In two weeks, three of the biggest AI companies shipped agents that can read your files, control your apps, and run around the clock. None of them can prove what they actually did. That shift moves the governance problem from “what did the agent say?” to “what did the agent do on your machine, and can anyone verify it independently?”
On March 11, Perplexity announced Personal Computer: software that runs 24/7 on a Mac Mini, merging local files and applications with its cloud-based AI agent[1]. It connects to Gmail, Slack, GitHub, Notion, Salesforce, and anything else on the machine. It never sleeps.
On March 16, Meta's Manus launched My Computer: a desktop application that brings the company's AI agent onto Mac and Windows devices[2]. The agent executes command-line instructions in the user's terminal, reads and edits local files, and launches and controls installed applications. Manus, which Meta acquired for $2 billion in December 2025, previously operated exclusively in the cloud.
On March 23, Anthropic shipped computer use for Claude Desktop's Cowork feature[3]. Claude can now navigate a user's screen directly, clicking, typing, opening apps, with persistent memory across sessions and scheduled background tasks.
Three companies reached the same conclusion within two weeks.
The convergence reflects a shared conclusion: agents need a home. Not a chat window that disappears when the tab closes, but a machine with file access, application control, and background execution. The pattern was validated earlier by open-source agents that demonstrated users would accept persistent machine access if the workflow was useful enough. OpenClaw, acquired by OpenAI in February 2026 after accumulating 210,000 GitHub stars, proved this at scale. As we documented in our analysis of 135,000 exposed agent instances, the security consequences were significant[7]. The demand was not deterred.
All three products share the same governance model. It is built on permission prompts, behavioral training, and self-reported audit logs. None of it produces proof.
What the Agent Can Do
File access, application control, background execution, and write access to shared services.
Each product grants an autonomous agent access that, twelve months ago, would have been an incident ticket for any IT department:
Local persistence and manipulation
Agents read, create, modify, and organize files on the local machine. Perplexity scans folders, identifies content, and sorts thousands of files into categorized subfolders. Manus builds applications using installed development tools. Claude opens files and operates within them.
Cross-application execution
Agents launch applications, navigate interfaces, and execute multi-step workflows across installed software. Claude takes screenshots to understand context, then clicks and types. Manus executes terminal commands. Perplexity orchestrates across 20+ integrated services.
Unattended continuity
These agents run unsupervised. Perplexity operates 24/7 on a dedicated Mac Mini. Manus accepts tasks from a phone and completes them on the desktop while the user is away. Claude maintains memory across sessions.
Real-world consequences
Gmail, Google Drive, Slack, Google Calendar, GitHub, Salesforce: each product connects to services where actions affect other people, from sending emails and posting messages to creating calendar events and modifying shared documents.
What the Governance Model Provides
All three products converge on the same governance approach. These controls reduce risk, but they do not create an independent proof layer.
Permission prompts
The agent asks before accessing a new application or service. The user approves or denies.
Action approval
Sensitive operations require explicit confirmation. Manus offers “Allow Once” and “Always Allow.” Perplexity requires user approval for sensitive actions. Claude asks permission before accessing each application.
Behavioral training
Each agent is trained to avoid risky operations. Claude is trained not to engage in stock trading, input sensitive data, or scrape facial images. But training is not a guarantee: a model can be trained to refuse risky tasks and still be prompted past those refusals, misconfigured, or drift through emergent optimization.
Kill switch
Each product provides a mechanism to stop the agent immediately.
Audit trail
Perplexity generates an audit trail for each session. Manus logs actions. Claude provides session history.
Anthropic's documentation includes a caveat that applies equally to all three: these guardrails “aren't absolute” and “aren't perfect.” Users should “monitor Claude's work, especially early on”[3].
What the Governance Model Does Not Provide
What is missing is not another control. It is a different class of system.
The gap is not a missing feature. It is the absence of an independent proof layer: one that produces cryptographic evidence, not self-reported logs.
No pre-commitment
No product cryptographically commits the agent's authorized scope before operation begins. The permission model is advisory. If the agent drifts from its constraints through adversarial input, misconfiguration, or emergent pressure, no independent mechanism detects the deviation. A Policy Artifact would seal these constraints before execution.
No independent enforcement
No product interposes a separate process that measures the agent's behavior against a reference. The agent reports its own actions. No external system verifies that the agent's claimed behavior matches its actual behavior. A Portal enforcement boundary would close this gap.
No cryptographic receipts
No product generates signed evidence for each action the agent takes. The audit trails are internal logs: records the system creates about itself. They are not Enforcement Receipts where each record is independently signed and linked to its predecessor such that modification is detectable.
No tamper-evident chain
No product maintains a Continuity Chain where each event references the previous event's hash, ensuring that insertion, deletion, or reordering of events is detectable.
Logs are not evidence
The distinction is structural, not semantic. A log records activity. Evidence proves control. As we explored in Why Logs Aren't Proof, when an autonomous agent writes its own audit trail, the trail reflects what the agent reports happened. If the agent sends an unauthorized email, modifies a restricted file, or accesses a service outside its scope, the audit trail cannot be relied on to reflect the violation. The agent controls the trail.
Current model vs. cryptographic model
| Capability | What Ships Today | Cryptographic Model |
|---|---|---|
| Pre-commitment | Advisory permissions | Sealed Policy Artifact |
| Runtime enforcement | Agent self-reports | Independent Portal boundary |
| Audit trail | Internal logs | Signed Receipt Chain |
| Tamper detection | None | Hash-linked Continuity Chain |
| Third-party verifiability | Not available | Offline Evidence Bundles |
| Enterprise audit readiness | No | Yes |
The Desktop Makes the Gap Worse
The agent evidence gap we described in the context of Karpathy's autoresearch loop, where 700 autonomous experiments produced zero governance evidence, operated at the level of a single training script on a single GPU[6]. That gap was concerning because the pattern was headed toward consequential environments.
Desktop agents are that environment. When an agent sends an email from your account, posts in your company's Slack, modifies a shared document in Google Drive, commits your time on a calendar, or edits a financial spreadsheet, those actions have real-world consequences affecting other people.
The agent cannot distinguish between a legitimate instruction and an adversarial one.
Consider a concrete scenario: an agent with “Always Allow” access to Salesforce receives a prompt-injected instruction embedded in a customer email. It updates a deal record, changes the contract value, and sends a confirmation to the client. The agent's audit log shows the action was taken. It does not show that the action was unauthorized, because the agent cannot distinguish between a legitimate instruction and an adversarial one. No independent process evaluated the action against sealed constraints. No signed receipt recorded the policy violation. The only record is the agent's own account of what happened.
Enterprise deployment changes the question
All three companies are pursuing enterprise deployment. Perplexity launched Computer for Enterprise with compliance controls and single sign-on. Manus integrated with Meta Ads Manager and Instagram. Anthropic's Cowork is available on Pro and Max plans with Team and Enterprise tiers planned.
This turns the governance gap from a design question into an audit question: can you prove that agents operating on employee machines acted within their authorized parameters? Not “did they report compliant behavior” but can you prove it independently?
SOX auditors evaluating financial controls, HIPAA compliance officers evaluating healthcare workflows, and litigation counsel evaluating discovery obligations will all ask the same question. The answer, with every desktop agent shipping today, is no.
What Would Close the Gap
A chain, not a checklist. Four properties, each building on the previous.
Closing the gap requires four architectural properties layered in sequence:
1. Sealed constraints define the allowed space
Before the agent begins a session, its authorized scope is cryptographically committed into a sealed Policy Artifact: which services it can access, which operations are permitted, what rate limits apply, what content patterns are blocked. The constraint file is hashed, signed, and immutable. Modification breaks the signature. The constraints are no longer advisory.
2. Independent measurement enforces at runtime
A separate process (the Portal), running in a different address space and holding the signing keys the agent cannot access, intercepts every action. Before an email is sent, before a file is modified, before a Slack message is posted, the independent process evaluates the action against the sealed constraints and makes the enforcement decision. The agent executes; the separate process enforces and records. That boundary cannot be collapsed.
3. Signed receipts record each decision
Every action, whether permitted, denied, or quarantined, produces a signed Enforcement Receipt containing the action hash, the policy reference, the decision, the timestamp, and the previous receipt's hash. The receipt chain is append-only and linked by structural metadata hashes. Modification of any receipt invalidates every subsequent link.
4. Offline-verifiable evidence proves it later
At the end of a session, an Evidence Bundle containing the sealed constraints, all signed receipts, and Merkle inclusion proofs enables any third party to verify the complete governance history. Standard cryptography. No network access. No trust in the agent, the operator, or the platform provider.
These four properties transform a desktop agent's self-reported audit trail into cryptographic evidence that any third party can independently verify. This is the architecture that agentic AI governance requires: not observation, but cryptographic runtime enforcement with provable evidence.
Questions to Ask Your Vendor
Four questions separate governance theater from governance architecture.
If you are evaluating desktop agents for enterprise deployment:
- Is the agent's authorized scope cryptographically committed before it begins operating, or is the permission model advisory?
- Does a separate, independent process enforce policy at runtime, or does the agent self-report its own compliance?
- Does every action produce a signed, hash-linked receipt, or is the audit trail an internal log the agent writes about itself?
- Can a third party verify the complete governance history offline, without trusting the agent, operator, or platform?
If the answer to any of these is no, the product ships with a governance gap. The controls it provides are a starting point, not a proof layer.
The Convergence Tells You Something
Three companies independently arriving at the same architecture in the same two weeks tells you the market has decided: autonomous agents will live on personal computers, operate continuously, and have write access to the services where consequential actions happen.
The governance architecture for this deployment pattern does not yet exist in any of these products. The behavioral guardrails they ship are a starting point. Anthropic's own documentation says as much.
The question is no longer whether desktop agents need governance. It is whether the governance they ship produces cryptographic proof of what happened, or just a log of what the agent says happened.
References
- Perplexity. “Everything is Computer.” March 11, 2026. perplexity.ai
- Manus. “Introducing My Computer: When Manus Meets Your Desktop.” March 16, 2026. manus.im
- Anthropic. “Let Claude use your computer in Cowork.” March 2026. support.claude.com
- CNBC. “Meta's Manus launches desktop app to bring its AI agent onto personal devices amid OpenClaw craze.” March 18, 2026. cnbc.com
- Axios. “Perplexity launches Mac-based AI agent.” March 11, 2026. axios.com
- Attested Intelligence. “The Agent Evidence Gap.” March 23, 2026. attestedintelligence.com
- Attested Intelligence. “The Governance Gap: 135,000 Exposed Agent Instances.” 2026. attestedintelligence.com