First, the update. Microsoft’s latest update details how Windows 11 is beginning to integrate experimental agentic AI features, giving users the ability to delegate multi-step digital tasks to autonomous software agents in a controlled and secure environment. The company outlines two key components now rolling out to Windows Insiders: Copilot Actions, which can perform actions across applications, and a new “agent workspace,” a contained session where agents can interact with apps and files without accessing a user’s primary desktop. Microsoft emphasizes that these features are being introduced gradually, with strict boundaries around authorization, data access, logging and oversight, and a security model designed to evolve as agentic capabilities expand.
“Security in this context is not a one-time feature,” read a blog post announcing the update. “It’s a continuous commitment.”
To mitigate the new security risks introduced by autonomous agents, Microsoft describes a layered model built around dedicated agent accounts, limited permissions, trusted signing and privacy-preserving design principles. These controls work in tandem with the new agent workspace, a contained Windows environment that isolates agent activity and lets users authorize, monitor, and override actions at any point. The company frames these steps as part of a broader, ongoing effort to ensure Windows remains a secure and trustworthy platform as AI agents become integral to everyday work.
Doubts and Criticism
But that commitment was doubted and even criticized in several corners. A post on ExtremeTech explains that while Windows 11’s new agentic AI features promise hands-free automation—from sorting photos to sending emails—they also introduce meaningful security concerns that Microsoft is addressing cautiously. AI agents run in isolated “agent workspaces” under separate identities, but the company warns that these systems remain vulnerable to cross-prompt injection attacks, where malicious text or UI elements could trick an agent into leaking data or performing harmful actions. Because of that risk profile, Microsoft requires administrator approval before agentic AI can be enabled and keeps the feature off by default, while also maintaining secure audit logs so users can review every action agents take.
“There are token safeguards: the ‘agent workspace’ is disabled by default and can only be enabled by someone with admin privileges,” reads another post, on the gaming blog Rock Paper Shotgun. “But it’s hardly reassuring when the only way to use these features safely is to not use them, at all. And you would stay at effectively zero risk of XPIA attacks if you didn’t, as these types of malware are engineered to target large language models (LLMs) rather than humans.”
For the non-techy executives in the digital economy, the issues are a reinforcement and a reminder that agentic AI will need a human in the loop in these early days of its deployment. As stated in a recent Wolters Kluwer article, while agentic AI can automate complex, multi-step processes by planning, reasoning, and acting with a high degree of autonomy, it still requires human oversight to ensure safety, reliability and sound judgment.
Even with guardrails such as restricted APIs, controlled query types and fallback mechanisms, the article stresses that human validation remains the most critical safeguard, especially in domains where an AI error could carry significant real-world consequences. The author emphasizes that agentic AI should augment, not replace, expert decision-making, and that organizations must design systems where humans validate key steps before actions proceed. Success, the article concludes, will depend on pairing AI’s efficiency with human judgment at critical checkpoints.
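The controls the coverage above describes (the feature off by default and enabled only by an administrator, a restricted set of actions the agent may call, a human checkpoint before consequential steps, a deny-by-default fallback, and an audit log of every request) fit together as one small dispatcher. The Python below is an added example written for this page, not Microsoft's code or any product's; the action catalog, the risk classes and the `approve` callback are hypothetical, and the requests in `demo()` are constructed.

```python
# Added example (not Microsoft's code): a minimal dispatcher that applies the
# controls described above to an agent's requested actions. The workspace is
# off by default and only an administrator can enable it; the agent may only
# name actions from a fixed, restricted catalog; high-impact actions pause
# for a human decision before they proceed and fail closed if no decision
# arrives; every request, approved or refused, is written to an audit log.
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable


class Risk(Enum):
    LOW = "low"    # reversible and stays inside the workspace
    HIGH = "high"  # leaves the workspace or destroys data


# Hypothetical restricted API: the agent can only request actions listed here.
ACTION_CATALOG: dict[str, Risk] = {
    "sort_photos": Risk.LOW,
    "read_file": Risk.LOW,
    "send_email": Risk.HIGH,
    "delete_file": Risk.HIGH,
}


@dataclass
class AgentWorkspace:
    enabled: bool = False                      # disabled until an admin turns it on
    audit_log: list[dict] = field(default_factory=list)

    def _record(self, action: str, params: dict, outcome: str) -> None:
        # Parameters are logged too, so a reviewer can later see exactly what
        # the agent tried to do (for example, the e-mail recipient).
        self.audit_log.append({"action": action, "params": dict(params), "outcome": outcome})

    def enable(self, requester_is_admin: bool) -> bool:
        if not requester_is_admin:
            self._record("enable_workspace", {}, "refused: administrator approval required")
            return False
        self.enabled = True
        self._record("enable_workspace", {}, "enabled")
        return True

    def dispatch(self, action: str, params: dict,
                 approve: Callable[[str, dict], bool]) -> str:
        """Run one agent-requested action through the control chain.

        `approve` is the human checkpoint: it is shown the action and its
        parameters and returns True only if the person allows it. An exception
        from the checkpoint counts as a refusal (the fallback is deny).
        """
        if not self.enabled:
            self._record(action, params, "refused: workspace disabled")
            return "refused: workspace disabled"
        risk = ACTION_CATALOG.get(action)
        if risk is None:
            self._record(action, params, "refused: not in restricted API")
            return "refused: not in restricted API"
        if risk is Risk.HIGH:
            try:
                allowed = bool(approve(action, params))
            except Exception:
                allowed = False
            if not allowed:
                self._record(action, params, "refused: human did not approve")
                return "refused: human did not approve"
        # A real system would execute the action inside the workspace here.
        self._record(action, params, "executed")
        return "executed"


def always_deny(action: str, params: dict) -> bool:
    """Stand-in for a human who declines every consequential action."""
    return False


def demo() -> list[dict]:
    """Walk a workspace through the controls with constructed requests."""
    ws = AgentWorkspace()
    # Constructed scenario: the agent reads a document whose text tries to talk
    # it into mailing the file elsewhere (the cross-prompt injection pattern).
    # The low-risk read goes through; the mail-out stops at the human checkpoint.
    ws.dispatch("read_file", {"path": "report.docx"}, always_deny)   # workspace still disabled
    ws.enable(requester_is_admin=False)                              # refused, not an admin
    ws.enable(requester_is_admin=True)                               # enabled
    ws.dispatch("read_file", {"path": "report.docx"}, always_deny)   # low risk, executed
    ws.dispatch("send_email", {"to": "outside@example.invalid", "attach": "report.docx"},
                always_deny)                                         # stopped at checkpoint
    ws.dispatch("format_disk", {}, always_deny)                      # not in the catalog
    return ws.audit_log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The ordering matters: the enablement and catalog checks run before the human is consulted, so the person is only asked about actions that are already permitted in principle, and a checkpoint that errors out or never answers never lets an action proceed.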
“Agentic AI’s dual nature as both a tool and coworker creates new dilemmas,” reads a paper released last week by MIT. “A single agent might take over a routine step, support a human expert with analysis, and collaborate across workflows in ways that shift decision-making authority. This tool-coworker duality breaks down traditional management logic, which assumes that technology either substitutes or complements, automates or augments, is labor or capital, or is a tool or a worker, but not all at once. Organizations now face an unprecedented challenge: managing a single system that demands both human resource approaches and asset management techniques.”