Anthropic Deploys Claude Tag, an Always‑On AI Coworker Inside Slack Channels
What Happened — Anthropic announced Claude Tag, an “always‑on” instance of its Claude model that lives inside Slack. The AI can read channel context, join threads, remember prior interactions, and autonomously set and complete tasks when invited with @Claude. Each Slack channel can host an isolated Claude identity, and the feature can operate in reactive or proactive (“ambient”) mode.
Why It Matters for Compliance & Audit Readiness
- The continuous, channel‑wide access granted to an external AI model creates a new data‑processing boundary that must be captured in SOC 2 CC 1.1 (Security) and CC 5.2 (Privacy) controls.
- Organizations need evidence of consent, purpose limitation, and data‑retention policies for AI‑driven agents that ingest workplace communications—exactly the type of documentation Verisq’s CookiePLUS privacy module helps collect and attest.
- Monitoring the AI’s activity and ensuring it does not inadvertently expose or retain sensitive information aligns with the continuous‑control monitoring required for a defensible SOC 2 audit trail.
Who Is Affected — SaaS collaboration platforms (Slack, Microsoft Teams), AI service providers, and any enterprise that integrates third‑party agents into internal communication tools (tech, professional services, finance, healthcare).
Recommended Actions
- Conduct a privacy impact assessment for Claude Tag, mapping data flows to SOC 2 CC 5.2 requirements.
- Update Slack and Anthropic integration policies to require explicit user consent and define retention limits for AI‑generated content.
- Enable logging and continuous monitoring of Claude Tag interactions to provide audit evidence of access and data handling.
Technical Notes – Claude Tag operates as a single AI instance per channel, leveraging Slack’s API scopes (e.g., channels:read, chat:write). Anthropic states the model does not access private channels, but ambient mode allows it to “watch” all public channel activity. No CVEs are associated; the risk stems from misconfiguration of permissions and privacy‑policy gaps. Source: ZDNet Security