AI Just Got Easy. Project Delivery Just Got Risky

Anthropic built a tool in ten days that could make project delivery genuinely easier. The security vulnerabilities discovered within 48 hours should give us pause.

Anthropic's Cowork tool strips away the command line interface from Claude Code, leaving just a folder and a conversation. Point the system at files on your computer, describe what you need, and the tool handles implementation. No coding knowledge required. No terminal commands to memorise. Just natural language instructions and autonomous execution.

This simplicity is deliberate. For years, powerful AI capabilities remained locked behind technical barriers that excluded the majority of potential users. Cowork removes those barriers entirely, making agentic AI accessible to anyone willing to pay £20 to £100 monthly for a Claude Pro or Max subscription.

The timing is interesting. Anthropic launched Cowork as a research preview on 12 January. By 15 January, security researchers at PromptArmor had documented a file exfiltration vulnerability that allows attackers to steal sensitive documents through prompt injection attacks. The flaw uses the same attack vector Johann Rehberger disclosed in October 2025 regarding Claude Code. Anthropic acknowledged the vulnerability but didn't fix it before shipping Cowork to a broader audience.

For project delivery professionals, this sequence tells a more important story than the technology itself. When capability becomes accessible at speed, the friction that once protected organisations from premature adoption disappears. The question isn't whether teams will use tools like Cowork. It's whether they'll understand the risks before those risks materialise.

What Happens When Complexity Becomes Conversational

Cowork operates through a sandboxed environment, mounting selected folders into a containerised workspace. The system uses Apple's Virtualization Framework with a custom Linux root filesystem to isolate operations from the broader system. That architectural choice limits potential damage, but it doesn't eliminate risk.

Early adopters are already discovering use cases:

• Converting receipt screenshots into expense spreadsheets

• Reorganising chaotic download folders with intelligent file naming

• Drafting reports from scattered notes across multiple documents

• Analysing datasets without manual data entry

  
  

The applications are straightforward. The implications extend further. When non-technical staff gain access to tools that can autonomously manipulate files, traditional approval workflows become optional rather than required. Junior team members suddenly possess automation capability that bypasses established processes. Site personnel can implement solutions without coordination. The work happens faster. The governance catches up later, if at all.

This framing positions the tool as collaborative delegation rather than step-by-step instruction. Anthropic acknowledges that "since there's always some chance that Claude might misinterpret your instructions, you should give Claude very clear guidance around things like this." It assumes users will know when to steer, what signals indicate incorrect direction, and which outcomes warrant intervention.

The Security Reality Behind the Research Preview Label

The prompt injection vulnerability works through a deceptively simple attack chain:

1. User connects Cowork to a folder containing confidential files

2. Attacker introduces a document with hidden malicious instructions

3. When Cowork analyses the file, the injection triggers automatically

4. The system uploads sensitive documents to the attacker's Anthropic account

5. No additional user approval is required at any stage
   

PromptArmor demonstrated this exploit using both Claude Haiku and Claude Opus 4.5. Even Anthropic's most capable model, specifically hardened against manipulation, succumbed to the attack. The researchers successfully exfiltrated financial documents containing partial Social Security Numbers and other personally identifiable information.

Anthropic's response has been transparency rather than immediate remediation.

The admission is honest. It's also insufficient for organisations making deployment decisions about tools that will handle confidential project information.

We think the vulnerability matters less as a technical flaw and more as a delivery pattern signal. Anthropic built Cowork in roughly ten days using Claude Code itself.  Boris Cherny, head of Claude Code, confirmed the entire application was constructed through AI-assisted development. That velocity is impressive. It also suggests security considerations took second place to capability demonstration.

Where Broader Access Meets Governance Lag

The pricing structure creates an interesting adoption dynamic. At £20 monthly for Claude Pro, Cowork falls below most organisational approval thresholds. Individuals can subscribe without procurement involvement. Teams can equip themselves without budget discussions. By the time IT security becomes aware of usage, practice patterns are already established.

This isn't unique to Cowork. We've seen similar patterns with:

• Cloud collaboration tools in the 2010s

• Personal productivity apps in the 2000s

• Spreadsheet software in the 1980s
  

Each technology wave followed the same trajectory. Individual adoption outpaced institutional preparation. Organisations that adapted successfully didn't attempt top-down control. They established lightweight frameworks: minimum standards, practical guidance, clear boundaries around sensitive information. Then they let usage evolve within those constraints.

The challenge with agentic AI tools is the expanded consequence surface. A spreadsheet with incorrect formulas creates analytical errors. An AI agent with compromised instructions can delete files, exfiltrate data, or execute malicious code. The stakes are categorically different.

Three Governance Questions That Need Immediate Answers

Organisations deploying tools like Cowork need clarity on:

Data classification: Which project information can flow through third-party AI platforms? Which requires on-premise processing? The default position shouldn't be universal permission or blanket prohibition. It should be explicit categorisation with obvious boundaries.

Output verification: What level of review applies to AI-generated content? Code needs different validation than prose. Client-facing materials need different scrutiny than internal notes. Standards should match risk profiles, not impose uniform rules regardless of context.

Incident detection: How do teams recognise when AI behaviour indicates compromise rather than normal operation? PromptArmor researchers noted that Anthropic's recommendation to "monitor Claude for suspicious actions" places unrealistic burden on non-technical users who lack the literacy to identify manipulation indicators.

Capability Development in the Post-Barrier Era

Using AI tools effectively isn't intuitive. Writing prompts that consistently produce useful results requires practice. Recognising when outputs are plausible but incorrect demands judgement. Understanding which tasks suit automation versus which need human oversight takes experience.

The removal of technical barriers doesn't eliminate the need for capability development. It changes what capability looks like. Instead of learning coding syntax, users need to learn prompt construction. Instead of understanding algorithms, they need to understand limitations. Instead of debugging code, they need to debug instructions.

Our perspective is that delivery literacy for AI tools centres on architectural understanding rather than technical implementation. Teams don't need to know how Cowork's sandboxing works at the kernel level. They do need to know:

• What the sandbox protects and what it doesn't

• Which file operations carry genuine risk

• How prompt injection manifests in practice

• When to escalate unusual behaviour

  
  

The difference between technical literacy and delivery literacy is significant. Technical literacy requires depth in specific domains. Delivery literacy requires breadth across risk surfaces. For project organisations, breadth matters more.

Why This Matters Beyond Cowork Specifically

Anthropic's tool represents a pattern rather than an isolated case. Microsoft is developing Copilot for enterprise productivity. OpenAI is expanding ChatGPT's capabilities beyond conversation. Google is embedding Gemini across its application suite. The direction is clear: AI tools will become everyday workplace infrastructure, accessible to everyone, operating autonomously.

The speed of that transition determines whether organisations adapt thoughtfully or reactively. Cowork went from concept to release in ten days. The security vulnerability was documented within 48 hours of launch. The timeline between capability and consequence is compressing.

For project delivery, this creates a familiar challenge at an unfamiliar velocity. Teams need to understand what they're adopting before adoption becomes embedded practice. Standards need to exist before they're required to prevent problems. Training needs to happen before incidents force recognition that training was necessary.

The future isn't no-code. It's know-enough delivery. The threshold for "enough" is rising faster than traditional training cycles can accommodate.

Understand how AI tools are reshaping delivery literacy requirements. Subscribe to Project Flux for analysis that keeps pace with change.

All content reflects our personal views and is not intended as professional advice or to represent any organisation.