, spend limits, or product audit records.
Claude Tag at a glance
| Question | Practical answer |
|---|---|
| What is it? | A Claude experience in Slack where users mention @Claude in channels, DMs, or the assistant panel to delegate work. |
| Who can use it? | According to Anthropic, Claude Tag is in beta for Claude Team and Enterprise plans. |
| What changes in channels? | In channels, Claude uses organization-provisioned service credentials, not the personal credentials of the person who tagged it. |
| What about direct messages? | In DMs and the assistant panel, Claude uses the capabilities enabled in the individual user's Claude account. |
| Where does it run? | In ephemeral sandboxes hosted by Anthropic, with outbound calls routed through Agent Proxy. |
| What is the network constraint? | Connected services must be reachable from the internet. The network requirements documentation says PrivateLink and VPC peering are not supported. |
| How is spend controlled? | Claude Tag administration includes an organization spend cap, per-channel limits, alerts at 75% and 95%, and per-channel analytics. |
| Does AWS Marketplace change the architecture? | No. AWS says Claude Enterprise Marketplace customers receive the same setup, capabilities, and controls as first-party Claude Enterprise. |
What changed from the earlier Claude in Slack
The earlier Claude in Slack experience was closer to a conversation surface. Claude Tag is more operational: it can receive a task in a thread, work with authorized tools, keep relevant context, and return outcomes in the channel. Anthropic also says the earlier Claude in Slack experience is scheduled to switch to Claude Tag on August 3, 2026.
The critical enterprise change is not only the interface. It is identity. When Claude Tag operates in channels, it uses credentials provisioned for the agent by administrators. That enables shared collaboration, but it also creates a simple security rule:
If someone can participate in the channel, they can ask the agent to use the scope assigned to that channel.
That is why channels, Access bundles, service accounts, and connected tools should be designed as production architecture, not as a simple app install.
Where AWS controls apply
AWS matters when the agent reaches systems, APIs, data, or workflows your organization controls. It does not turn Claude Tag into a workload running inside your VPC.
| Layer | Primary control owner | What to review |
|---|---|---|
| Slack workspace and channels | Customer + Slack | Channel membership, public/private classification, app installation, retention, and workspace governance. |
| Claude Tag runtime, memory, and Agent Proxy | Anthropic + customer configuration | Sandboxes, channel memory, spend limits, product audit records, and access configuration. |
| Agent identity | Shared responsibility | Dedicated service accounts, Access bundles, allowed hosts, channel scope, and revocation. |
| AWS resources and APIs | Customer | IAM, API authorization, resource policies, CloudTrail, encryption, data classification, and environment separation. |
| Operating model | Customer | Use-case approval, human review, FinOps, incident response, and periodic recertification. |
Amazon Bedrock Guardrails, CloudWatch, and AWS Budgets can be part of a control architecture when you place an AWS API, proxy, integration, or workload in the path. They do not automatically govern all Claude Tag traffic. For example, Bedrock Guardrails apply when content is evaluated through Bedrock APIs or the ApplyGuardrail API; your architecture has to send the content through that path.
When Claude Tag is a good fit
Claude Tag tends to be a good first option when the goal is fast, visible collaboration in Slack, with corporate tools that can accept internet-reachable access and risks that can be managed through scope, review, and service accounts.
| Good fit | Wait or choose another architecture |
|---|---|
| Ticket triage, incident summaries, approved documentation research, and internal task follow-up. | Workflows that require execution inside your VPC, private-only connectivity, or network isolation Claude Tag does not provide. |
| Reversible actions with human review and low data sensitivity. | Irreversible production actions, financial changes, unapproved deployments, or broad access to sensitive data. |
| Tools with dedicated service accounts, their own logs, and channel-level scope. | Tools that only support personal credentials, broad permissions, or weak auditability. |
| Teams that accept a clear SaaS boundary and want speed inside Slack. | Organizations that need to control orchestration, inference, networking, retention, and policy enforcement in their own infrastructure. |
Choose a low-risk pilot
The first pilot should not prove that Claude Tag is powerful. It should prove that scope, identity, cost, and auditability are manageable.
| Workflow | Risk | Minimum controls |
|---|---|---|
| Summarize approved public or internal documentation | Low | Private pilot channel, limited source set, no external actions. |
| Triage bugs and suggest next steps | Medium | Dedicated ticketing service account, no bulk-change permission, reviewable logs. |
| Read operational metrics and draft a report | Medium | Intermediary API with specific endpoints, aggregated data, rate limits, and CloudTrail where AWS is touched. |
| Open a pull request or change configuration | High | Mandatory human review, protected branch, minimum scope, repository audit trail. |
| Execute production changes | Avoid at first | Consider an AWS-native architecture or governed integration layer before delegating this kind of action. |
How to roll out Claude Tag safely
1. Prepare
Pick one workflow, classify the data, list the channels, assign Security, Engineering, Legal, and FinOps owners, and create dedicated service accounts for each connected tool. Do not start in a broad channel.
2. Pilot
Use a private channel, a limited Access bundle, and tools with least-privilege permissions. Test the least-privileged member in the channel: if that person can invoke the agent to retrieve something they should not see, the scope is wrong.
3. Validate
Review Claude Tag, Slack, connected-tool, and AWS logs when AWS resources are in the path. Correlate the requested task, identity used, external calls made, data consulted, and result returned.
4. Expand
Add channels or tools only when there is evidence on usage, cost, and risk. Each expansion needs an owner, spend limit, data scope, and revocation plan.
5. Operate
Recertify channels, credentials, tools, limits, and memory periodically. Risk changes when a channel gains new members, a tool receives more permissions, or the agent starts taking more sensitive actions.
Costs and FinOps
A monthly cap is not the same as economic control. According to Claude support documentation, channel usage is billed to the organization, while direct messages are billed to the user's own Claude account. Product administration supports organization caps, channel limits, alerts, and per-channel analytics.
For FinOps, separate four numbers:
- Claude Tag spend. Usage by channel and workflow.
- Connected-system cost. Queries, APIs, storage, logs, traffic, and AWS workloads triggered by the agent.
- Operating cost. Review, governance, credential maintenance, and incident response.
- Delivered value. Completed tasks, time saved, avoided rework, and outcome quality.
Claude Tag or an AWS-native agent?
| Requirement | Claude Tag | AWS-native agent |
|---|---|---|
| Shared work directly inside Slack | Strong fit | Requires implementation |
| Runtime inside your AWS environment | No | Can be designed that way |
| VPC-only or PrivateLink connectivity | Not supported for Claude Tag connections | Can be designed where services support it |
| Channel memory and routines | Built into the product | Must be built |
| Full orchestration control | Limited to product controls | Higher customer control |
| Operating burden | Lower | Higher |
Use Claude Tag when speed and Slack collaboration matter more than controlling the runtime. Consider an AWS-native design when private connectivity, custom policy enforcement, direct execution control, or specific retention requirements are mandatory.
Canadian deployment considerations
For Canadian organizations, do not treat AWS Canada resources as evidence of Claude Tag data residency. The location of your AWS systems and the processing behavior of a SaaS product are separate questions. For workflows involving personal information, review the applicable privacy regime, contractual terms, cross-border processing, retention, necessity, proportionality, and safeguards before expansion.
The practical question is: what data enters the channel, what data reaches Claude Tag, which tools can it call, which records remain in each system, and what contractual and policy controls cover each flow?
Frequently asked questions
Does Claude Tag run inside our AWS account?
No. Anthropic's documentation describes sessions in Anthropic-hosted sandboxes. AWS remains important for governing the AWS resources and APIs the agent can reach.
Does buying through AWS Marketplace change the technical controls?
Not architecturally. AWS says Claude Enterprise Marketplace customers receive the same setup, capabilities, and controls as first-party Claude Enterprise. Marketplace can help procurement and billing; it does not move the runtime into your VPC.
Are IAM and CloudTrail enough?
No. They help control and audit actions inside AWS. A complete trail also needs who invoked Claude in Slack, which scope was used, which service credentials were available, which external calls occurred, and what result returned to the channel.
Do Bedrock Guardrails automatically protect Claude Tag?
No. Bedrock Guardrails apply when your architecture sends content to Bedrock for evaluation or through the ApplyGuardrail API.
How Elevata can help
The right review starts with the workflow, not a generic product demo. Bring one candidate use case, the channels involved, the tools the agent would need to access, the data classification, network constraints, and audit requirements.
Elevata can help determine whether to use Claude Tag with its native controls, reduce channel and credential scope, create a governed AWS integration layer, delay the workflow until controls are ready, or build an AWS-native alternative.
Ready to assess Claude Tag precisely? Talk to Elevata about reviewing access control, risk, and the design of your first pilot.
