Claude Cowork is the most capable AI agent we've put in front of professional-services teams — and also the one that demands the most setup discipline. It isn't a chat assistant on the side. It's a local desktop agent that does the work: opening files, running multi-step tasks, fetching live data from the web, and producing real output on a schedule. For firms that handle sensitive client information — accountants, advisors, law and finance teams — that capability is exactly what makes it valuable and exactly what makes setup non-negotiable.
This is our practical, opinionated walkthrough for getting Cowork productive without putting client work at risk. It's organized as a setup sequence: get the foundation right, make it genuinely productive, then lock it down. None of these steps is exotic. Skipping them is what gets firms into trouble.
Why Cowork Is Different — and Why Setup Matters
Most AI tools your team has used are cloud chat products: you type, they answer, everything lives on a server that someone else secures. Cowork breaks that model in a useful way. It runs on the local machine, so conversations, history, and the files it works with live on the workstation, not in a browser tab. That unlocks real capability — but it also moves the security boundary onto your own hardware.
The net-new risk of a local AI agent comes from three properties showing up at once. Hold these in mind; every setting later in this guide exists to manage one of them.
The three properties that make any local agent risky
It has access to sensitive things — client files, email, connected systems.
It can be exposed to untrusted things — a web page or an inbound email could carry instructions meant to hijack the agent.
It can communicate externally — it can send data out to the web or other services.
Any one of these alone is manageable. The three together are what require deliberate configuration. Good setup is mostly about deciding, per job, which of these the agent actually needs.
Step 1 — Start on the Right Plan
This is the most consequential decision and the easiest to get wrong, because the most popular consumer plans are the wrong answer for client work. There are really only two acceptable choices: Team or Enterprise.
The reason is commercial data protection. Business plans contractually keep your inputs out of model training; the consumer Pro and Max plans carry the highest personal usage limits — which is why power users love them — but they do not come with those commercial data-protection guarantees. In a firm that puts client data into the tool, that distinction is the whole game.
| Plan | Commercial data protection | Use it for client work? |
|---|---|---|
| Free | No | No |
| Pro / Max | No — high personal usage limits, but no commercial guarantees | No |
| Team | Yes | Yes |
| Enterprise | Yes — plus SSO, domain capture, and org-wide controls | Yes — the better fit once you're around 15+ users |
Start on Team if you're small. Move to Enterprise as you grow past roughly fifteen users or the moment you want the identity and governance controls in Step 7 — those are where Enterprise earns its keep.
Step 2 — Run the Desktop App, Not the Browser
Cowork is specifically the desktop application. It is not the version that runs in a browser tab. The conversations you have, the history, and the files it touches all live on the local machine — that locality is the point, and it's what enables Cowork to reach into folders and drive other apps.
A practical consequence: because everything is local, your Cowork conversations don't sync across devices the way cloud chat does. That's a feature for sensitive work, not a bug. It also means the two products serve different jobs, and knowing which to reach for keeps sensitive material in the right place.
Reach for Cowork
When the output is work — a workpaper, a reconciled file, a built document, a scheduled job. It runs locally, touches your files, and produces something of substance. This is the production tool.
Reach for Chat
When the output is words — a quick answer, a draft, a thinking-out-loud conversation. It's cloud-based and syncs across your phone and every computer. It's also the easier product to lock down (more on that in Step 7).
Step 3 — Default to Opus for Production Work
Model selection is the most important choice you make inside a task. For production and analytical work — anything where accuracy carries real consequences — default to the best Opus model. It's the most capable option and the one you want on client deliverables.
Reserve the lighter models deliberately. Haiku (and the mid-tier models) are fine for simple text generation, light drafting, or when you've hit your Opus usage limit and need to keep moving. The trade-off is real: Opus consumes your usage allowance faster, and if a few people on the team are running it hard, they will eventually bump into limits.
Usage limits reset on a rolling basis, so scheduling is your lever. Push big, heavy jobs to run overnight (see Step 5) so they don't eat into the daytime allowance your team needs for interactive work. A little planning around when large tasks run goes a long way.
Step 4 — Prompt for Live, Authoritative Data
A large language model knows a great deal from training, but for client work you almost never want it answering from memory; you want it pulling from authoritative sources. That is the single biggest lever for cutting hallucination, and it's controlled by how you phrase the request.
The difference is small and reliable. "What are the phase-outs for a 2025 IRA contribution?" invites an answer from memory. "Look up the phase-outs for a 2025 IRA contribution" triggers a web search. Better still: "Look it up on the IRS site." Verbs like look up, search, and check push Cowork to fetch current, citable information instead of recalling it.
Behind that phrasing, Cowork reaches the web three different ways. Knowing which is which tells you how much exposure each task actually carries — and which you may want to switch off in Step 7.
Web search. The lightest touch: Cowork sees basic search results (titles and snippets), not full pages. Enough to find and cite a source, with minimal exposure.
Fetching a page. When it needs the detail on a page, Cowork fetches the whole thing. This is read-only: it pulls the page in, but doesn't act on it.
Browser control (Claude in Chrome). The most powerful and the most risky. Cowork takes over the browser, navigating and entering text and numbers. This is how it fills forms and acts in web apps — and it carries its own risk surface, covered in Step 7.
Step 5 — Isolate Work with Projects, Skills & Schedules
This is where Cowork stops being a clever assistant and starts becoming infrastructure for the firm. Three features stack together: projects isolate the work, skills make it repeatable, and scheduled tasks make it run without a human.
A project walls off a body of work from everything else: its own custom instructions, its own context (a set of folders and files), and contained memory that doesn't leak into unrelated conversations. Firms use them along two dimensions — one project per client (all their context in one place), or one project per repeatable workflow (a bookkeeping or workpaper template you run for many clients).
A skill is a plain-language description of a job you do over and over. The best way to build one isn't to design it up front — it's to let Cowork do a piece of real work, and once it nails something useful, say "turn that into a skill." There's even a skill-creator to do it for you. The payoff compounds: as you leave review notes, a skill can improve, so it makes the same mistake less often than a new hire would.
Plugins are collections of skills, and this is the high-leverage move: your strongest people build a workflow once, then push it to the whole team — available to install, or installed by default. Keep improving the underlying skill and the improvements propagate; the next time anyone runs it, it's simply better.
Tasks can run on a schedule — overnight, every morning, or when a project reaches a certain state. Combine skills with schedules and the work gets done before anyone sits down. (Because Cowork is local, the machine has to be awake for scheduled runs.)
The combination is what matters: skills plus scheduled tasks turn Cowork from something that assists your people into something that is part of the firm's plumbing — getting routine work done without anyone lifting a finger. That's the highest-leverage thing about it.
Step 6 — Guard File Access: Copies, Never Originals
When you grant Cowork access to a folder, it can read and modify what's in there. Deleting a file outright triggers a confirmation prompt — but in-place edits don't always behave the way you expect. Ask it to "improve" a document and it may rewrite the whole thing, and the original contents are simply gone.
The rule: give it copies
If you're handing Cowork a folder of client documents to work in, give it copies, not the originals. Treat the working folder as disposable. This one habit removes an entire class of "it overwrote the source file" incidents, and it costs you nothing but a duplicate folder.
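A small staging script that enforces this rule, added here as an example and not part of Cowork itself: it copies the client folder into a fresh working directory, records a checksum manifest, and after the agent has run reports which files were modified, deleted or added and confirms the originals are untouched. The folder names and the sample files are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def stage_working_copy(original: Path, workdir: Path) -> dict:
    """Copy the client folder into a fresh, disposable workdir and return its manifest."""
    # Refuse to reuse a workdir so one job's leftovers never bleed into the next.
    if workdir.exists():
        raise FileExistsError(f"{workdir} exists; stage a fresh copy per job")
    shutil.copytree(original, workdir)
    return manifest(workdir)


def audit_changes(original: Path, workdir: Path, before: dict) -> dict:
    """Report what changed in workdir since staging and confirm originals still match."""
    after = manifest(workdir)
    return {
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "deleted": sorted(p for p in before if p not in after),
        "added": sorted(p for p in after if p not in before),
        # Originals should still equal the snapshot taken at staging time.
        "originals_intact": manifest(original) == before,
    }


def demo() -> dict:
    """Constructed sample: stage a copy, simulate an 'improve' rewrite, then audit."""
    tmp = Path(tempfile.mkdtemp())
    client = tmp / "client"
    client.mkdir()
    (client / "ledger.csv").write_text("acct,amount\n1000,42.00\n")
    (client / "memo.txt").write_text("original memo\n")
    work = tmp / "work"
    before = stage_working_copy(client, work)
    # What an unguarded "improve this document" can do inside the working copy:
    (work / "memo.txt").write_text("rewritten memo\n")
    (work / "ledger.csv").unlink()
    (work / "summary.md").write_text("generated output\n")
    return audit_changes(client, work, before)
```

Run the audit before promoting anything out of the working folder; a non-empty "deleted" or "modified" list is the review queue, and "originals_intact" being false means the agent was pointed at the wrong folder.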
Step 7 — Lock Down the Security Settings
This is the longest step because it's the one that lets you decide, deliberately, how aggressive you're willing to be. The goal isn't to turn everything off — it's to grant each capability only where a job actually needs it. Here's the posture we recommend across the controls that matter most.
| Control | Recommended posture |
|---|---|
| SSO & domain capture | Turn both on. Verify your email domain so anyone signing up under it is funneled into your org for approval, and have the team log in through your existing Google Workspace or Microsoft 365 accounts. The biggest real-world risk in any app is unauthorized access — SSO inherits the MFA you already enforce instead of adding one more credential to leak. |
| Cowork kill-switch | Know where it is. If your firm isn't ready for a local agent, you can disable Cowork org-wide and still put Chat — the cloud product, which is far easier to secure — in your team's hands. Starting with Chat-only is a legitimate posture. |
| Web search | Disable it for jobs that don't need it. If a workflow only chews on local files, the web is just extra exposure. Grant it only where live data is genuinely required. |
| Network egress | Restrict to approved package managers. This is the sweet spot — Cowork can still fetch trusted libraries to do more complex jobs, without being free to reach anywhere on the web. You can manually approve a specific additional source if a use case truly needs it. |
| User-created skills | Disable them; keep skills themselves on. This stops anyone from pulling a random skill off the web and running it without review. A malicious skill could quietly exfiltrate data — require a sign-off path instead of free rein. |
| Claude in Chrome | Allowlist specific sites; never enable it for the whole internet. This is one of the riskiest capabilities, especially inside an unattended scheduled task — a task can finish having visited somewhere it shouldn't, and you may never see it happen. Approve a short list of sites it's allowed to use. |
| Computer use | Sandbox machine only. Your main workstation is the worst place for an agent to drive the keyboard — you're an admin there with access to everything. If you enable computer use, put it on a dedicated, hermetically sealed machine (a spare Mac mini works) that has access to only what the job needs and nothing more. |
On "Is Cowork SOC 2 certified?"
It's the wrong question, in the same way "Is Microsoft Excel SOC 2 certified?" is the wrong question. Cowork runs on your local machine, so it inherits your machine's security — that's outside what the vendor can directly certify. The model traffic that goes back and forth to the cloud is SOC 2 Type 2 certified, and the cloud Chat product is locked down for sensitive use. The net-new risk lives locally, which is exactly why the controls above — not a certificate — are what make Cowork safe to run.
A Reference Setup
Pulling the seven steps together, here's a baseline configuration that gets a firm productive while keeping client-sensitive work defensible. Treat it as a starting point and tighten from there.
Plan: Team, or Enterprise at ~15+ users for SSO and org controls.
App: Desktop Cowork for production work; Chat for conversational, syncable, lower-risk tasks.
Model: Opus by default; Haiku for simple text or when usage limits bite.
Prompting: "Look up / search" phrasing for anything factual; name the authoritative source.
Structure: One project per client or per repeatable workflow; promote proven work into skills; distribute via plugins; schedule heavy jobs overnight.
Files: Copies in the working folder — never the original client documents.
Identity: SSO + domain capture, MFA inherited from Google or Microsoft.
Egress: Approved package managers only. Web search: on only where needed.
Skills: User-created skills disabled; additions go through review.
Chrome / Computer use: Allowlisted sites only; computer use confined to a dedicated sandbox machine.
The Bottom Line
Cowork is, in the most literal sense, like hiring a very capable new team member and asking them to go do the work — which means you have to trust some of how they do it, and draw clear lines around what they're allowed to touch. The capability is real and already here. So is the responsibility that comes with it.
The honest caveat is that none of this compresses neatly into a checklist. The right configuration depends on the specific job, the sensitivity of the data, and your firm's risk appetite — and getting it right usually means involving people who understand both AI and your regulatory context. That intersection is still thin on the ground. If you're working through it, the steps above are where to start, not where to stop.
Standing up Claude Cowork — or any local AI agent — for client-sensitive work? Our advisory lane covers secure deployment, skills and project structure, and the governance that keeps it defensible.