Feature Request: Model allowlist/denylist in managed-settings.json for enterprise
Resolved 💬 2 comments Opened Feb 3, 2026 by talatiamops Closed Mar 5, 2026
Feature Request
Summary
Add modelAllowlist and/or modelDenylist configuration options to managed-settings.json to allow enterprise administrators to restrict which models users can access.
Use Case
As an enterprise administrator, I need to:
- Control costs by restricting access to expensive models (e.g., only allow Haiku for routine tasks)
- Enforce compliance by ensuring only approved models are used
- Manage resources by preventing unnecessary usage of high-cost models
Proposed Configuration
{
"modelAllowlist": ["haiku", "sonnet"],
"modelDenylist": ["opus"]
}
Or alternatively:
{
"models": {
"allowed": ["haiku", "sonnet"],
"denied": ["opus"],
"default": "haiku"
}
}
Current Workaround
The only current option is remapping model aliases via environment variables:
{
"env": {
"ANTHROPIC_DEFAULT_SONNET_MODEL": "claude-haiku-4-5-20251001"
}
}
This is insufficient because:
- Users can still explicitly request models by full name
- No true blocking capability
- No audit/enforcement mechanism
Expected Behavior
- If a model is not in
allowlist(or is indenylist), Claude Code should: - Reject the request with a clear error message
- Suggest using an allowed model instead
- Settings in
managed-settings.jsonshould be unoverridable at user/project level
Environment
- Claude Code CLI
- Enterprise deployment via MDM (Jamf/Intune)
- macOS/Linux/Windows
Additional Context
This is critical for enterprise adoption where cost control and compliance are requirements. Many organizations cannot deploy tools without proper administrative controls over resource usage.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗