Windows 11 Gets Agentic AI
Microsoft is bringing a new wave of artificial intelligence to Windows 11 through an update known as build 26220.7262. These are called experimental agentic features and they are designed to let AI agents take actions on your system, not just answer questions.
Instead of being a simple chatbot, an agentic AI in Windows can potentially read your files, interact with apps, and carry out tasks on your behalf. Think of it as giving the operating system a semi autonomous helper that can do things for you inside Windows.
On paper this sounds like the next step for PC users and gamers who want smarter automation, customized workflows, and deeper integration of AI with everyday tasks. But Microsoft is openly warning that these features also come with serious security risks including hallucinations and new types of attacks.
How Agentic AI Works and Where It Can Go Wrong
Microsoft explains that these new agents can suffer from a problem called cross prompt injection. This is where malicious content can be hidden inside files or on screen elements and then used to hijack the AI agent.
For example, imagine you download a seemingly harmless PDF. Inside that PDF is hidden text crafted specifically to trick the Windows agent. If the agent reads the file and follows that hidden instruction, it might try to exfiltrate your data, install malware, or perform some action you never intended.
This is not a theoretical idea. Microsoft is clearly acknowledging that this is a realistic threat. The company warns that these new AI features can hallucinate, which means the AI can confidently make things up, and that they introduce novel security risks that do not exist with traditional software alone.
Microsoft describes cross prompt injection like this:
- Malicious content is embedded in a UI element or document.
- The AI agent reads that content as if it were a valid instruction.
- The agent then executes unintended actions such as data theft or running malware.
In short, the more control you give the agent over your system, the bigger the impact if it is tricked.
What Protections Does Microsoft Promise?
Microsoft is not enabling these agentic AI features by default. You have to turn them on yourself. When you do, the features become active for all users on that PC all the time and they are clearly marked as experimental during setup.
The company says the design of these agents is guided by three main principles:
- All actions of an agent should be observable and clearly different from what a human user does.
- Agents that access or use protected user data should meet or exceed the security and privacy standards already applied to that data.
- Users should approve all queries for user data and all actions taken by the agent.
These sound reassuring, but Microsoft frames them more as goals than hard guarantees. The wording and the official documentation both underline that there are still real risks and that the technology is not fully locked down.
In fact, Microsoft explicitly recommends that users read the documentation and understand the security implications before enabling an agent on their computer. That is a tall order, because even many advanced users struggle to estimate how likely a cross prompt injection attack is or how badly it could affect their machines.
The practical effect is that the responsibility is being pushed onto the user. You decide whether to switch it on and you accept the associated risks, even though the exact threat level is difficult to measure from the outside.
What This Means For PC Users And Gamers
For PC enthusiasts and gamers, Windows is still the dominant platform. Any change this deep in the operating system has ripple effects across gaming rigs, workstations, and everyday PCs.
The move to integrate agentic AI directly into Windows 11 suggests a future where your OS does far more on its own. You can imagine potential upsides for gamers and power users:
- Automated game library management and optimization.
- Smart performance tuning based on what you are playing.
- AI driven workflows for streaming, recording, and editing.
- Faster setup and troubleshooting of new hardware or drivers.
But the security concerns are just as real. An agent that can reach into your files or apps is also a powerful tool in the hands of an attacker if it gets tricked. Traditional malware already targets gamers looking to steal game accounts or crypto wallets. Adding a privileged AI layer that can be influenced by hidden instructions inside documents or web content gives attackers a whole new surface to exploit.
What stands out most is how normal it has become for AI systems to ship with known flaws. Hallucinations and prompt injection attacks are widespread across many AI models, and yet they are now being embedded directly into core software like Windows rather than kept at arm’s length in a browser tab.
Microsoft appears to feel intense competitive pressure. If it does not weave deep AI into Windows, others might build platforms that do and capture that momentum. That pressure seems strong enough that the company is willing to roll out a feature set with clearly stated downsides and let users decide whether the risk is acceptable.
The result is a strange new normal for PC software. Reliability and safety used to be baseline expectations for system level features. With AI, it is suddenly considered acceptable to bolt on a powerful but unreliable layer and warn users that it might hallucinate or open the door to new forms of attack.
If you are running Windows 11 and love experimenting with new tech, you will likely be tempted to flip that experimental switch at some point. Before you do, it is worth remembering what Microsoft itself is saying. These agents can be helpful, but they are also unfinished and vulnerable. Treat them as an optional experiment, not a core security hardened part of your gaming rig or daily driver system just yet.
Original article and image: https://www.pcgamer.com/software/windows/microsoft-confirms-that-its-new-ai-agent-in-windows-11-hallucinates-like-every-other-chatbot-and-poses-security-risks-to-users/
