One of the most important principles in a governed Cowork deployment is that permissions belong on the system side of the connector, not the LLM side. If a role shouldn't be able to delete records in the CRM, you don't tell Claude "never delete records." You configure the connector so the delete operation doesn't exist for that role. The LLM can't do what the system won't let it do.
API-level access control
This maps directly to standard API access control patterns. Role-based permissions, scoped API keys, operation-level restrictions — these are well-understood techniques from traditional software development. Applying them to the connector layer means you get deterministic enforcement without relying on the LLM's compliance. Claude operates within the boundaries that the connectors define.
The practical benefit is reliability. You don't need to worry about prompt injection, jailbreaking, or edge cases where Claude might misinterpret a rule. If the connector doesn't expose the operation, it's physically impossible for Claude to perform it. This is what separates a properly governed deployment from one that relies on LLM-level promises.