Feature Request: Model allowlist/denylist in managed-settings.json for enterprise

Resolved 💬 2 comments Opened Feb 3, 2026 by talatiamops Closed Mar 5, 2026

Feature Request

Summary

Add modelAllowlist and/or modelDenylist configuration options to managed-settings.json to allow enterprise administrators to restrict which models users can access.

Use Case

As an enterprise administrator, I need to:

  • Control costs by restricting access to expensive models (e.g., only allow Haiku for routine tasks)
  • Enforce compliance by ensuring only approved models are used
  • Manage resources by preventing unnecessary usage of high-cost models

Proposed Configuration

{
  "modelAllowlist": ["haiku", "sonnet"],
  "modelDenylist": ["opus"]
}

Or alternatively:

{
  "models": {
    "allowed": ["haiku", "sonnet"],
    "denied": ["opus"],
    "default": "haiku"
  }
}

Current Workaround

The only current option is remapping model aliases via environment variables:

{
  "env": {
    "ANTHROPIC_DEFAULT_SONNET_MODEL": "claude-haiku-4-5-20251001"
  }
}

This is insufficient because:

  • Users can still explicitly request models by full name
  • No true blocking capability
  • No audit/enforcement mechanism

Expected Behavior

  • If a model is not in allowlist (or is in denylist), Claude Code should:
  • Reject the request with a clear error message
  • Suggest using an allowed model instead
  • Settings in managed-settings.json should be unoverridable at user/project level

Environment

  • Claude Code CLI
  • Enterprise deployment via MDM (Jamf/Intune)
  • macOS/Linux/Windows

Additional Context

This is critical for enterprise adoption where cost control and compliance are requirements. Many organizations cannot deploy tools without proper administrative controls over resource usage.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗