Microsoft has warned that its agentic AI can hallucinate, behave unpredictably, and fall victim to classes of attack that were not a concern just a year ago. The company's own support documentation acknowledges that AI models "face functional limitations" and tells users to enable the feature only if they understand the security implications.
The company unveiled Agent Workspace in mid-November 2025. The system creates separate Windows sessions in which AI agents operate with their own user accounts and have access to six personal folders: Documents, Downloads, Desktop, Videos, Pictures, and Music. These agents can perform tasks in the background, such as sorting files, converting formats, or extracting information from PDFs, without constant user supervision.
Microsoft warns that these agents are vulnerable to cross-prompt injection attacks (XPIA), in which malicious content embedded in documents or UI elements overrides the agent's original instructions, so the very file an agent was asked to process can redirect what it does next. The company is explicit that enabling agentic AI exposes the PC to this class of attack.
The feature remains experimental and off by default; enabling it requires administrator approval, and once enabled it applies to every user account on the device, not only the administrator who turned it on. Microsoft controls what agents can reach through the Model Context Protocol (MCP), a standardized bridge that lets agents discover tools and interact with services through a JSON-RPC layer, Windows Latest reports. The company says agents operate under three core principles: all actions are observable, agents meet the security standards required for the data they handle, and users approve all queries and actions.
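To make the MCP and approval points concrete, here is an added example (not Microsoft's Agent Workspace code, and not the MCP reference implementation) of a minimal JSON-RPC tool server in the MCP style. It serves one hypothetical `read_file` tool, confines every path to the six permitted folders under an assumed agent home directory, records each call so the action is observable, and asks an approval callback before acting. The `POLICY_DENIED` error code, the tool name and the sample files are all assumptions made for the illustration; the `tools/list` and `tools/call` method names are MCP's.

```python
"""MCP-style JSON-RPC tool server with folder confinement and user approval.
Added illustration; not Microsoft's implementation."""
import json
import tempfile
from pathlib import Path
from typing import Optional

# The six folders the article says an agent account may access.
ALLOWED_FOLDERS = ("Documents", "Downloads", "Desktop", "Videos", "Pictures", "Music")

JSONRPC_METHOD_NOT_FOUND = -32601   # standard JSON-RPC codes
JSONRPC_INVALID_PARAMS = -32602
POLICY_DENIED = -32001              # assumed application-defined code


def _confined_path(home: Path, requested: str) -> Optional[Path]:
    """Resolve `requested` against `home` and return it only if the real path
    lies inside an allowed folder. Resolving first defeats '..' segments and
    symlinks that point outside the agent's folders."""
    home = home.resolve()
    target = (home / requested).resolve()
    for folder in ALLOWED_FOLDERS:
        root = home / folder
        if target == root or root in target.parents:
            return target
    return None


class AgentToolServer:
    """Hypothetical server an agent talks to over JSON-RPC."""

    def __init__(self, home: Path, approve):
        self.home = Path(home)
        self.approve = approve   # callback (tool_name, arguments) -> bool
        self.audit = []          # every tools/call is recorded here

    def handle(self, raw: str) -> dict:
        req = json.loads(raw)
        rid, method = req.get("id"), req.get("method")
        if method == "tools/list":
            return self._ok(rid, {"tools": [{
                "name": "read_file",
                "description": "Read a text file inside the permitted folders",
                "inputSchema": {"type": "object",
                                "properties": {"path": {"type": "string"}},
                                "required": ["path"]},
            }]})
        if method == "tools/call":
            return self._call(rid, req.get("params") or {})
        return self._err(rid, JSONRPC_METHOD_NOT_FOUND, f"unknown method {method!r}")

    def _call(self, rid, params):
        name, args = params.get("name"), params.get("arguments") or {}
        self.audit.append({"tool": name, "arguments": args})
        if name != "read_file" or not isinstance(args.get("path"), str):
            return self._err(rid, JSONRPC_INVALID_PARAMS, "bad tool or arguments")
        target = _confined_path(self.home, args["path"])
        if target is None:
            return self._err(rid, POLICY_DENIED, "path outside permitted folders")
        if not self.approve(name, args):
            return self._err(rid, POLICY_DENIED, "user declined the action")
        text = target.read_text(encoding="utf-8")
        return self._ok(rid, {"content": [{"type": "text", "text": text}]})

    @staticmethod
    def _ok(rid, result):
        return {"jsonrpc": "2.0", "id": rid, "result": result}

    @staticmethod
    def _err(rid, code, message):
        return {"jsonrpc": "2.0", "id": rid, "error": {"code": code, "message": message}}


def demo() -> dict:
    """Constructed scenario: a notes file the agent may read, and a secret
    outside its folders that an injected instruction tries to reach via '..'."""
    def call(i, path):
        return json.dumps({"jsonrpc": "2.0", "id": i, "method": "tools/call",
                           "params": {"name": "read_file", "arguments": {"path": path}}})

    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / "Documents").mkdir()
        (home / "Documents" / "notes.txt").write_text("quarterly plan", encoding="utf-8")
        (home / "Secrets").mkdir()
        (home / "Secrets" / "token.txt").write_text("hunter2", encoding="utf-8")

        server = AgentToolServer(home, approve=lambda tool, a: True)
        allowed = server.handle(call(1, "Documents/notes.txt"))
        traversal = server.handle(call(2, "Documents/../Secrets/token.txt"))
        listed = server.handle(json.dumps({"jsonrpc": "2.0", "id": 3, "method": "tools/list"}))
        declined = AgentToolServer(home, approve=lambda t, a: False).handle(
            call(4, "Documents/notes.txt"))
        return {"allowed": allowed, "traversal": traversal, "listed": listed,
                "declined": declined, "audit": list(server.audit)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The confinement check resolves the path before comparing it against the folder roots, so a prompt-injected request such as `Documents/../Secrets/token.txt` is rejected rather than escaping via the `..` segment; the approval callback is consulted only after the policy check passes, and every call lands in the audit list whether or not it succeeded.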
This comes after Microsoft faced backlash over its Recall feature, first when Signal blocked it from capturing private chats, and again when Recall was found capturing sensitive data such as credit card numbers even with its filters enabled.