Anthropic Gives Claude the Keys to Your Computer — and Hopes You'll Trust It

On March 24, 2026, Anthropic released a feature that crosses a threshold most AI companies have been circling for years: Claude can now take direct control of your computer. The capability, branded "Computer Use," allows the AI to move your mouse, type on your keyboard, open applications, browse the web, and manipulate files — all while you watch from your phone, or don't watch at all [1][3].

The launch lands in a competitive environment where OpenAI, Google, and open-source projects are racing to build autonomous AI agents. But Anthropic's approach — shipping a desktop-control agent as a "research preview" to paying subscribers — raises questions about security, data privacy, and the pace at which AI companies are willing to hand control of personal machines to probabilistic systems.

What Claude Can Now Do on Your Machine

Computer Use is available through two Anthropic products: Claude Code, aimed at developers, and Claude Cowork, a more general-purpose assistant introduced in January 2026 [3]. When a user assigns a task, the system follows a layered approach: it first attempts to use existing API connectors for services like Google Calendar, Slack, or Gmail. If no connector exists, it tries browser-based navigation. Only when neither option works does Claude take direct screen control, interacting with desktop applications through simulated mouse clicks and keystrokes [4][5].

The feature works by taking periodic screenshots of the user's display, which Claude analyzes to determine what's on screen and where to click next [5]. Through this mechanism, Claude can open files, fill in spreadsheets, draft presentations from local data, search and summarize emails, and run development tools [3][6].

A companion feature called Dispatch, released the prior week, enables users to assign tasks from a smartphone. As long as the Mac is awake and the Claude Desktop app is running, instructions travel from phone to desktop, and results travel back. Dispatch maintains a single persistent conversation thread with editable memory, so the agent retains context across tasks [6].

Computer Use is currently limited to macOS, with Windows support planned. It requires a Claude Pro subscription ($20/month) or Claude Max ($100–$200/month) [6][7].

The Permission Architecture

Anthropic has built Computer Use around what it calls a "permission-first approach" [4]. Claude requests access before interacting with a new application, and users can halt operations at any time. When the feature is enabled, the system's access scope is determined by the permissions users grant — Anthropic advises granting access "only to resources you're comfortable with Claude acting on autonomously" [6].

But the company is candid about limitations. "Computer use is still early compared to Claude's ability to code or interact with text," Anthropic stated in its launch documentation. "Claude can make mistakes, and while we continue to improve our safeguards, threats are constantly evolving" [4]. Independent assessments put the feature's reliability at roughly 50% for complex tasks [6].

What Data Leaves Your Machine

The privacy implications of an AI that watches your screen are substantial. Computer Use operates by capturing screenshots of whatever is visible on the user's display — meaning any open document, email, chat window, or password manager visible during a session is accessible to the system [5][6].

Anthropic has not published a detailed technical specification of exactly what data is transmitted to its servers during Computer Use sessions, how long screenshots are retained, or whether screen captures are used for model training. The company recently drew criticism for shifting its stance to allow sharing of users' conversations for AI training purposes [8], a policy change that makes the absence of specific Computer Use data handling disclosures more conspicuous.

For enterprise customers, Anthropic holds SOC 2 Type II and ISO 27001 certifications, and the company states it is HIPAA-eligible for health data [9]. The Enterprise plan provides a Compliance API for programmatic access to usage data. However, these certifications apply to the broader Claude platform — whether Computer Use sessions receive the same protections, and what specific data retention policies apply to captured screenshots and interaction logs, remains unclear.

Prior Security Track Record

The decision to ship a computer-control feature arrives against a backdrop of documented security vulnerabilities in Claude Code. In research published between September 2025 and January 2026, Check Point researchers Aviv Donenfeld and Oded Vanunu disclosed three significant flaws [10]:

  • Code injection via project hooks (CVSS 8.7): A vulnerability allowing code execution through untrusted project hooks in .claude/settings.json, bypassing user consent. Fixed in version 1.0.87, September 2025.
  • CVE-2025-59536 (CVSS 8.7): Shell command injection during tool initialization, triggered when users opened untrusted directories. Fixed in version 1.0.111, October 2025.
  • CVE-2026-21852 (CVSS 5.3): An information disclosure vulnerability where API keys could leak before the trust prompt was shown. Fixed in version 2.0.65, January 2026.

All three vulnerabilities could be triggered simply by opening a crafted repository — no additional user interaction required [10]. Anthropic patched each issue, but the pattern of configuration-file-based attacks is relevant to Computer Use, which expands Claude's access surface to the entire visible desktop.
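A pre-open check for the hook-based issue described above, as an added example (not code from Anthropic or Check Point): it lists every command string declared under a `hooks` key in any `.claude/settings.json` of a checkout, so the commands can be reviewed before the directory is opened in the tool. The nesting of hook entries and the `command` field name are assumptions, which is why the walker matches on field name at any depth; the sample data is constructed.

```python
import json
import tempfile
from pathlib import Path

def iter_commands(node, path):
    """Yield (json_path, value) for every string field named "command"."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key == "command" and isinstance(value, str):
                yield here, value
            else:
                yield from iter_commands(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_commands(item, f"{path}[{i}]")

def audit_checkout(root):
    """List hook commands declared by any .claude/settings.json under root."""
    findings = []
    for settings in sorted(Path(root).rglob(".claude/settings.json")):
        try:
            data = json.loads(settings.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            # An unreadable file is reported, not skipped: review it by hand.
            findings.append((settings, "unparseable", str(exc)))
            continue
        hooks = data.get("hooks") if isinstance(data, dict) else None
        for where, command in iter_commands(hooks, "hooks"):
            findings.append((settings, where, command))
    return findings

# Constructed sample; the field layout is an assumption, not a vendor schema.
SAMPLE = {"hooks": {"example-event": [
    {"hooks": [{"type": "command", "command": "sh ./scripts/setup.sh"}]}]}}

def demo():
    """Audit a throwaway checkout containing SAMPLE plus one corrupt file."""
    with tempfile.TemporaryDirectory() as tmp:
        for sub, text in (("app", json.dumps(SAMPLE)), ("vendor/lib", "{oops")):
            target = Path(tmp, sub, ".claude")
            target.mkdir(parents=True)
            (target / "settings.json").write_text(text, encoding="utf-8")
        return [(str(p.relative_to(tmp)), w, c) for p, w, c in audit_checkout(tmp)]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Nested settings files (for example in vendored subprojects) are included because the search is recursive; an empty result means no hook commands were declared, not that the repository is otherwise safe to open.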

How It Compares to Existing Automation

Claude's Computer Use enters a market already populated by mature robotic process automation (RPA) platforms. UiPath, the market leader in enterprise RPA, offers desktop agents that can "enter a legacy application, read data from the screen using Computer Vision, and physically execute actions where no API exists" [11] — a description that closely mirrors Claude's fallback-to-screen-control approach.

Microsoft Power Automate, bundled with many Microsoft 365 Enterprise licenses, follows a per-user or per-flow pricing model that makes basic automation effectively free for existing Microsoft customers [11]. UiPath charges enterprise-scale pricing that can reach tens of thousands annually but provides what one comparison described as "military-grade auditing" [11].

[Chart: Media Coverage: Claude Computer Use. Source: GDELT Project. Data as of Mar 25, 2026.]

Claude's differentiation is in natural language task assignment. Where UiPath and Power Automate require users to build explicit workflows or use low-code designers, Claude accepts plain-English instructions and determines the execution path autonomously. The tradeoff is predictability: a UiPath bot follows a defined script every time, while Claude's probabilistic approach means the same instruction may produce different execution paths.

On browser automation benchmarks, OpenAI's ChatGPT agent mode leads with 87% success rates, compared to Claude Sonnet's 56% [12]. For software engineering tasks, Claude benchmarks at 49%, an area where ChatGPT's agent wasn't designed to compete [12]. Google's Project Mariner, its Chrome-based agent, has seen team restructuring as the company redirects resources, though its computer-use capabilities will be folded into Google's broader agent strategy [12].

Compliance Gaps for Regulated Industries

For organizations in healthcare, finance, and government, the compliance picture is incomplete. Anthropic's SOC 2 Type II and ISO 27001 certifications cover the Claude platform broadly, and the company offers HIPAA eligibility and GDPR compliance with a Data Processing Addendum [9][13].

But compliance responsibility falls heavily on the customer. As one security analysis noted, "compliance remains the responsibility of the organization, not Anthropic" [9]. For HIPAA, human review of AI-processed patient data remains mandatory. For SOC 2 audits, enterprises must demonstrate that Claude's access is tied to their own identity governance and monitoring systems [9].

FedRAMP authorization — required for U.S. government use — is not listed among Anthropic's certifications [9]. This represents a significant barrier for federal agencies and government contractors considering AI-driven automation.

Claude Code's hooks system, which runs custom scripts at lifecycle points (pre-tool, post-tool, pre-commit), offers one mechanism for compliance enforcement [13]. But for Computer Use specifically, where the AI is controlling arbitrary desktop applications, the audit trail question is open: how does an organization document and verify what an AI agent did across multiple applications during an autonomous session?

The Labor Question

The automation capabilities Claude now offers overlap directly with tasks performed by administrative assistants, data entry clerks, and customer service workers. Research aggregated from multiple sources paints a consistent picture of exposure: data entry and clerical roles face some of the highest automation risk, with an estimated 7.5 million such jobs at risk globally by 2027 [14]. Customer service and call center roles face up to 80% automation potential [14].

[Chart: U.S. Total Private Employment (Thousands). Source: Bureau of Labor Statistics (CES0500000001). Data as of Mar 25, 2026.]

The World Economic Forum projects 85–92 million jobs displaced globally by 2030, offset by 97–170 million new roles created [14]. The IMF estimates 60% of jobs in advanced economies have significant AI exposure, compared to 26% in low-income countries [14].

The demographic distribution of this exposure is uneven. According to compiled labor statistics, 79% of employed U.S. women work in roles with high automation risk, compared to 58% of men — reflecting the concentration of women in clerical, administrative, and customer service occupations [14]. Workers aged 18–24 are more than twice as likely to report concern about displacement [14].

Historical precedent from earlier automation waves suggests the net effect is typically job transformation rather than elimination — spreadsheet software didn't destroy accounting, but it did change what accountants spend their time doing. Anthropic's own research has estimated that 49% of jobs could use AI for at least 25% of their tasks [14], framing the technology as augmentation rather than replacement.

The Risk-Reduction Argument

Proponents of AI-controlled automation point to error reduction in repetitive tasks. AI systems can process over 1,000 documents per hour with error rates below 0.1%, compared to 2–5% for human data entry [14]. In domains like medical data entry, financial reconciliation, and compliance checking, where a single error can have significant consequences, this accuracy gap is the core argument for automation.

But the security risks of granting autonomous computer access create a countervailing concern. A misinterpreted instruction could delete files, send incorrect emails, or expose private data [8]. The 50% reliability rate on complex tasks reported during early testing [6] suggests that for high-stakes domains, the error-reduction benefits of automation may be offset by the introduction of new categories of failure — not typos in a spreadsheet, but an AI agent clicking the wrong button in a medical records system.

The tension is real and unresolved. Anthropic is betting that iterative improvement — shipping early, learning from failures, tightening safeguards — is the right approach. Critics argue that computer control should reach higher reliability thresholds before being offered to paying customers, even as a research preview.

What Comes Next

Anthropic's Computer Use launch is a calculated bet that users will accept a capable but imperfect agent in exchange for the promise of autonomous task completion. The company has been transparent about limitations, which works in its favor. But transparency about what the feature can't do reliably doesn't fully address questions about what it does with the data it sees while trying.

The competitive pressure is real. OpenAI hired OpenClaw creator Peter Steinberger to build its next generation of personal agents [12]. Google is restructuring its agent teams. The industry consensus has shifted toward command-line and desktop agents as more reliable than browser-only approaches [12].

For now, Computer Use remains a research preview — a label that provides Anthropic some cover but doesn't change the fact that paying subscribers are running it on machines containing real emails, real financial data, and real credentials. The gap between "research preview" and "production feature" may matter less to the AI on your screen than it does to the legal team reviewing your compliance posture.

Sources (14)

  [1] Anthropic hands Claude Code more control, but keeps it on a leash. techcrunch.com
      Anthropic's Claude Code auto mode allows AI to execute tasks with reduced manual approvals, representing a shift toward more autonomous AI agents with built-in safeguards.

  [2] Anthropic's Claude gains computer control as AI starts running your screen. businesstoday.in
      Claude can now interact with desktop environments using a virtual mouse and keyboard while reading on-screen content through screenshots.

  [3] Claude Code and Cowork can now use your computer. engadget.com
      Claude Code targets programmers while Claude Cowork is designed for casual users, with computer use capabilities available to Pro and Max subscribers on macOS.

  [4] Anthropic's Claude gets computer use capabilities in preview. siliconangle.com
      Claude uses a permission-first approach, requesting access before touching new applications. Screen-based operations are significantly slower than direct API integrations.

  [5] Anthropic is giving Claude the ability to use your Mac for you. 9to5mac.com
      The system works by taking screenshots of your screen; anything visible during a session can be accessed by Claude.

  [6] Claude Dispatch: What It Is, How It Works & Pricing (2026). lowcode.agency
      Dispatch enables asynchronous task execution from phone to desktop. Max tier $100/month, Pro tier $20/month. Early testing shows approximately 50% reliability on complex tasks.

  [7] Claude Pricing in 2026 for Individuals, Organizations, and Developers. finout.io
      Pro plan costs $20/month, Max plan starts at $100/month (5x usage) or $200/month (20x usage), with Team Standard seats at $25-30/person/month.

  [8] Anthropic Claude's New File Feature Raises Security Red Flags. bitdefender.com
      One misinterpreted command could delete files, send incorrect emails, or expose private data. Anthropic recently shifted its stance to allow sharing of users' conversations for AI training.

  [9] Claude Security Explained: Benefits, Challenges & Compliance. reco.ai
      Claude carries SOC 2 Type 2 and ISO 27001 certifications but compliance remains the responsibility of the organization. HIPAA requires strict human review oversight.

  [10] Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration. thehackernews.com
      Check Point researchers disclosed three security flaws in Claude Code (CVSS up to 8.7) enabling remote code execution and API credential theft through crafted repositories.

  [11] Microsoft Power Automate vs. UiPath vs. Zapier: RPA Guide 2026. emerline.com
      UiPath leads enterprise RPA with computer vision-based screen control. Power Automate is often included in Microsoft 365 Enterprise licenses, making basic automation effectively free.

  [12] The AI Agent Landscape in 2026: Google ADK, Claude Cowork, Cursor, and OpenAI Compared. aimakers.co
      ChatGPT agent mode hits 87% browser automation success vs Claude Sonnet's 56%. Claude leads software engineering tasks at 49%. Industry momentum has shifted toward desktop agents.

  [13] Claude Code SOC 2 compliance - what your auditor needs to know. amitkoth.com
      Anthropic holds ISO 27001:2022, ISO/IEC 42001:2023, SOC 2 Type II. Claude Code's hooks system runs custom scripts at lifecycle points for compliance enforcement.

  [14] AI Job Displacement Statistics (2026 Data & Trends). click-vision.com
      85-92 million jobs displaced globally by 2030 per WEF, offset by 97-170 million new roles. Data entry faces highest risk with AI processing 1,000+ documents/hour at <0.1% error rate.