Microsoft is revamping its Windows 11 operating system to align with the agentic AI era. This update will enable AI agents to manage tasks within the OS based on simple user commands. For instance, if a user wants to order a pizza online, the AI agent can open a web browser, search for a pizza place, and enter the user’s credit card information and address.
However, Microsoft acknowledges that this capability poses a potential security vulnerability. Upon installing the Windows 11 Build 26220.7262, in Settings > System, you will find a new toggle for “Experimental agentic features” inside the “AI Components.
Upon enabling this, Microsoft gives you a warning: “These features are still being tested and may impact the performance or security of your device.” And the latter is more true than the former, as the security is the number one thing that is of concern.
For AI agents, we are seeing the emergence of previously unknown security vulnerabilities. Cross-prompt injection attacks represent a significant example of this trend.
In these scenarios, attackers hide malicious directives within ordinary documents or interface elements, effectively hijacking the agent’s original instructions and causing it to execute unintended actions.
This can cause the AI agent to install malware, give credit card information to third parties, and much more. Check out the optional and experimental feature—courtesy of Windows Latest—below.
Microsoft claims that these AI agents operate within their own “Agentic Workspace.” When Windows creates an AI agent and assigns it an instance in this workspace, the agent is given limited access to documents, and its actions are reportedly isolated from the system and auditable.
This means users can later review what actions were taken. Microsoft compares this to its Windows Sandbox, but unlike the Sandbox, AI agents persist even after being shut down. By default, when enabled, AI agents have read and write access to the Downloads, Desktop, Videos, Pictures, and Music folders.
Although each agent comes with a set of permitted actions, it remains a security concern until Microsoft addresses issues like prompt injections.
