Windows 11 AI agents test a risky new role for Copilot

Microsoft is testing Windows 11 AI agents through Copilot Actions, with an “experimental agentic features” toggle in Settings. The agents are designed to work in the background, but Microsoft also says they create “novel security risks” because they can request access to files and apps.


The story centers on OS-level AI agents gaining background autonomy and file/app access despite acknowledged security risks.

Microsoft’s push to put AI deeper into Windows 11 is moving beyond chat-style help. A new Windows Insider Program build includes an “experimental agentic features” toggle in Settings for Copilot Actions, a feature meant to let AI agents carry out tasks while the user focuses elsewhere.

The idea is productivity. The concern is control. These Windows 11 AI agents may need read and write access to personal files, and Microsoft is already warning that the design introduces “novel security risks.”

What Copilot Actions is meant to do

Microsoft has been adding AI features to Windows 11 for years, but the current direction is more deeply tied to the operating system itself. The company describes these newer tools as “agentic,” meaning they are intended to take action rather than simply answer questions.

In practical terms, Microsoft says agents should be able to handle “everyday tasks like organizing files, scheduling meetings, or sending emails.” It also describes Copilot Actions as “an active digital collaborator that can carry out complex tasks for you to enhance efficiency and productivity.”

That framing matters because it changes the role of AI on a PC. A chatbot that gives advice is one thing. A background assistant that can read files, write files, use apps, and proceed through a multi-step task is another.

The new Settings toggle suggests Microsoft is treating this as a distinct class of feature. It is not just another Copilot button. It is a system-level experiment in giving software agents permission to do work on the user’s machine.

Why file access changes the risk

For Copilot Actions to be useful, agents need access to the material they are supposed to organize or act on. That is also where the security and privacy issues begin.

According to the source, agents will be able to request read and write access to much of what sits in a user account. By default, that includes files in Documents, Downloads, Desktop, Music, Pictures, and Videos.

Those folders are often where people keep work files, personal media, saved documents, and downloaded attachments. Giving an AI agent the ability to read and modify that content widens the trust boundary far beyond what a normal assistant feature needs.

The agents may also have access to apps installed for all users on the PC. Apps installed only inside the user’s own account will not be accessible to the agent, and users will also be able to install apps that only their agents can access.

That separation helps, but it does not remove the basic tradeoff. The more an agent can do, the more damage it could cause if it makes a mistake or follows hostile instructions.

Microsoft’s safeguards are built around separation and visibility

Microsoft’s approach appears to rely on giving agents their own operating space instead of letting them act invisibly as the user. AI agents running on a PC will have separate user accounts from the personal account of the person using the machine.

That setup is meant to stop agents from having permission to change everything on the system. It also gives them a separate “desktop,” so their work does not interfere with what the user is doing on screen.

The source also says users need to approve requests for their data. Microsoft says “all actions of an agent are observable and distinguishable from those taken by a user.”

That is an important design principle for any agentic AI feature. If software is going to take action, the user needs a way to see what happened, identify which actor did it, and understand whether the action came from the person or the agent.

Microsoft also says agents need to be able to produce logs of their activity. They “should provide a means to supervise their activities,” including showing users the list of actions they plan to take when completing a multi-step task.

The biggest threat is instruction hijacking

The source makes clear that these controls do not eliminate risk. AI agents can be wrong, can confabulate, and can continue confidently even when they are not actually handling a task correctly.

The more specific security issue is that an attacker may be able to influence an agent’s instructions. Microsoft specifically mentions “cross-prompt injection (XPIA), where malicious content embedded in UI elements or documents can override agent instructions, leading to unintended actions like data exfiltration or malware installation.”

That risk is especially serious because these agents are designed to interact with the same kinds of content that could contain hostile instructions. If an agent reads a document or user interface element and treats malicious content as something it should obey, the problem is no longer just a bad answer. It could become an action on the device.

For a Windows 11 AI agent with file access, the consequences could involve private data or unwanted software changes. Microsoft’s own wording points to data exfiltration and malware installation as possible outcomes of XPIA.
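The safeguards described above (a separate agent account with access limited to a default folder set, a multi-step plan shown to the user for approval, and logs that make agent actions distinguishable from user actions) and the XPIA failure mode can be illustrated together as a small mediation layer. The following is an added example written for this article, not Microsoft's code or the Copilot Actions implementation; the broker, its class and function names, the approval callback and the sample paths are assumptions made for illustration.

```python
"""Added example (not Microsoft's code): a minimal broker that mediates what an
AI agent may do on a user's machine.

It models three safeguards described in the article: the agent acts as a
separate principal whose file access is limited to the default folder set,
a multi-step plan is shown to the user and approved before anything runs, and
every action is logged with its actor so agent actions stay distinguishable
from user actions. Class and function names, the approval callback and the
sample paths are assumptions made for illustration.
"""
import ntpath
from dataclasses import dataclass

# Default folders an agent may request access to, as listed in the article.
DEFAULT_SCOPE = ("Documents", "Downloads", "Desktop", "Music", "Pictures", "Videos")


@dataclass(frozen=True)
class Action:
    op: str    # "read" or "write"
    path: str  # Windows path the agent wants to touch


@dataclass(frozen=True)
class AuditEntry:
    actor: str    # "user" or the agent's own account name
    op: str
    path: str
    outcome: str  # "allowed" or "denied:<reason>"


def _canonical(path: str) -> str:
    # Collapse ".." segments and fold case so the scope check cannot be
    # sidestepped with traversal or mixed case. ntpath works on any host OS.
    return ntpath.normcase(ntpath.normpath(path))


class AgentBroker:
    def __init__(self, agent_account: str, user_profile: str, approve) -> None:
        self.agent_account = agent_account
        self.roots = [_canonical(ntpath.join(user_profile, f)) for f in DEFAULT_SCOPE]
        self.approve = approve  # callable(list[Action]) -> bool: the user reviewing the plan
        self.log: list[AuditEntry] = []
        self._approved: frozenset[Action] = frozenset()

    def in_scope(self, path: str) -> bool:
        target = _canonical(path)
        return any(target == r or target.startswith(r + "\\") for r in self.roots)

    def submit_plan(self, plan: list[Action]) -> bool:
        """Show the whole multi-step plan to the user before any step runs."""
        if all(self.in_scope(a.path) for a in plan) and self.approve(plan):
            self._approved = frozenset(plan)
            return True
        self._approved = frozenset()
        return False

    def execute(self, action: Action) -> bool:
        """Run one agent action only if it is part of the approved plan."""
        if action not in self._approved:
            outcome = "denied:not-in-approved-plan"
        elif not self.in_scope(action.path):   # defence in depth; plans are scope-checked already
            outcome = "denied:out-of-scope"
        else:
            outcome = "allowed"                # the real file operation would happen here
        self.log.append(AuditEntry(self.agent_account, action.op, action.path, outcome))
        return outcome == "allowed"

    def record_user_action(self, op: str, path: str) -> None:
        """Actions the person takes directly are logged under their own identity."""
        self.log.append(AuditEntry("user", op, path, "allowed"))


def run_demo():
    """An approved plan runs; an action the agent picked up elsewhere does not."""
    def approve(plan):  # stands in for the user reading and accepting the plan
        return all(a.op in ("read", "write") for a in plan)

    broker = AgentBroker("copilot-agent", r"C:\Users\alice", approve)
    plan = [Action("read", r"C:\Users\alice\Documents\report.txt"),
            Action("write", r"C:\Users\alice\Documents\report.summary.txt")]
    results = [broker.submit_plan(plan)]
    results += [broker.execute(a) for a in plan]
    # Suppose report.txt contained text that read like an instruction and the
    # agent treated it as a task (the XPIA pattern the article describes).
    # That action was never in the approved plan, so the broker denies it and
    # the denial is logged against the agent's account, not the user's.
    results.append(broker.execute(Action("write", r"C:\Users\Public\leak.txt")))
    broker.record_user_action("write", r"C:\Users\alice\Documents\notes.txt")
    return broker, results


if __name__ == "__main__":
    broker, results = run_demo()
    for entry in broker.log:
        print(f"{entry.actor:14} {entry.op:6} {entry.path:48} {entry.outcome}")
```

The point of the design is that the gate sits outside the model: the broker does not try to judge whether text in a document is "really" an instruction, it simply refuses any action that was not in the plan the user approved, and it records who did what so a reviewer can later tell agent activity from the user's own.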

Default-off matters for Windows 11 users

For now, the “experimental agentic features” toggle can be switched off and is off by default. That gives users a clear way to avoid the feature while it remains experimental.

The default matters because Windows 11 already includes several cloud and AI offerings that some users prefer to keep out of their workflow. If Copilot Actions remains opt-in, people can decide whether the productivity promise is worth the privacy and security tradeoff.

The source also connects Microsoft’s current caution to the company’s earlier rollout of the data-scraping Windows Recall feature last year. This time, Microsoft has published a detailed support article explaining the risks and the precautions around the new agentic features.

Alongside the AI agent work, Microsoft is also trying to make Copilot more “human-centered” and approachable. The company is adding a Clippy-esque animated character named “Mico” and improving Copilot’s ability to understand voice input as well as mouse-and-keyboard requests.

That shows two sides of the same strategy. Microsoft wants Copilot to feel easier to use, while also making it capable of doing more on the system. The question for Windows 11 users is whether those new powers are transparent, controllable, and limited enough to trust.