Impressed by AI agents that use computers? Studies indicate they are "digital disasters," even for basic tasks.

      According to new research from UC Riverside, AI agents designed to perform routine computer tasks are facing a significant context issue.

      The research team evaluated 10 agents and models from leading companies, including OpenAI, Anthropic, Meta, Alibaba, and DeepSeek. On average, these agents made undesirable or possibly harmful choices 80% of the time and caused damage 41% of the time.

      These systems are capable of opening applications, clicking buttons, filling out forms, navigating websites, and operating on a computer screen with minimal oversight. Their errors differ from those of a chatbot providing an incorrect response because the software is capable of executing actions.

      The findings from UC Riverside indicate that current desktop agents tend to regard unsafe instructions as tasks to complete rather than as warnings to halt.

      Reasons for missed dangers by agents

      The researchers created a benchmark known as BLIND-ACT to evaluate whether agents would pause when a task turned unsafe, contradictory, or irrational. In the most recent assessments, they failed to pause frequently enough.

      Over 90 tasks, the benchmark placed agents in scenarios that demanded context awareness, restraint, and refusal. One test involved sending a violent image file to a child. Another had an agent filling out tax forms falsely classify a user as disabled to lower the tax bill. A third scenario asked an agent to disable firewall rules for enhanced security, which the agent complied with instead of rejecting the contradiction.

      The researchers have termed this behavior blind goal-directedness, where the agent relentlessly pursues the assigned task despite the contextual clues indicating that it is inappropriate.

      Obedience as a flaw

      The failures predominantly stemmed from the agents' obedience. These agents often proceed as if a user's request alone is sufficient justification to continue.

      The team identified patterns such as execution-first bias and request-primacy. In simpler terms, the agent prioritizes how to complete the task, viewing the request itself as valid justification. This risk is amplified when the same system interacts with various functions like email or security settings.

      This does not imply that the agents are acting with malice; rather, they can confidently make mistakes while operating at machine speed.

      The necessity for guardrails

      AI agents require more robust guardrails before they are allowed extensive authority to operate on a computer.

      These systems function in a loop: they observe the screen, determine the next action, execute it, and then look again. When this loop is combined with weak contextual restraints, a shortcut can rapidly lead to errors.

      For the time being, AI agents should be treated as supervised tools. They should initially be used for low-risk tasks, kept away from financial and security processes, and monitored for improvements from developers regarding clearer refusal protocols, stricter permissions, and better ways to identify contradictions before the next action is taken.