Outer Limits AI

Enterprise settings framework

A starting point for configuring Claude Cowork in a company. Eight questions, each with a recommended answer. Bring this to your IT, security, and legal teams to align on a posture before turning anything on.

Baseline concerns this framework addresses

The realistic risks the eight questions are designed to cover.

  1. An employee pastes confidential customer data into a prompt.
  2. Claude sends an email or Slack message without anyone reviewing it.
  3. Company strategy ends up in a conversation used for model training.
  4. Claude accesses shared drives and modifies or deletes a file.
  5. Claude drafts a wrong answer and it goes straight to a client.
  6. A new employee connects every app and lets Claude take actions on day one.

Two background notes

Context that shapes the recommendations below.

On zero retention vs. risk of prompting customer data. With enterprise zero retention and training off, the data isn't exposed to Anthropic or other customers. The risks that remain are real but different in shape:

  • Downstream amplification — once Claude has the data in a session, it can paste it into Slack, attach it to a Jira ticket, or write it to a connected drive, broadening exposure inside your tenant.
  • Contractual/regulatory — many customer DPAs, HIPAA BAAs, and financial-services agreements restrict which sub-processors are permitted to handle the data at all, regardless of retention.
  • Tenant-internal exposure — the prompt sits in the user's transcript history, may appear in admin audit logs, and may be shared via shared sessions or scheduled tasks.

Zero retention solves the “trained-on” risk, not the “where does it travel next” or “are we contractually allowed to send it” risks.

On training and retention windows. Training on your data: almost no enterprise upside (you'd be improving a model others use); the right answer is essentially always off. Retention window: real upside — incident investigation, compliance/eDiscovery, debugging failed automations, and proving what an action actually did. The honest enterprise posture is training off, retention on but minimized — typically 30–90 days, admin-only access.

The framework

Eight questions, each with a recommended answer.

1. Which data classes are permitted in prompts?

Recommended

Tiered allow/deny.

  • Public and internal: allowed.
  • Customer PII: allowed only where the underlying customer agreement permits AI sub-processing.
  • Regulated data (HIPAA-protected, full SSNs, financial account numbers, payment cards): prohibited.

Pair with input-side PII detection that warns the user before submit.
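
A sketch of the input-side check for the prohibited tier, added here as an illustration (it is not part of any product's configuration). It covers only full SSNs and payment cards; the function names and the "warn"/"allow" return values are assumptions, and the sample values in the test are constructed.

```python
import re

# Two of the "regulated" identifiers the framework prohibits in prompts.
# HIPAA data and account numbers need context-aware detection beyond regex.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_prompt(text: str) -> list[dict]:
    """Return findings as type and character span only.

    The matched value is never copied into the finding, so a finding
    can be written to the audit log without leaking the data itself.
    """
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append({"type": "ssn", "span": m.span()})
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        # Luhn filters out order numbers and other long digit runs.
        if luhn_ok(digits):
            findings.append({"type": "payment_card", "span": m.span()})
    return findings


def pre_submit_check(text: str) -> tuple[str, list[dict]]:
    """Return ("warn", findings) if regulated data is detected, else ("allow", [])."""
    findings = scan_prompt(text)
    return ("warn" if findings else "allow"), findings
```

The spans let a client highlight the offending text in the prompt box before the user submits.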

2. Training and retention posture?

Recommended

Training on enterprise data: off. Conversation retention: 30–90 days, admin-only access, with a documented eDiscovery process. This preserves the ability to investigate incidents without leaving sensitive content sitting indefinitely.

3. Default action permissions for outbound communications and code execution?

Recommended

Send email, post to Slack/Teams, run code, make purchases — all blocked by default at the tenant level. Claude may compose drafts in those tools but the human clicks send. Per-user upgrade requires manager approval and is logged.

4. File-system actions — how to allow productivity without enabling destructive mistakes?

Recommended

  • Read and edit allowed within the user's personal namespace (their own Drive/OneDrive folder, their own inbox).
  • Deletes route to trash only — never permanent.
  • Bulk operations above ~10 files require per-action confirmation.
  • Shared team drives default to read-only; write access requires admin opt-in.
  • Designated folders (Finance, Legal, Customer Data) are non-writeable by Claude regardless of user role, so version history always provides recovery.
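
The five rules above written as a single decision function, added here as an illustration (not a product API). The path layout (`/home/<user>`, `/shared/...`), the `FileAction` type, the decision strings, and the choice to apply the bulk threshold only to edits and deletes are all assumptions.

```python
import posixpath
from dataclasses import dataclass

BULK_THRESHOLD = 10                      # framework: "above ~10 files"
SHARED_ROOT = "/shared"                  # assumed path layout
PROTECTED = ("/shared/Finance", "/shared/Legal", "/shared/Customer Data")


@dataclass
class FileAction:
    user: str
    op: str                              # "read", "edit" or "delete"
    paths: list
    shared_write_opt_in: bool = False    # admin opt-in for team-drive writes


def _under(path: str, root: str) -> bool:
    return path == root or path.startswith(root + "/")


def decide(action: FileAction) -> tuple:
    """Return (decision, effective_op); decision is allow, confirm or deny."""
    if action.op not in ("read", "edit", "delete"):
        return ("deny", action.op)       # unknown operations fail closed
    home = f"/home/{action.user}"
    writing = action.op in ("edit", "delete")
    # A delete is never permanent: it is rewritten to a trash move.
    effective = "move_to_trash" if action.op == "delete" else action.op
    for raw in action.paths:
        path = posixpath.normpath(raw)   # collapse ".." before any prefix check
        if _under(path, home):
            continue                     # personal namespace: read and edit
        if not _under(path, SHARED_ROOT):
            return ("deny", effective)   # outside both namespaces (assumed default)
        if writing and any(_under(path, p) for p in PROTECTED):
            return ("deny", effective)   # designated folders, any user role
        if writing and not action.shared_write_opt_in:
            return ("deny", effective)   # shared drives default to read-only
    if writing and len(action.paths) > BULK_THRESHOLD:
        return ("confirm", effective)    # per-action confirmation for bulk writes
    return ("allow", effective)
```

Normalizing before the prefix checks matters: a path that starts in the user's own folder but climbs out with `..` into Finance is evaluated against where it actually lands.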

5. Connector catalog — who can install what?

Recommended

Admin-curated allowlist; users cannot self-install MCPs or plugins. Each catalog entry ships pre-scoped (see #6). New connectors require a security review before being added to the catalog. This puts governance in the catalog, not in a per-employee approval queue.

6. Default permission scope for each connector?

Recommended

  • Read-only on first connection.
  • Communication tools (Gmail, Slack, Calendar) are draft-only.
  • Write scopes are limited to the user's personal namespace.
  • Send, post, delete, and purchase capabilities require an explicit per-connector upgrade approved by a manager.
  • No connector ships with full access on by default.

7. New-user defaults and progressive access?

Recommended

Three tiers.

  • Day one (Observer): read-only connectors, no actions, no external communication.
  • After short training module + 30 days (Contributor): scoped-write on personal namespace, drafts-only on comms.
  • By manager request (Operator): expanded scopes, individually approved and logged.

Auto-revert to the lower tier after 90 days of inactivity in the higher tier.

8. Audit, monitoring, and incident response?

Recommended

Log every prompt, tool call, file touched, and message drafted or sent (retention per #2). Flagged events — deletes, external sends, PII detection hits — reviewed within 24 hours by IT security. Incident playbook: revoke session, revoke connector, restore via version history, notify legal if external data was involved.

Concern-to-question coverage map

Which questions address which baseline concern.

Baseline concern                            | Primary question(s)
Confidential customer data in prompts       | 1, 2
Claude sends messages without review        | 3, 6
Strategy in training data                   | 2
Claude modifies or deletes shared files     | 4, 5, 6
Wrong draft reaches a client                | 3, 6
New employee with full access on day one    | 5, 6, 7
Cross-cutting verification of all the above | 8