Claude Code Gets Orchestration, Microsoft Ships MCP Governance
Anthropic shipped the Workflow tool and Microsoft released MCP governance extensions in the same week. Here is what changed and why it matters.
By Springvanta
Two things happened in the same week that tell you where AI agent tooling is going. Anthropic shipped the Workflow tool in Claude Code v2.1.147, giving developers multi-agent orchestration with dependency tracking, pinned background sessions, and code reviews that post directly to GitHub PRs. Microsoft shipped the Agent Governance Toolkit MCP Extensions for .NET, adding tool scanning, policy enforcement, and response sanitization to MCP server connections.
One gives you more power. The other puts walls around it. You need both.
What Claude Code shipped this week
The May 19-22 releases were dense. Ten versions in one month.
Agent View and background sessions. claude agents opens a single dashboard for every session: running, blocked, or finished. You can dispatch a bug fix, a PR review, and a test investigation as separate rows, keep working in another window, and step in only when a row needs you. Pinned sessions (Ctrl+T) stay alive when idle and auto-restart after Claude Code updates.
The Workflow tool. Off by default behind CLAUDE_CODE_WORKFLOWS=1, it adds deterministic multi-agent orchestration. Agents can depend on each other. You get a structured pipeline instead of loose background tasks.
/code-review --comment. The renamed /simplify command now posts findings as inline GitHub PR comments. Previously you had to copy-paste the review output yourself. Now it goes straight to the PR conversation.
/goal and autonomous loops. Set a completion condition like "all tests in test/auth pass and the lint step is clean" and Claude keeps working across turns until a fast model confirms the condition holds. Works in interactive mode, -p, and Remote Control.
Security fixes across the board. Permission-prompt bypass for bare variable assignments in Bash. Git worktree sandbox covering the main repository root. PowerShell cd functions escaping workspace boundaries. These are the fixes that show up when real teams run agents against real codebases for weeks.
The v2.1.148 hotfix (May 22) fixed the Bash tool returning exit code 127 on every command, a regression from 2.1.147. If you updated on May 22 and your commands stopped working, update again.
What Microsoft shipped for MCP
On May 21, Microsoft released the Agent Governance Toolkit MCP Extensions for .NET. The toolkit addresses a real gap: agents connecting to external tool servers without consistent security controls.
The extensions add tool scanning (inspect what tools an MCP server exposes before allowing connections), policy enforcement (define which tools and actions are permitted), and response sanitization (strip sensitive data from tool responses before they reach the agent).
This matters because MCP adoption is outpacing MCP security. A May 16 ByteIota report found that 9 out of 12 enterprises surveyed had OAuth disabled on their MCP servers. Over 1,800 unauthenticated MCP servers were found running on the public internet. STDIO input sanitization vulnerabilities in first-wave MCP deployments allow injection attacks through tool parameters.
Microsoft building governance tooling for MCP is a signal that the protocol has moved from developer curiosity to something enterprises need to manage.
Why these two stories are one story
The Workflow tool lets you chain agents together and run them without supervision. Microsoft's governance toolkit lets you control what those agents can actually do when they connect to external services.
If you are building AI agent workflows for your business, you need the orchestration layer (Claude Code, Cursor, Codex, or your own) and the governance layer (MCP policy enforcement, permission boundaries, audit trails). One without the other is either risky or limited.
Anthropic added permission prompts, sandboxing, and managed settings in the same release cycle as the Workflow tool. Microsoft is building governance tooling for the protocol that connects agents to tools. The infrastructure for safe, productive AI agents is getting built from both ends at the same time.
What to do this week
If you use Claude Code, update to v2.1.148. Enable the Workflow tool with CLAUDE_CODE_WORKFLOWS=1. Try /code-review --comment on an open PR. Set up a pinned background session for a long-running task.
If you are building agent workflows that connect to MCP servers, audit your authentication setup. The Microsoft toolkit is .NET-only for now, but the governance patterns (tool scanning, policy enforcement, response sanitization) apply regardless of your stack.
Sources: Anthropic Claude Code changelog, Microsoft DevBlogs, ByteIota MCP Security Report, GitHub releases