The promise of enterprise AI agents is straightforward: let the model think, let the code run, and keep everything under your control.

Until now, this promise was hard to deliver. If you wanted Claude to write and execute code for your team, you had two options:

- Run everything on the cloud and accept that your data, your code, and your execution environment live outside your perimeter.
- Build the entire orchestration stack yourself and lose the intelligence that makes managed agents valuable.

Anthropic's self-hosted sandboxes for Claude Managed Agents change that equation. Effectively, this capability outsources the “thinking” while keeping the “doing” on your own infrastructure.

We tested this with OpenShell, an open source project started by NVIDIA where Red Hat is an active contributor. The integration works out of the box, on both a developer laptop with Podman and a Red Hat OpenShift AI cluster. Here is what we learned.

Outsource the thinking, keep the doing

Anthropic runs the orchestration layer, including the Claude model, conversation management, tool routing, and retry logic. You run the execution layer, an environment worker on your infrastructure that polls for tasks, executes them locally, and posts results back.

Layer | Where it runs
Reasoning and orchestration | Anthropic's cloud
Code execution and file access | Your infrastructure

Your data, your files, and your execution results stay on your infrastructure. The model reasons in Anthropic's cloud and sends tool calls to your worker. Everything that matters stays inside your perimeter.

Self-hosting is the right fit when agents need to operate on data that cannot leave your network, reach internal services that are not publicly routable, or run under your organization's own audit controls.

Greater security posture for execution (the where)

Anthropic's self-hosted model solves where code executes, but it doesn’t address the security needs of the execution itself.
The documentation describes the worker model and session lifecycle, but isolation, policy enforcement, and credential protection within the sandbox are the customer's responsibility.

That is the gap OpenShell fills.

OpenShell is an open source sandbox runtime for AI agents, started by NVIDIA, where Red Hat is an active contributor and maintainer. It wraps the execution environment with kernel-enforced defense, including Landlock file system restrictions, seccomp system call filtering, network namespace isolation, per-binary Open Policy Agent (OPA)/Rego network policy, and L7 HTTP inspection through Transport Layer Security (TLS) interception.

Agent-generated code runs more safely, even if the agent itself gets prompt-injected. Here is what that looks like in practice.

Per-binary network policy. OpenShell identifies the exact binary making each outbound connection, verifies its SHA-256 hash, and evaluates policy. A rule can allow the agent runtime to reach api.github.com but deny curl from reaching the same host. If a compromised agent spawns a subprocess to exfiltrate data, the proxy catches it because the subprocess has a different binary hash. Standard containers tell you which pod made a request. OpenShell tells you which binary inside the pod made a request to which URL path.

Credential isolation. Secrets are never stored inside the sandbox. OpenShell's inference routing proxy intercepts outbound model API calls and injects credentials at the network boundary. The agent calls a local endpoint that carries no keys. Even if the agent is compromised, there is nothing to exfiltrate.

Deny-all by default. Every sandbox starts locked down. All network egress denied. All file system paths restricted. All credentials removed. You explicitly grant access to what the agent needs. This posture works in air-gapped environments where the only permitted egress is the poll endpoint for Anthropic's work queue.

Structured denial intelligence.
Blocked connections are not silently dropped. OpenShell deduplicates denials by host, port, and binary, then generates policy proposals with confidence scores. Security teams get visibility into what agents are attempting, and the sandbox learns from its own denials over time.
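
A minimal model of the per-binary, deny-by-default egress check and the denial deduplication described above, added here as an illustration. It is not OpenShell's code or policy format; the names EgressPolicy, sha256_file and demo and the two sample binaries are constructed, and confidence scoring is not modeled.

```python
import hashlib
import os
import tempfile
from collections import Counter

def sha256_file(path):
    """Hash the binary on disk so policy keys on content, not on a path or name."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class EgressPolicy:
    """Deny-all by default; only explicitly granted (hash, host, port) triples pass."""
    def __init__(self):
        self.allowed = set()
        self.denials = Counter()  # (host, port, binary hash) -> blocked attempts

    def allow(self, binary_path, host, port):
        self.allowed.add((sha256_file(binary_path), host, port))

    def check(self, binary_path, host, port):
        digest = sha256_file(binary_path)
        if (digest, host, port) in self.allowed:
            return True
        self.denials[(host, port, digest)] += 1  # repeated denials collapse to one key
        return False

    def denial_report(self):
        """One row per unique (host, port, binary), most frequent first."""
        return [{"host": h, "port": p, "sha256": d, "count": n}
                for (h, p, d), n in self.denials.most_common()]

def demo():
    # Constructed stand-ins for two binaries inside a sandbox.
    tmp = tempfile.mkdtemp()
    agent, curl = os.path.join(tmp, "agent"), os.path.join(tmp, "curl")
    for path, body in ((agent, b"agent-runtime"), (curl, b"curl-binary")):
        with open(path, "wb") as f:
            f.write(body)
    policy = EgressPolicy()
    policy.allow(agent, "api.github.com", 443)
    results = [policy.check(agent, "api.github.com", 443)]
    results += [policy.check(curl, "api.github.com", 443) for _ in range(3)]
    return results, policy.denial_report()

if __name__ == "__main__":
    print(demo())
```

The three blocked attempts from the second binary produce a single report row with a count of 3, which is the kind of record a reviewer could turn into a policy decision.
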
Bringing Claude self-hosted sandboxes to OpenShell on Red Hat AI
Learn how Anthropic's self-hosted sandboxes for Claude Managed Agents allow you to outsource the reasoning while keeping the code execution on your infrastructure. Discover the benefits of OpenShell, an open source sandbox runtime for AI agents, started by NVIDIA where Red Hat is an active contributor.













