I Don’t Like Agents. Windows Does
We keep debating whether people want agents. Microsoft may be rebuilding the operating system around the assumption that they are coming anyway
I don’t like agents.
There. I said it.
Maybe I dislike the word more than the idea.
“Agent” has become one of those technology terms that expands until it means almost nothing.
A chatbot calls an API.
Agent.
A workflow executes three steps.
Agent.
A script retrieves a document, summarizes it, and sends an email.
Agent.
A software company adds a prompt box to its product and suddenly announces that it has hired a digital workforce.
Somewhere along the way, software stopped being software and started asking for a job title.
I find most of this exhausting.
I am not particularly interested in a future where every application introduces me to a cheerful synthetic employee with a name, a personality, and a request for permanent access to my calendar.
But lately, I have started wondering whether my objection is aimed at the wrong layer.
Because while the industry is arguing about whether people want agents, Microsoft appears to be preparing Windows for a world in which the question may already have been answered.
Not by consumers.
By architecture.
The hypothesis: Windows is becoming an operating system for agents.
Not Windows with an agent added to it.
Not Copilot sitting in a sidebar.
Not another AI button bolted onto the taskbar.
Something more fundamental.
A machine designed around the assumption that humans will increasingly express intent—
and software actors will increasingly carry it out.
That is a very different future.
And, strangely enough, a ridiculous Windows storage bug is what sent me down this rabbit hole.
The 500GB Permission Slip
Emma Roth at The Verge recently reported on a Windows 11 issue involving a file with the exceptionally glamorous name:
CapabilityAccessManager.db-wal
The file is associated with Windows capability and permission management.
Under the reported bug conditions, it could grow dramatically. Reports described systems losing tens of gigabytes of storage, with one widely cited case approaching 500GB.
Microsoft issued a fix for the excessive disk usage.
At first glance, this is just a funny operating-system bug.
A permissions database eating half a terabyte of storage practically writes its own joke.
But the name of the component stuck with me.
Capability Access Manager.
Because the further computing moves toward software acting on our behalf, the more central that class of infrastructure becomes.
To be clear: the bug itself does not prove anything about Microsoft’s agent strategy.
Windows has mediated access to cameras, microphones, files, location data, and other protected resources for years.
This database was not secretly created for an incoming army of AI workers.
But the incident points toward a much larger architectural problem.
In a world of agentic software, the machine must answer questions that are considerably harder than:
Can this user access this resource?
It must begin answering questions like:
Who is requesting this action?
Is the requester a human, application, service, or agent?
On whose behalf is it operating?
What task was it authorized to perform?
Which tools may it use?
What data may it inspect?
What actions may it take?
How long does that authority last?
Can its work be reconstructed afterward?
This is not primarily a model problem.
It is an operating-system problem.
And I increasingly suspect Windows is being positioned to solve it.
We Still Think in Applications
Most of us still carry a mental model of computing inherited from the graphical desktop.
You sit down at a machine.
You open an application.
You perform an action.
The application requests resources from the operating system.
The operating system mediates access.
The user remains the primary actor.
The application remains the primary unit of work.
This model has been remarkably durable.
The windows changed.
The icons improved.
The applications moved from local disks to browsers and clouds.
But the relationship remained recognizable.
Human chooses application.
Human operates application.
Application requests resources.
Operating system arbitrates.
Agentic computing threatens to rearrange that sequence.
The emerging interaction model looks more like this:
Human Intent → Agent → Tools → Data → Applications → Operating-System Policy
That may look like a minor abstraction.
I don’t think it is.
The user is no longer necessarily deciding which application performs each step.
The user may instead describe an outcome.
Find the files.
Compare them.
Extract the changes.
Update the report.
Schedule the meeting.
Notify the participants.
File the output.
The software actor determines how to accomplish the task.
It discovers available tools.
It retrieves context.
It requests access.
It invokes applications.
It writes files.
It takes actions.
Then it returns with a result.
At that point, the operating system is no longer merely managing applications.
It is mediating something much more consequential:
Delegated intention.
The human remains the source of authority.
The human is no longer necessarily the immediate actor performing each operation.
The machine needs a way to represent the gap between those two things.
That gap may be where the next operating-system battle is forming.
The Most Important AI Feature May Be Identity
Microsoft has publicly described several pieces of Windows infrastructure that are much more interesting to me than another assistant window.
Native Model Context Protocol support.
An on-device registry for agent-accessible connectors.
Connections into resources such as File Explorer and System Settings.
Separate identities for agents.
Agent Workspace environments intended to provide software actors with a contained and auditable place to operate.
Strip away the AI language and read that list again.
Identity.
Workspace.
Permissions.
Tools.
Discovery.
Containment.
Policy.
Audit.
That does not sound like a chatbot.
It sounds like the early shape of a new execution principal.
Traditional systems already contain multiple classes of actors:
Users.
Applications.
Processes.
Services.
Containers.
Virtual machines.
Service accounts.
The agent may become another one.
Not exactly a user.
Not exactly an application.
Not exactly a service.
A software actor operating under delegated authority.
That creates an authorization problem that enterprise security has not fully solved.
Today, we might ask:
Can Stephen access this file?
The agentic version becomes something closer to:
Can this specific agent, acting for Stephen, during this specific task, using this approved connector, access this file, extract this field, pass that field to another permitted tool, and retain the result for this amount of time?
The difference is context.
Identity answers:
Who?
Agentic authorization also needs to answer:
Why?
For what purpose?
Through which path?
Within what scope?
Under what conditions?
A login cannot express all of that.
An access-control list cannot express all of that.
And many policy systems were never designed for this degree of temporary, contextual delegation.
This is where the agent conversation becomes much more serious than the demos suggest.
Intelligence Is Not the Hardest Problem
The central contradiction of agentic computing is simple.
We are connecting probabilistic systems to deterministic consequences.
The model may interpret.
The model may infer.
The model may choose.
But the tools it controls are real.
The file is deleted or it isn’t.
The message is sent or it isn’t.
The security setting changes or it doesn’t.
The credential is exposed or it isn’t.
The transaction happens or it doesn’t.
The model operates in probability.
The world it acts upon does not.
That means the model itself cannot be the final trust boundary.
A language model can recommend an action.
It can propose a plan.
It can select a tool.
But the system around it must decide what is actually permitted to become real.
This is why I keep returning to a principle that I think will define serious enterprise AI systems:
The future of enterprise AI is not making the model deterministic. It is making everything around it intentional.
Identity must be intentional.
Policy must be intentional.
Capability exposure must be intentional.
Consent must be intentional.
Data boundaries must be intentional.
Containment must be intentional.
Verification must be intentional.
Audit must be intentional.
Recovery must be intentional.
The model can remain nondeterministic.
The architecture around it cannot afford to be accidental.
Everyone is talking about intelligence.
The harder problem may be authority.
Windows Does Not Need to Own Every Agent
There is an easy interpretation of Microsoft’s strategy:
Microsoft wants Copilot everywhere.
That may be true at the product level.
But I think there is a more interesting possibility beneath it.
Windows does not need to own every agent.
It does not need every model to be a Microsoft model.
It does not need every agent to carry the Copilot brand.
It only needs Windows to become the environment where agents are:
Discovered.
Identified.
Authorized.
Contained.
Observed.
Audited.
And, when necessary—
stopped.
That is a far more powerful position.
The model layer is already intensely competitive.
Models improve.
Open models advance.
Cloud providers compete.
Inference moves between cloud and edge.
Application developers change providers.
The operating system owns something far more difficult to displace:
The files.
The devices.
The applications.
The credentials.
The hardware.
The user session.
The security controls.
The enterprise policy.
The recovery environment.
The relationship between digital intention and physical machine state.
That is an extraordinary position from which to govern software action.
The real AI platform war may therefore look very different from the one we currently imagine.
We keep asking:
Who has the smartest model?
The more important question may be:
Who controls the boundary between model output and real-world execution?
We May Be Watching the Application Model Break Apart
There is another possibility worth considering.
Agents may not survive as a visible product category.
The word itself may fade.
The cartoon assistants may disappear.
The glowing icons may become embarrassing artifacts of this particular moment in technology.
But the architecture could remain.
We may simply become accustomed to asking machines to accomplish outcomes.
The machinery underneath will interpret the request, construct a plan, select tools, request authority, execute permitted operations, and return the result.
At that point, saying:
I don’t like agents.
may sound a little like saying:
I don’t like processes.
Or:
I don’t like APIs.
Not because those technologies are inherently good.
But because they became foundational patterns rather than products.
That is the distinction I have been wrestling with.
I dislike many things currently being sold as agents.
I remain skeptical of exaggerated autonomy claims.
I remain skeptical of systems that accumulate broad permissions.
I remain deeply skeptical of probabilistic systems acting without appropriate containment, validation, and recovery.
But those are architectural objections.
They are not necessarily objections to delegated software action itself.
And the architecture Microsoft is describing suggests that distinction matters.
The Permission Layer Becomes the Product
Return for a moment to that absurdly large Windows permissions file.
Again, the bug proves nothing about AI agents.
But symbolically, it is almost too perfect.
A database governing capability access quietly expands until it consumes the machine.
That sounds like an accident.
It may also be an accidental metaphor for the next era of computing.
As software actors gain access to more tools, more data, and more actions, permissioning is no longer a side feature.
It becomes core infrastructure.
So does identity.
So does context.
So does provenance.
So does audit.
So does recovery.
The more capable the agent becomes, the more valuable the surrounding control plane becomes.
This is why I think much of the market is looking in the wrong direction.
The AI conversation remains obsessed with the model.
How smart is it?
How fast is it?
How many tokens can it process?
Which benchmark did it beat?
Those are legitimate questions.
But once systems begin acting, intelligence alone is not enough.
An intelligent system without deliberate boundaries is not an enterprise architecture. It is a risk event waiting for a timestamp.
I Still Don’t Like Agents
Mostly.
I dislike the marketing.
I dislike the anthropomorphism.
I dislike the idea that autonomy itself is automatically valuable.
I dislike systems asking for broad permissions and vague trust.
I dislike the assumption that every human workflow improves when replaced by a synthetic subordinate.
But I am starting to think those objections may become increasingly irrelevant to the deeper platform shift.
The useful question is no longer:
Do I like agents?
The useful question is:
What happens when the operating system assumes software actors will routinely act on our behalf?
Because that appears to be the more consequential transition.
Not another chatbot.
Not another sidebar.
Not another animated icon waiting to summarize a meeting.
A different operating model for the machine.
One in which humans express intent.
Software actors receive constrained authority.
Tools become discoverable.
Identity separates human action from delegated action.
Policy mediates execution.
The operating system becomes the trust broker.
And every consequential action occurs inside a boundary someone had better have designed deliberately.
I still don’t like agents.
But I am beginning to suspect that Windows does.
And that may matter far more than my opinion.



