Safe File Access Patterns When Using LLM Assistants Like Anthropic's Claude Cowork

Hook: Why you should treat LLM assistants like privileged interns

LLM assistants such as Anthropic's Claude Cowork bring real productivity gains — and real risk. When you let an assistant view or modify files, you face two immediate threats: silent data exfiltration and accidental or malicious modification/deletion. For technology teams and IT admins, the priority is simple: enable the helper, but never hand it the keys to the kingdom.

Executive summary — critical controls up front

If you only remember three things, make them these:

• Least privilege and read-only by default: Give LLMs the minimum access they need — escalate only for narrowly-scoped tasks.
• Sandboxed workspaces with immutable backups: Run file manipulations inside isolated sandboxes and create immutable snapshots before any write action.
• Automated scanning and logging: Scan for malware and sensitive content before exposing files; record every read/write with tamper-evident logs.

2026 context: what's changed and why it matters

In late 2025 and early 2026, enterprise adoption of LLM assistants accelerated alongside improved guardrails. Cloud vendors and security researchers standardized patterns: ephemeral workspaces, per-session service accounts, and inline DLP checks. Confidential computing and hardware-backed attestation rose from niche to mainstream — enabling verifiable, isolated execution of assistants on-prem or in trusted cloud enclaves. But these improvements don't eliminate the need for disciplined file access controls; they make it possible to implement robust, auditable patterns at scale. For implementation and governance guidance, see governance tactics focused on preserving productivity while controlling risk (Stop Cleaning Up After AI: Governance tactics).

Core architecture: how to let Claude Cowork (or any assistant) touch files safely

Think of the assistant as a network call away from a secure middleware layer. Never point an LLM directly at an enterprise file system. Use a narrow API that mediates all file operations. Here's a compact architecture:

1. Client/UI: User interacts with the assistant (e.g., Claude Cowork UI or internal chat) and requests file operations.
2. Mediator Service (recommended): A hardened microservice that exposes a small, well-documented API for file operations. It implements ACL checks, DLP scans, backup orchestration, and audit logging.
3. Sandbox Execution Environment: Container/VM/gVisor/Kata sandbox where assistant-driven transformations run against copies of allowed files.
4. Storage & Backup: Source-of-truth storage (object store, NAS, or git) with immutable snapshots and checksums. Writes are promoted only after policy checks.
5. Monitoring & SIEM: Centralized logging for every file read/write, alerting on anomalies (large exfiltrations, unusual deletion commands).

Why a mediator service matters

The mediator enforces trust boundaries. It prevents the assistant from arbitrarily traversing the filesystem, enforces quotas, requires explicit user confirmations for destructive operations, and can perform dry-runs before applying changes. Replace direct file access with commands like "preview-transform(file-id, script)" and "commit-transform(job-id)" — never "rm -rf /" handed directly to the model.

Practical sandboxing options (concrete steps)

Choose the sandboxing level that matches your threat model. Below are concrete, reproducible options with commands and configuration patterns.

1) Minimal: Linux user isolation + strict ACLs

Use a dedicated service account and POSIX ACLs to limit access.

# Create ai-agent user
sudo useradd -r -s /usr/sbin/nologin ai-agent

# Create workspace and set ACLs: read-only by default
sudo mkdir -p /srv/ai-workspaces/project-123
sudo chown root:root /srv/ai-workspaces/project-123
sudo setfacl -m u:ai-agent:rx /srv/ai-workspaces/project-123
sudo setfacl -R -m o::- /srv/ai-workspaces/project-123

For write operations, create a dedicated write directory with tight quota and time-limited write tokens.

2) Intermediate: containerized sandbox + seccomp/AppArmor

Run transformations inside a container with a minimal syscall surface and a mounted read-only source plus an isolated write layer.

# Example: run a sandbox with Docker (read-only source, temporary write dir)
docker run --rm \
  --user 1001:1001 \
  --read-only \
  -v /srv/ai-workspaces/project-123:/workspace:ro \
  -v /tmp/ai-work-temp:/scratch \
  --security-opt seccomp=/etc/ai/seccomp.json \
  --network none \
  my-ai-sandbox:latest /bin/sh -c 'run_transform.sh /workspace /scratch'

Use seccomp to reject unexpected syscalls and AppArmor/SELinux profile to enforce file access rules. For teams managing low-cost inference or sandboxing alternatives, community builds and small-host clusters can be useful (Raspberry Pi clusters as inference hosts).

3) Strongest: VM-based ephemeral enclaves & confidential computing

For the highest assurance, run assistant code in ephemeral VMs or cloud confidential enclaves (AMD SEV, Intel TDX) that isolate memory and provide remote attestation. Mount only the minimal dataset and destroy the VM after the session.

Access control patterns and concrete ACL rules

Design ACLs to minimize blast radius. Use these patterns:

• Service accounts per session: Issue a unique short-lived account or token per assistant session. Revoke at session end.
• Read-only by default: All file mounts are read-only; writes go to a temporary, audited workspace.
• Break-glass with human approval: Any write/delete requires a digitally signed approval or second human confirmation.
• Scoped permissions: Allow access to directory trees or object prefixes — not entire volumes.

Examples — Linux and Windows ACL snippets

# Linux: grant read/execute only for ai-agent
sudo setfacl -R -m u:ai-agent:rx /srv/ai-workspaces/project-123

# Linux: create write-only temp area for ai-agent
sudo mkdir /srv/ai-workspaces/tmp-123
sudo chown ai-agent:ai-agent /srv/ai-workspaces/tmp-123
sudo chmod 0700 /srv/ai-workspaces/tmp-123

# Windows: grant read/execute to service account 'AIService'
icacls "C:\AIWorkspaces\Project123" /grant "DOMAIN\\AIService:(OI)(CI)(RX)"

# Windows: grant write only to a sandbox folder
icacls "C:\AIWorkspaces\Project123\scratch" /grant "DOMAIN\\AIService:(OI)(CI)(M)"

Malware scanning & file integrity — pipeline you can deploy now

Never expose files to an assistant without scanning. Here's a reliable pipeline pattern:

1. Ingress: Files uploaded to mediator are quarantined.
2. Static scanning: Run signature-based AV (ClamAV as baseline), and YARA rules for suspicious patterns.
3. Heuristic & ML scanning: Use a secondary cloud scanner or behavior-analysis sandbox for unknown binaries.
4. Sanitization: Strip macros, convert documents to sanitized PDF/text for previews.
5. Checksums & signing: Record SHA-256 and optional PGP signatures before and after processing.

# Compute and record SHA-256
sha256sum important-file.csv | tee /var/log/ai/file-checksums.log

# Quarantine scan example
clamscan --move=/var/quarantine --log=/var/log/ai/clamav.log uploaded-file.bin

Note: VirusTotal and other public services can help but may leak file contents to third parties. Avoid them for sensitive data.

Preventing data exfiltration — layered defenses

Data exfiltration is the attack you must assume. Implement layered protections:

• Network egress controls: Sandbox processes must have zero or tightly controlled network egress. Allow only required endpoints (e.g., internal APIs).
• Content-based DLP: Scan outgoing assistant responses for high-risk tokens (SSNs, API keys, PII). Use regex, tokenization, and NER models tuned for your data.
• Response filtering: Insert a final filter that redacts or blocks any output containing sensitive items before returning to the user.
• Rate-limits and size limits: Limit the amount of data the assistant can export per session.
• Watermarking & honeytokens: Embed unique, trackable markers in datasets so exfiltrated data can be traced.

Backups, snapshots, and safe commit patterns

Assume the assistant will make mistakes. Use defensive commit patterns:

• Immutable snapshots: Create a snapshot (zfs, btrfs, or cloud object lock) before any write. Tag snapshots with session ID and SHA256.
• Versioned commits: Apply changes as new versions (git, object versions) rather than destructive overwrites.
• Approval & dry-run: Require a dry-run review from the assistant, then human approval to commit. Store diffs as part of audit trail.
• Fast rollback: Keep automated rollback scripts that can restore the last known-good snapshot within seconds.

# Example: create a snapshot before modifications (ZFS)
sudo zfs snapshot pool/data@ai-session-20260117

# Example: create an S3 object lock before write
aws s3api put-object --bucket my-bucket --key project123/file.csv --body file.csv --object-lock-mode GOVERNANCE --object-lock-retain-until-date 2027-01-17

Auditing and tamper-evident logs

Logging must be central, immutable, and searchable:

• Log every file read/write with session ID, user, service-account, file SHA256, and action.
• Send logs to a remote SIEM with WORM retention to make tampering detectable.
• Use cryptographic chaining of log entries (hash chaining) for non-repudiation.

# Minimal audit record example (JSON)
{
  "timestamp": "2026-01-17T09:00:00Z",
  "session_id": "sess-abc123",
  "actor": "ai-agent-xyz",
  "action": "read",
  "file": "/srv/ai-workspaces/project-123/data.csv",
  "sha256": "e3b0c44298fc1c149afbf4c8996fb924..."
}

Policy recommendations — templates you can adopt today

Below are short policy templates. Implement them as machine-enforceable rules in your mediator service and IAM system.

Policy: AI_FILE_ACCESS (high level)

Default deny. All AI assistant file access requires explicit scoping to directories or object prefixes. Read-only by default. Write/delete requires signed human approval. Every session is logged and retains immutable snapshots for 30 days.

Policy: SESSION_SANDBOX

Each assistant session shall be issued a short-lived service token and an isolated workspace. Token TTL <= 1 hour. Workspace is destroyed and cryptographically shredded on session termination. Network egress disabled unless whitelisted.

Policy: CONTENT_DLP

All assistant outputs are filtered through DLP rules. If PII or secrets are detected, outputs are redacted and flagged for review. Any attempt to exfiltrate files > 1MB triggers an alert and requires additional verification.

Operational playbook — step-by-step for a safe assistant session

1. User requests assistant to modify a file via UI.
2. Mediator clones read-only snapshot into ephemeral sandbox and issues session token.
3. Automated malware and DLP scans run; report attached to session.
4. Assistant produces a dry-run patch (diff documented). Diff stored in audit log.
5. If patch is non-destructive and within scope, user approves via UI (2FA). Approval is recorded.
6. Mediator applies patch to working copy and runs post-commit checks (integrity, regressions, unit tests, linting).
7. Mediator commits change as a new version and tags snapshot. Old snapshot retained for rollback.
8. Session destroyed; logs shipped to SIEM and archived with WORM retention.

Real-world case study (concise)

Scenario: An SRE uses Claude Cowork to refactor a YAML pipeline with many secrets and templates. Instead of exposing the entire repo, the team created a small workspace containing only the pipeline YAMLs and a sanitized mock secret file. The mediator enforced read-only access to repo code, allowed write to the sandbox only, required the assistant to produce a patch, and forced a manual commit via a GitHub PR created by an automation bot (the bot's token scope was limited to repo:pull-requests only). The result: the assistant reduced edit time by 60%, and the team avoided any secret leakage or accidental deletion. For patterns that connect safe assistant sessions to observability and provenance, see work on supervised model observability (model observability).

Advanced strategies and future predictions (2026+)

Adopt these advanced controls as your maturity grows:

• Behavioral baselining: Build normal-activity models and block deviations (e.g., a session suddenly reading millions of lines or many different directories).
• Confidential auditing: Use confidential compute enclaves that produce attestation proofs for each session, enabling external verification of where and how the assistant ran.
• Policy-as-code for AI: Express file access policies in a high-level, verifiable language (Open Policy Agent or similar) and test them automatically.
• Trusted datasets and provenance: Maintain cryptographic provenance (signed manifests) of datasets so the assistant can attest to data lineage in responses.

Over the next two years, expect standardization around per-session attestation and universal metadata headers for AI-exposed files — making automated verification and compliance simpler.

Checksums, signatures, and verification — quick reference

Always record and verify. Minimal commands:

# Create SHA-256 checksum (Linux/macOS)
sha256sum file.csv > file.csv.sha256

# Verify checksum
sha256sum -c file.csv.sha256

# Sign a file with GPG
gpg --output file.csv.sig --detach-sign file.csv

# Verify signature
gpg --verify file.csv.sig file.csv

Common mistakes to avoid

• Giving the assistant broad filesystem mounts or root privileges.
• Trusting model outputs without deterministic verification steps.
• Using public file-scanning services for sensitive data.
• Skipping immutable backups and rollback plans.
• Failing to log or retain session artifacts for audits.

Final checklist — implement within 30 days

1. Deploy a mediator service and disable direct assistant file mounts.
2. Enforce short-lived service tokens per session.
3. Implement read-only default ACLs and scoped write areas.
4. Automate malware scanning + DLP for all incoming files.
5. Require human approval for all destructive actions and keep snapshots.
6. Ship logs to SIEM with WORM retention and hash chaining.

Closing thoughts — balance productivity with prudence

LLM assistants like Claude Cowork can transform workflows, but only if they’re integrated with robust operational controls. In 2026, the secure pattern is no longer "deny AI access" — it’s "enable with constraint." Design mediators, sandboxes, immutable backups, and layered scanning into your AI stack from day one. That way you capture the productivity upside without trading away security or compliance.

Call to action

Ready to harden your LLM file workflows? Download our ready-to-deploy mediator service blueprint and sandbox policy pack, or schedule a security review. Start with the 30-day checklist above — and if you want a tailored playbook for Claude Cowork integration, contact our team for a guided audit.

Related Reading

• Opinion: Identity is the Center of Zero Trust — Stop Treating It as an Afterthought
• On‑Device AI for Live Moderation and Accessibility: Practical Strategies for Stream Ops (2026)
• How to Audit Your Tool Stack in One Day: A Practical Checklist for Ops Leaders
• Mini-Me, Now in Bling: Matching Owner-and-Dog Jewelry Collections
• Eye Health From Your Plate: The Boots Opticians Campaign and Foods That Support Vision
• Raspberry Pi vs Cloud GPUs: When On-Device Inference Makes Sense
• Mitski Channels Grey Gardens: First Indie Albums Inspired by Gothic TV and Film
• How to Store and Protect Collectible Cards and LEGO Sets in a Kid-Friendly Home