Anthropic has taken another step toward making AI agents genuinely autonomous infrastructure rather than chat sessions that die when you close the tab. On June 9, 2026, the company announced that Claude Managed Agents can run on a schedule and securely access command-line tools and other authenticated services, with both capabilities now in public beta on the Claude Platform.
The two features, scheduled deployments and environment variables stored in vaults, target the unglamorous plumbing that has kept many enterprise agent projects stuck in pilot mode: who triggers the agent when no human is around, and how does it log into anything without leaking credentials? For teams that have been hand-building schedulers and secret stores around the Claude API, this update deletes that work; for everyone else, it marks the week AI agents on Anthropic's platform formally became cron jobs.
What Did Anthropic Ship on June 9?
A scheduled deployment attaches a cron schedule to an agent. Each time the schedule fires, the agent starts a fresh session and completes its task, with no scheduler for the customer to build or host, according to Anthropic's announcement. The company pitches it for recurring work like a nightly data sync, a weekly compliance scan, or a daily digest. Once a deployment is live, administrators can pause, resume, or archive it at any time, or trigger additional runs on demand.
That sounds mundane, and that is the point. Until this week, teams that wanted a Claude agent to run unattended at 3 a.m. ET had to stand up their own job scheduler, wire it to the API, and babysit the infrastructure. Anthropic is absorbing that layer into its Managed Agents platform, the agent-hosting product the company introduced at its Code with Claude conference in May 2026, as reported by InfoQ.
Early customers are using the schedules in revealing ways. Rakuten, the Japanese e-commerce and fintech group, runs spreadsheet analysis on a timer. "Teams across Rakuten use scheduled deployments to analyze data in a spreadsheet and produce a report or deck on a weekly or monthly schedule," said Yusuke Kaji, Rakuten's general manager of AI for business, in the announcement. "Our power users put it on production logs and metrics, so a product manager can see the health of their application without creating an analytics dashboard."
Actively AI, which builds agentic sales-research tools, said it deleted the scheduling infrastructure it had built in-house and replaced it with the new deployments, simplifying its stack. Ando, a startup automating hiring and sales workflows, uses scheduled agents to watch channels for proposed next steps, follow up when they are due, and send meeting reminders.
How Do Vault-Stored Environment Variables Keep API Keys Away From the Model?
The second feature answers a security question that haunts every agent deployment: how do you let an autonomous model use authenticated tools without handing it your API keys? Anthropic's answer extends its vaults feature to support environment variables. A customer registers an API key together with an environment variable name and the list of domains the key is allowed to reach. Command-line interface tools installed in the agent's sandbox can then make authenticated calls through that variable.
The architectural detail that matters: the agent never sees the real key. The sandbox holds only a placeholder, and the actual secret is attached at the network boundary, only on requests to domains the customer has explicitly allowed. When a key needs rotating, the customer updates it in the vault, and running sessions pick up the new value on their next call. Anthropic says most CLIs that send keys in HTTP requests work with the scheme, naming the Browserbase, KERNEL, Notion, Ramp, and Sentry CLIs. The Browserbase and KERNEL integrations also give Managed Agents browser capabilities for the first time, letting agents navigate and interact with the web alongside their other tools.
This placeholder-and-proxy pattern matters for anyone worried about prompt injection. If a malicious webpage or document tricks an agent into revealing its credentials, there is nothing to reveal: the model's context contains a stand-in, not the secret, and the real key only travels to allowlisted domains. The scheme protects the key itself, though an injected agent could still misuse an allowlisted tool within its permissions; domain allowlists narrow that blast radius without eliminating it.
Notion, an early adopter, cited exactly that property. "Environment variables in vaults let us securely roll out the Notion CLI, meeting our security team's strict guidelines by ensuring sensitive API tokens are never handed to agents," said Quan Nguyen, Notion's public API lead, in the announcement. Browserbase used the mechanism to build its public catalog of browser skills with its browse CLI, then pointed a scheduled deployment at the catalog to validate it periodically, a tidy demonstration of both features working together. Milana, which sells an AI product engineer, said vault-held variables let its agent invoke private APIs through a CLI against customer codebases without exposing credentials.
How Does Anthropic's Move Compare With OpenAI's Workspace Agents?
Anthropic's update lands in the middle of an industry-wide race to make agents persistent, scheduled workers rather than interactive assistants. OpenAI has introduced workspace agents in ChatGPT for business customers, agents that live in a shared workspace and handle delegated tasks. The economics of that rival approach are about to crystallize: according to OpenAI's help center pricing documentation, workspace agent runs will draw on a token-based credit system expected to take effect on July 6, 2026, with no fixed per-run cost. OpenAI's worked example prices a GPT-5.5 workspace agent run consuming 20,000 input tokens, 80,000 cached input tokens, and 5,000 output tokens at roughly 7.25 credits, and the company says a typical end-to-end run may consume between 5 and 25 credits.
The contrast frames a question every buyer will ask this summer: scheduled agents are no longer a science project, so what does each run cost, and who carries the infrastructure burden? Anthropic's pitch is that the scheduler, the sandbox, and the secret store are all part of the managed platform, billed through existing Claude Platform usage; the June 9 announcement attaches no separate price to scheduled deployments. OpenAI's pitch is metered flexibility inside ChatGPT's workspace. Both companies are betting that the next wave of enterprise AI spending goes to agents that work overnight, unattended, on schedules their owners set once and forget.
Why Are Companies Deleting Their Own Agent Infrastructure?
The pattern across the customer stories is consistent: companies are deleting glue code. A job scheduler is undifferentiated infrastructure; a secrets-injection proxy is undifferentiated infrastructure; both are exactly the kind of code that gets written hastily under deadline pressure and then breached or broken later. Moving them into the platform shrinks the attack surface and the maintenance bill at the same time. "We replaced the scheduling infrastructure we'd built ourselves with scheduled deployments, which greatly simplified our stack and improved our product cycles," said Mihir Garimella, co-founder of Actively AI, in the announcement.
There are limits worth noting. Scheduled autonomy raises the stakes on agent reliability, because nobody is watching the 3 a.m. run in real time, and the public beta label means interfaces and behavior can still change. Output quality on unattended runs still needs review loops, which is why several customers pair schedules with human checkpoints downstream.
Still, the direction is unambiguous. Eighteen months ago, an AI agent was a demo you supervised. As of this week, on Anthropic's platform, it is a cron job with a credential vault, and it does not need you awake.
Frequently Asked Questions
What are scheduled deployments in Claude Managed Agents?
They are agents attached to a cron schedule on the Claude Platform. Each time the schedule fires, the agent starts a new session and completes its task; customers can pause, resume, archive, or trigger extra runs on demand. Anthropic announced the feature in public beta on June 9, 2026.
How do vault-stored environment variables protect API keys?
The agent's sandbox holds only a placeholder, and the real key is attached at the network boundary, solely on requests to domains the customer allowlists. Even if an agent is manipulated through prompt injection, the model's context never contains the actual secret.
How much do scheduled AI agents cost to run?
Anthropic attached no separate price to scheduled deployments; they run under existing Claude Platform usage. OpenAI's rival workspace agents move to token-based credit pricing expected on July 6, 2026, with a typical GPT-5.5 run estimated at 5 to 25 credits.
Which tools work with the new vault environment variables?
Anthropic says most CLIs that send keys in HTTP requests work, naming Browserbase, KERNEL, Notion, Ramp, and Sentry. Browserbase and KERNEL also give Managed Agents browser control for the first time.
ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.
