TL;DR

Anthropic has released auto mode for Claude Code as a research preview. The feature sits between the tool’s conservative default permissions and the unrestricted skip-permissions flag, using a classifier to automatically approve safe actions and block risky ones during extended coding sessions.

A middle path for AI coding

Claude Code’s default setup asks developers to approve every file write and bash command — safe, but impractical for longer tasks. Some developers have been bypassing all permission checks with the --dangerously-skip-permissions flag, which Anthropic warns can lead to “dangerous and destructive outcomes.”

Auto mode introduces a classifier that reviews each tool call before it runs. Actions deemed safe proceed automatically, while those flagged as potentially destructive — such as mass file deletions, data exfiltration, or malicious code execution — are blocked. If Claude repeatedly attempts blocked actions, it eventually escalates to a manual permission prompt.

Limitations acknowledged upfront

Anthropic is being explicit about what auto mode does not solve. The classifier may still allow some risky actions when user intent is ambiguous or when Claude lacks sufficient context about the developer’s environment. It may also occasionally block harmless operations. The company recommends using auto mode in isolated environments and notes a small impact on token consumption, cost, and latency.

The feature works with both Claude Sonnet 4.6 and Opus 4.6, and is available now for Claude Team plan users. Enterprise and API access will follow in the coming days.

Looking forward

For UK development teams evaluating AI coding assistants, auto mode addresses one of the practical friction points — the constant approval cycle that makes AI pair programming feel more like AI micromanagement. The safety-first approach, with acknowledged imperfections, also reflects the broader industry debate about how much autonomy to grant AI tools that can modify codebases and execute system commands.