Anthropic launched Claude Dispatch on March 17th as a research preview inside Claude Cowork. The premise is simple: send a task from your phone, and Claude runs it on your desktop while you’re away. It’s a remote orchestration layer that lets administrators or mobile users trigger actions on Cowork endpoints without anyone sitting at the keyboard.
That changes the security model. If an agent can act on a machine without the user present, security teams need to know what it’s doing, what it’s accessing, and whether any of that violates policy.
Why Dispatch Matters From a Security Perspective
Claude Cowork already expanded the AI attack surface beyond developers. It gives business users a multi-agent system with access to local files, the ability to browse the web, fill out forms, and interact with enterprise applications. Dispatch takes that a step further by removing the requirement that a user is actively present when the agent acts.
Dispatch can trigger any action that Cowork has permission to perform. That includes reading, moving, and editing local files. It includes invoking MCP servers and tools. It includes running plugins and interacting with connected applications. All of this can now happen remotely, initiated from a phone, routed through Anthropic’s servers to a local sessions bridge, and executed by the desktop agent autonomously.
For security teams, it’s critical to understand whether you have visibility into what’s being triggered, by whom, and whether the actions being taken are within policy.
Where Noma Fits in
Noma provides security coverage across every Claude product surface: Claude Code on developer machines, Claude Cowork for business users, Claude Managed Agents in the cloud, and now Claude Dispatch.
This isn’t a new integration. Actions triggered via Dispatch run through the same Cowork session on the local machine, not a separate traffic path. Cowork exports its full session activity as OpenTelemetry (OTEL) events over an OTLP pipeline to Noma. Because Dispatch actions execute within that session, they’re captured by the same telemetry automatically. The result is no new connectors, extra configuration, or changes to your users’ workflow.
What Noma Does With That Data
Collecting telemetry is table stakes. Noma’s AI Detection and Response engine acts on it: monitoring AI interactions in real time, enforcing security and compliance policies at the point of execution, and analyzing prompts, responses, tool calls, and agent behaviors to detect, mask, or block threats before they cause damage.
That breaks down into three areas:
Discovery and Risk Assessment
Most enterprises don’t know how many Claude instances, MCP servers, tools, and local agents are running across their environment. Noma provides a real-time inventory of the full footprint: every installation, every connected MCP server, every tool and skill, mapped to individual developer or user identities.
That inventory feeds into supply chain risk detection. Noma flags MCP servers that expose secrets, pull from unvetted sources, or violate organizational policy. It also detects servers operating with overly broad permissions or using shared API keys instead of individual credentials.
The Agentic Risk Map gives security teams a visual topology of every agent and its connected components (MCP servers, tools, data sources, downstream systems) so you can immediately see the blast radius of any single compromised component.
Access Control and Governance
Right now, users adopt new MCP servers and tools on their own. There’s no approval workflow and no way to enforce policy. Noma addresses this with a centralized registry: enterprises define which agents, MCP servers, tools, and skills are approved, which require review, and which are blocked.
Before any MCP server reaches production, Noma evaluates the permissions it requests, the data it can access, and the trustworthiness of its source. Think of it as software composition analysis for the agentic AI stack.
These policies are more than just configuration, as they are enforced at runtime. If a user connects to an unapproved MCP server, Noma blocks the connection before any data flows. If a tool attempts to execute outside the registry, the policy catches it at execution time.
Runtime Detection and Response
Even when everything is approved and properly configured, things can go wrong. Agents can drift from their intended task, execute unintended commands, leak sensitive data, or get manipulated through prompt injection. Noma’s D&R policies watch the full interaction chain (prompt, model response, tool execution, downstream system impact) and intervene when something is off.
For Dispatch, intervening means telemetry arrives via OTEL, and Noma operates in a detection mode for Cowork and Dispatch: identifying threats in real time, generating alerts, and feeding enforcement decisions back to the policy layer. Active pre-execution blocking, where Noma intercepts a tool call before it fires, is available for Claude Code through a hooks-based integration that sits directly in the execution path. Both modes run simultaneously in organizations that use both products.
Prompt injection is a particular concern for Dispatch workflows. When a task is initiated remotely, the agent may fetch documents, browse pages, or query data sources that contain attacker-controlled content. Unlike a standard Cowork session where a user is watching, there’s no human in the loop to notice when Claude’s behavior shifts. Noma detects both direct and indirect prompt injection as it happens, including cases where malicious instructions are embedded in fetched content and designed to override the original task. If an injection attempt causes Claude to modify its tool-calling behavior, Noma surfaces it as a threat in the AI-DR dashboard.
Data leakage prevention monitors every interaction for sensitive data leaving the environment through AI-powered channels. Behavioral anomaly detection flags when an agent deviates from its expected operating pattern: accessing production databases, modifying system configurations, or taking actions it has never performed before.
Every interaction (prompts, responses, commands, file operations, tool calls) is captured for audit. If something goes wrong, you have the forensic trail. If a regulator asks, you have the compliance evidence.
Figure 1. The Noma session timeline for a Dispatch-triggered Claude Cowork task, showing each user prompt, the agent’s tool calls, and the exact commands executed, giving security teams full visibility into what was initiated remotely and what the agent did in response.
The Full Anthropic Coverage Picture
Dispatch is the latest addition, but Noma’s coverage spans the complete Anthropic product ecosystem:
Claude Code – Full discovery, inventory, and runtime protection for developer machines. Every Claude Code installation, MCP server, tool, and skill is continuously discovered, risk-assessed, and governed through access control and runtime D&R policies.
Claude Cowork – Visibility into Cowork usage and capabilities across the organization, with runtime guardrails for monitoring and blocking risky actions. Dispatch actions are captured through the same pipeline.
Claude Managed Agents – Cloud-hosted agents managed by Anthropic. Noma is actively building coverage for these, consistent with the agent builder platforms we already support, including AWS Bedrock Agents, Microsoft Copilot Studio, and Salesforce AgentForce.
Across all three surfaces, Noma covers the complete lifecycle: discovery and risk assessment, access control and governance, and AI detection and response. Runtime is the enforcement stage where both access control policies and threat D&R policies are actively enforced, every time an agent, tool, or MCP server is invoked.
Figure 2. Noma covers the full Anthropic surface, from endpoint agents to AI gateway traffic, feeding a single engine for monitoring, enforcement, and threat prevention.
What Comes Next
We’re introducing session-level awareness, where enforcement decisions are made with full knowledge of the session, who triggered it, what the agent’s purpose was, what tools called it, and in what sequence, so that drift between intent and action gets caught, not just individual events in isolation. When you can see the full arc of a session alongside the user’s identity and intent, you can make better enforcement decisions and generate far fewer false positives. The next generation of Noma is leading this innovation.
AI agents are gaining autonomy faster than most security programs can keep up with. Dispatch is a good example: a practical capability that also introduces governance questions your existing tools aren’t built to answer. Who authorized the task? What did the agent access? Did any interaction violate policy?
These are answerable questions, but only if you have the instrumentation and enforcement in place before the capability is widely adopted.
If you want to see how Noma provides AI runtime protection across the Anthropic ecosystem, reach out for a demo.
