Enterprise AI adoption has always had a chicken-and-egg problem. Security and compliance teams demand that no vendor personnel can access their data. Vendors respond with policy promises, audit reports, and contractual commitments. Then someone in IT asks the obvious question: how do we know?
Amazon’s Mantle inference engine — now supported by Claude Code v2.1.94 — replaces that conversation with an architecture. And architecture is harder to lie about than policy.
What Mantle Actually Is#
Mantle is AWS’s next-generation inference engine for Amazon Bedrock, designed from the ground up around a single constraint: zero operator access (ZOA). Not “minimal access.” Not “access by exception.” Zero.
The practical implementation is blunt: Secure Shell (SSH), AWS Systems Manager Session Manager, and serial consoles are not installed anywhere in Mantle. There is no interactive mechanism that would allow an AWS operator — or anyone else — to access a customer’s prompts or model completions. Not Anthropic. Not AWS. Nobody.
The security architecture has three layers that matter:
Cryptographic software verification. Every inference software update must be signed and verified before it deploys into Mantle. Only approved code runs. The supply chain for the inference engine itself is attested before it touches production.
NitroTPM-backed hardware attestation. The services handling model weights and running inference on customer prompts are backed by cryptographically signed attestation measurements from AWS Nitro Trusted Platform Modules. Auditors don’t have to trust a promise — they can verify the attestation chain.
Provider isolation. Anthropic has no access to the AWS-owned account where inference happens. Model providers supply the model; they don’t touch the runtime. The separation is structural, not contractual.
For standards like SOC 2, HIPAA, or ISO 27001, this changes the compliance conversation. Instead of “we promise our operators don’t look at your data,” auditors can confirm the architecture has no backdoors. That’s a different kind of assurance.
What Changed in v2.1.94#
Claude Code v2.1.94, released April 8, 2026, introduced native Mantle support with a single environment variable:
export CLAUDE_CODE_USE_MANTLE=1That flag routes Claude Code’s inference through the Mantle backend instead of the standard Bedrock path. Combined with the interactive setup wizard, the configuration path for enterprise deployments went from “manually set five environment variables and pray” to a guided flow that handles AWS credential selection, region configuration, and model availability verification in a single session.
The wizard lets you choose how you authenticate to AWS: a detected profile from ~/.aws, a Bedrock API key, explicit access key and secret, or ambient credentials already in your environment. It picks up your region, verifies which Claude models your account can invoke, and optionally pins the 1M context window during initial setup.
A regression in v2.1.94 caused Bedrock requests to fail with a 403 “Authorization header is missing” error when using AWS_BEARER_TOKEN_BEDROCK or CLAUDE_CODE_SKIP_BEDROCK_AUTH. That was fixed in v2.1.96. If you’re deploying from these changelogs, skip directly to .96 or later.
Also in v2.1.94: the default effort level reverted to high for API-key, Bedrock, Vertex AI, and Azure Foundry users — walking back the silent “medium effort” change from March 3 that generated the trust crisis covered here last week. Enterprise users running Claude Code through Bedrock now get high-effort reasoning by default without having to override it.
Why the Air-Gap Story Matters Now#
The Bedrock + Mantle combination unlocks Claude Code for a class of enterprise buyer that was previously unreachable: regulated industries and organizations with strict data residency requirements.
Think financial services firms running inside an AWS GovCloud boundary. Healthcare systems with PHI that cannot leave their AWS account. Defense contractors with audit requirements that preclude vendor access to inference infrastructure. For these buyers, the previous Claude Code story was “trust our policies.” The Mantle story is “verify our architecture.”
It also changes the enterprise procurement conversation. When a CTO asks “can your AI coding tool be deployed such that neither you nor any third party can see our code?”, the answer used to be a legal document. Now it’s a reference architecture with cryptographic attestation.
Claude Code’s deployment options now span three enterprise tiers:
| Tier | Infrastructure | Operator Access |
|---|---|---|
| Standard | Anthropic-managed | Anthropic zero-access policy |
| Bedrock | AWS-managed | AWS policy + Anthropic model isolation |
| Bedrock + Mantle | AWS-managed, ZOA | Hardware-attested zero operator access |
The Mantle tier is the one that passes an enterprise security review without a thirty-page risk exception.
The Competitive Angle#
Cursor runs entirely through its own cloud infrastructure, with no equivalent to running inside your AWS account boundary. GitHub Copilot Enterprise offers data residency options, but the inference infrastructure remains Microsoft-operated. Windsurf has no equivalent enterprise air-gap story.
Claude Code on Bedrock with Mantle is, as of this writing, the only major AI coding agent that can be deployed such that no vendor — not even the AI provider — has a technical path to access customer code during inference. That’s not marketing positioning. That’s an architectural fact that matters to the CISO who signs the vendor risk assessment.
For most developers, the distinction is academic. For the enterprise buyer trying to deploy AI coding tooling to 2,000 engineers at a regulated institution, it’s the difference between a signed contract and a blocked procurement.
Getting Started#
The AWS blog post on Claude Code deployment patterns with Amazon Bedrock covers the setup in detail. For teams that want the Mantle path specifically, the Claude Code docs at code.claude.com/docs/en/amazon-bedrock now include the Mantle setup flow.
The prerequisites are standard AWS fare: a Bedrock account with Claude model access enabled in your target region, IAM credentials with the right Bedrock permissions, and v2.1.96 or later of Claude Code. The wizard handles the rest.
For organizations where the compliance question has been the blocker, v2.1.94 is the release that removes it.
Sources: AWS Mantle ZOA deep dive · Claude Code v2.1.94 release notes · Claude Code Bedrock docs · AWS Claude Code deployment patterns · i10x Mantle ZOA overview · Claude Opus 4.7 on Bedrock