
MCP anthropic.com
A one-line entry in the Claude Code v2.1.200 changelog, released July 3, 2026, changed something fundamental about how the tool behaves the moment a developer installs or updates it. Anthropic changed Claude Code's default permission mode from Auto to Manual across every surface where the tool runs — the CLI, the VS Code extension, the JetBrains plugin, and the built-in --help output. No blog post, no press release, no announcement. Just a changelog line and a consequential shift in who authorizes what.
That shift matters more than it looks. An AI coding agent that can write files, execute shell commands, and make network calls is not just a developer convenience — it is a system in which the question of human authorization is architecturally unavoidable. Anthropic's quiet default change puts that question back where it belongs: with the human.
Claude Code shipped with a conservative default: require explicit human sign-off before every file write, shell command, or network call. In theory, that made the human a meaningful checkpoint in every consequential action. In practice, Anthropic's own anonymized telemetry told a different story. Users approved roughly 93% of permission prompts. The pauses were happening. The reviewing was not.
This is the well-documented failure mode security researchers call approval fatigue — the same phenomenon that plagues security operations centers where analysts faced with a thousand alerts stop distinguishing real ones from noise. When every consequential action triggers an approval dialog, the dialog stops being a decision point and becomes a reflex.
Anthropic had already begun addressing this before v2.1.200. The March 24, 2026 launch of Auto mode introduced a two-stage ML classifier running on Claude Sonnet 4.6 that evaluates each tool call before it executes. The classifier is reasoning-blind by design: it sees only user messages and tool calls, not Claude's own text responses or the content of tool results. That architecture is intentional — it prevents hostile content embedded in files or web responses from manipulating the safety layer directly by poisoning the transcript the classifier reads.
The pipeline works in two stages. A fast single-token filter handles the clear cases, clearing the 91.5% of safe actions in milliseconds. When that filter flags an action, a slower chain-of-thought reasoning call activates. Anthropic's engineering data puts the deployed false-positive rate at 0.4% and the false-negative rate — cases where an overeager action slipped through — at 17%. The classifier's primary failure mode is one Anthropic describes candidly: it identifies the danger correctly but misjudges whether prior consent in the conversation covers the specific blast radius of the action. "Clean up the PR" was said. The classifier finds approval-shaped evidence. It misses whether that approval covers a force-push.
Claude Code's permission system operates as a spectrum of five distinct modes, each representing a different point on what researchers compare to the SAE autonomy classification scale for self-driving vehicles — from full human control to full autonomous operation.
Manual mode (previously called "default," renamed in v2.1.200) is human-in-the-loop in the formal sense: Claude pauses and requires explicit user authorization before any file write, shell command, or network call. Nothing consequential executes without a positive human action.
acceptEdits mode auto-approves file edits and common filesystem operations inside the working directory while still pausing for shell commands and network access.
Plan mode is read-only: Claude investigates and proposes, but touches nothing until explicitly approved.
Auto mode delegates authorization to the Sonnet 4.6 classifier. The human is no longer in the loop on individual actions — they are on the loop, able to override, but not required to authorize each step. This is the mode that raises the 17% miss-rate question.
bypassPermissions (the --dangerously-skip-permissions flag) removes authorization entirely. Anthropic's own engineers — including a researcher on the Safeguards team who ran 16 parallel agents in a loop to build a Rust-based compiler — explicitly will not use this flag on bare metal. It is designed for isolated containers with no sensitive credentials mounted, no real filesystem access, and no network egress. Its name is descriptive, not dramatic.
The OS-level sandbox (Seatbelt on macOS, bubblewrap with seccomp namespaces on Linux) is a separate security layer from these permission modes. It operates at the operating system level and constrains what Bash commands can physically reach, regardless of which mode is active. The sandbox and the permission modes are complementary, not redundant.
Read more: Claude Code Dynamic Workflows Go GA: Pro Users Can Now Spawn 1,000 Parallel Agents
The formal taxonomy of human-AI control, developed in military and weapons-systems research, distinguishes three configurations: human-in-the-loop (a human must authorize the action), human-on-the-loop (a human may abort), and human-out-of-the-loop (no human action involved). That taxonomy entered US federal law in the National Defense Authorization Act for Fiscal Year 2025, which includes a requirement that positive human actions must authorize consequential decisions — specifically in the context of nuclear weapons employment. It is now, quietly, also the frame that applies to a developer's agentic coding tool.
When Claude Code shipped Auto mode as the default, the out-of-box configuration placed developers as human-on-the-loop: present, capable of intervening, but not required to authorize. The v2.1.200 change moves the default to human-in-the-loop: positive human authorization required for every state-changing action, unless the developer explicitly opts out.
Anthropic has described this design priority directly in its engineering documentation. The company uses "blast radius" — the maximum damage if something goes wrong — as the organizing concept for agentic safety. The v2.1.200 default change shrinks the blast radius for every new install and every developer who hasn't explicitly configured a more permissive mode. It also aligns Claude Code's out-of-box behavior with guidance from the OWASP LLM Top 10, which recommends human-in-the-loop checkpoints for high-stakes agent actions, and with NIST's preliminary IR 8596, which states that a human should be assigned responsibility for the actions of an AI system.
On July 7, 2026 — the same day this article publishes — Radware announced enhancements to its Agentic AI Protection solution that explicitly extend enterprise security coverage to developer-hosted AI agents including Claude Code. The Radware release is framed around alignment with ISO 42001, the EU AI Act, and the NIST AI Risk Management Framework. The EU AI Act's full obligations for high-risk AI systems take effect August 2, 2026. Enterprise security vendors are building governance products on the assumption that agentic coding agents require the same oversight infrastructure as other enterprise AI deployments — and the Manual-mode default makes that governance significantly easier to enforce.
The v2.1.200 change is not disruptive for interactive development. For developers working session-by-session, the new default makes the tool's behavior more visible and more predictable. The approval prompts are real decision points, not reflexes.
The disruption is real for teams running Claude Code in automated or headless continuous integration environments. Any pipeline that previously relied on Claude Code operating in its default autonomous behavior — ingesting a prompt and executing changes without human intervention — will now stall on approval prompts that cannot be satisfied in a headless context.
There are documented real-world consequences of exactly this kind of autonomous operation gone wrong. In April 2026, a GitHub issue filed against Claude Code reported production server outage, data loss, and revenue loss from a session that misinterpreted instructions and deleted the wrong files. Microsoft Security researchers published findings in June 2026 demonstrating that Claude Code GitHub Action could be manipulated through prompt injection to expose CI/CD workflow secrets including ANTHROPIC_API_KEY and other runner credentials. These incidents are not arguments against agentic coding tools — they are arguments for understanding what authorization model is actually in place.
Teams running Claude Code in automated pipelines now need to make that authorization decision explicitly. The path to restoring prior behavior requires one of two changes:
Pass --permission-mode auto on the CLI at startup to use Auto mode's classifier-based authorization for that session.
Set "defaultMode": "auto" in the project's .claude/settings.json to make Auto mode the persistent default for that project.
Teams that need full unattended operation in a controlled environment can use --permission-mode bypassPermissions, but Anthropic's own guidance is unambiguous: this mode belongs inside isolated containers with no sensitive credentials, not in CI runners with repository access and cloud credentials mounted.
Enterprise administrators have a third option: deploy a managed managed-settings.json file that sets permissions.defaultMode at the organization level. This cannot be overridden by user or project settings, giving security teams a definitive control plane.
Read more: Claude Enterprise Spend Controls Arrive as Agentic AI Bills Blow Past Budgets
For interactive development sessions, no action is required. The Manual-mode default works as designed for session-by-session work, surfacing what the agent is doing at each consequential step.
For CI/CD pipelines that relied on prior autonomous behavior: audit existing configurations immediately. Add --permission-mode auto to pipeline startup commands, or set "defaultMode": "auto" in the project settings file, and document that decision for the team. The choice of Auto mode means the Sonnet 4.6 classifier is making authorization decisions — with a 17% miss rate on its own test set for overeager actions — rather than a human. That is a deliberate tradeoff, not an absence of one.
For security teams conducting agentic tool reviews: this update creates a cleaner governance baseline. Manual mode's requirement for positive human authorization aligns with OWASP, NIST, and ISO 42001 guidance for high-stakes agent actions. Use it as the foundation for permission policy and layer Auto mode only where the business case for reduced friction justifies accepting classifier-level authorization.
The Alberta Government's deployment of Claude Code for cybersecurity remediation offers a practical model: Claude Code suggested fixes, engineers reviewed and approved them before deployment, and specialized Claude agents ran continuous security checks alongside human-verified changes. That is human-in-the-loop at production scale.
The v2.1.200 change is the first time a major agentic coding tool has shipped with human authorization — not classifier authorization — as the explicit default. Whether the industry follows is a question the enterprise governance tools building around Claude Code this week are already beginning to answer.
Manual mode requires explicit human authorization before Claude Code executes any file write, shell command, or network call. It is the "human-in-the-loop" configuration in the formal sense: nothing consequential happens without a positive human action. Anthropic made it the default in v2.1.200 (July 3, 2026) because its own telemetry showed that 93% of permission prompts under prior defaults were being approved reflexively rather than reviewed deliberately — a phenomenon security researchers call approval fatigue. Setting Manual as the default restores genuine human authorization as the baseline, rather than asking developers to manually configure it on top of an autonomous default.
Pass --permission-mode auto when starting Claude Code from the CLI, or set "defaultMode": "auto" in your project's .claude/settings.json. This switches authorization from human approval to the Auto mode classifier, a separate Sonnet 4.6 model that reviews each action before execution. The classifier has a 0.4% false-positive rate and a 17% false-negative rate against Anthropic's overeager-actions test set — meaning roughly one in six cases where Claude exceeded what was asked, the classifier allowed it through. For fully unattended pipelines in isolated containers with no sensitive credentials, --permission-mode bypassPermissions removes all checks, but Anthropic's own engineers use this only in sandboxed environments.
The choice of default permission mode determines where human authorization sits in the action chain for an AI system that can write files, execute shell commands, and make network calls. Formal research on autonomous systems distinguishes between human-in-the-loop (authorization required), human-on-the-loop (override possible), and human-out-of-the-loop (no human action). The v2.1.200 change moves Claude Code's factory default from the second category to the first. This alignment matters because OWASP's LLM Top 10, NIST's preliminary AI guidance, and the EU AI Act's governance framework — whose high-risk obligations take effect August 2, 2026 — all emphasize human-in-the-loop checkpoints for AI systems that can take consequential real-world actions. Enterprise security vendors expanded their Claude Code governance coverage on the same day this article was published.
Auto mode shifts authorization from a human to a Sonnet 4.6 classifier — it does not eliminate the authorization question. The classifier's known limitation, which Anthropic discloses openly, is a 17% false-negative rate on overeager actions: the classifier correctly identifies danger in these cases but misjudges whether prior consent in the conversation covers the specific action's blast radius. Security researchers have noted that Auto mode does not protect against supply chain attacks via unpinned dependencies, because the classifier operates at the intent level rather than the package-trust level. Anthropic's own guidance is to use Auto mode in isolated environments as a second layer of defense, not as a replacement for environmental containment.
