For years, “AI on PCs” mostly meant small conveniences: a better webcam blur, a smarter search box, or a writing helper inside a single app. That era is giving way to something more ambitious: desktop agents that can plan, click, copy, summarize, file, and follow through while you keep working.
In early 2026, the industry’s language is shifting accordingly. AMD has started framing “Agent Computers” as a new category of PC built to run AI agents continuously, signaling a move from occasional AI features to always-on, task-executing companions that live on the desktop.
From “AI features” to always-on desktop agents
AMD’s March 2026 positioning of “Agent Computers” is notable because it treats the agent as a first-class workload. Instead of marketing a handful of isolated AI tricks, it suggests the PC itself is evolving into a machine that can host persistent agent processes, ready to act whenever you ask, or when a workflow triggers them.
This framing matters because “always-on” changes expectations. A desktop agent isn’t only about generating text; it can watch for events, coordinate steps across apps, and keep state over time, more like a personal operations layer than a single feature in a toolbar.
Practically, this pushes hardware and software together: local inference for responsiveness, better scheduling so background work doesn’t ruin interactivity, and new system-level permissions models that decide what an agent can see and do.
Windows 11’s “agent workspace” as a contained operating zone
Microsoft’s late-2025/early-2026 documentation introduces an agent workspace concept: a “separate, contained space in Windows” where users can grant agents access to apps and files so tasks can run in the background while the user continues working. The key idea is isolation: agents operate in a bounded environment rather than across the entire session by default.
This reflects a broader narrative (also echoed in coverage like Forbes’ “OS for AI agents” framing) that Windows is becoming more agent-capable without becoming purely “agent-first.” The goal is to enable automation while keeping governance, auditability, and user intent in focus.
If the model is right, the agent workspace becomes the desktop analogue of a sandboxed app container: powerful enough to interact with everyday tools, but constrained enough to reduce accidental or malicious reach.
Desktop access, by default: what agents can request in Windows
Permissions are the hinge point for useful desktop agents. Microsoft’s documentation says agentic apps (such as Copilot) can request or gain access to specific common folders while running in the agent workspace, explicitly naming Documents, Downloads, Desktop, Music, Pictures, and Videos.
That scope explains why these agents can be genuinely helpful: they can find your draft in Documents, pull an attachment from Downloads, or assemble images from Pictures without you manually hunting through folders.
It also clarifies why desktop agents feel different from chatbot-in-a-browser experiences. Once you authorize file access, the agent is no longer operating only on pasted snippets; it can act on the real substrate of your work: files, filenames, and the structure of your personal information.
Agentic OS security: cross-prompt injection and expanded attack surface
Microsoft explicitly calls out a new class of risk for desktop agents: cross-prompt injection (XPIA). In its guidance, Microsoft warns that malicious content embedded in UI elements or documents could override agent instructions, potentially triggering unintended actions such as data exfiltration or even malware installation.
Media reporting picked up the seriousness of this. Windows Central noted that an agentic Windows workflow may expand the attack surface, particularly if attackers can abuse granted folder permissions. Tom’s Hardware similarly summarized Microsoft’s acknowledgement that agentic features introduce prompt-injection-like risks and discussed containment concepts like limited workspaces or profile-style boundaries.
The core problem is that desktop agents don’t just “read”; they do. When an agent can click buttons, run installers, or send messages, then manipulating its instructions via hostile content becomes materially dangerous. This is why containment, explicit approvals, logging, and least-privilege access become design requirements, not optional add-ons.
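As an added illustration (not code from Microsoft or any vendor named here), the sketch below shows how those requirements can meet in one policy gate placed between an agent's proposed action and its execution. The `ActionGate` class, the action dictionaries, the `RISKY_ACTIONS` set and the `C:\Users\alice` profile are hypothetical; only the folder names come from the documentation cited above.

```python
import ntpath  # Windows path rules, usable on any OS

# Folders the article lists as requestable in the agent workspace.
KNOWN_FOLDERS = ("Documents", "Downloads", "Desktop", "Music", "Pictures", "Videos")
# Assumption: which action kinds count as risky is this example's own choice.
RISKY_ACTIONS = {"run_installer", "send_message", "upload"}

class ActionGate:
    def __init__(self, profile_root, granted, approve):
        # Least privilege: only folders the user granted, and only known ones.
        self.roots = [ntpath.normcase(ntpath.join(profile_root, f))
                      for f in granted if f in KNOWN_FOLDERS]
        self.approve = approve  # callback that asks the user; returns bool
        self.audit = []         # append-only record of every decision

    def _in_scope(self, path):
        # Collapse ".." and mixed separators before comparing, so
        # Documents\..\AppData does not pass as "under Documents".
        p = ntpath.normcase(ntpath.normpath(path))
        return any(p == r or p.startswith(r + "\\") for r in self.roots)

    def check(self, action):
        kind, path = action["kind"], action.get("path")
        if path is not None and not self._in_scope(path):
            verdict = "deny:out_of_scope"
        elif kind in RISKY_ACTIONS:
            # The approval is collected outside the model's context, so text
            # injected into a document or UI element cannot grant it.
            verdict = "allow:approved" if self.approve(action) else "deny:not_approved"
        else:
            verdict = "allow"
        self.audit.append((kind, path, verdict))
        return verdict.startswith("allow")

def demo():
    # Constructed scenario: user granted two folders and declines approvals.
    gate = ActionGate(r"C:\Users\alice", ["Documents", "Downloads"], lambda a: False)
    proposed = [
        {"kind": "read_file", "path": r"C:\Users\alice\Documents\draft.docx"},
        {"kind": "read_file", "path": r"C:\Users\alice\Documents\..\AppData\x.db"},
        {"kind": "read_file", "path": r"C:\Users\alice\Pictures\scan.png"},
        {"kind": "run_installer", "path": r"C:\Users\alice\Downloads\setup.exe"},
    ]
    return [gate.check(a) for a in proposed], gate.audit
```

The scope check here is lexical only; a production gate would also resolve symbolic links and junctions through the operating system before comparing paths.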
UI-layer agents: OpenAI and Anthropic bring “computer use” to the desktop
A major push behind desktop agents is the idea that an AI can operate at the user-interface layer, not just through APIs. OpenAI’s 2025 description of its Computer-Using Agent (CUA) positions it as a universal UI-layer approach: the agent can interact with “whatever computer environment is available,” targeting the long tail of tasks that lack specialized integrations.
In OpenAI’s API documentation (2026 crawl), this appears as the “computer use” tool powered by a model named computer-use-preview. That naming signals a distinct capability category: models tuned not only to respond in text, but to perceive screens and perform actions.
Anthropic documents a similar “computer use” tool: the ability to see and control desktop environments, distinct from bash or text-editor tools, typically executed via an agent loop pattern (observe → decide → act → observe). In a TechCrunch interview quote (Oct 2024), Anthropic described this as an “action-execution layer,” emphasizing that humans remain in control through prompts that direct the actions.
Benchmarks, multi-agent “AgentOS,” and the reliability problem
One reason “computer-using agents” are gaining credibility is that performance is being discussed in benchmark terms. WIRED (Oct 2024) reported Anthropic claiming strong results versus other agents on benchmarks including OSWorld (an agent’s capacity to use an operating system) and SWE-bench (software engineering tasks). Even if benchmarks are imperfect, they create a shared yardstick for capability beyond demos.
Academia is also pushing toward more systematic desktop automation. The 2025 UFO2 paper proposes a “multiagent AgentOS for Windows desktops,” aiming to make computer-using agents more practical at the system level by coordinating roles (for example: planner, executor, verifier) rather than relying on a single monolithic loop.
Reliability remains the central hurdle because GUIs are brittle: buttons move, dialogs change, and timing varies. Research like ComputerRL (2025) proposes an “API-GUI paradigm” that unifies programmatic API calls with GUI interaction, bridging the mismatch between machine agents and human-designed interfaces. Meanwhile, CUA-Skill (2026) introduces a large-scale library of engineered skills for common Windows applications to improve consistency and scalability, hinting at a future where agents rely on curated “skills” instead of improvising every click.
Files become agent-ready: OneDrive “.agent files” and competing desktop copilots
As agents move onto the desktop, vendors are also rethinking what a “file” is. TechRadar (Feb 2026) reported OneDrive introducing “agent files” (with a .agent extension) that carry context across multiple OneDrive documents, enabling summarization, Q&A, and deadline surfacing across sets of files, delivered via the web experience under Microsoft 365 Copilot licensing.
At the same time, competition is heating up around agents that operate directly inside your working set. VentureBeat (Jan 2026) described Anthropic’s “Cowork” as a Claude desktop agent intended to work in your files, positioning it as part of a mainstream race for AI productivity agents that do more than chat.
The ecosystem pressure is clear: once one platform proves it can reliably “do the work” across documents, email, browsers, and internal tools, users will expect that behavior everywhere. That expectation feeds back into OS-level agent workspaces, better permissioning, and richer audit trails, because the agent is now operating on the same assets you care about most.
Open-source packaging and the path to personal, self-hosted agents
Not all desktop agents will come from large vendors. Open-source and self-hosted “computer control” desktop apps are emerging as well, including GitHub projects that package a local app “powered by Claude’s computer use capability to control your computer.” Even when these tools rely on hosted models, the packaging trend shows how quickly agent experiences can be productized.
This matters for experimentation and customization. Self-hosted wrappers can integrate with niche workflows, internal systems, or privacy-sensitive environments where organizations prefer tighter control over logging, network access, and data paths.
It also raises the bar for safety literacy. When anyone can spin up an agent that can see screens and click through dialogs, best practices (least privilege, sandboxing, explicit confirmations for risky actions, and careful handling of prompt injection) become essential for hobbyists and IT teams alike.
Agent computers bring AI to the desktop by making action, not just insight, the center of the experience. The combined trajectory from AMD’s “Agent Computers” framing to Microsoft’s Windows 11 agent workspace suggests that PCs are being re-architected for persistent, background task execution with clearer boundaries and permissions.
The opportunity is enormous, but so is the responsibility. Microsoft’s explicit warnings about cross-prompt injection (XPIA) and the broader “agentic OS” attack-surface discussions show that the next generation of desktop productivity depends as much on containment, governance, and user control as it does on smarter models and faster chips.