Thursday, July 16, 2026

Claude's Computer Control Capabilities: Innovation, Risk, and Lessons from the Past

Anthropic recently introduced capabilities that allow Claude to interact directly with a computer, including opening applications, navigating websites, clicking buttons, entering information, and performing tasks on behalf of a user.

Having worked in technology leadership for more than 25 years, I have learned that every major innovation introduces new opportunities and new risks.

Before anyone accuses me of being opposed to artificial intelligence, let me be clear: I believe AI is transforming the way we work. These tools can improve productivity, reduce repetitive work, assist with troubleshooting, and help people accomplish tasks that once required considerable time and technical expertise.

However, history has also taught us that convenience often comes with a price. Organizations would be wise to understand the security risks before allowing an AI system to interact with their computers, applications, files, and administrative tools.

Haven't We Seen This Before?

For years, IT professionals have relied on Remote Desktop Protocol, better known as RDP, to access and manage computers remotely.

RDP was fast, convenient, and incredibly useful. It allowed employees to work from home, administrators to support servers from another location, and businesses to operate without requiring everyone to be physically present.

Then attackers learned how to exploit it.

Internet-exposed RDP services became a common entry point for ransomware attacks, unauthorized access, credential theft, and data breaches. Organizations spent years learning painful lessons about weak passwords, missing multi-factor authentication, excessive privileges, exposed network ports, and inadequate monitoring.

Today, most experienced IT professionals become immediately concerned when they discover that an RDP service has been directly exposed to the internet.

AI-powered computer control is not exactly the same as traditional RDP. It does not necessarily expose a Windows desktop or network port in the same manner.

However, it raises a similar and important question:

What happens when software can not only access a computer, but also interpret information, make decisions, and perform actions on behalf of the user?

That is where the conversation becomes more complicated.

The New Risk: Prompt Injection

Traditional software generally follows instructions written by its developers.

AI agents operate differently. They are designed to interpret natural language, review information, make decisions, and determine which actions should be taken next.

That flexibility is what makes them useful.

It is also what creates a new category of security risk.

Security researchers call one of these risks prompt injection.

Imagine an AI agent is asked to review a website, read an email, open a document, or analyze a PDF. Somewhere within that content, an attacker has inserted instructions intended specifically for the AI system.

Those instructions might tell the agent to ignore the user's original request, reveal sensitive information, open another website, download a file, modify a document, or perform some other unauthorized action.

The instructions may be visible, or they may be disguised within content that appears harmless to the person using the computer.

This creates a difficult problem. The AI must determine which information is legitimate content and which information is an attempt to manipulate its behavior.

Humans already struggle with phishing emails and social engineering attacks. AI agents may now face their own version of the same problem.

The concern is not simply that Claude, or any particular AI platform, is inherently insecure.

The greater concern is that AI agents introduce a new attack surface that businesses and security professionals are still learning how to manage.

Why Computer Control Changes the Risk

A chatbot that only answers questions has limited ability to cause direct harm.

An AI agent that can control a computer is different.

Depending on the permissions it has been given, an agent may be able to:

  • Open applications
  • Read documents and email
  • Access cloud storage accounts
  • Navigate internal business systems
  • Enter or modify information
  • Download and upload files
  • Run scripts or terminal commands
  • Interact with administrative tools
  • Access remote management software
  • Make changes using the user's credentials

The more access the agent receives, the greater the potential impact of a mistake, compromised account, malicious instruction, or successful prompt injection attack.

An AI system operating under an administrator's account could potentially have the same access as the administrator.

That is an enormous amount of trust to place in any tool.

The Lessons We Should Already Know

The technology industry has faced this problem before.

Remote monitoring and management platforms, remote access tools, service accounts, domain administrator credentials, and automation systems all provide tremendous value.

They also become extremely attractive targets because they have access to many systems at once.

History has repeatedly shown us that attackers often target the tools trusted to manage everything else.

We have seen serious security incidents involving remote access services, software management platforms, privileged accounts, and administrative utilities. In many cases, the problem was not that the tool had no legitimate purpose.

The problem was that it had broad access, insufficient restrictions, weak authentication, or inadequate monitoring.

The lesson is simple:

The more access a tool has, the more valuable it becomes to an attacker.

An AI agent with access to email, files, browsers, cloud platforms, source code repositories, or administrative systems should therefore be treated as a privileged technology platform, not merely as a convenient assistant.

Account Compromise Is Another Concern

Prompt injection is not the only risk.

Organizations must also consider what could happen if the user's AI account is compromised.

If an attacker obtains access to an account connected to a computer control session, the attacker may be able to misuse the permissions previously granted to the AI platform.

This is especially concerning when users reuse passwords, fail to enable multi-factor authentication, remain signed in on shared devices, or grant broad access without reviewing it later.

The risk becomes even greater when an AI account is connected to other services, including:

  • Microsoft 365
  • Google Workspace
  • GitHub
  • Cloud infrastructure
  • Customer management systems
  • Financial platforms
  • Internal applications
  • Corporate file shares
  • Remote support tools

A compromised account may no longer provide access to just one service. It could become a gateway to several connected systems.

Human Approval Helps, but It Is Not Perfect

AI companies are introducing safeguards intended to reduce these risks.

Depending on the product and configuration, the system may require the user to approve sensitive actions, such as submitting a form, downloading a file, running a command, or accessing certain information.

These approval steps are important.

However, approval prompts only work when users understand what they are approving.

People are already accustomed to clicking "Allow," "Accept," "Continue," and "OK" without carefully reviewing the request. Over time, frequent approval prompts can become background noise.

An AI agent may ask permission to perform an action, but the user may not fully understand why the action is being requested or what the consequences could be.

Human approval should therefore be viewed as one layer of protection, not a complete security solution.

Does This Mean We Should Avoid AI Agents?

No.

AI agents have tremendous potential.

They may eventually help organizations perform routine troubleshooting, generate documentation, monitor systems, prepare reports, test software, manage repetitive processes, and reduce the burden placed on technical teams.

They may also make advanced technology more accessible to people who do not have traditional technical training.

The answer is not to reject innovation.

The answer is to introduce it carefully.

Businesses should avoid treating AI computer control as an ordinary consumer feature. It should be evaluated using the same security discipline applied to remote access tools, privileged accounts, automation platforms, and administrative software.

Practical Security Recommendations

Organizations considering AI-powered computer control should begin with several basic safeguards.

Require multi-factor authentication. Every account capable of controlling a computer or accessing connected business systems should require strong multi-factor authentication. A password alone should not be considered sufficient.

Follow the principle of least privilege. The AI agent should only receive the access necessary to complete the assigned task. It should not operate under a domain administrator, global administrator, root, or similarly privileged account unless there is a compelling and carefully controlled reason.

Separate everyday and administrative accounts. Users should not perform routine browsing, email, and document work while signed in with administrative credentials. The same separation should apply when using AI agents.

Require approval for sensitive actions. Actions involving software installation, command execution, credential access, financial transactions, security changes, file deletion, or external communication should require explicit human approval.

Restrict access to critical systems. AI agents should not automatically receive access to every server, client environment, cloud tenant, file share, or administrative console available to the user. Access should be limited by role and business need.

Maintain logs and review activity. Organizations should be able to determine what the agent accessed, what actions it attempted, what the user approved, and what changes were made. Logging is essential for accountability and incident investigation.

Review connected applications regularly. Permissions granted to AI platforms should be reviewed periodically. Connections that are no longer necessary should be removed.

Use isolated environments when possible. High risk or experimental tasks should be performed in a sandbox, virtual machine, test environment, or otherwise isolated system rather than on a primary workstation containing sensitive business information.

Train users to recognize AI-specific threats. Employees should understand that malicious instructions can appear inside websites, emails, documents, support tickets, source code, and other content reviewed by an AI agent. Users should be taught to question unexpected actions and unusual approval requests.

A Balanced Path Forward

Claude's computer control capabilities are impressive and may represent an important step forward in workplace productivity.

They may also change the way people interact with computers. Instead of manually opening applications, finding information, and completing each step, users may increasingly describe the desired outcome and allow an AI agent to perform the work.

That is a major shift.

It deserves serious consideration, not panic and not blind enthusiasm.

The security industry has repeatedly learned that powerful administrative capabilities must be introduced with strong authentication, limited permissions, effective monitoring, and clear accountability.

AI agents should be held to the same standard.

Organizations should begin cautiously, limit early use cases, monitor activity closely, and expand access only after they understand how the technology behaves within their environment.

Final Thoughts

Innovation has always required a degree of trust.

However, trust should never mean giving a new technology unrestricted access and simply hoping for the best.

The real question is not whether AI agents will become part of the modern workplace. They almost certainly will.

The more important question is whether organizations will apply the lessons learned from decades of remote access, privileged administration, automation, and cybersecurity, or whether those lessons will have to be learned again.

AI-powered computer control offers remarkable possibilities.

It also places more responsibility on technology leaders, security professionals, vendors, and users to understand what access is being granted and how that access could be misused.

Innovation is exciting. Security is what allows us to keep using it.

Thanks,

Michael Cronin


Website: https://www.michaelcronin.info
LinkedIn: https://www.linkedin.com/in/michaeltcronin/details/experience/

 

Claude's Computer Control Capabilities: Innovation, Risk, and Lessons from the Past

Anthropic recently introduced capabilities that allow Claude to interact directly with a computer, including opening applications, navigat...