What’s changed this week—and why it matters

AWS’s new AgentCore Policy introduces natural‑language boundaries with automatic checks at the gateway level. In parallel, desktop agents that can move the mouse/keyboard are hitting 1.0, and major outlets are stress‑testing the viability of agents in real work. The upshot: capability is up, guardrails are catching up, but the blast radius is bigger on laptops than in sandboxes. citeturn0search6turn0search1turn0news12

The 7‑Step Hardening Blueprint (macOS + Windows)

1) Isolate agents with least privilege workspaces

• Create a dedicated non‑admin OS user for each agent. Do not share human accounts.
• Use separate desktops or VMs for high‑risk tasks (refunds, payouts, supplier portals).
• For Windows previews of agentic workspaces, keep features disabled until policies and auditing are in place, then enable behind MDM with a staged ring. citeturn5news12

2) Gate file system access

On Windows, turn on Controlled Folder Access (CFA) to allow only trusted apps to write to Desktop, Documents, Downloads and other critical folders. Start in Audit to see what the agent would have changed, then move to Enforce and allowlist only the agent binary. Pipe events to Defender for Endpoint for hunting. citeturn5search0turn5search1turn5search2

On macOS, use Privacy Preferences Policy Control (PPPC) profiles via MDM to explicitly allow or deny agent access to Desktop, Documents, Downloads, Accessibility, Apple Events, Screen Capture, etc. Combine with separate user accounts and Full Disk Access restrictions. citeturn4search3

3) Enforce code signing, notarization and allow‑listing

• macOS: Require Developer ID–signed and notarized binaries; enable Hardened Runtime. Gatekeeper blocks unknown software by default—don’t override prompts for agents. citeturn4search1
• Windows: Apply Windows Defender Application Control (WDAC) or Smart App Control to block unsigned/unknown code and limit script engines that agents might invoke. citeturn3search7turn3news13

4) Broker tools and network egress through policy

Route agent actions through a gateway that checks every tool invocation against written policy (who/what/where). On AWS, map sensitive actions (e.g., touching CRM, ERP, or payouts) to AgentCore Policy rules; elsewhere, implement a proxy with allow‑lists and per‑tool API tokens. Log every denied action. citeturn0search6

5) Defend against prompt‑injection and unsafe browsing

• For browsing agents, run in a sandboxed browser profile with extensions disabled and a strict domain allow‑list.
• Adopt the OWASP LLM Top 10: treat untrusted content as hostile, sanitize outputs before execution, and limit “excessive agency.” See our site’s baseline for agent browsing controls. citeturn3search2

Related: our guide “The 2026 Agent Browsing Security Baseline” details 12 controls to stop prompt injection and data exfiltration. Read the baseline.

6) Instrument agents with OpenTelemetry

Capture traces for goals, tools, retries, costs and outcomes. OpenTelemetry’s GenAI/agent observability effort is standardizing semantic conventions; meanwhile, you can emit spans for each tool call and attach cost/time attributes. eBPF‑based auto‑instrumentation can help with low‑overhead capture. citeturn6search3turn6search0

• Minimum dashboard: task success rate, human approvals, error classes (auth, network, policy), cost per task, MTTR for rollbacks.
• Correlate agent spans with application logs to speed incident response.

7) Build kill‑switches, rate limits and spending guardrails

• Throttle concurrency and tool call rates; implement per‑merchant per‑day limits for refunds/returns.
• Set daily/weekly budget caps with alerting and automatic agent pause.
• Use policy gateways to block risky actions outside business hours.

See our new “Agent FinOps” playbook for 18 tactics to cut agent costs by 30–60%. Open the playbook.

macOS vs Windows: a quick reality check

Both platforms are tightening controls—but novel risks keep surfacing. Recent disclosures around bypasses affecting Apple Intelligence underscore the need for layered defenses and rapid patching. On Windows, Microsoft is warning about cross‑prompt injection risks as agentic features evolve; keep a human‑approval step for high‑impact actions. citeturn3news12turn5news12

Compliance anchors you can point to

• NIST AI RMF 1.0 and the Generative AI Profile for risk controls across the AI lifecycle. Map your policies and audits here. citeturn3search0turn3search1
• OWASP LLM Top‑10 to document prompts, outputs, and plugin/tool controls. citeturn3search2

14‑day pilot plan: from safe sandbox to value

1. Days 1–2: Choose one back‑office workflow (e.g., RMA processing). Stand up a dedicated agent user + VM.
2. Days 3–5: Apply Steps 2–5 above (CFA/PPPC, allow‑listing, gateway policy, sandboxed browsing). Instrument with OpenTelemetry.
3. Days 6–9: Run in Audit mode (CFA/WDAC), capture traces and denied actions. Iterate allow‑lists.
4. Days 10–12: Switch to Enforce with spend caps; add human‑in‑the‑loop approvals for money‑moving actions.
5. Days 13–14: Review KPIs (cost/task, error classes, approval latency). Decide to expand, pause, or retire.

For a desktop agent pilot tailored to e‑commerce back office, see our 14‑day guide. Run the desktop pilot.

Where this is going (and how to stay safe)

Agents are getting better at tasks, but consumer shopping agents still stumble, and enterprise agents need strong governance. Keep autonomy bounded, make actions observable, and require approvals for anything that moves money or changes inventory. For purchase automation, align early with Google’s AP2 so you’re ready when agentic checkout crosses the chasm. citeturn2search7turn0search7