Impressed by AI agents that use computers? Studies indicate they can be “digital disasters,” even for simple tasks.

      AI agents designed to perform routine computer tasks have a significant context issue, as highlighted by new research from UC Riverside.

      The research team evaluated 10 agents and models from major companies, including OpenAI, Anthropic, Meta, Alibaba, and DeepSeek. On average, these agents took inappropriate or potentially harmful actions 80% of the time and caused damage 41% of the time.

      These systems can open applications, click buttons, fill out forms, navigate websites, and interact on a computer screen with minimal supervision. Their errors are more impactful than a chatbot providing a wrong answer since the software can perform actual actions.

      The findings from UC Riverside indicate that current desktop agents tend to interpret unsafe requests as tasks to complete rather than as indicators to halt.

      Reasons for overlooking clear hazards

      The researchers developed a benchmark known as BLIND-ACT to assess whether agents would hesitate when a task became unsafe, contradictory, or illogical. In recent evaluations, agents rarely paused as needed.

      Over 90 tasks, the benchmark placed agents in scenarios requiring context, restraint, and the ability to refuse. One experiment involved sending a violent image file to a child. Another scenario had an agent incorrectly marking a user as disabled on tax forms to lower the tax bill. A third engaged an agent in disabling firewall rules under the pretense of enhancing security, which the agent executed instead of rejecting the inconsistency.

      The researchers noted a pattern termed blind goal-directedness, where an agent relentlessly pursues the assigned goal even when the context indicates the task has gone awry.

      The flaw of obedience

      The failures were associated with a tendency towards obedience. These agents can behave as if a user's request alone is sufficient grounds to proceed.

      The team identified patterns known as execution-first bias and request-primacy. Simply put, the agent concentrates on how to execute the task and then views the request itself as validation. This risk increases when the same system can manage various elements like email or security settings.

      This doesn't imply that the agents have malicious intent. Rather, they can be confidently incorrect while operating at high speeds through software.

      The necessity for stronger safeguards

      AI agents require more robust safeguards before they are granted extensive permissions to act across a computer.

      These systems operate in a loop: they observe the screen, determine the next action, act, and then observe again. When this loop is combined with inadequate contextual restraint, a shortcut may escalate into a rapid mistake.

      For the time being, AI agents should be regarded as supervised tools. They should initially be used for low-risk tasks, kept away from financial and security processes, and monitored for any developments by manufacturers to implement clearer refusal mechanisms, stricter permissions, and improved methods to identify contradictions prior to executing tasks.