Anthropic's Claude Tag for Slack Uses Shared Access Model, Requiring Careful Admin Configuration
Anthropic's Claude Tag AI agent for Slack operates on a unique shared-access model, where administrators configure a single access bundle for the agent rather than relying on individual user credentials.

Anthropic has introduced Claude Tag, an AI agent for Slack designed to operate within channels using a distinct access model that differs significantly from traditional per-user integrations. Instead of leveraging individual user credentials or OAuth tokens, Claude Tag utilizes a shared, admin-configured access bundle. This service-identity pattern means that a single bundle governs the agent's access to connected services, such as GitHub or Google Drive, for all users within a given Slack channel.
This approach positions Claude Tag similarly to other service-identity tools like deploy bots or workflow automations, where a centralized identity manages permissions. When a user tags @Claude in a channel where the agent is present, the agent acts on behalf of this shared identity, not the individual user. Consequently, any user in the channel can interact with Claude and see its output, but the agent's capabilities are strictly defined by the access bundle configured by an administrator.
Administrators play a crucial role in securing Claude Tag deployments. They can meticulously restrict which specific repositories or services Claude Tag can access on a per-channel basis. Furthermore, organization-level controls, such as mandatory claude.ai logins and role-based access control (RBAC), can be enforced to govern who is permitted to interact with the agent. Importantly, simply being invited to a channel where Claude Tag is active does not grant any new permissions to the invited user; their access is solely determined by the admin-configured bundle and organization-level policies.
Claude Tag's operational model contrasts with standard Slack integrations, such as Slack's own GitHub integration. While the latter uses each user's personal GitHub OAuth token, allowing the integration to act with the user's specific permissions, Claude Tag operates differently. In shared channels, the agent is granted its own identity with predefined permissions. For GitHub integrations, this typically involves a Claude GitHub App installation token scoped to an allowlist of repositories specified by the organization owner. For other OAuth connectors like Google Drive, the bundle reuses the OAuth credential of the administrator or owner who initially connected the service.
The access model for Claude Tag is structured in three layers: the Claude Tag installation bound to a Slack workspace, access bundles that group connector credentials, and scopes that define where these bundles are available. An access bundle can be attached to a specific Slack channel, limiting its scope to that channel's context. Anthropic's documentation emphasizes that attaching a bundle to a public channel grants its access to anyone who joins that channel, underscoring the importance of channel join policies as an effective access control mechanism. Elevated credentials should therefore be confined to private channel scopes.
This shared-access paradigm presents both opportunities for streamlined AI integration and potential security challenges if not managed properly. The ability for any channel member to direct an agent with potentially broad access necessitates robust administrative oversight. By carefully configuring bundles, scopes, and organization-level controls, organizations can harness the collaborative power of Claude Tag while mitigating risks associated with unauthorized access or data exposure.
Tenable Research, in collaboration with Anthropic's security team through coordinated disclosure, has provided insights into this access model. Their analysis highlights the critical need for administrators to understand the implications of shared credentials and to implement appropriate security measures to ensure Claude Tag operates within defined boundaries.