I don’t want AI agents controlling my laptop
Part of me is always unnerved when I see people running claude --dangerously-skip-permissions or codex --yolo to give them unfettered ability to run commands on their machine. Admittedly, I do usually hit approve when I’m asked about a specific command, so I certainly understand the temptation to just avoid all that fuss and do a blanket approval. With the next generation of apps that people are building to control everything on your computer via some AI chat interface, it feels perhaps even scarier.
The problem is, modern desktop operating systems are not really designed for strong security boundaries between different things running on your machine. Sure, there are some protections like “you can’t record the screen without the user granting explicit permission”, but if you want AI to be able to take actions on your computer then you need to turn most of this stuff on. Different user accounts act as a security boundary but in practice everyone does all their work under a single user account.
There’s no good way to say “allow access to everything on my computer, except for my password manager, my bank, my ~/.aws/credentials file, and the API keys I left in my environment variables”. Especially with Simon Willison’s lethal trifecta, you don’t really want to be giving access to these things, even if most of the time, nothing bad happens.
Barring a major rearchitecture (which maybe Apple and Microsoft are working on), it’s too hard in practice to grant access to your whole laptop and know exactly what things the AI has access to and feel confident that there’s nothing too sensitive. (I do appreciate Codex’s clever default of running commands in sandboxes that can’t communicate over the network or write files outside the repo directory.)
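As an added illustration (not code from the post or from any of the tools it names), here is a small Python launcher that does the part of "everything except my credentials file and the API keys in my environment" that a user can actually do without OS support: it drops credential-looking environment variables, gives the agent a throwaway HOME so dotfiles like ~/.aws/credentials are not in reach, pins the working directory to the repo, and reports what an unscrubbed process would have inherited. The variable-name pattern and the list of sensitive paths are my assumptions; real filesystem and network enforcement still needs an OS sandbox or a VM, as the post argues.

```python
"""Launcher sketch: what an agent process would inherit, and a scrubbed alternative."""
import os
import re
import subprocess
import tempfile
from pathlib import Path

# Assumed denylist of credential-looking variable names; deliberately simple, not complete.
SECRET_NAME_RE = re.compile(r"(SECRET|TOKEN|PASSWORD|API_KEY|PRIVATE_KEY|CREDENTIAL)", re.I)
# Assumed set of dotfiles under $HOME that an unrestricted process could read.
SENSITIVE_HOME_PATHS = [".aws/credentials", ".ssh/id_ed25519", ".ssh/id_rsa", ".netrc"]
# Variables most tools need just to run at all.
KEEP_ALWAYS = {"PATH", "LANG", "TERM"}


def scrub_env(env: dict) -> dict:
    """Return a copy of env without credential-looking variables."""
    return {k: v for k, v in env.items() if k in KEEP_ALWAYS or not SECRET_NAME_RE.search(k)}


def exposed_secrets(env: dict, home: Path) -> list:
    """List what a process spawned with this env and HOME could reach (a pre-'approve' check)."""
    found = [f"env:{k}" for k in env if SECRET_NAME_RE.search(k)]
    found += [f"file:{p}" for p in SENSITIVE_HOME_PATHS if (home / p).exists()]
    return found


def run_in_scrubbed_env(cmd: list, repo: Path) -> subprocess.CompletedProcess:
    """Run cmd with a throwaway HOME, cwd pinned to repo and secrets stripped from the env.

    This only removes the low-hanging fruit; it does not stop the child from reading
    other paths or talking to the network. That enforcement needs an OS sandbox or VM.
    """
    scratch_home = tempfile.mkdtemp(prefix="agent-home-")
    env = scrub_env(dict(os.environ))
    env["HOME"] = scratch_home
    return subprocess.run(cmd, cwd=repo, env=env, capture_output=True, text=True)
```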
There are two promising solutions here.
Cloud environments (and VMs in general) are one. A bit more annoying to set up but you also get the bonus of reproducibility across a team, being able to run multiple sessions in parallel, and easier collaboration. I expect most coding agents to move in this direction (Codex already offers this; Claude Code is working on it). In corporate environments, it will make more sense to give AI agents their own credentials that don’t necessarily have all the permissions that are available to the user who spawned them.
The other piece of software on my machine designed to handle isolated environments that don’t leak between each other is the browser. Each site has its own cookies that are protected from other sites, and entire applications are designed to run successfully within this framework. Giving full access is scary — Perplexity has screwed it up, Anthropic knows it doesn’t have a workable solution yet. But if integrated properly into the browser, you actually could plausibly pick and choose which sites to give access to (or not give access to) and have the browser enforce those boundaries. Looking forward to this existing. It’s not really possible to build this properly unless you have control over the browser itself. Atlassian’s bet on using The Browser Company to build (presumably) the new “home” for all business SaaS interaction is persuasive to me in this light. This approach seems more likely to succeed than building a browser that didn’t have a clear value proposition for the consumer space where distribution is king.