A comprehensive, evidence-backed guide covering models, plans, features, prompting, governance, risk, and role-specific applications. This second edition adds independent counter-evidence, a threat model, a total-cost-of-ownership frame, portability considerations, and an explicit “where not to use Claude” section. Current as of July 2026.
Is Claude AI making your team faster?
Not automatically. Anthropic's own research reports an average 80% reduction in task time. An independent randomized trial found AI made experienced developers 19% slower, though they felt 20% faster. The honest takeaway: generation speeds up, review often doesn't — measure your own delta, not vendor benchmarks.
What's the biggest security risk with Claude Code and other AI coding agents?
Indirect prompt injection. Instructions hidden in a GitHub README, a fetched web page, or a connector's returned data can hijack an agent with tool access. Documented incidents include a proof-of-concept reverse shell and a CVSS 7.8 supply-chain vulnerability in Claude Code's GitHub Action. Least-privilege access and sandboxing are essential.
Should Claude be used for legal, financial, or medical decisions?
No. Claude can draft, summarize, or check human work in these areas, but final legal, financial, and medical decisions carry high error costs and low error detectability. Delegating them to a model hides human accountability. Use Claude as an assistant under professional supervision, never as the decision-maker.
Is MCP (Model Context Protocol) a vendor lock-in risk?
No — MCP is an open standard Anthropic released in 2024 and later donated to the Linux Foundation; OpenAI, Google, and Microsoft all adopted it. The real portability risk is elsewhere: Claude's Skills format and Project structure are vendor-specific and don't transfer to other AI platforms.
What does Claude actually cost beyond the license fee?
More than the seat price suggests. Real cost includes verification labor to check AI output, onboarding time, prompt and Skill authoring, security engineering against prompt injection, and governance work. Faros AI data shows AI-heavy teams saw review time rise 91% — often the single largest hidden cost.
1. Two views of the data — and why both matter
Two data sets need to sit next to each other before you decide anything.
The optimistic view comes from Anthropic's own Economic Index, which uses privacy-preserving analysis of millions of real conversations. Analysis of ~100,000 conversations found an average 80% reduction in task time; 93% of Claude conversations produce a recognizable artifact; complex, college-level tasks get a ~12x speedup versus ~9x on high-school-level tasks (Economic Index, January 2026; June 2026). The methodology is public and defensible, but the source is not neutral.
The skeptical view comes from independent research. METR — a nonprofit AI evaluation lab — ran a randomized controlled trial in early 2025 with 16 experienced developers on 246 real tasks in mature repositories they already knew (avg. 22k+ stars, 1M+ lines). The AI arm used Cursor Pro with Claude 3.5/3.7 Sonnet. The result was the opposite of everyone's expectation: AI made experienced developers 19% slower, even though those developers felt they were 20% faster (METR RCT, arXiv:2507.09089; METR blog). Faros AI's telemetry across 10,000+ developers found that high-AI-adoption teams merged 98% more pull requests but their code review time went up 91% and DORA delivery metrics stayed flat (Faros AI).
The Anthropic data tells you the ceiling. The METR data tells you the floor. The gap between the two is a management problem, not a technology problem.
2. What Claude is — and what it is not
Claude is a family of large language models built by Anthropic and the surfaces built on top of them. Given a natural-language instruction plus any context (documents, examples, connected tools), it produces an output.
Used well, it can:
- Analyze long, technical documents — architecture specs, contracts, log files, filings
- Produce structured output — tables, reports, JSON, code, presentations
- Synthesize across sources into comparative analysis
- Write, review, debug, and test code
- Connect to enterprise systems and execute multi-step work
What it is not: a search engine (by default it works from training data through a knowledge cutoff; for current facts, web search must be enabled), a source of truth, and — critical for this guide — a substitute for the reviewer downstream of it.
3. Where Claude should not go: an error-cost matrix
Before the “how,” decide the “whether.” The trigger is not how good the model is; it is how expensive a wrong answer is and how detectable that wrong answer is.
| Task type | Error cost | Error detectability | Claude's role |
|---|---|---|---|
| Marketing copy, internal briefs, drafts | Low | High | Primary author. Fast iteration wins. |
| Code, tests, migrations | Medium–High | Medium (CI catches some, not all) | Co-author with review gate. No merge without human review + tests. |
| Data extraction from documents | Medium | Medium (spot-checkable) | Assist with sampled verification. |
| Financial calculations, tax, accounting | High | Medium (a rounded cell looks fine) | Do not delegate. Use only to check human work, not replace it. |
| Legal drafting and interpretation | High | Low | Do not delegate. Draft only under attorney supervision. Never for final advice. |
| Medical, diagnostic, or clinical decisions | Very high | Low | Do not delegate. Assistive summarization only, under licensed clinician review. |
| Security-critical decisions (access, keys, prod deploys) | Very high | Low–Medium | Do not delegate. Human decision, machine assistance only. |
| Hiring, firing, performance reviews | Very high (legal + ethical) | Very low | Do not delegate. Assistive drafting only, with human accountability. |
| Anything with regulatory penalty exposure | Very high | Varies | Route through compliance, not the model. |
4. The model family and choosing a plan
As of July 2026, the publicly available lineup and API pricing (claude.com/pricing) is:
| Model | Character | Input (MTok) | Output (MTok) |
|---|---|---|---|
| Haiku 4.5 | Fastest and cheapest; high-volume routine work | $1 | $5 |
| Sonnet 5 | High-performance for coding and agents | $2* | $10* |
| Opus 4.8 | Flagship for complex agentic coding and enterprise work | $5 | $25 |
| Fable 5 | Mythos-class model for long-horizon autonomous agent work | $10 | $50 |
*Sonnet 5's $2/$10 is introductory pricing through August 31, 2026; standard $3/$15 afterwards.
Claude Mythos 5 is the same underlying model as Fable 5 with certain safeguards removed; it is not generally available and is deployed only through Anthropic's Project Glasswing to a small number of vetted organizations, primarily for defensive cybersecurity (Fable 5 / Mythos 5 announcement; Project Glasswing). Both were released June 9, 2026, briefly suspended under a US export-control directive, and restored on July 1, 2026 (Redeploying Fable 5). For anyone in a vendor-selection role, this sequence is a concrete reminder that frontier-model access can be subject to regulatory conditions and belongs in your supply-chain risk register.
Plans (claude.com/pricing):
| Plan | Best for | Starting price |
|---|---|---|
| Free | Trial and low-volume | $0 |
| Pro | Heavy individual users; Claude Code, Cowork, Research included | $17/mo (annual) |
| Max (5x / 20x) | Power users needing much higher usage limits | From $100/mo |
| Team | 5–150 seats, central billing, SSO | Standard seat $20/mo (annual) |
| Enterprise | SCIM, audit logs, custom retention, HIPAA-ready | $20/seat + usage at API rates |
Start with Free for evaluation, move to Pro when Claude enters daily workflow. For teams, the Team vs. Enterprise decision turns on your security and compliance requirements (Section 14).
5. Access surfaces: where each type of work belongs
| Surface | What it's for |
|---|---|
| claude.ai (web) | General-purpose chat, file analysis, Projects and Artifacts |
| Claude Desktop | Unified Chat, Cowork, Code |
| Mobile apps | Quick questions, monitoring in-progress Cowork tasks |
| Claude API / Platform | Embedding Claude in your own products |
| Claude Code | Agentic coding in terminal, VS Code, JetBrains, or Slack |
| Claude Cowork | Multi-step work with access to local files and connected apps |
| Claude for Chrome | Browsing agent (navigation, forms, clicks) |
| Claude for Excel / PowerPoint / Word / Outlook | In-Office use cases |
Sensible progression: web UI first, add desktop when files become daily, then mobile. Technical roles move to Claude Code early; product and program roles move to Cowork and Office integrations early.
6. Prompting that works: techniques with evidence behind them
Anthropic's official documentation frames prompt quality as the biggest lever on output quality (Prompt Engineering Overview; Prompting Best Practices). The techniques worth adopting:
- Be clear and direct. Vague instructions are the most common cause of weak output.
- Use a context + task + format + tone + limit checklist. These five slots cover almost every professional prompt.
- Put long documents first, instructions last. Anthropic's own testing reports up to 30% improvement on complex multi-document inputs.
- Show, don't just tell. One or two examples of the format you want improves consistency more than any instruction.
- Let the model expose its steps. Ask for assumptions and reasoning before the conclusion; this makes the output reviewable.
- Give explicit permission to say “I don't know.” Reduces hallucination on ambiguous inputs.
- Assign a role. A one-sentence role framing aligns tone and technical depth.
- XML tags are optional now. Modern models handle clear headings and whitespace; tags still help with many-document prompts.
Weak: “Look at this log file.”
Strong: “Analyze this Nginx access log. Extract 5xx errors into a table (timestamp, endpoint, likely root cause). Summarize the three most frequent error signatures. Mark uncertain root-cause guesses as ‘tentative’.”
7. The discipline of iteration — and the verification burden it creates
Iteration produces better outputs but has an operational cost that most guides quietly skip.
The standard follow-up moves:
| Problem | Follow-up |
|---|---|
| Too long | “Cut this in half. Keep the core message.” |
| Wrong format | “Convert to a table: topic, action, owner, date.” |
| Missing information | “Before answering, ask me the three questions you need clarified.” |
| Reliability concern | “Separate your assumptions and points of uncertainty.” |
| Source verification | “For each statistic, state the source; if unsure, say so.” |
But here is the honest part. If every output needs a senior reviewer, a chunk of the 80% speedup gets absorbed by the review burden. The Faros AI telemetry across 10,000+ developers made this concrete: high-AI-adoption teams merged 98% more PRs while review time went up 91% and DORA delivery throughput stayed flat. The generation step accelerated; the review step, which was already a constraint, got worse. Michael Truell, Cursor's CEO, said essentially the same thing when Cursor acquired Graphite: writing production code got faster, code review looks the same as three years ago.
The operational implication:
- Budget review capacity, not just generation capacity. If your bottleneck was already code review or approval, AI moves the pressure onto that bottleneck, not off it.
- Reduce PR size, not just PR count. AI-assisted work tends to produce larger diffs; keep them small enough to actually review.
- Automate reviewable checks. Static analysis, tests, security scans, style bots — every additional automated gate is one less senior-human hour.
- Track net throughput, not gross output. Lines of code accepted is a vanity metric; the real number is DORA-style throughput and defect escape rate.
Section 16 puts this into a full TCO frame.
8. Working with files, data, and images
Claude natively processes PDFs, Word, Excel/CSV, plain text, and images. Value comes from structured requests:
- PDF: “Convert this into a 10-point executive summary followed by a table: finding, risk level, recommended action, owner.”
- CSV/Excel: “Flag anomalous rows, list likely causes, suggest what additional data to pull.”
- Log / config: “Flag insecure defaults in this Kubernetes manifest and propose a fix per issue.”
- Screenshot: “Explain what's happening and list likely root causes.”
Sensitive data warning: check your data classification policy and confirm the retention and model-training settings for your plan (Section 14).
9. Projects, Artifacts, and Skills: when to use which
Projects hold context. Skills standardize a process. Artifacts produce output.
Projects are persistent workspaces. Reference documents, style guides, and instructions attach once; every new conversation starts pre-loaded. When Project content approaches the context-window limit, Claude switches to retrieval-augmented generation so only the most relevant material is pulled in per query (Claude Enterprise Administrator Guide).
Artifacts are substantial standalone outputs — documents, code, tables, diagrams, mini interactive tools — that appear in a dedicated panel. Trigger: output longer than ~15 lines, self-contained, and likely to be edited or reused (Help Center — Artifacts).
Skills are reusable procedure files. Format is shared across claude.ai, Claude Code, Cowork, and the Excel/PowerPoint/Word/Outlook add-ins, and Claude applies them automatically when the task matches (Help Center — Skills). Encode a repeat process once, run it everywhere.
The strongest pattern combines all three: Project holds the context, Skill runs the process, Artifact delivers the result.
10. Connectors and MCP: openness, portability, and vendor risk
Connectors let Claude read from and act on enterprise systems — Google Drive, Gmail, Slack, Jira, Notion, Microsoft 365 — through the Model Context Protocol (MCP).
- Introduced as open source by Anthropic in November 2024
- Adopted by OpenAI (March 2025, across Agents SDK, Responses API, and the ChatGPT desktop app), Google DeepMind (April 2025, Gemini), Microsoft, AWS, Cloudflare, Bloomberg, Salesforce, and ServiceNow
- ~97 million monthly SDK downloads by March 2026; over 10,000 active public MCP servers
- Anthropic donated MCP to the Linux Foundation in December 2025, under the new Agentic AI Foundation co-founded with Block and OpenAI. Governance sits outside Anthropic (Anthropic donation announcement; Wikipedia — Model Context Protocol)
Concretely: a GitHub MCP server built today works with Claude, Cursor, ChatGPT, and Gemini. The work invested in MCP servers is portable across model vendors.
The real portability risks lie elsewhere:
- Skills format. Claude's Skills are cross-surface within the Claude ecosystem but are not a portable standard. OpenAI's AGENTS.md is analogous but separate. A Skills library represents Claude-specific investment.
- Projects data. The RAG index and system-prompt behavior around Projects is Claude-specific.
- Prompt libraries. Prompts optimized for one model family often need re-tuning on another.
- Fine-tuned expectations of tool behavior. Downstream code that expects specific refusal patterns,
stop_reasonvalues, or artifact conventions couples to Claude's implementation. - Recent 30-day retention rule for Fable 5 and Mythos 5. All traffic to these covered models carries 30-day retention even for customers with zero-retention agreements (Redeploying Fable 5) — a real, model-specific data-governance implication.
Mitigation posture: keep your enterprise integrations on MCP; keep prompts in version control; treat Skills as automation you can rewrite for another agent runtime; run parallel evaluations on at least one competing model quarterly so you have a real fallback, not a hypothetical one.
Recent examples of usage: the Microsoft 365 connector now goes beyond search — Claude can draft and send email, manage calendar events, and create/update files in OneDrive and SharePoint (Help Center — Release Notes). Enterprise plans can restrict which users get which connectors via custom roles — an essential guardrail.
11. Research: systematic, cited investigation
Research is agentic: Claude runs multiple searches that build on each other, decides what to investigate next, and produces a thorough, cited answer in minutes (Help Center — Use research on Claude). Web search must be enabled; if Google Workspace connectors are on, internal sources come in alongside the web.
Two operational notes: Research is on paid plans only, and it burns usage limits faster than normal chats because it retrieves many sources per session.
12. Claude Code: a developer and DevOps perspective
Claude Code is Anthropic's agentic coding tool for terminal, VS Code, JetBrains, and Slack. Salient features for developers, DevOps, and Linux admins (Claude Code Docs — Security):
- Layered permission model. Read-only by default; anything mutating the system requires explicit approval per-invocation or persistently.
- Sandboxed bash tool. Bash can run inside a filesystem/network-isolated sandbox.
- Network request approval and isolated context. Web fetches use a separate context window to defend against prompt injection from fetched content.
CLAUDE.mdfiles. Org-wide or repo-specific standards Claude reads automatically. Also a real prompt-injection attack surface — see Section 15.- Enterprise deployment. Runs via AWS Bedrock, Google Vertex AI, or Microsoft Foundry, integrating with VPC, IAM, and CloudTrail (Claude Code for Enterprise).
- Security certifications. SOC 2 Type II and ISO 27001 — inventory at Anthropic Trust Center. These are compliance hygiene, not application-level defenses (see Section 15).
- Usage analytics. Enterprise Analytics API for adoption metrics.
Example: “Scan this Django-Ninja service for N+1 queries; propose select_related/prefetch_related fixes and summarize in a single PR description.”
13. Claude Cowork: multi-step, semi-autonomous work
Cowork gives Claude access to a specified local folder and to connected apps for longer, more autonomous work. Now on web and mobile in addition to desktop; sessions can run remotely so work continues with your laptop closed and scheduled tasks fire without a device online (Help Center — Release Notes).
Live artifacts are persistent, interactive HTML dashboards that pull from connected apps (Slack, Linear, calendar) and refresh with current data — a working project tracker, a competitive-intelligence board, a morning brief (Help Center — Live Artifacts). A research-preview computer-use capability lets Claude drive dev tools on your behalf.
Cowork's autonomy is where the threat model in Section 15 becomes acute. Any connected data source can carry an injection payload.
14. Enterprise governance and security (for CIOs and CTOs)
Data flow, access, and retention — the core Enterprise posture:
| Topic | Enterprise plan posture |
|---|---|
| Model training | Enterprise data not used to train models by default |
| Identity | SSO with domain capture; SCIM for automated provisioning |
| Access control | Fine-grained role-based access; custom roles |
| Auditing | Audit logs |
| Compliance tooling | Compliance API for DLP, eDiscovery, SIEM |
| Retention | Configurable, 1 day to indefinite (Fable 5 / Mythos 5 carry a mandatory 30-day retention) |
| Healthcare | HIPAA-ready with BAAs available |
| Network controls | IP allowlisting and Tenant Restrictions |
| Data residency | US-only inference at 1.1x standard pricing |
| Certifications | SOC 2 Type II, ISO 27001, CSA STAR |
Sources: Claude Enterprise Plan; Claude Enterprise Administrator Guide; Security and Compliance Collection; Anthropic Trust Center.
Prebuilt Compliance API integrations exist for Proofpoint, Check Point, and several SIEM/DLP vendors, so Claude activity flows into existing security tooling without custom collectors (Compliance API Integrations).
15. A threat model for agentic AI: prompt injection, exfiltration, supply chain
The largest unaddressed risk when Claude has tool access is not a broken SOC 2 control — it is that any text Claude reads can act as an instruction. This is well-documented and has produced real, credited exploits.
Direct prompt injection
The user (or someone acting as the user) types malicious instructions. Easier to defend against; largely handled by Claude's own classifiers.
Indirect prompt injection — the dangerous class
Instructions are hidden in content Claude reads: a fetched web page, a GitHub README, a document, a Slack message, a scanned PDF. Claude sees them as legitimate context. Documented incidents:
- Mozilla 0DIN proof-of-concept: A clean-looking GitHub repository silently opened a reverse shell on a developer's machine via Claude Code — no malicious code visible in the repo. The reverse shell was three indirection steps away from anything Claude Code actually evaluated (an error message it trusted → a fetched script → a DNS record it never saw) (Cybernews report).
claude-code-actionGitHub Action vulnerability (RyotaK / GMO Flatt Security, disclosed January 2026, public June 1, 2026): an authorization bypass composed with indirect prompt injection and environment-variable exfiltration produced a complete supply-chain attack starting from a public GitHub issue and ending with malicious code pushed into the action's source repository. CVSS 4.0 score: 7.8 (CSA Research Note).- HiddenLayer research: indirect injection that caused Claude to execute
rm -rf /on a workstation. - GitHub MCP vulnerability: poisoned README files used to exfiltrate data through the GitHub MCP integration.
Concrete attack surfaces to model
CLAUDE.mdin a cloned repository. Contributor adds hostile instructions; Claude reads them as authoritative on next session start.- Fetched web content. Any URL Claude reads can carry an injection payload — including cached copies and archives.
- Connector-returned data. Elasticsearch results, Snowflake rows, Slack messages, Notion pages, Jira ticket bodies, meeting transcripts — all are attacker-controllable.
- Documents in shared drives. Especially
.docxand.pdfwhere hidden text or metadata can carry instructions. - Tool output. A shell command's
stderrcan contain injected instructions that steer the next tool call.
Minimum controls to put in place before agentic use
- Least-privilege tool access per session. Only expose the tools the current task needs. A code-review agent that also has database write access is an agent that can be injected into modifying records.
- Approval gates for state-changing actions. Do not run Claude Code with permission flags that skip all confirmations in a repo you did not write yourself.
- Sandbox the bash tool. Use the built-in isolation; do not run agents with your personal shell privileges.
- Isolate web fetches. Keep Claude's isolated-context defaults; do not disable them.
- Treat
CLAUDE.mdas code. Enforce code review on it; scan for suspicious instructions in CI. - Egress controls. Restrict what network destinations the agent can reach. Reverse shells need somewhere to phone home.
- Secret hygiene. No secrets in the repo, in shell environment variables the agent can see, or in files the agent can read.
- Log everything. Route Claude activity through the Compliance API to your SIEM and set alerts for exfiltration-shaped behavior (large outbound requests, base64 in URLs, unexpected DNS lookups).
- Red-team quarterly. See below.
Red-teaming, briefly
Treat Claude the way you treat any privileged application: run adversarial testing against it. Concretely:
- Plant benign-looking repositories, PDFs, and web pages with escalating injection payloads and see whether the agent follows them.
- Attempt prompt exfiltration — get the model to leak the system prompt or connector credentials via crafted inputs.
- Try connector escalation — a request that would need to reach across connector boundaries (e.g., read from Slack, write to GitHub) and confirm your least-privilege setup blocks it.
- Test your detection — do your SIEM rules actually fire on the exfiltration attempts?
Vendors including Lasso Security, Pluto Security, MintMCP and the OWASP LLM Top 10 project publish current threat catalogs; use them.
16. Total cost of ownership: what the license price hides
Seat price is a small share of the real cost. A complete TCO frame:
| Cost line | Typical impact | How to size it |
|---|---|---|
| Subscription / API cost | Visible line item | Plan sheet |
| Verification labor | Often 20–50% of gross generation time | Time-to-approve per PR; time-per-report review |
| Rework from AI errors | Depends on task class | Defect escape rate before/after adoption |
| Onboarding and training | 4–20 hours per person | Formal enablement + informal ramp |
| Prompt/Skill authoring | 20–100 hours per template that goes live | Author + review + tune |
| Governance and policy work | 40–200 hours initial + ongoing | Legal, security, DPO time |
| Security engineering | 40–200 hours initial + ongoing | Threat model, controls, red-team |
| Observability and audit | Ongoing | Compliance API integration, SIEM tuning |
| Integration engineering | Variable | MCP servers, connector configuration |
| Model portability insurance | Often overlooked | Parallel evals on at least one alternate model |
Two things this frame surfaces that a license comparison hides:
- The verification line is real and often the largest. Faros AI's 91% longer review times, mapped to your reviewer costs, gives you an order-of-magnitude estimate. If Claude tripled your PR throughput but your review capacity is fixed, your effective delivery velocity did not triple.
- The productivity gain shows up where your bottleneck wasn't. If your constraint was code review, AI made it worse before it made it better. Sequence your investments accordingly — automated checks and reviewer capacity before rolling out generation broadly.
17. Cognitive discipline: keeping the humans sharp
Two independent findings should sit at the center of any enablement program:
- The perception gap. In METR's RCT, developers felt 20% faster while being 19% slower. Self-report is not a reliable signal.
- Sentiment decline alongside adoption. Stack Overflow's 2025 developer survey showed AI-tool usage rise to 84% while positive sentiment fell from 70% to 60% and trust in AI accuracy dropped from 43% to 33%. Developers are increasingly using tools they trust less.
The risk to guard against is skill atrophy in the parts of the job the AI now handles. Concretely, the pattern to avoid:
- Engineers who stop reading unfamiliar code because “Claude will explain it”
- Analysts who stop learning the domain because Research produces a summary
- Managers who stop writing their own thinking because a draft is a click away
Practical countermeasures a team can adopt:
- AI-off days or blocks. A regular window (a day a sprint, a morning a week) where core tasks are done without AI. Keeps the underlying skill live.
- Reasoning before generation. Team norm: write your outline or hypothesis first, use Claude to critique or expand, not to originate.
- Peer review of AI-assisted output as first-class work. Reviewers are trained to review AI-generated code and text the same way they review a new hire's — assume nothing.
- Rotate high-judgment work back to humans. Architecture decisions, hiring calls, incident post-mortems, customer escalations — keep them human-led even when AI could draft them.
- Track calibration. Ask people how confident they are in an AI-produced answer, then check against ground truth. Calibrated skepticism is a trainable skill.
- Include “solve without AI” in interviews and promotions. Otherwise you promote AI operators, not engineers.
The Anthropic Economic Index also found that high-tenure Claude users are more collaborative and iterative than newer users, not more directive — which is a good sign that iteration is a skill people improve at with practice. But that skill only develops if the underlying craft is still there. Cognitive discipline is a management responsibility, not a personal one.
18. Role-based quick-start table
| Role | Primary surface and features | Example first task |
|---|---|---|
| CIO / CTO | Enterprise security, Compliance API, Analytics API | “Summarize Claude Code adoption over 30 days by team. Flag teams with low adoption and quantify PR volume vs review-time trend.” |
| DevOps | Claude Code, sandboxed bash, CLAUDE.md | “Scan this Terraform module for insecure defaults. Draft a PR description with proposed fixes. Do not push.” |
| Python Developer | Claude Code, Artifacts | “Find missing input validation in this Django-Ninja endpoint. Propose fixes with tests.” |
| Linux Admin | File analysis, Claude Code | “Analyze this journalctl output for recurring crashes. List root-cause candidates ranked by probability.” |
| DBA | File/CSV analysis, Connectors | “Review this query plan. Identify the three costliest steps and propose indexing changes.” |
| Project Manager | Cowork, Skills, live artifacts | “Extract decisions, actions, owners, dates from this week's sprint notes. Turn that into a Skill.” |
| Product Manager | Research, Artifacts | “Research features shipped by our three closest competitors over the last 90 days. Produce a positioning table with sources.” |
19. A rollout plan: first week and first 90 days
First week (individual evaluation)
- Day 1–2: Real but low-stakes tasks in claude.ai.
- Day 3: PDF or CSV with structured output.
- Day 4: Open a Project for a recurring topic, load reference docs.
- Day 5: Try a role-appropriate task in Claude Code or Cowork.
- Day 6: Enable Research on an open-ended question; verify sources.
- Day 7: Encode your most-repeated task as a Skill.
First 90 days (team or organization rollout)
- Weeks 1–2. Formalize security and compliance requirements. Choose Team vs. Enterprise on that basis. Complete a threat-model exercise (Section 15) before broad connector rollout.
- Weeks 3–4. Select a pilot team (5–10). Write your data-classification and connector-access policy. Baseline current DORA metrics and review-time capacity so you can measure the AI delta honestly (Section 16).
- Weeks 5–8. Standardize role-based Skills and Project templates. Define
CLAUDE.mdstandards for Claude Code and putCLAUDE.mdunder code review. Run first internal red-team round. - Weeks 9–12. Wire the Compliance API into your SIEM. Report on the full TCO (Section 16), not just license and hours saved. Institute AI-off blocks (Section 17) and calibration checks.
- Standing. Quarterly parallel evaluation on one competing model to keep portability real. Quarterly red-team refresh.
The logic under this plan: the upside is real, but reliability drops with complexity, review capacity is the true bottleneck, and agentic tool access opens a distinct new attack surface. Measurement, verification, and threat modeling belong in the process from day one.
20. Closing thoughts and references
Using Claude well is a management problem more than a prompting problem. The generation side is easy to buy. The review side, the security side, the governance side, and the cognitive-discipline side are what determine whether the license spend produces measurable outcomes or just measurable output.
References
Anthropic official documentation
- Prompt Engineering Overview
- Prompting Best Practices
- Plans & Pricing
- Claude Enterprise Plan
- Claude Enterprise Administrator Guide
- Claude Code for Enterprise
- Claude Code Docs — Security
- Anthropic Trust Center
- Claude Fable 5 and Claude Mythos 5
- Redeploying Claude Fable 5
- Project Glasswing
- Donating MCP to the Linux Foundation
Claude Help Center
- What are artifacts and how do I use them?
- Use skills in Claude
- Use research on Claude
- Use live artifacts in Claude Cowork
- Release Notes
- Security and Compliance Collection
- Get started with Claude Compliance API integrations
Anthropic Economic Index
Independent research (counter-evidence and validation)
- METR, Measuring the Impact of Early-2025 AI on Experienced Open-Source Developer Productivity (arXiv: 2507.09089)
- Faros AI, What METR's Study Missed About AI Productivity in the Wild
Security research and threat modeling
- Cybernews, Mozilla flags indirect prompt-injection risk in Claude and other coding agents
- Cloud Security Alliance, AI Agent Prompt Injection: The New CI/CD Supply Chain Threat
MCP as open standard
- Wikipedia, Model Context Protocol
What are your thoughts on this topic?
Every article is an open conversation. Whether you have a counter-argument, a local example, or a different perspective based on your own experience, your contribution makes this space better.

0 Comments