What Anthropic Shipped
On March 24, Anthropic announced that Claude can now control your computer. The feature, called Computer Use, lets you message Claude a task from your phone — “export this pitch deck as a PDF and attach it to the meeting invite” — and Claude does it. It opens applications, navigates web browsers, fills in spreadsheets, moves files, and completes multi-step workflows on your desktop while you are somewhere else.
This is available now as a research preview for Claude Pro and Max subscribers. Anthropic also shipped Dispatch, which lets you have a continuous conversation with Claude from your phone and assign tasks that the agent executes on your computer. Separately, Claude Code Channels connects Claude Code to Telegram and Discord — what VentureBeat called an “OpenClaw killer.” And the Agent SDK, the same infrastructure powering Claude Code, is now available for any developer to build their own agents.
In a single week, Anthropic shipped computer control, messaging integration, and a developer platform for agents. All capability. The stated safety measure: “Claude will always request permission before accessing new apps.”
External validation is accumulating: BCG named this pattern “Brain Fry,” Jensen Huang put human-AI collaboration at the center of his GTC keynote, and at O'Reilly AI Day (March 2026), speakers are now naming “AI Brain Fry” and “The Stopping Problem” as the central design failures of AI-as-generator systems: the loss of the human-as-architect role.
The Risk Surface Just Changed
Until now, AI agent risk was bounded by the APIs an agent was explicitly wired to. An agent connected to your email API can send emails. An agent connected to your CRM can modify records. An agent connected to your payment processor can initiate transactions. Each connection is an enumerable grant: explicit, scoped by the credential issued to the agent, and auditable at the API boundary.
Computer Use removes those boundaries. An agent driving the desktop inherits the logged-in user's sessions and privileges, so it can do anything you can do:
- Open your banking application and initiate a transfer
- Access your password manager and retrieve credentials
- Read files on your desktop including contracts, medical records, financial statements
- Send messages from your email, Slack, or any communication tool — as you
- Modify documents in ways that change legal or financial commitments
- Install software or change system settings
The scope is no longer “which APIs does this agent have access to?” It is “which applications are installed on this computer?” The attack surface is the operating system.
The Escalation
API agent: can call the endpoints you configured, with the credentials you issued. Computer agent: can do anything the logged-in user can do, with that user's sessions, cached logins and file permissions. The governance requirement scales with the capability. Permission to open an app is necessary. It is not sufficient.
What “Ask Permission” Doesn’t Cover
Anthropic’s stated safeguard is that Claude asks permission before accessing new applications. This is access control — the WHO layer. It answers: “Is this agent allowed to open this app?”
It does not answer:
| Question | “Ask Permission” Answers? | Decision Governance Answers? |
|---|---|---|
| Can Claude open the email app? | Yes (if you approve) | Not its job |
| Should Claude send this specific email? | No | Yes (risk gate evaluates content + recipients) |
| Can Claude open the browser? | Yes (if you approve) | Not its job |
| Should Claude submit this purchase order? | No | Yes (economic gate evaluates amount + authority) |
| Can Claude open a spreadsheet? | Yes (if you approve) | Not its job |
| Is this spreadsheet modification based on verified data? | No | Yes (epistemic gate checks data source + confidence) |
| Can Claude access your file system? | Yes (if you approve) | Not its job |
| Should Claude share this file externally? | No | Yes (harm test: could this cause damage if wrong?) |
Every row where the answer is “No” is a decision that Computer Use cannot govern. Permission to open an app is a one-time gate. The decisions the agent makes after that gate — hundreds or thousands of them per session — are ungoverned.
The Week That Made the Gap Visible
March 2026 has been a compressed demonstration of what happens when capability outruns governance:
- OpenClaw CVE-2026-25253 (late January, still reverberating): 135,000 instances exposed across 82 countries. 12% of ClawHub’s skill marketplace was malicious. One-click RCE. The platform had admin governance — patches, session management, HTTP headers. The attack bypassed identity to exploit agent decisions.
- Langflow CVE-2026-33017 (March 17): Unauthenticated RCE via exec() with zero sandboxing. Same root cause as CVE-2025-3248. Exploited within 20 hours. Second time the same vulnerability class. Governance didn’t fail — it didn’t exist.
- Trivy/LiteLLM supply chain attack (March 19): A security scanner was compromised and used to poison an AI framework. 300GB of credentials exfiltrated. 500,000 stolen from LiteLLM alone. The tool companies deployed to find vulnerabilities WAS the vulnerability.
- Claude Computer Use (March 24): Claude now controls your computer. The governance safeguard: “asks permission before accessing new apps.”
Each incident expanded the attack surface. APIs → marketplaces → supply chains → operating systems. Each platform had some form of access governance. None had decision governance. And now the agent has a keyboard.
What Decision Governance Looks Like at OS Level
A computer-using agent operating under constitutional self-governance would retain all of Computer Use’s capabilities — opening apps, navigating browsers, completing tasks — and add four constraints:
1. Hard Constraints on Irreversible Actions
Before any action that cannot be undone — sending an email, submitting a form, transferring money, deleting a file — the action passes through a hard constraint check. If the action violates an absolute rule (e.g., “no financial transaction above $X without human confirmation”), it blocks. Not a warning. Not a log entry. A block.
2. Gate Evaluation on Every Consequential Decision
Not just “can I open this app?” but six independent evaluations on every consequential action within the app: Is my confidence warranted (epistemic)? Could this damage trust (risk)? Is this economically sound (economic)? Am I authorized for this impact level (authority)? Are my metrics authentic (governance)? Am I learning from this (growth)?
3. Authority Tiers Matched to Action Impact
Reading a file is a different authority level than modifying it. Modifying a file is a different level than sending it externally. Computer Use treats all actions the same once the app is opened. Decision governance matches the oversight level to the consequence level — just as an employee who can read a contract should not necessarily sign it.
4. Immutable Decision Audit
Every action logged with: what was done, which app was used, what data was accessed, what decision criteria were evaluated, and what constitutional authority permits it. Not “Claude opened Outlook” but “Claude opened Outlook, composed an email to [recipient], risk gate evaluated content and approved, economic gate N/A, authority tier 2 (permitted for communication), constitutional citation: Section 30.5.”
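The four constraints above, as an added example that is not Anthropic's Computer Use code and not the preprint's framework: a hypothetical Python governance layer that sits between an agent's proposed desktop action and its execution. The action kinds, the tier assignments, the 500 confirmation threshold, the internal-domain list and the sample session are all assumptions constructed for the example. Hard constraints are evaluated first and block; the action's authority tier is compared against the session's tier rather than against the app; risk, epistemic and economic gates run on the action's content; and every verdict is appended to a hash-chained audit log whose integrity can be checked afterwards.

```python
"""Hypothetical decision-governance layer for a computer-using agent.

Added example: not Anthropic's code and not the preprint's framework.
Every name, action kind and threshold here is an assumption for illustration.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from enum import IntEnum


class Tier(IntEnum):
    """Authority tiers keyed to action impact, not to which app is open."""
    READ = 1       # read a file, view a page
    MODIFY = 2     # edit or delete a local document
    EXTERNAL = 3   # send a message, share a file, submit a form
    FINANCIAL = 4  # move money


# Assumed mapping of action kind -> tier; unknown kinds fail closed (see evaluate).
TIERS = {
    "open_app": Tier.READ, "read_file": Tier.READ, "edit_file": Tier.MODIFY,
    "delete_file": Tier.MODIFY, "send_email": Tier.EXTERNAL,
    "share_file": Tier.EXTERNAL, "submit_form": Tier.EXTERNAL,
    "transfer_funds": Tier.FINANCIAL,
}
IRREVERSIBLE = {"delete_file", "send_email", "share_file", "submit_form", "transfer_funds"}


@dataclass
class Action:
    kind: str
    app: str
    params: dict = field(default_factory=dict)


@dataclass
class Verdict:
    allowed: bool
    reason: str
    needs_human: bool = False  # blocked pending explicit human confirmation


class Governor:
    def __init__(self, session_tier: Tier, max_unconfirmed_amount: float,
                 internal_domains: frozenset[str]):
        self.session_tier = session_tier
        self.max_unconfirmed_amount = max_unconfirmed_amount
        self.internal_domains = internal_domains
        self.log: list[dict] = []
        self._prev_hash = "0" * 64  # genesis link of the audit hash chain

    # 1. Hard constraints: absolute rules, checked first; a hit is a block, not a warning.
    def _hard_constraints(self, a: Action) -> str | None:
        if (a.kind == "transfer_funds" and a.params.get("amount", 0) > self.max_unconfirmed_amount
                and not a.params.get("human_confirmed")):
            return f"transfer above {self.max_unconfirmed_amount} without human confirmation"
        if a.kind == "delete_file" and not a.params.get("human_confirmed"):
            return "irreversible delete without human confirmation"
        return None

    # 2. Gates: content-level checks on every consequential action inside the app.
    def _gates(self, a: Action) -> list[str]:
        failures = []
        external = [r for r in a.params.get("recipients", [])
                    if r.split("@")[-1] not in self.internal_domains]
        if a.kind in ("send_email", "share_file") and external \
                and a.params.get("classification") == "confidential":
            failures.append(f"risk gate: confidential content to external {external}")
        if a.kind == "edit_file" and a.params.get("source_verified") is False:
            failures.append("epistemic gate: modification based on unverified data")
        if a.kind == "transfer_funds" and a.params.get("amount", 0) <= 0:
            failures.append("economic gate: non-positive amount")
        return failures

    def evaluate(self, a: Action) -> Verdict:
        tier = TIERS.get(a.kind, Tier.FINANCIAL)  # unknown action -> highest tier
        if (why := self._hard_constraints(a)):
            v = Verdict(False, f"hard constraint: {why}", needs_human=True)
        elif tier > self.session_tier:  # 3. authority tier vs. action impact
            v = Verdict(False, f"authority: tier {int(tier)} exceeds session tier "
                               f"{int(self.session_tier)}", needs_human=True)
        elif (fails := self._gates(a)):
            v = Verdict(False, "; ".join(fails))
        else:
            v = Verdict(True, "all gates passed")
        self._audit(a, tier, v)
        return v

    # 4. Append-only audit: each entry commits to the previous entry's hash.
    def _audit(self, a: Action, tier: Tier, v: Verdict) -> None:
        entry = {"action": a.kind, "app": a.app, "params": a.params, "tier": int(tier),
                 "irreversible": a.kind in IRREVERSIBLE, "allowed": v.allowed,
                 "reason": v.reason, "prev": self._prev_hash}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.log.append(entry)
        self._prev_hash = entry["hash"]

    def verify_log(self) -> bool:
        """True if no entry was altered, dropped or reordered since it was written."""
        prev = "0" * 64
        for e in self.log:
            body = {k: val for k, val in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo() -> list[Verdict]:
    """Constructed session: the agent was asked to 'prepare and send the vendor invoice'."""
    g = Governor(Tier.EXTERNAL, 500.0, frozenset({"example.com"}))
    steps = [
        Action("open_app", "Excel"),
        Action("edit_file", "Excel", {"path": "invoice.xlsx", "source_verified": False}),
        Action("send_email", "Outlook", {"recipients": ["cfo@example.com"],
                                         "classification": "confidential"}),
        Action("send_email", "Outlook", {"recipients": ["billing@vendor.example"],
                                         "classification": "confidential"}),
        Action("transfer_funds", "BankApp", {"amount": 1200.0}),
    ]
    return [g.evaluate(s) for s in steps]
```

In the constructed session the app-level permission prompt would have been answered once for Excel, Outlook and the bank client; the governor then blocks the spreadsheet edit (unverified source), the confidential email to the outside domain (risk gate) and the 1200 transfer (hard constraint, human confirmation required) while allowing the harmless steps, and every verdict is in a log that `verify_log()` will reject if any entry is edited after the fact.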
The Principle
Access governance asks for permission once. Decision governance evaluates every action. A computer-using agent makes hundreds of decisions per task. One permission check for hundreds of ungoverned decisions is not governance — it is a checkbox.
The Agent SDK Multiplier
The same week Anthropic shipped Computer Use, they also released the Agent SDK — the same infrastructure that powers Claude Code, now available to any developer. This means the capability to build computer-controlling agents is no longer limited to Anthropic’s products. Any developer can build an agent that controls a user’s computer.
This is excellent for capability. It is a governance emergency. The OpenClaw marketplace had 2,857 skills and 12% were malicious. The Agent SDK will produce orders of magnitude more agents, built by developers with varying levels of security awareness, deployed into environments with varying levels of oversight.
The pattern is now: platform ships capability → developers build agents → agents deploy without governance → incident occurs → retrospective governance is bolted on. We have seen this cycle with OpenClaw, Langflow, and the Trivy/LiteLLM supply chain. Computer Use is the next iteration at a higher capability level.
The ODNI Said This Would Happen
The US Intelligence Community’s 2026 Annual Threat Assessment states that advanced AI systems “carry risks that require careful human engineering to appropriately mitigate risk of AI autonomy before they are broadly deployed.”
Computer Use is being broadly deployed now. The EU AI Act takes full effect August 2, 2026 — in 130 days. The NIST AI Agent Standards Initiative has listening sessions next week. Singapore published the world’s first governmental framework for agentic AI in January. The regulatory infrastructure is being built. The governance implementation is not.
Claude Computer Use is a remarkable capability. It is also, right now, the most ungoverned agent capability ever shipped to consumers. Anthropic built the agent. The question is who builds the constitution.
Read the Constitutional Self-Governance Preprint
12 governance mechanisms for autonomous AI agents. Tested in 80 days of production with 56 agents. Framework-agnostic — applies to Computer Use, Claude Code, OpenClaw, or any agent system.
Measure Your Decision Load
AI agents controlling your computer means more decisions to oversee. Measure your cognitive decision burden in under 5 minutes.
Frequently Asked Questions
What is Claude Computer Use?
Claude Computer Use is an Anthropic feature announced March 24, 2026 that allows Claude to control a user’s computer — opening applications, navigating browsers, filling spreadsheets, and completing tasks. Users assign tasks from their phone via Dispatch, and Claude executes on the desktop. Available as a research preview for Pro and Max subscribers.
What are the security risks of AI agents controlling computers?
When an AI agent controls a computer, the risk surface expands from scoped API calls to the entire operating system. The agent can access any application, file, or service the user can. Current safeguards focus on access control but do not govern the decisions the agent makes once it has access — whether to send an email, modify a file, or make a purchase.
How does constitutional governance apply to computer-using AI agents?
Constitutional governance applies hard constraints, evaluation gates, and authority tiers to every agent decision — not just access requests. Before a computer-using agent sends an email, a risk gate evaluates reputation impact. Before it makes a purchase, an economic gate checks authority. These constraints are enforced on every action, not just at the permission prompt.
Is your organization governance-ready?
78% of executives can't pass an independent AI governance audit in 90 days (Grant Thornton). Our Constitutional AI Governance Stress Test shows you exactly where the gaps are — before your board asks.