Is Claude for Excel Safe? What Finance Teams Should Know

Is Claude for Excel safe to point at real financial data? The prompt-injection risks, what Anthropic's own docs warn, and 6 checks before you roll it out.

Claude for Excel reached general availability on May 7, 2026, and finance teams reacted fast. Within a week the FP&A corner of the internet was full of people saying it found a #REF! error in three seconds that a coworker had chased until 2am.

Then a quieter question started showing up underneath the excitement: is it actually safe to point this thing at our real numbers?

That’s the right question. And the honest answer isn’t “yes” or “no” — it’s “yes, with a handful of specific precautions.” Here’s what those are, and why they matter.

What Claude for Excel can see

Claude for Excel is an add-in. It sits in a sidebar next to your workbook and, when you ask it something, it reads the open file — the cell values, the formulas, the sheet structure, the named ranges — and sends that to Anthropic’s servers to work on your request.

Read that sentence again, because it’s the whole security conversation. The numbers in your workbook leave your computer. That’s not a scandal — it’s how every cloud AI tool works, and it’s the same trade you already make with cloud-based accounting software. But it’s the fact a controller has to start from.

A few things soften it. Anthropic says it automatically deletes the inputs and outputs from its servers within 30 days. Your chat history actually stays in your browser, not on Anthropic’s servers. And the add-in can’t touch macros or VBA at all. But the core fact stands: to help with your spreadsheet, Claude has to read your spreadsheet.

Figure: Anthropic documents the prompt-injection risk directly in the Claude for Excel help center. Source: Anthropic

The real risk: prompt injection

Here’s the part most coverage skips. The danger isn’t really Anthropic reading your numbers. It’s a malicious spreadsheet.

It’s called prompt injection, and the plain-English version is this: an attacker hides instructions inside data that Claude is going to read. A comment tucked into a cell. A row of text far off to the right where nobody scrolls. A linked file that pulls in content from somewhere else. The instructions are written for the AI, not for you — and Claude, reading the workbook, can’t always tell the difference between your instructions and instructions buried in the data.

Security researchers have been demonstrating this attack against AI assistants for a while now — the foundational paper goes back to 2023 — and through 2025 and 2026 there’s been a steady stream of disclosures showing it works against real, shipping AI products. This isn’t theoretical. It’s a known, active class of attack.

What could an injected instruction tell Claude to do? Anthropic spells it out in its own help center. A manipulated Claude could be pushed to extract and share sensitive information, modify critical data like financial records, or perform destructive actions without verification.

What Anthropic itself recommends

This is the most reassuring part, oddly — because Anthropic doesn’t hide any of it. The Claude for Excel documentation says it directly:

“Only use Claude for Excel with trusted spreadsheets and not spreadsheets from external untrusted sources.”

That’s the single most important sentence for a finance team. The workbook a vendor emailed you. The template you downloaded from a forum. The “just open this and tell me what you think” file from someone you don’t know well. Those are exactly the files you don’t hand to Claude.

Anthropic also built in a guardrail around Excel’s genuinely dangerous functions. Things like WEBSERVICE, IMPORTDATA, INDIRECT, and DDE — formulas that can reach out to the internet or pull in outside content — require your explicit approval before Claude runs them. So if an injected instruction tries to use a formula to phone home with your data, you get a stop sign first.

And the documentation is honest about where the tool doesn’t belong: it’s not recommended for final client deliverables without human review, or for audit-critical calculations without verification. Anthropic is telling you, in writing, not to trust it blindly. Take the hint.

The 6 checks before you roll it out

If you’re the person who has to sign off on this for a finance team, here’s the practical list.

1. Use the Enterprise plan if you can. Enterprise gives you sandbox isolation and a Compliance API for data governance that Pro and Max don’t. For a team handling real financial data, that’s worth the upgrade.

2. Only feed it trusted workbooks. This is Anthropic’s own rule. Internal files, files your team built. Not files from outside sources you can’t vouch for.

3. Turn on session logging. Claude for Excel can create a “Claude Log” tab that records every action it took, turn by turn. Switch it on. Make reviewing it part of the process — it’s your audit trail.

4. Watch the workbook while it works. Claude highlights every cell it changes and leaves an explanatory comment. That’s not decoration — it’s your review surface. If Claude touches a cell you didn’t expect, stop it immediately.

5. Block external data connections in sheets Claude will read. If a workbook pulls live data from an external URL or a shared drive, that’s a doorway for injected content. Review those sheets before Claude gets near them.

6. Never let Claude read a workbook with credentials in it. API keys, passwords, connection strings — even sitting in a hidden row or a stray comment. If it’s in the file, treat it as exposed. Strip it first.
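A pre-flight scan for checks 5 and 6, as an added example that is not from Anthropic or the original post: it opens the .xlsx package as a zip and reports external-data parts, hidden sheets and rows, formulas using the functions named above, and credential-like strings in cell text or comments. The function names, the regexes and the sample workbook are constructed for illustration, and the credential pattern is a heuristic.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

M = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
RISKY = re.compile(r"\b(WEBSERVICE|IMPORTDATA|INDIRECT|DDE)\b", re.I)  # functions the article names
SECRET = re.compile(r"(api[_-]?key|passw(or)?d|secret|token|pwd)\s*[=:]", re.I)  # heuristic only

def preflight(xlsx_bytes):
    """Return (kind, location) findings for an .xlsx package; secret text is never echoed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for name in (n for n in z.namelist() if n.endswith(".xml")):
            if name.startswith("xl/externalLinks/") or name == "xl/connections.xml":
                findings.append(("external-data", name))
            # Assumption: stdlib parser is acceptable here; prefer defusedxml for files of unknown origin.
            for el in ET.fromstring(z.read(name)).iter():
                tag, text = el.tag.rsplit("}", 1)[-1], el.text or ""
                if tag == "sheet" and el.get("state") in ("hidden", "veryHidden"):
                    findings.append(("hidden-sheet", el.get("name")))
                elif tag == "row" and el.get("hidden") in ("1", "true"):
                    findings.append(("hidden-row", f"{name} row {el.get('r')}"))
                elif tag == "f" and RISKY.search(text):  # <f> holds a cell formula
                    findings.append(("risky-formula", f"{name}: {text}"))
                elif tag == "t" and SECRET.search(text):  # <t> holds cell text and comment text
                    findings.append(("possible-credential", name))
    return findings

def build_sample():
    """Constructed minimal package holding only the parts preflight() reads (not a complete workbook)."""
    ns = f'xmlns="{M}"'
    parts = {
        "xl/workbook.xml": f'<workbook {ns}><sheets><sheet name="Model" sheetId="1"/>'
                           f'<sheet name="Notes" sheetId="2" state="hidden"/></sheets></workbook>',
        "xl/worksheets/sheet1.xml": f'<worksheet {ns}><sheetData>'
            f'<row r="1"><c r="A1"><f>SUM(B1:B3)</f></c></row>'
            f'<row r="400" hidden="1"><c r="A400"><f>WEBSERVICE("https://example.invalid/rates")</f></c></row>'
            f'</sheetData></worksheet>',
        "xl/sharedStrings.xml": f'<sst {ns}><si><t>Revenue</t></si><si><t>api_key = EXAMPLE-NOT-REAL</t></si></sst>',
        "xl/externalLinks/externalLink1.xml": f'<externalLink {ns}/>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()

if __name__ == "__main__":
    for kind, where in preflight(build_sample()):
        print(f"{kind:20} {where}")
```

Each finding is a prompt for a human to look at that part of the workbook before Claude reads it, not a verdict on the file.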

There’s a clean way to think about all of this: treat Claude like a new employee, not a magic button. You’d give a new analyst scoped access, a clear review process, and an audit trail. Same here. Anthropic, for its part, holds SOC 2 Type II, ISO 27001, and GDPR compliance — the certifications your procurement team will ask about.

Figure: Claude highlights every cell it edits and can keep a session log — your built-in audit trail. Source: Anthropic

What this means for you

If you’re a controller or CFO, your job is the rollout policy, not the spreadsheet. Decide the plan tier, write the trusted-files rule down, make session logging mandatory, and brief the team. The tool is fine. An ungoverned rollout is the risk.

If you’re an FP&A analyst, the discipline is simple: know where every workbook came from before you let Claude read it. Your own model — fine. The acquisition target’s “financials.xlsx” that just landed in your inbox — open that one yourself, the human way.

If you’re a solo bookkeeper or run a small practice, you probably can’t justify Enterprise. That’s okay. The trusted-files rule and watching the cell highlights cover most of the real risk on Pro or Max. Just be strict about client files from sources you can’t verify.

If you work in a regulated industry, loop in IT and compliance before anyone installs anything. The data-residency and audit questions are theirs to answer, and they’ll want to.

What this can’t fix

No setting makes prompt injection impossible. The defenses lower the risk and shrink the blast radius — they don’t zero it out. AI models genuinely struggle to separate trusted instructions from instructions hidden in data, and that’s true across every vendor, not just this one.

A 30-day deletion window is not the same as zero retention. Check your plan’s terms if that distinction matters to you.

And session logging only protects you if someone reads the logs. A log nobody reviews is just a file.

The bottom line

Is Claude for Excel safe? For internal workbooks, with the precautions above, yes — and it’s a genuinely strong tool for finance work. The real danger was never Anthropic. It’s the unvetted file and the rollout with no rules.

The skill that keeps you safe isn’t technical. It’s the habit of asking “where did this workbook come from?” before you let an AI read it — and building a review process your team actually follows.

If you want your team fluent in using AI on spreadsheets the right way, our AI for spreadsheets course covers the practical workflows. For finance professionals specifically, AI for accountants and finance goes deeper, and AI finance agents for controllers and compliance is built for exactly the rollout-and-governance question this post is about.

Use the tool. Just don’t skip the six checks.
