Claude Code auto mode: a safer way to skip permissions

2026-03-24 · Source: Anthropic Engineering Blog · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Software Development & Engineering, Cybersecurity & Data Privacy · Depth: Advanced, long

Summary

Anthropic has introduced "Auto mode" for Claude Code, a new feature designed to enhance safety and reduce user fatigue associated with approving agent actions. Historically, Claude Code users approved 93% of permission prompts, leading to "approval fatigue" and the unsafe use of the `--dangerously-skip-permissions` flag. Auto mode addresses this by using model-based classifiers to automate approval decisions, acting as a middle ground between manual review and no guardrails. This system employs a two-layered defense: an input-layer prompt-injection probe scans tool outputs for hijacking attempts, and an output-layer transcript classifier (running on Sonnet 4.6) evaluates each action against decision criteria before execution. The classifier operates in two stages, a fast filter followed by chain-of-thought reasoning for flagged actions, achieving a 0.4% false positive rate on real internal traffic but a 17% false-negative rate on real overeager actions. The system is designed to block overeager behavior, honest mistakes, and prompt injections, with customizable rules for trusted environments and block categories.

Key takeaway

For CTOs and VPs of Engineering evaluating AI agent deployment, Claude Code's Auto mode offers a critical safety enhancement by automating permission approvals. This reduces the risk of "approval fatigue" and the unsafe `--dangerously-skip-permissions` flag, making autonomous operations substantially safer than no guardrails. While it has a 17% false-negative rate on overeager actions, it's a significant improvement over completely unmonitored execution. You should consider implementing Auto mode for tasks where manual review overhead is high, but remain aware of residual risks for high-stakes infrastructure.

Key insights

Claude Code's Auto mode uses AI classifiers to automate action approvals, balancing safety with reduced user fatigue.

Principles

• Automate approvals to combat fatigue.
• Layer defenses at input and output.
• Tune classifiers to err on blocking.

Method

Auto mode employs a server-side prompt-injection probe at the input layer and a two-stage transcript classifier (Sonnet 4.6) at the output layer. The classifier uses a fast filter then chain-of-thought reasoning, evaluating actions against fixed rules and customizable environment/block criteria.

In practice

• Configure trusted domains and services.
• Review default block rules for customization.
• Monitor for residual risk in autonomous tasks.

Topics

• Claude Code
• AI Safety
• Permission Management
• Prompt Injection
• Classifier Performance

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Engineer, MLOps Engineer, AI Security Engineer

Related on AIssential

• Auto mode for Claude Code — Auto mode in Claude Code automates permission decisions, balancing safety with reduced interruptions for long-running tasks.
• Claude Code, Codex and Agentic Coding #7: Auto Mode — Auto Mode enhances agentic coding safety by selectively requiring human approval for high-risk actions.
• v2.1.113 — Recent Claude Code updates enhance security, performance, and agent capabilities through new features and bug fixes.
• Claude Code, Codex and Agentic Coding #8 — AI coding agents are rapidly advancing but require careful management to mitigate risks from autonomous actions.
• Claude Code Hooks: The Small Automation Layer Every AI Coding Project Should Have — Code hooks enforce development standards automatically, surpassing instruction-based guidance for AI coding agents.
• NEW Hidden Features You MUST Enable In Your Claude Code Setup! — Undocumented Claude Code features significantly enhance productivity and address common issues like memory management and UI stability.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Anthropic Engineering Blog.