Anthropic moved Claude Cowork from research preview to general availability in early May 2026. Cowork is the agent product that takes a delegated task (research a customer, draft a contract, summarize a week of Slack) and runs the work over your connected accounts. Pro, Team, and Enterprise plans all get access. Enterprise also gets role-based access control, group spend limits, usage analytics, and OpenTelemetry export of the agent's operational events.[1]

Right behind Cowork is Orbit, which Anthropic launched at its Code with Claude developer conference in San Francisco on May 6, 2026 (with follow-on dates in London May 19 and Tokyo June 10).[2] Orbit is a proactive briefing tool. You don't have to prompt it. It pulls from Gmail, Slack, GitHub, Calendar, Drive, and Figma on its own and surfaces what you should pay attention to. Anthropic explicitly aimed it at "product creators" (developers, designers, product managers) rather than at the executive-inbox audience that OpenAI's competing Pulse and Google's Gemini briefings target. The GitHub-and-Figma connector list is the tell.

This is the article that asks the question the launch coverage skipped: when an AI assistant reads your inbox continuously, what is your data-egress posture, what gets logged, and what does the vendor see?

What "proactive" actually means in technical terms

For Cowork to deliver on its premise, the agent has to hold standing OAuth access to the connected services and read from them on its own schedule. For Orbit specifically, the read schedule is continuous in the sense that the agent decides when to pull and what to look at. This is materially different from a chat assistant that only sees what you paste into the box.

The standing access is the foundation of three things you should think about before granting it.

Read scope. The OAuth grant for "Gmail" typically means all of Gmail. Read scope on Drive can mean every document in the workspace. Calendar read scope means every event including private ones. Vendors are good at scoping these grants narrowly when they have to; most do not have to.

Inference scope. The model reads a thread, builds a summary, and that summary becomes part of its working context. The summary is then available to the agent on its next turn, possibly its next task, possibly its next session, depending on how the vendor implements memory. If Orbit summarizes a confidential acquisition email at 9 a.m. and you ask Cowork an unrelated question at 3 p.m., the question is whether the morning summary is in the prompt that goes to the model.

Vendor access. Whatever the agent reads, the vendor's logging infrastructure may also retain. Anthropic's enterprise data-handling commitments are stronger than the consumer plan's, but they are not zero retention. The conservative reading is that anything the agent reads is, at minimum, transient on Anthropic's infrastructure.

The audit-log gap nobody is talking about

This is the part that should land for any business with a compliance posture. As of the May 2026 GA, and as of the Orbit launch ten days later, Claude Cowork activity remains excluded from all three of Anthropic's enterprise compliance mechanisms: Audit Logs, the Compliance API, and Data Exports. That exclusion applies across every plan tier, including Enterprise.[3] Anthropic's own current guidance is to not use Cowork for regulated workloads until native audit coverage exists.

You can stream Cowork events to your SIEM via OpenTelemetry, which gives security teams visibility into tool calls, file accesses, and human approval decisions. That is genuinely useful for runtime security monitoring. But it is not the same thing as a compliance audit log. If your business is subject to HIPAA, GLBA, PCI, attorney-client privilege, SOC 2, or any standard that requires a forensic audit trail of who saw what data and when, the OTel stream is not, by itself, a substitute for the audit log.

Anthropic will close this gap. Vendors close it eventually because customers demand it. But the question is whether they have closed it by the time you are operating under a regulator's expectations of you. The Cowork GA shipped the gap. The Orbit launch shipped on top of it. As of right now, it is still open.

Where this fits in the "should we use cloud AI at all" question

This is not an argument against using Cowork or Orbit. The productivity case is real. A small business owner who spends two hours a day on email triage and gets that down to 20 minutes is recovering meaningful time. The companion piece on the small business case for local AI inference covers what the alternative looks like (running the model on hardware you control), and the trade-offs are real in both directions.

The argument here is narrower: a continuous-read AI agent has a different threat model from a chat assistant, and the controls you put around it should reflect that difference. Most businesses currently treat the two as the same thing. They are not.

Five questions to ask before you grant Orbit access to your accounts

1. Which connections are necessary, and which are convenient

The Orbit pitch is to connect everything. The defensive posture is to connect the minimum that delivers most of the value. Calendar plus one inbox is a good starting set. Adding Drive, GitHub, and Figma multiplies the read scope. Each additional connection should justify its inclusion against a specific use case.
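
The connection review described here, and the "Read scope" concern raised earlier, as an added example (not code from Anthropic or from this article): a check that compares a connector grant against a written least-privilege policy. The scope strings are real Google OAuth scopes; the policy, the connector names and the sample grant are constructed and do not represent what Orbit actually requests.

```python
# Added example. Policy, connector names and sample grant are constructed;
# they do not describe the scopes Orbit or Cowork actually request.

# Real Google OAuth scopes, ranked by how much each one lets a client read.
SCOPE_BREADTH = {
    "https://www.googleapis.com/auth/gmail.metadata": "narrow",  # headers, no bodies
    "https://www.googleapis.com/auth/gmail.readonly": "broad",   # every message
    "https://mail.google.com/": "full",                          # read, send, delete
    "https://www.googleapis.com/auth/calendar.readonly": "broad",
    "https://www.googleapis.com/auth/drive.file": "narrow",      # app-opened files only
    "https://www.googleapis.com/auth/drive.readonly": "broad",   # every file
    "https://www.googleapis.com/auth/drive": "full",
}
ORDER = {"narrow": 0, "broad": 1, "full": 2}

# Each approved connector names the use case that justifies it and a ceiling.
POLICY = {
    "calendar": {"use_case": "meeting prep briefings", "max": "broad"},
    "gmail": {"use_case": "inbox triage", "max": "broad"},
}

SAMPLE_GRANT = {  # constructed grant, as a consent screen might list it
    "calendar": ["https://www.googleapis.com/auth/calendar.readonly"],
    "gmail": ["https://mail.google.com/"],
    "drive": ["https://www.googleapis.com/auth/drive.readonly"],
}

def review_grant(grant, policy=POLICY):
    """Return (connector, finding, scope) tuples for everything outside policy."""
    findings = []
    for connector, scopes in sorted(grant.items()):
        rule = policy.get(connector)
        if rule is None:  # connected without a documented use case
            findings.append((connector, "no-use-case", "*"))
            continue
        for scope in scopes:
            breadth = SCOPE_BREADTH.get(scope)
            if breadth is None:  # not in the table: needs a manual look
                findings.append((connector, "unknown-scope", scope))
            elif ORDER[breadth] > ORDER[rule["max"]]:
                findings.append((connector, "exceeds-policy", scope))
    return findings

if __name__ == "__main__":
    for finding in review_grant(SAMPLE_GRANT):
        print(finding)
```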

2. Whose data is in those accounts

Your inbox contains other people's communication. Your Drive contains documents authored by clients and vendors who did not consent to AI processing. The grant is yours to make, but the obligation is to think about whose information you are putting through the model on someone else's behalf.

3. What's your audit story if a regulator asks

If you operate under a compliance framework that requires an audit trail of data access, the current Cowork audit-log gap means you cannot answer the question "show me every record the AI read in March" with the vendor's tools. Decide what that means for your posture before you grant access, not after.
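
One way to keep your own record while the vendor gap is open, as an added example (not Anthropic's code and not a compliance audit log): a hash-chained local ledger built from exported agent events, which can answer the "every record read in March" question and detect later edits. The event field names and sample lines are hypothetical and constructed; Cowork's actual OpenTelemetry schema is not given on this page.

```python
import hashlib
import json
from datetime import datetime

# Constructed sample events. Field names are hypothetical, not Cowork's schema.
SAMPLE_EVENTS = [
    '{"ts":"2026-03-02T09:00:11+00:00","event":"file_access",'
    '"connector":"drive","resource":"doc/placeholder-1"}',
    '{"ts":"2026-03-02T09:00:12+00:00","event":"tool_call",'
    '"connector":"gmail","resource":"thread/placeholder-2"}',
    '{"ts":"2026-04-01T08:30:00+00:00","event":"file_access",'
    '"connector":"drive","resource":"doc/placeholder-3"}',
]
GENESIS = "0" * 64
READ_EVENTS = ("file_access", "tool_call")  # assumption: both imply a read

def _digest(prev, record):
    # Canonical JSON so the same record always hashes the same way.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode()).hexdigest()

def build_ledger(lines):
    """Chain each event to the one before it via SHA-256."""
    ledger, prev = [], GENESIS
    for line in lines:
        record = json.loads(line)
        prev = _digest(prev, record)
        ledger.append({"record": record, "hash": prev})
    return ledger

def verify(ledger):
    """False if any stored record was altered, removed or reordered."""
    prev = GENESIS
    for entry in ledger:
        if _digest(prev, entry["record"]) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def records_read(ledger, year, month):
    """(connector, resource) pairs the agent touched in the given month."""
    out = []
    for entry in ledger:
        rec = entry["record"]
        when = datetime.fromisoformat(rec["ts"])
        if (when.year, when.month) == (year, month) and rec["event"] in READ_EVENTS:
            out.append((rec["connector"], rec["resource"]))
    return out
```

The ledger only proves what the export contained; anything the stream omits is invisible to it, which is why it supplements rather than replaces native audit coverage.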

4. What happens when an Orbit briefing is wrong

The model will summarize incorrectly some non-trivial fraction of the time. A briefing that misstates a customer's intent, misattributes a quote, or invents a deadline will land in your morning routine and you will act on it. The mitigation is to treat briefings as drafts, not facts, and to verify before acting on anything consequential. The piece on AI for your business: the real cost of doing it yourself covers the broader pattern of trusting AI output too much.

5. What's the off-switch, and how fast

If something goes wrong (an account is compromised, a client objects, a regulator inquires), how fast can you revoke Orbit's access to a specific connection? The answer should be "in one click, and the revocation is logged." If the answer is "I'll have to check," you are not ready to grant the access yet.

The pattern of this generation of AI products is that the productivity feature ships first and the controls follow. That is normal. The owner's job is to know which side of the gap they're on at any given moment, and to make the access decision deliberately rather than by reflex.

What to do this month

If you're already on a Claude paid plan, Cowork is sitting in your account and Orbit is rolling out connector by connector. The five questions above are worth running before you flip on additional connectors. The audit-log gap is worth a separate note in your security or compliance file, with a calendar reminder to recheck it in 90 days.

If you're not on a Claude plan but are considering one for the team, the ROI argument is real. So is the read-scope argument. Both are true at the same time. The decision worth making is which connections start enabled and which start disabled, not whether to use the product at all.

The Bottom Line

  • Claude Cowork went GA in early May 2026 across Pro, Team, and Enterprise plans, with role-based access control, group spend limits, usage analytics, and OpenTelemetry export added for Enterprise.
  • Orbit, Anthropic's proactive briefing tool, launched May 6, 2026 at the Code with Claude developer conference. It pulls from Gmail, Slack, GitHub, Calendar, Drive, and Figma on its own without explicit prompts, generating briefings continuously. Anthropic positioned it at developers, designers, and product managers rather than the executive-inbox audience.
  • As of May 2026 (and unchanged after the Orbit launch), Cowork activity is excluded from Audit Logs, the Compliance API, and Data Exports across every plan tier including Enterprise. OpenTelemetry export gives runtime visibility but is not a compliance audit log substitute. Anthropic's own guidance is to not use Cowork for regulated workloads.
  • A continuous-read AI agent has a different threat model than a chat assistant. The controls should reflect that difference: minimum necessary connections, awareness of whose data is in those accounts, a planned audit story, treatment of briefings as drafts not facts, and a fast off-switch.
  • The decision worth making is which connections start enabled, not whether to use the product at all. The ROI is real and the read-scope concerns are real at the same time.

If you're rolling out Claude Cowork or thinking about Orbit access, the connector-by-connector review is the kind of work covered by my AI agent security review. The default is "connect everything." The right answer is almost never that.

Sources

  1. Claude Cowork GA, RBAC, group spend limits, OpenTelemetry export. Per The New Stack's coverage, TechRadar, and Lilting Channel's release analysis.
  2. Orbit launch at Code with Claude, May 6, 2026; connector list and audience positioning. Per Phemex's launch coverage, Simon Willison's live blog of Code with Claude 2026, and TestingCatalog's pre-launch coverage of the connector set (Gmail, Slack, GitHub, Calendar, Drive, Figma). London and Tokyo conference dates May 19 and June 10.
  3. Cowork excluded from Audit Logs, Compliance API, and Data Exports (unchanged after Orbit launch). Per MintMCP's audit-gap analysis (May 2026), Harmonic Security's practitioner guide, and Repello AI's enterprise deployment guide. The exclusion applies across every plan tier including Enterprise. Anthropic's current guidance is to not use Cowork for regulated workloads. OpenTelemetry export is available but does not substitute for compliance audit logging.