A wave of products that let artificial intelligence directly control a user’s computer has moved from experiment to market in the past six months. The trigger was Anthropic’s January 2026 release of Claude Cowork, a desktop-capable assistant that can reorganise files, draft documents and run multi-step workflows. Open-source projects such as OpenClaw (formerly Clawdbot/Moltbot) amplified the effect by showing how a third‑party toolkit can marry a hosted large model for reasoning with local control for execution.
Chinese technology firms have matched the overseas momentum. Alibaba’s QoderWork surfaced in late January as the company’s first desktop agent tool, billed as easy to deploy and able to invoke authorised local applications to tidy documents and process data. MiniMax has shipped an Agent2.0 that runs on Mac and Windows and claims persistent memory and professional “expert” agents. The startup Step (阶跃星辰) has offered a “desktop partner” since September 2025 and recently expanded to Windows. These products illustrate two converging trends: models that can reason across steps and local executors that can act on the user’s behalf.
The practical difference between the new agents and earlier cloud-only assistants is a matter of degree of control. Traditional assistants mostly answer questions or provide text outputs built from cloud reasoning and limited tool calls such as calendar or search. Desktop agents obtain system-level permissions: reading and writing files, launching and operating applications, executing commands and retaining long-term memory about the user’s environment. That change converts AI from adviser to executor and makes it possible to complete multi-app, long-chain tasks without manual hand‑offs.
The technical and market drivers are straightforward. Advances in model capacity and in “computer use” capabilities mean agents are less likely to fail at complex logic or get stuck at the “last 100 metres” of tasks—large file moves, cross-application automation and session persistence. Open-source releases have lowered the barrier for developers and enthusiasts to adapt agents for specialised workflows, accelerating experimentation and social-media diffusion. For vendors the business model is clearer than with chatbots: subscription tiers, enterprise deployment and usage-based credits for professional workflows make monetisation more direct.
But the advance raises immediate security and privacy questions. Granting an AI program broad access to a local filesystem and the ability to execute commands increases the risk of accidental data loss, privilege escalation and exfiltration. OpenClaw’s permissive design, for example, trades safety for flexibility; an agent that acts without robust confirmation workflows could delete sensitive files or mishandle confidential emails. Firms are pursuing mitigations—containerisation, virtual machines, strict permission boundaries, user confirmation for high-risk steps, and designing default actions to be reversible—but those measures impose trade-offs in performance and user convenience.
Regulatory and governance issues are already intruding on product design. The EU’s AI Act-inspired provisions for human oversight of high-risk systems suggest that vendors will need built-in interruption and accountability mechanisms where agents exercise system-level power. Industry practitioners point to three technical controls as essential: least-privilege and dynamic authorisation, local-data-first architectures that avoid sending sensitive files to remote servers, and comprehensive activity auditing that can be reviewed by a human operator.
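As an added illustration (not code from any product named in this article), the Python sketch below shows how folder-level least privilege, user confirmation for high-risk steps, reversible deletion and activity auditing can sit in one mediation layer between an agent and the disk. The `AgentGate` class, its risk tiers, its decision strings and the sample files are all hypothetical and constructed for the example.

```python
import json, shutil, tempfile, time
from pathlib import Path

class AgentGate:
    """Hypothetical mediator between an agent's planned file actions and the disk."""
    HIGH_RISK = {"delete", "overwrite"}          # assumed risk tiers for this sketch

    def __init__(self, granted_dirs, trash_dir, audit_log, confirm):
        self.roots = [Path(d).resolve() for d in granted_dirs]
        self.trash = Path(trash_dir)
        self.trash.mkdir(parents=True, exist_ok=True)
        self.audit_log = Path(audit_log)
        self.confirm = confirm                   # callback(action, path) -> bool

    def _audit(self, action, target, decision):
        entry = {"ts": time.time(), "action": action,
                 "target": str(target), "decision": decision}
        with self.audit_log.open("a", encoding="utf-8") as fh:  # append-only JSON lines
            fh.write(json.dumps(entry) + "\n")
        return decision

    def request(self, action, target):
        real = Path(target).resolve()            # collapse ".." and symlinks first
        if not any(real == r or r in real.parents for r in self.roots):
            return self._audit(action, target, "denied:outside-granted-folders")
        if action in self.HIGH_RISK and not self.confirm(action, real):
            return self._audit(action, target, "denied:user-declined")
        if action == "delete":                   # reversible by default: move, not unlink
            shutil.move(str(real), str(self.trash / f"{time.time_ns()}-{real.name}"))
            return self._audit(action, target, "allowed:moved-to-trash")
        return self._audit(action, target, "allowed")

def demo():
    """Constructed scenario: one granted folder and one file outside it."""
    base = Path(tempfile.mkdtemp())
    work, private = base / "work", base / "private"
    work.mkdir(); private.mkdir()
    (work / "draft.txt").write_text("q3 notes")
    (work / "report.txt").write_text("final")
    (private / "keys.txt").write_text("not for the agent")
    gate = AgentGate([work], base / "trash", base / "audit.jsonl",
                     confirm=lambda action, path: action == "delete")
    decisions = [gate.request("read", work / "draft.txt"),
                 gate.request("read", work / ".." / "private" / "keys.txt"),
                 gate.request("overwrite", work / "report.txt"),
                 gate.request("delete", work / "draft.txt")]
    return decisions, base

if __name__ == "__main__":
    print(demo()[0])
```

Resolving the path before the scope check is what stops a `..` segment or a symlink inside the granted folder from reaching files outside it; every request, allowed or denied, lands in the audit log.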
For enterprises, desktop agents offer productivity gains and fresh compliance headaches. Standardised, folder-level permissioning makes sense for rollout across businesses, yet corporate environments vary widely in tooling, legacy software and security posture; cross-platform compatibility and safe long-running process management remain engineering headaches. For consumers, the appeal is convenience: a desktop agent that can manage social-media workflows, collate messy research or produce formatted spreadsheets feels like hiring a digital assistant. The price of that convenience is placing trust in a third party’s safety design and in the user’s own willingness to cede operational control.
The broader market implication is a potential shake-up of parts of the SaaS landscape. If desktop agents can orchestrate local applications reliably, incumbents that sell specialised cloud automation and workflow tools will face new competition from vendors that combine cloud reasoning with local execution. At the same time, the rise of open-source agent frameworks complicates vendor lock-in and can accelerate feature adoption across the ecosystem.
The next phase will be defined by whether vendors can strike a pragmatic balance between empowerment and restraint. The technology has reached a point where agents can do more than talk, but widespread adoption hinges on demonstrable safety, clear consent models and auditable controls. Until those are in place, enterprises and privacy-conscious users will likely proceed with guarded pilots rather than wholesale handovers of their desktops.
