Anthropic imposes metered usage caps on Claude Managed Agents

Anthropic is tightening how customers consume Claude-powered agents as the economics of long-running AI workloads collide with flat monthly subscriptions. Axios reported on May 14 that the company is imposing new limits on what paying users can do with Claude subscriptions, part of a broader move to meter agent use rather than treat it as unlimited. (axios.com) The change lands weeks after Anthropic introduced Claude Managed Agents on April 8 as a hosted service for “long-horizon agent work” on the Claude Platform. (research.checkpoint.com) In that launch post, Anthropic described Managed Agents as a cloud service built around sessions, harnesses and sandboxes so developers can run agents on Anthropic’s infrastructure rather than their own. (anthropic.com) Security scrutiny has risen alongside that product push. CryptoBriefing reported this week that four research teams independently found trust-boundary problems across Claude-related surfaces, including findings tied to remote code execution and credential theft. (axios.com) ### What exactly is Anthropic changing in subscriptions? Axios reported on May 14 that Anthropic is putting Claude agents “on a meter” across subscriptions, tightening what paying customers can do under fixed-price plans. The report said the move gives rival OpenAI an opening to court heavy users as autonomous agents consume far more compute than ordinary chat usage. (anthropic.com) VentureBeat reported on May 14 that Anthropic had reinstated some third-party agent usage on Claude subscriptions, but with a credit-style constraint: inefficient agents would burn through a user’s Agent SDK budget faster instead of drawing unlimited value from a monthly plan. That report framed the change as a way to cap runaway usage from autonomous tools. (cryptobriefing.com) ### Why are agent workloads harder to price than normal chat? Anthropic’s own research and product posts describe a shift toward longer, more autonomous sessions. In a March research post on agent autonomy, the company said the 99.9th percentile Claude Code turn duration nearly doubled between October 2025 and January 2026, from under 25 minutes to over 45 minutes. (axios.com) Anthropic said on May 6 that it had doubled Claude Code’s five-hour rate limits for Pro, Max, Team and seat-based Enterprise plans, removed peak-hours limit reductions for Pro and Max, and raised API rate limits for Claude Opus models. In the same announcement, the company said a SpaceX compute deal would add more than 300 megawatts of capacity, or more than 220,000 Nvidia GPUs, within a month. (venturebeat.com) ### What is Claude Managed Agents, and why does it matter here? Anthropic said on April 8 that Managed Agents is a hosted Claude Platform service for long-running agents. The company said it virtualized three components — session, harness and sandbox — so underlying implementations can change without breaking the interface developers use. (anthropic.com) Anthropic’s product material for financial-services customers says Managed Agents includes long-running sessions, scoped permissions, managed credential vaults and cloud-hosted deployment. Those details matter because they show Anthropic is selling not just model access, but an operating environment for agents that can act over time and touch enterprise systems. (anthropic.com) ### What are the security researchers saying about trust boundaries? Check Point Research said on February 25 that vulnerabilities in Claude Code allowed attackers to achieve remote code execution and steal API credentials through malicious project configuration files. (anthropic.com) The researchers said hooks, Model Context Protocol servers and environment variables could be abused to bypass trust controls and redirect authenticated API traffic. Dark Reading reported that CVE-2026-21852 affected Claude Code versions prior to 2.0.65 and enabled API credential theft via malicious project configurations. CryptoBriefing said the broader pattern pointed to trust-boundary failures across multiple Claude surfaces, not just a single isolated bug. (www-cdn.anthropic.com) VentureBeat reported on May 12 that four security teams published findings within 48 hours that described the same “confused deputy” pattern across three Claude surfaces. That report said the issue was not limited to one interface, but recurred wherever Claude was allowed to act on behalf of a user with broad permissions. (research.checkpoint.com) ### Did Anthropic signal any next step beyond the caps? Anthropic’s May 6 update pointed to more capacity as one response. The company said the SpaceX agreement would improve capacity for Claude Pro and Claude Max subscribers, while separate Amazon, Google-Broadcom, Microsoft-Nvidia and Fluidstack deals would add more infrastructure through late 2026 and 2027. (darkreading.com) Anthropic’s own engineering posts point to ongoing changes in how agent systems are run. The April 8 Managed Agents post said the company had moved away from putting all agent components in a single container after finding that failure of one container could wipe out a session, and it described stable interfaces as a way to keep changing the underlying harness. (venturebeat.com) May 14 is the clearest public marker for the pricing shift, while version 2.0.65 is the key security patch marker cited by researchers. Anthropic’s next visible milestones are likely to appear in its pricing pages, product docs and release notes for Claude Code and Managed Agents. (axios.com) (anthropic.com 1) (anthropic.com 2)