What this post is really about.
The question that opens the Anthropic Engineering post is one of the oldest in computing: how do you design a system for "programs as yet unthought of"? It is the question that gave birth to operating systems — the insight that you cannot build infrastructure for every application that will ever run on it, so you build an abstraction layer that is stable enough for applications you cannot yet imagine. Managed Agents is Anthropic's answer to the same question, applied to AI agents: how do you build a hosting layer for harnesses, sandboxes, and models that haven't been written yet?
The answer they arrived at is conceptually clean: decouple the three components of an agent — the brain (Claude + harness), the hands (sandboxes and tools), and the session (the append-only log) — so that each can fail, evolve, or be replaced without disturbing the others. This is not a new idea in systems design. It is the idea behind the Unix file abstraction, the virtual machine, and the REST API. What's new is applying it to agents, where the "application" is a large language model and the "hardware" is a combination of inference, execution environments, and external service integrations.
The mental-models pass through this post is rich. Every classic systems-design principle gets a fresh illustration. Some assumptions baked into tightly coupled agent architectures turn out to be wrong. And the post contributes several models that belong in the latticework.
Models the architecture amplifies.
Each layer should own exactly one thing.
Separation of concerns is the architectural principle that each component of a system should be responsible for exactly one concern, and that concerns should not leak across boundaries. Managed Agents implements this three ways: the session owns durability; the harness owns the agent loop and tool routing; the sandbox owns execution and file state. When these were co-located in a single container, every concern leaked into every other. Decoupling made each layer debuggable, replaceable, and independently scalable.
execute(name, input) → string."Cattle survive; pets require nurses.
The pets-vs-cattle analogy is a classic in distributed systems: pets are named, hand-tended, irreplaceable; cattle are interchangeable, disposable, and easily replaced. Anthropic's coupled architecture adopted a pet: one container held the session, the harness, and the sandbox together. When it failed, everything failed. When the container was unresponsive, engineers had to open a shell inside a box that also held user data. Decoupling turned both containers and harnesses into cattle — replaceable by design, debuggable without touching user data.
provision({resources}). We no longer had to nurse failed containers back to health."Credentials should never touch the sandbox.
The principle of least privilege says: give each component exactly the access it needs, no more. In the coupled design, Claude's generated code ran in the same container as service credentials — a prompt injection only had to convince Claude to read its own environment. The structural fix was architectural: auth tokens are either bundled into resources during initialization (Git clones with access tokens already wired in) or held in a vault that the sandbox cannot access. The proxy that calls external services holds the credential; Claude never sees it.
The read() command doesn't know what a disk pack is.
Operating systems lasted decades by virtualizing hardware into abstractions — process, file, socket — general enough for programs that didn't exist yet. The read() command is agnostic to whether it's accessing a 1970s disk pack or a modern NVMe drive. Managed Agents follows the same pattern: execute(name, input) → string is agnostic to whether the "hand" is a Docker container, a phone, or (in the authors' words) a Pokémon emulator. The abstraction is designed to outlast the implementation.
Don't pay upfront for what you might not need.
In the coupled design, every session paid the full container setup cost before inference could begin — even sessions that would never touch the sandbox. Time-to-first-token (TTFT) included container provisioning, repo cloning, and process startup. Decoupling meant containers are only provisioned when a tool call requires them. Sessions that only need inference start immediately. The p50 TTFT dropped ~60%; p95 dropped over 90%. The architectural insight generalizes: don't initialize resources that might not be needed.
Models that tight coupling bends.
Close proximity is not always the faster path.
The engineering intuition is that co-located components communicate faster — file edits are direct syscalls, no service boundaries to cross. Anthropic's initial architecture followed this logic. The problem was that co-location created a pet: a named, irreplaceable server that became a debugging nightmare. The alternative — a thin interface execute(name, input) → string — added a network hop but gained elasticity, debuggability, and the ability to swap implementations. The total latency was lower, not higher, because startup costs were eliminated for sessions that didn't need the sandbox.
The session is not the context window.
The standard model of LLM agents treats the context window as the agent's working memory — everything the agent knows is in the prompt. For long-horizon tasks, this breaks: the task exceeds the window, context must be discarded, and every discard is an irreversible decision. Managed Agents separates these concerns: the session log is a durable, append-only record that lives outside the context window. The agent can interrogate it via getEvents() — fetching positional slices, rewinding, rereading. The context window becomes a view into a larger store, not the store itself.
getEvents(), allows the brain to interrogate context by selecting positional slices of the event stream."Many brains can share many hands.
The natural mental model for an AI agent is one-to-one: one model, one execution environment, one task. Early Managed Agents followed this: one container per brain. As tasks grew more complex, the constraint became apparent — the brain needed to reach into multiple execution environments simultaneously. Decoupling made each hand a named tool. Brains can now hold multiple hands (execute("container-A", ...), execute("phone-B", ...)), and brains can pass hands to one another. The one-to-one assumption was an artifact of implementation, not a requirement of the task.
Models worth adding to the latticework.
Brain-Hand Decoupling.
The architectural principle of separating the reasoning component (brain: the model + its control loop) from the execution component (hands: sandboxes, tools, external services) through a thin, stable interface (execute(name, input) → string). The brain doesn't know what hands exist; the hands don't know what brain called them. This enables: independent failure recovery, independent scaling, composition (many brains, many hands, brains passing hands to each other), and security isolation (credentials stay with the resource, not the brain). Generalizes beyond AI agents to any system where reasoning and execution have different scaling profiles or security requirements.
Harness Obsolescence Rate.
The observation that harnesses — the control loops wrapping LLMs — encode assumptions about model capability that go stale as models improve. A harness built for a model with "context anxiety" becomes dead weight on a model without it. The Harness Obsolescence Rate is the pace at which current harness assumptions need to be revisited as model capabilities change. The insight drives the Managed Agents design: build interfaces that are stable (session, sandbox, harness as separable concerns) and treat any specific harness implementation as ephemeral. A meta-harness is one that accommodates harnesses as yet unthought of.
Structural Credential Isolation.
The pattern of ensuring that credentials are architecturally unreachable from the untrusted execution environment — not by narrowing credential scope (which encodes assumptions about what the model can do with limited tokens), but by making the credential invisible to the execution environment entirely. Auth is bundled into resources during initialization (Git remote with token embedded), or held in a vault that the sandbox cannot query. The proxy pattern: Claude calls MCP tools via a proxy; the proxy fetches credentials from the vault; the sandbox never sees them. Generalizes to any system where generated or untrusted code runs alongside sensitive credentials.
When to reach for which.
Standing in front of an agent architecture decision, a distributed systems design, or a security review — which of these models tells you what to do?
The meta-harness idea.
The most conceptually ambitious claim in the post is that Managed Agents is a "meta-harness" — not a harness for any particular task, but a system that accommodates harnesses for tasks not yet conceived. This is the operating-system ambition, applied to AI. It is also, at bottom, a claim about what should be stable in a rapidly changing system.
We are opinionated about the shape of these interfaces, not about what runs behind them. — Anthropic Engineering, Managed Agents
The latticework lesson is older than AI: the most durable designs are those that identify the right level of abstraction — the level at which the interface can stay stable while implementations churn underneath. read() survived fifty years of storage technology changes. execute(name, input) → string is a bet that it can do the same for agent execution environments. Whether that bet pays off depends on whether the abstraction is at the right level — whether the true invariants of agent work are "a brain, some hands, and a session log" or something else entirely. That is the open question the post leaves on the table, honestly.