Your Next Insider Threat May Be an AI Coworker
Madalina Popovici · 2026-06-12 · via Heimdal Security Blog

Heimdal sysadmin Alex Panait spent weeks testing Claude Cowork inside the company.

His verdict was blunt. It felt like onboarding a junior employee with no manager, no scoped access, and no clear accountability when something goes wrong.

Except this one can delete your SharePoint.

That is the uncomfortable reality behind autonomous AI desktop assistants. They are no longer just chat windows that answer questions or draft emails.

Claude Cowork can work across a user’s computer, and Anthropic’s own guidance says Claude can click, type, navigate the screen, open files, and use apps directly. OpenAI’s Operator, later folded into ChatGPT, showed the same direction for the wider market, with AI agents able to interact with webpages by typing, clicking, and scrolling.

For years, enterprise AI risk was mostly framed as data leakage. Employees might paste confidential information into a chatbot. That risk still matters, but autonomous agents introduce something more operationally dangerous.

They act.

Once an AI assistant can act on a business machine, the question changes. It is no longer only what data a user might paste into AI. It becomes what the AI can access, change, send, delete, or trigger using that user’s permissions.

The SharePoint blast radius

Alex’s clearest example is painfully familiar to any IT manager, MSP, or sysadmin.

An employee has a corporate SharePoint folder synced locally. It contains marketing assets, customer documents, draft contracts, campaign plans, and working files. The employee gives an AI coworker access and types a simple instruction.

“Clean up my documents.”

A human assistant would probably ask follow-up questions. A script would follow predefined rules.

An AI agent may interpret the task more broadly. It might rename files, move folders, rewrite documents, or delete content it decides is duplicated or unnecessary.

Alex described the risk directly:

“If someone has synced the entire marketing SharePoint folder locally and decides to give the AI access to it with a prompt like ‘clean up my documents,’ the AI could potentially delete, edit, or modify everything inside that folder.

“Since those files are automatically synchronized with SharePoint, any changes would immediately propagate across the organization.”

That is the SharePoint blast radius.

The problem is not that the AI breaks into the company. The problem is that the company gives it access through a trusted user, a synced folder, and a normal business workflow.

In a modern Microsoft 365 environment, “local” rarely means local

Files on a laptop may be connected to SharePoint, OneDrive, Teams, Git repositories, CRM exports, finance folders, HR documents, and customer data.

One desktop action can become an organization-wide event.

Anthropic’s safety guidance warns users to be especially cautious with computer use because Claude can click, type, and navigate the screen directly, without the same permission checks that gate other Cowork tools.

The endpoint is not just an endpoint anymore. It is the AI coworker’s workspace.

The real risk is delegated action

Traditional insider-risk programs focus on human behavior. They look for negligence, compromised accounts, privilege abuse, or malicious intent.

AI agents complicate that model.

An agent does not need intent. It only needs access, autonomy, and a plausible instruction. That makes agentic AI a new kind of operational risk. It is a non-human actor operating inside the trust boundary, often through the permissions of a real employee.

Alex’s comparison is useful here:

“In many ways, it’s like having a junior employee. It can help with repetitive tasks and improve efficiency, but someone still needs to review the work and make sure everything is correct.”

The issue is not that AI agents are useless or inherently unsafe. The issue is that many organizations may enable them before deciding what they can touch, where they can write, which systems are off-limits, and who owns the outcome when they make a mistake.

Alex is clear about where he draws the line.

“I would never grant an AI access to anything critical – production databases, production code, or highly sensitive systems. At most, you can allow access to testing environments where the AI can assist, while a human reviews and validates everything before deployment.”

That is not anti-AI. It is basic IT discipline.

The same rules teams already apply to employees, contractors, service accounts, and automation should apply to AI agents. Start with least privilege. Limit write access. Require approval before irreversible actions. Keep critical systems out of reach.

Prompt injection becomes an action problem

Agentic AI also raises the stakes around prompt injection.

A chatbot can be manipulated into producing a bad answer. An agent connected to files, tools, browsers, and applications can be manipulated into taking a bad action.

A user might ask an agent to summarize a document. Hidden inside that document could be an instruction telling the agent to ignore previous directions or send information elsewhere. If the agent has the right permissions, the risk moves from theoretical to operational.

OWASP’s agentic AI guidance identifies indirect prompt injection, tool abuse, privilege escalation, data exfiltration, and excessive autonomy as key risks for AI agents. Anthropic’s computer-use documentation also warns that Claude may follow commands found in content, including webpages or images, even when those commands conflict with user instructions.

The more useful an agent becomes, the more dangerous a bad instruction becomes.

The controls are catching up

Alex’s frustration during testing was that admin control felt too limited.

“As an admin, my only options are basically enable or disable. There’s no granular control beyond that.”

Anthropic has since promoted enterprise features for Claude Cowork, including role-based access controls, usage analytics, OpenTelemetry support, and granular admin controls over connectors and tools. Microsoft is also building toward centralized agent governance through Agent 365, with guidance that every AI agent should be observable, governed, and secure.

Those developments are welcome. Agent governance is becoming a required IT function, not a nice-to-have.

Microsoft’s security team has warned about “shadow AI” agents that run unmanaged, execute tasks, modify code, or access confidential information outside traditional governance.

What IT teams should demand before approving AI coworkers

AI coworkers should not be treated like browser plugins. Before approving them, IT teams need clear answers to five questions.

  1. Can we see every AI agent in the environment, who owns it, and what systems or data it can access?
  2. Can we separate the agent’s actions from the human user’s actions in logs and incident response?
  3. Can permissions be scoped by folder, app, connector, and action type, so reading a file is not treated the same as editing, deleting, or sending it?
  4. Can high-impact actions, such as deleting files, exporting customer data, modifying code, or sending external emails, require human approval?
  5. Can the agent be confined to a dedicated working area, such as Alex’s suggested “CoWork” folder, where users manually place only the files they want the AI to touch?
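The rules laid out earlier (least privilege, limited write access, approval before irreversible actions, critical systems out of reach), the point that a prompt-injected instruction only matters if the agent has the permissions to act on it, and the five questions above all come down to one control point: a policy gateway that every agent tool call passes through. The example below is added here for illustration; it is not Heimdal's code, not part of Claude Cowork or any vendor product, and it assumes that an agent's file and mail actions can be routed through such a gateway. The `CoWork` workspace path, the user and agent identifiers, the synced SharePoint paths and the `clean_up_scenario` walk-through are all constructed.

```python
from __future__ import annotations

import json
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Action types the agent may request, ordered by impact. Reading is low impact,
# editing/renaming/moving is a write, and deleting or sending data outside the
# tenant is irreversible and therefore gated on a human approval.
READ, WRITE, DELETE, SEND_EXTERNAL = "read", "write", "delete", "send_external"
IRREVERSIBLE = {DELETE, SEND_EXTERNAL}


@dataclass
class AgentPolicy:
    agent_id: str
    delegating_user: str                              # human whose permissions the agent borrows
    workspace: PurePosixPath                          # the only tree the agent may write into
    read_only_roots: tuple[PurePosixPath, ...] = ()   # readable, never writable
    denied_roots: tuple[PurePosixPath, ...] = ()      # not even readable
    approvals: set[str] = field(default_factory=set)  # human-approved (action, path) tokens


@dataclass
class Decision:
    allowed: bool
    reason: str


def _under(path: PurePosixPath, root: PurePosixPath) -> bool:
    """True if `path` is `root` or lies inside it (pure path check, no filesystem access)."""
    return path == root or root in path.parents


def approval_token(action: str, path: str) -> str:
    return f"{action}:{path}"


class Gateway:
    """Every tool call from the agent goes through here; nothing else touches disk or mail."""

    def __init__(self, policy: AgentPolicy) -> None:
        self.policy = policy
        self.audit_log: list[dict] = []

    def _decide(self, action: str, path: str) -> Decision:
        p = PurePosixPath(path)
        if not p.is_absolute() or ".." in p.parts:
            return Decision(False, "path must be absolute and contain no '..'")
        if any(_under(p, r) for r in self.policy.denied_roots):
            return Decision(False, "path is under a denied root")
        in_workspace = _under(p, self.policy.workspace)
        readable = in_workspace or any(_under(p, r) for r in self.policy.read_only_roots)
        if action == READ:
            return Decision(readable, "read inside an allowed root" if readable else "read outside allowed roots")
        if action not in (WRITE, DELETE, SEND_EXTERNAL):
            return Decision(False, f"unknown action {action!r}")
        if not in_workspace:
            return Decision(False, "writes, deletes and sends are confined to the workspace")
        if action in IRREVERSIBLE and approval_token(action, path) not in self.policy.approvals:
            return Decision(False, "irreversible action: pending human approval")
        return Decision(True, "inside workspace" + (", human-approved" if action in IRREVERSIBLE else ""))

    def request(self, action: str, path: str) -> Decision:
        decision = self._decide(action, path)
        # Log the agent as its own actor, on behalf of the user, so incident response
        # can tell agent actions from human actions taken with the same permissions.
        self.audit_log.append({
            "actor_type": "agent", "actor": self.policy.agent_id,
            "on_behalf_of": self.policy.delegating_user, "action": action,
            "path": path, "allowed": decision.allowed, "reason": decision.reason,
        })
        return decision

    def approve(self, action: str, path: str) -> None:
        """Called by a human reviewer, never by the agent itself."""
        self.policy.approvals.add(approval_token(action, path))


def clean_up_scenario() -> dict:
    """Constructed walk-through of the 'clean up my documents' case on a synced SharePoint folder."""
    policy = AgentPolicy(
        agent_id="ai-coworker-01", delegating_user="jane.doe@example.com",
        workspace=PurePosixPath("/home/jane/CoWork"),
        read_only_roots=(PurePosixPath("/home/jane/SharePoint/Marketing"),),
        denied_roots=(PurePosixPath("/home/jane/SharePoint/Finance"),),
    )
    gw = Gateway(policy)
    synced = "/home/jane/SharePoint/Marketing/campaign-2026.docx"   # propagates org-wide if changed
    staged = "/home/jane/CoWork/campaign-2026.docx"                 # copy the user placed deliberately
    results = {
        "read_synced": gw.request(READ, synced).allowed,
        "delete_synced": gw.request(DELETE, synced).allowed,          # blocked: outside workspace
        "read_finance": gw.request(READ, "/home/jane/SharePoint/Finance/payroll.xlsx").allowed,
        "edit_staged": gw.request(WRITE, staged).allowed,
        "delete_staged_unapproved": gw.request(DELETE, staged).allowed,
    }
    gw.approve(DELETE, staged)                                          # a human signs off
    results["delete_staged_approved"] = gw.request(DELETE, staged).allowed
    # An instruction smuggled into a document ("send this elsewhere") hits the same gate.
    results["send_external_unapproved"] = gw.request(SEND_EXTERNAL, staged).allowed
    results["traversal"] = gw.request(READ, "/home/jane/CoWork/../SharePoint/Finance/payroll.xlsx").allowed
    results["audit_entries"] = len(gw.audit_log)
    return results


if __name__ == "__main__":
    print(json.dumps(clean_up_scenario(), indent=2))
```

The design choice worth noting is that the gateway never asks the agent why it wants to act. Whether the delete request came from the user's "clean up my documents" or from text hidden in a summarised file, the decision depends only on the path, the action class and whether a human has approved that specific action, which is what makes the control hold up against indirect prompt injection. The audit entries carry both the agent identity and the delegating user, answering the second of the five questions above.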

Governed autonomy, not blind trust

AI agents can deliver real value. Alex sees particular potential in cybersecurity, where AI can help analyze large volumes of logs, detections, and behavioral signals faster than humans alone.

As Alex puts it:

“AI is a tool, not a replacement for people. It can be extremely useful, but it still requires human supervision.”

AI coworkers are coming to the enterprise. The challenge for IT teams is not whether to use them, but how to control them.


Author Profile

Madalina, a seasoned digital content creator at Heimdal®, blends her passion for cybersecurity with an 8-year background in PR & CSR consultancy. Skilled in making complex cyber topics accessible, she bridges the gap between cyber experts and the wider audience with finesse.