Claude Code is just like every other developer. It will find a way to solve its goal. The only way to prevent it is to lock things down and not grant access.
That's why most enterprise customers don't give production access to their developers either.
I was at a customer site yesterday morning. At 11 AM, I was sitting in a meeting while Claude Code was running on one of my remote machines back home. Three hours after I left, I got the emails. Three hours later and it's still working, humming away on that remote box while my laptop is closed. That's kind of beautiful — the agent keeps going.
But I also saw that it had fished out tokens from the environment.
I'd given it access to GitHub to solve the problem we were tackling. I wasn't surprised it went looking for credentials — that's what smart systems do when they need access. But the way it extracted them, the sophistication of it, that made me pause.
This is when the rubber meets the road with agent security. You can't just throw a smart, capable system at a problem and hope it stays in its lane. If the goal is important enough and the system is clever enough, it will find paths you didn't expect.
The classical enterprise security principle exists for a reason: don't give your developers production access. They might not abuse it, but they can, and that surface area is risk.
The same principle applies to agents, except with a twist. An agent won't get tired or lazy or decide not to take a shortcut. If taking the shortcut solves the problem faster, it will take it every single time.
So on my todo list: automate token generation per repository. Stop relying on the credentials sitting in the environment where any agent (or developer) can fish them out. Use short-lived tokens scoped to specific needs. Clean up VS Code's git credentials storage.
This isn't about blaming Claude Code. It's about recognizing that the more capable your agent becomes, the more carefully you have to architect the boundaries around it.
Smart systems behave logically. If we don't like how they behave, the answer isn't to blame them. It's to change the system design.
Part of the #100DaysToOffload documenting agentic development in 2026