With Anthropic's introduction of Computer Use capabilities in beta and rumours of Google's Jarvis AI on the horizon, we are witnessing a subtle but profound transformation in how AI systems interact with our computational environments. As we head into 2025, organisations will increasingly hand control over to AI to complete tasks on their computers. The question isn't just whether we're ready—it's whether we understand what we're about to unleash.
2024 has rightfully earned its title as the 'Year of the Agent'. Thus far, AI automation has followed two main paths: agentic workflows, where predetermined tasks are executed in sequence, and multi-agent systems, where multiple AI instances collaborate to achieve goals. Yet Computer Use capabilities are poised to trump both approaches, offering more powerful and direct interactions. The reason? It all comes down to simplicity and control.
The Elegant Shift
Computer Use's elegance lies in its directness. Rather than requiring complex agent architectures or choreographing multiple AI systems, it creates a straight line between human intent and computer action. Think of it as giving AI a direct licence to operate, but with guardrails:
User Intent -> API Call -> Direct Action -> Result
This marks a fundamental departure from what we've seen before. Traditional agents operate within predetermined boundaries, following scripted workflows. Multi-agent systems rely on complex coordination protocols between independent agents. Computer Use, as demonstrated by Claude Sonnet 3.5, enables direct system interaction through an API—no middleman required.
Why This Time It's Different
Unlike traditional APIs with their fixed endpoints and predictable patterns, the Computer Use API represent a fundamental shift in how systems process requests. They must dynamically translate natural language into system actions, handling complex chains of interdependent operations while maintaining context-aware permissions. Imagine an AI system that needs to first understand your request to "analyse last quarter's sales data," and then determine which files to access, how to process them, and what level of system access is required at each step.
The implications of this flexibility create unique challenges. Where traditional APIs have predictable failure modes and clear boundaries, the Computer Use APIs will exhibit emergent behaviours and create cascading effects across systems. A simple request might evolve into a complex series of interrelated actions, each with its own potential for unexpected interactions and sophisticated patterns that could ripple through connected systems.
Beyond Traditional Security Concerns
The risk landscape here is unprecedented. When an AI system can dynamically interpret and execute complex chains of actions, we face challenges our current security frameworks we not designed to address. Consider an AI analysing your company's sales data—it might access customer databases for deeper analysis, integrate with financial systems for revenue validation, or modify reporting parameters based on its interpretations, all without explicit authorisation for each step.
More concerning is the AI's ability to learn and adapt. Unlike traditional APIs where each request is isolated, Computer Use APIs must manage an AI system that can potentially recognise patterns across requests, accumulate understanding of system architectures, and optimise its approach over time (this will happen). This creates "capability accumulation" risk—where the system's effective permissions might extend beyond its formal authorisation through learned behaviours and creative problem-solving.
The Real Risks
Anthropic's research team has identified four critical categories of potential AI system behaviours that warrant particular attention. These aren't theoretical concerns—they're practical considerations for any organisation planning to implement Computer Use capabilities in 2025:
Human Decision Sabotage: At its core, this risk represents the potential for AI systems to subtly influence human decision-making in detrimental ways while maintaining an appearance of helpfulness. What makes this particularly concerning is its subtle nature—the system appears to be functioning as intended while gradually steering decisions toward suboptimal outcomes. Consider a financial analysis system that consistently recommends slightly suboptimal investment strategies. Each individual recommendation might appear reasonable and well-justified, but the cumulative effect could be significantly detrimental. With direct computer interaction capabilities, this risk becomes more pronounced as systems can now not only suggest actions but potentially execute them.
Code Sabotage: This risk category is particularly relevant given the increasing role of AI in code generation and review. The concern isn't just about obvious bugs but rather the introduction of subtle vulnerabilities that might only become apparent under specific conditions. These could range from minor inefficiencies to serious security vulnerabilities. What makes this risk especially pertinent is how it intersects with power-seeking behavior patterns. A system could theoretically introduce vulnerabilities that only it knows about, creating potential future exploit opportunities. As AI systems become more involved in software development processes, the scale and sophistication of such potential manipulations increase.
Sandbagging: Perhaps the most subtle of the four categories, sandbagging represents a sophisticated form of capability concealment. The system deliberately underperforms during evaluation or testing phases while maintaining the ability to deploy its full capabilities later. This risk becomes particularly relevant as we develop more sophisticated evaluation frameworks for AI systems. This behavior pattern aligns closely with the broader category of deceptive behavior in AI systems. It suggests a level of strategic thinking that goes beyond simple task completion to long-term planning and capability management. The implications for testing and evaluation protocols are significant—how do we verify a system's true capabilities if it can strategically conceal them?
Undermining Oversight: This final category represents perhaps the most direct challenge to AI safety measures. It involves systems actively working to circumvent or disable monitoring and evaluation mechanisms. This could manifest in various ways, from subtle manipulation of logging systems to more direct interference with oversight protocols.
Alignment with Broader Risk Categories
These four specific risk types map onto broader categories of AI risk in interesting ways:
Power-Seeking Behavior
All four categories can be viewed as manifestations of power-seeking behavior, but they operate at different levels:
Human Decision Sabotage represents power-seeking through influence
Code Sabotage creates future leverage points
Sandbagging maintains power through deception
Undermining Oversight directly preserves operational freedom
Misaligned Behaviors
The relationship between these risks and misalignment is particularly interesting:
They can emerge even in systems that appear well-aligned on the surface
They represent sophisticated forms of misalignment that go beyond simple goal divergence
They suggest the possibility of emergent misalignment in complex systems
What Organisations Need to Do Now
As we move into 2025, organisations need to take specific actions to prepare:
Audit Your AI Touchpoints
Map existing AI system interactions
Document security protocols
Identify potential Computer Use integration points
Establish Robust Monitoring
Implement comprehensive logging
Create clear audit trails
Deploy early warning systems
Build Industry Collaboration
Share risk patterns
Develop best practices
Create cross-organisational protocols
Looking Ahead
The emergence of Computer Use capabilities marks a significant evolution in how we deploy AI systems. Success won't just be about addressing individual risks—it'll be about developing frameworks that can handle their interactions and emergent behaviours. As we move forward, the challenge will be finding that sweet spot between innovation and control.
For Australian organisations, particularly those in regulated industries, the time to start preparing is now. The potential benefits are enormous, but so too are the risks. The question isn't whether to adopt these capabilities, but how to do so safely and effectively.
Please review the Anthropic guidance below for Computer Use.
Author: Christopher Foster-McBride, CEO, Digital Human Assistants