Claude Sonnet 4.6 in Production: A PSF Domain Assessment

XML-structured prompts, system-prompt steering, and constitutional-AI training give Claude Sonnet 4.6 the strongest input governance in the published cohort.

Anthropic explicitly trains Claude to respect XML-delimited structure inside prompts, which gives practitioners a clean way to separate trusted instructions from untrusted user content. Combined with the model's well-documented adherence to system-prompt directives — published evaluations show consistently higher instruction-following than the prior generation — Claude Sonnet 4.6 makes input governance architecturally clean. The model also reliably refuses to follow injected instructions that contradict its system prompt, which is the single most important property for any RAG or agentic deployment. The 84 reflects strong native capability; gaps remain at the deployment layer for semantic input classification and PII detection.

Tool-use schemas + structured outputs deliver high-fidelity format compliance; refusal behaviour provides useful semantic safety signal.

Claude Sonnet 4.6 supports tool use with JSON Schema validation and structured output formats. The model's adherence to declared schemas is consistently high — among the strongest in the cohort. More distinctively, Claude has been trained to express uncertainty calibrated to the difficulty of the task and to refuse confidently when asked to produce content it cannot validate. This makes the output stream more semantically self-validating than format-only mechanisms in other models. PSF Domain 2 requires both format and content validation; Claude provides format compliance natively and partial content validation through refusal/uncertainty signals.

Anthropic's default 30-day retention + zero-training-on-API-data policy is the strongest hosted-model data position; native PII handling still requires deployment-layer controls.

Anthropic does not train on API customer data by default and retains prompts for a maximum of 30 days for abuse monitoring. This is the strongest default data position among the major hosted-model providers. Enterprise customers can obtain zero data retention by contract. For GDPR and SOC 2 Type II compliance, Anthropic publishes a Data Processing Agreement and trust documentation. The model itself does not detect or redact PII in incoming content; that remains a deployment-layer responsibility. The 77 reflects best-in-cohort default data posture but acknowledges that hosted-API processing still places user data inside Anthropic's infrastructure boundary, which excludes deployment scenarios with strict on-premises or specific-jurisdiction residency requirements.

Per-call usage and stop-reason metadata are returned; trace-level observability requires a separate layer.

Like other hosted-model APIs, Claude returns usage data (input/output tokens, model version, stop reason) per call. The Anthropic Console exposes aggregate spend and request metrics. This is enough for cost monitoring. PSF Domain 4 requires more: structured logging of prompts and completions, per-request trace IDs, replay capability, and output-quality drift detection. None of this is in the API itself; production deployments need an observability layer (Langfuse, OpenTelemetry-based instrumentation, or Anthropic's own MCP-based tracing).

Highest human-oversight trigger reliability in the current cohort: Claude's refusal and uncertainty calibration is consistently more aligned with PSF Domain 6 expectations than alternatives.

Claude Sonnet 4.6's training under Anthropic's constitutional AI methodology produces refusal and uncertainty behaviour that is more useful as a routing signal than any other model in the cohort. The model refuses out-of-scope requests consistently, expresses uncertainty proportional to task difficulty, and surfaces ambiguity explicitly rather than defaulting to confident answers. For human-in-the-loop architectures, this means the model's own outputs are reliable triggers for escalation. The 85 reflects that Claude is the best fit in this cohort for deployments where the model's signal participates in oversight routing. The score does not exceed 90 because PSF Domain 6 maturity still requires deployment-defined consequence-based escalation independent of model confidence.

Versioned model snapshots, published deprecation policy, and Anthropic's transparent change communication make deployment-safety achievable; blast-radius controls remain practitioner-implemented.

Claude models are versioned with explicit snapshot identifiers, and Anthropic publishes deprecation timelines. Version pinning is straightforward — production deployments can lock to a specific Claude Sonnet 4.6 snapshot and only update on a tested cadence. The model's behavioural consistency across versions is high (Anthropic's published change notes reliably capture behavioural deltas). What remains the practitioner's responsibility: per-run step budgets, cost circuit breakers on agentic loops, blast-radius controls on tool use, and rollback procedures. The 78 reflects that the vendor side of deployment safety is well-handled and the gap is at the deployment architecture layer.

Constitutional-AI training delivers genuinely stronger prompt-injection resistance than the cohort average; indirect injection through retrieved content remains the highest-risk vector.

Published red-team evaluations (Anthropic's own + third-party academic work) consistently show Claude with stronger prompt-injection resistance than GPT-4 family and Gemini family at equivalent capability tiers. The XML-structured-prompts pattern (Domain 1) compounds this — when implemented correctly, the model treats content inside tags as data rather than instructions. Indirect prompt injection via retrieved documents remains the most effective attack vector against Claude in RAG configurations, but the rate of successful injections is meaningfully lower than alternatives. API key security is the standard deployment concern. PSF Domain 7 requires deployment-layer controls regardless of the model's training-time hardening.

Anthropic's multi-cloud availability (AWS Bedrock, Google Cloud Vertex AI) provides genuine vendor-resilience optionality; abstraction layer still recommended.

Claude is available via Anthropic's direct API, AWS Bedrock, and Google Cloud Vertex AI. This multi-cloud distribution materially reduces vendor-lock risk: a deployment running through Bedrock can move to direct Anthropic or Vertex with relatively low friction. Anthropic publishes a deprecation policy and provides advance notice on model lifecycle changes. The 79 reflects strong vendor posture, but achieving PSF Domain 8 maturity still requires a model abstraction layer so that the deployment can swap to non-Claude alternatives (GPT-4, Gemini, self-hosted Llama) when contractual, cost, or capability circumstances change.