Claude Cowork – Before You Install an AI “Coworker”: Treat Agentic Tools Like Privileged Access

The newest wave of “desktop automation” tools looks genuinely useful – and materially different from the assistants we’ve gotten used to. Tools like Claude Cowork and agentic browsers such as Perplexity Comet and ChatGPT Atlas don’t just answer questions; they can take actions across your files, tabs, and workflows. That shift changes the risk profile, fast.

What is it?

Claude Cowork (desktop “work agent”): Cowork is a research-preview mode tool that can run multi-step tasks on your behalf, including reading/writing local files and producing deliverables like spreadsheets and presentations. It depends on the permissions you grant and can make real changes to your files.

Perplexity Comet (agentic browser): Comet positions itself as a browser that “works for you,” including “shopping” and other task-like flows. From a data perspective, Comet can use the open tab/history to fulfill “personal searches,” and offers opt-in connectors (e.g., Gmail/scheduling) with revocable permissions.

ChatGPT Atlas (browser with ChatGPT built in): Atlas is a browser where ChatGPT is present “in the window right where you are,” acting in an agent mode that can open tabs and click through steps to complete tasks.

The key pattern: these are action-capable tools operating inside high-trust contexts (your desktop and your browser session).

What does it mean from a business perspective?

In summary – they introduce significant risk.

  • Your browser becomes an automation surface, not just a viewer. If the tool can “click the buttons,” then a compromise can move from data theft to transaction completion (changes made, purchases placed, messages sent, access granted).
  • Access is the risk multiplier. Cowork’s value is local file access; agentic browsers’ value is access to authenticated web apps – where sensitive business data tends to live.
  • Prompt injection becomes operational, not theoretical. Malicious content on a page can attempt to steer the agent’s actions.
  • “Opt-in” permissions still create governance overhead. Connectors and elevated permissions are often user-driven and revocable, which is good, but it also means you now have to manage a new class of “micro-integrations” happening at the endpoint.
  • Auditability and non-repudiation get harder. When work is partly automated by an agent (especially inside a browser), you need a clear answer to: what did it do, when, and under whose authority? Are any organizations logging at that level on endpoints today?
  • Endpoint security assumptions may no longer hold. Traditional controls were designed for “human-driven browsing” and “human-driven file ops.” Agentic workflows compress time and steps, which can outpace manual detection and response.

What do I do with it?

Tread carefully…

  • Classify these tools as “privileged productivity,” not “just another app”. Treat agentic desktop tools and agentic browsers like you would treat new admin-like capabilities at the endpoint.
  • Start with a sandbox pilot. Use a dedicated device/profile and non-production accounts. Prove the value and map the blast radius before broad rollout. Then apply least privilege aggressively.
  • Control where the agent can act. Prefer allowlists for business-critical systems (finance, HRIS, CRM, procurement). If you can’t allowlist, consider disabling agentic actions for those apps until controls mature. Allow file-based actions only on a sandboxed copy, or at the very least keep your files under version control.
  • Plan for prompt injection as a standard threat. Train users with one practical rule: “If the page tells the agent to do something, assume it’s hostile until verified.”
  • Add guardrails in your enterprise security stack. Egress controls, DLP where appropriate, endpoint monitoring, and stronger isolation for high-risk browsing.
  • Write a short policy addendum (do it now, not later). Cover: approved tools, approved use cases, prohibited data, connector permissions, required profiles/devices, and reporting expectations for mistakes or suspicious behavior.
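The controls listed above (an allowlist for where the agent may act, file writes confined to a sandboxed copy, page-originated instructions treated as hostile until a person verifies them, and an audit record answering “what did it do, when, and under whose authority”) can be expressed as a single policy gate in front of every action an agent proposes. The following is an added illustration written for this post; it is not code from Anthropic, Perplexity, or OpenAI, and none of these products expose such a hook today. The hostnames, sandbox path, and action names are constructed placeholders.

```python
"""Policy gate for agent actions (added example; constructed names throughout)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import PurePosixPath
from typing import Literal
from urllib.parse import urlsplit

# Constructed placeholders: systems where the agent may click/submit,
# systems it may only look at, and the only directory it may write to.
ALLOWED_WEB_HOSTS = {"crm.example.internal", "wiki.example.internal"}
READ_ONLY_WEB_HOSTS = {"finance.example.internal"}
SANDBOX_ROOT = PurePosixPath("/home/analyst/agent-sandbox")

AUDIT_LOG = []  # one record per decision, in memory for the demo


@dataclass
class ActionRequest:
    user: str                                   # whose authority the agent acts under
    kind: Literal["web_read", "web_act", "file_read", "file_write"]
    target: str                                 # URL or file path
    origin: Literal["user", "page", "connector"]  # who asked for this step


@dataclass
class Decision:
    allowed: bool
    needs_human: bool
    reason: str


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _inside_sandbox(path):
    """Lexically resolve '..' and check the result stays under SANDBOX_ROOT."""
    p = PurePosixPath(path)
    if not p.is_absolute():
        return False
    parts = []
    for seg in p.parts[1:]:
        if seg == "..":
            if parts:
                parts.pop()
        elif seg != ".":
            parts.append(seg)
    resolved = PurePosixPath("/", *parts)
    return resolved == SANDBOX_ROOT or SANDBOX_ROOT in resolved.parents


def evaluate(req):
    # Rule: an instruction that came from page content is hostile until verified.
    if req.origin == "page":
        return Decision(False, True, "page-originated instruction; human must verify")
    if req.kind == "web_read":
        return Decision(True, False, "read-only browsing")
    if req.kind == "web_act":
        host = _host(req.target)
        if host in ALLOWED_WEB_HOSTS:
            return Decision(True, False, f"{host} is allowlisted for agent actions")
        if host in READ_ONLY_WEB_HOSTS:
            return Decision(False, False, f"{host} is read-only for agents")
        return Decision(False, True, f"{host} is not allowlisted; escalate")
    if req.kind == "file_read":
        return Decision(True, False, "file read")
    if req.kind == "file_write":
        if _inside_sandbox(req.target):
            return Decision(True, False, "write confined to sandboxed copy")
        return Decision(False, False, "write outside sandbox refused")
    return Decision(False, True, "unknown action kind")


def gate(req):
    """Evaluate a request and record who/what/when/why, whatever the outcome."""
    d = evaluate(req)
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": req.user, "origin": req.origin,
        "kind": req.kind, "target": req.target,
        "allowed": d.allowed, "needs_human": d.needs_human, "reason": d.reason,
    })
    return d


if __name__ == "__main__":
    demo = [
        ActionRequest("alice", "web_act", "https://crm.example.internal/deals/42", "user"),
        ActionRequest("alice", "web_act", "https://finance.example.internal/pay", "user"),
        ActionRequest("alice", "web_act", "https://crm.example.internal/deals/42", "page"),
        ActionRequest("alice", "file_write", "/home/analyst/agent-sandbox/../Documents/q3.xlsx", "user"),
    ]
    for r in demo:
        print(r.kind, r.target, "->", gate(r))
```

The `origin` field is the part worth copying: the gate never asks whether an instruction is harmful, only where it came from, which is the one signal the agent can report reliably and the one the “assume it’s hostile until verified” rule depends on. The audit record is written before anything is allowed to proceed, so a refused or escalated step is logged as well as a completed one.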

Agentic tools are crossing a line from “assistant” to “operator.” The upside is real productivity improvements. The downside is that you’ve effectively introduced a new kind of endpoint actor – one that can read, decide, and execute at machine speed inside your most trusted surfaces: files and browsers. If your organization is experimenting with Cowork, Comet, Atlas, or similar tools, the question isn’t “should we block them?” It’s: How do we keep automated action inside acceptable risk boundaries?