Regardless of how you feel about Microsoft evolving Windows 11 from its predecessor, or about its plans to move toward an "agentic OS," the new functionality carries a risk. On the eve of the features' rollout to select Windows Insiders, Microsoft has issued a warning: users should only enable the new experimental features "if you understand the security implications." Because of that danger, the agentic components will be off by default.

The reason is simple, if alarming: AI applications introduce cross-prompt injection (XPIA) risks, and the file access that agents are granted widens the damage a successful injection can do. Agentic accounts, the accounts created when the features are enabled, are given access limited to your user profile directory, located at "Maindrive > Users > Username." If an agent needs files, Windows grants it read and write access to anything in that directory.

Because of this, Microsoft says "malicious content embedded in UI elements or documents can override agent instructions," with unintended consequences. It gives data exfiltration and malware installation through AI applications as examples. In other words, a booby-trapped document or UI element could steer an agent into installing malware or reading sensitive user files. In addition, when using the agent workspace, "the agentic app has access to the apps that are available to all users by default." The alarming bit is that an agentic AI application could install or modify software without your knowledge.
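Since the article's concern is who can write into your profile directory, a practical check is to enumerate the write-capable entries in that directory's ACL. The script below is an added example, not code from the article or from Microsoft. It assumes that an agent account, if one is granted access, appears as its own principal in the ACL (the article does not say how Windows wires up that access), and it treats the current user, SYSTEM and Administrators as the expected baseline; anything else with write rights is flagged.

```powershell
# Added example (not from the article or Microsoft): list every principal that can
# write to the current user's profile directory and flag any outside the baseline.
# Assumption: an agent account granted profile access shows up as a separate ACL entry.

$profileDir = $env:USERPROFILE
$acl = Get-Acl -Path $profileDir

# Rights that allow creating, changing or deleting files and subfolders.
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Baseline principals normally expected to hold write access on a profile directory
# (assumed baseline; a Microsoft-account sign-in may render the user differently).
$expected = @(
    "$env:USERDOMAIN\$env:USERNAME",
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators'
)

$findings = foreach ($ace in $acl.Access) {
    # Only Allow entries that include at least one write-capable right matter here.
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (($ace.FileSystemRights -band $writeRights) -eq 0) { continue }
    [pscustomobject]@{
        Principal  = $ace.IdentityReference.Value
        Rights     = $ace.FileSystemRights
        Inherited  = $ace.IsInherited
        Unexpected = $expected -notcontains $ace.IdentityReference.Value
    }
}

$findings | Sort-Object Unexpected -Descending | Format-Table -AutoSize

# Exit non-zero if any principal outside the baseline can write here, so the script
# can be dropped into a scheduled task or a login check.
if ($findings | Where-Object Unexpected) { exit 1 }
```

Run it from a normal PowerShell prompt as the user whose profile you want to audit; no elevation is needed to read your own directory's ACL. Unresolved SIDs (entries that print as `S-1-5-...`) are flagged as unexpected too, which is usually what you want, since they are exactly the entries worth resolving by hand.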