Should I enable agentic AI features on Windows 11? No, it’s a security risk, here’s why

Why Windows 11’s new agentic AI is too risky to enable right now.

Windows 11 Agentic AI
  • Windows 11 agentic AI features introduce system-level automation that allows the operating system to click, type, and perform actions on your behalf.
  • While these features are powerful, they are still experimental and introduce meaningful security and privacy risks.
  • For most users, enabling agentic AI today is not recommended.

Microsoft is beginning to test “agentic AI” inside Windows 11, a new system-level capability that allows artificial intelligence to act on your behalf by clicking, typing, and navigating applications like a human would. It is one of the most ambitious changes the operating system has made in decades. And while it promises powerful automation, the current implementation introduces security and privacy risks that most users are not prepared to handle.

If you see the new “Experimental agentic features” toggle inside the Settings app, you may wonder whether turning it on is worth the convenience. The short answer is no, at least not yet. Microsoft itself can’t guarantee its safety, and the company says that security isn’t a “one-time feature” but a “continuous commitment,” meaning that mistakes and problems will be dealt with as they happen.

In other words, for typical users, enabling agentic AI today opens the door to risks that outweigh any time-saving benefit.

AI that can act for you is also AI that can act against you

On Windows 11, the most significant shift is that AI is no longer limited to generating answers. Agentic features enable the system to perform tasks in a separate session of the operating system known as the “agent workspace.” That means the agent can open apps, manage files, and complete multi-step operations while you keep working in your main desktop session.

This is powerful, but it also creates a new attack surface. Unlike a chatbot, an AI agent can make changes to your system. If something goes wrong (an incorrect instruction, a user mistake, or a manipulated prompt), the consequences affect your actual files and apps, not just a conversation window.

It’s important to note that the agent workspace initially runs in a separate system session. However, in future releases, Microsoft plans to deploy agent workspaces as lightweight and secure virtual environments with distinct permissions and capabilities.

Cross-prompt injection is a real threat

Microsoft calls out a new class of attacks called cross-prompt injection, in which hidden text within webpages, documents, or app interfaces can hijack the agent’s instruction flow. A malicious website could embed instructions that silently tell the agent to download malware. Because the agent has permission to take system actions, this type of attack has more potential impact than traditional prompt manipulation.

This is not a theoretical risk. It’s a known weakness in agentic systems that researchers have demonstrated repeatedly. And Windows 11 is only at the beginning of figuring out defenses.

The agent has access to your personal folders

Once you enable the feature, agent accounts automatically gain read and write access to your files in the Documents, Downloads, Desktop, Pictures, Videos, and Music folders.

This is necessary for the agent to complete tasks, but it also means that any agent-side mistake, misinterpretation, or compromised instruction could affect personal data. Accidentally organizing the wrong folder is one thing. Accidentally deleting or moving large sets of files is another.

A lot of users are not prepared to manage the consequences of AI acting autonomously on their local data.
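One way to verify on your own PC which accounts can actually write to those folders, as an added example that is not from the article or from Microsoft: this PowerShell snippet walks the six profile folders named above, lists every principal holding write-capable rights, and flags any that are not the signed-in user, SYSTEM, or Administrators. It assumes the folders live directly under %USERPROFILE% (not redirected to OneDrive) and that it runs as the user whose profile is being checked.

```powershell
# Added example (not from the article). Audit who can write to the profile
# folders that agent accounts are granted access to once the feature is on.
# Assumption: folders are under %USERPROFILE% and not redirected elsewhere.

$folders = 'Documents', 'Downloads', 'Desktop', 'Pictures', 'Videos', 'Music' |
    ForEach-Object { Join-Path $env:USERPROFILE $_ }

# Baseline principals normally present on a profile folder; anything else
# with write-capable rights is flagged for review.
$currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$expected = @($currentUser, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# Rights that allow changing or removing content (any of these bits set).
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
             [int][System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [int][System.Security.AccessControl.FileSystemRights]::Delete

$report = foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    $acl = Get-Acl -LiteralPath $folder
    foreach ($ace in $acl.Access) {
        # Only Allow entries can grant access; Deny entries are skipped.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $canWrite   = (([int]$ace.FileSystemRights) -band $writeMask) -ne 0
        $unexpected = $expected -notcontains $ace.IdentityReference.Value
        [pscustomobject]@{
            Folder    = $folder
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Flag      = if ($canWrite -and $unexpected) { 'REVIEW' } else { '' }
        }
    }
}

# Rows marked REVIEW are principals outside the baseline that can modify
# or delete files in that folder; compare before and after enabling the toggle.
$report | Sort-Object Folder, Principal | Format-Table -AutoSize
```

Run it once before and once after flipping the “Experimental agentic features” toggle to see exactly which account was added and with what rights.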

Hallucinations become system-level mistakes

AI models still hallucinate and misinterpret instructions. Usually, this is harmless, but with agentic actions enabled, a hallucination can lead to running the wrong app, unintentionally modifying or deleting files, navigating to unsafe websites, or performing incorrect steps in a workflow.

When AI gains direct control of the operating system, even small mistakes can have significant consequences.

It runs in the background, even when you forget

Currently, in this first preview, there are a few known issues. For example, if Copilot Actions is active, the system may refuse to sleep or shut down. You may even see warnings that “someone else is still using this PC.”

The fact that the agent continues working in the background without obvious visibility can lead to confusion, stalled updates, or lingering processes that persist long after the user believes the agent has stopped.

Your device becomes a multi-user system without you realizing it

Agentic AI on Windows 11 is an exciting idea. It represents a future where computers can automate everyday tasks, streamline workflows, and act more like intelligent assistants than passive devices. However, in its current form, the feature is unfinished, experimental, lightly protected, and vulnerable to new types of attacks.

That’s not a combination that belongs on a primary personal computer.

Conclusion

If you are a developer, a security researcher, or someone intentionally experimenting with the cutting edge of AI, turning on the agentic features may be worth exploring in a controlled environment. If you are an everyday user, especially someone storing personal or work-related files on your computer, leave the toggle off.

The risks are real, the protections are not mature, and the benefits are still limited. Windows 11 is laying the foundation for what could become a powerful automation layer, but right now, this technology needs more time before it’s ready for general users.

About the author

Mauro Huculak is a Windows How-To Expert and the founder of Pureinfotech, which he started in 2010. With over 22 years as a technology writer and IT Specialist, Mauro specializes in Windows, software, and cross-platform systems such as Linux, Android, and macOS.

Certifications: Microsoft Certified Solutions Associate (MCSA), Cisco Certified Network Professional (CCNP), VMware Certified Professional (VCP), and CompTIA A+ and Network+.

Mauro is a recognized Microsoft MVP and has also been a long-time contributor to Windows Central.

You can follow him on YouTube, Threads, BlueSky, X (Twitter), LinkedIn and About.me. Email him at [email protected].