OSWorld is a benchmark for computer use agents: real operating system tasks, real GUIs, no scaffolding. Submit a form, drag a file, navigate a settings panel, compose and send an email. Tasks that any competent human completes in under two minutes.
Eighteen months ago, the best agents scored below 15%. Last week, three models crossed 70%: GPT-5.4 at 75.0%, Claude Opus 4.6 at 72.7%, Claude Sonnet 4.6 at 72.5%. The human baseline on OSWorld is 72.4%.
Agents now match humans at using computers.
That number is not interesting because it’s large. It’s interesting because of what it crosses — and because every governance framework currently in existence treats GUI actions and API calls as equivalent. They are not.
What 72.5% Means in Practice
Below roughly 20%, computer use is a toy. You demo it, you marvel at it, you don’t run it unsupervised on anything that matters. The failure rate is too high to build on. Agents misclick, misread state, get stuck in loops, hallucinate UI elements. You spend more time cleaning up after the agent than doing the task yourself.
Above roughly 70%, the calculus reverses. On the Pace insurance benchmark — real desktop automation tasks against production software — Sonnet 4.6 already hits 94% accuracy. A computer use agent at this capability level can reliably:
- Navigate multi-step web workflows without an API
- Fill and submit forms with user-supplied data
- Interact with desktop applications that predate the API era
- Reconfigure system settings through control panels
- Send communications through GUI email clients and messaging apps
- Execute purchases through standard checkout flows
- Manage files and directories across any OS
This is not a marginal improvement on a research benchmark. It’s the transition from “occasionally useful experiment” to “deployable in production workflows.” The tasks it can now reliably execute are the tasks that matter: the ones with real-world side effects.
The speed of this transition matters too. Sonnet went from 14.9% to 72.5% in sixteen months. Capability curves compress at the top. The gap between 72.5% and 95% closes faster than the gap from 15% to 72.5%.
Blast Radius Taxonomy
When you design an API-integrated agent, you have coarse-grained but legible control over blast radius. OAuth scopes give you read vs. write. Rate limits constrain volume. Endpoints are enumerable — you can reason about what the worst-case action looks like.
GUI actions collapse this taxonomy completely.
Here’s the practical breakdown:
Read — Navigate to a page, read displayed content, inspect file listings. Low stakes. Reversible by doing nothing.
Reversible write — Create a draft, save a local file, populate a form field. High reversal cost if the agent has gone far down a workflow, but technically undoable.
Irreversible write — Submit a form, send an email, delete a file, publish a post, confirm a two-factor prompt. These cannot be undone by the agent. Some can be undone by a human with access and time. Some cannot be undone at all.
Financial — Submit a payment, confirm a purchase, initiate a wire, execute a trade. These have immediate monetary consequences and limited (often zero) recoverability windows.
The problem with GUI agents is that a single click event can move across any of these categories depending on what element is under the cursor. A form that looks like a draft-save might be a final submission. A “confirm” button might complete a purchase. The agent cannot know from visual inspection alone, and the classification is not surfaced in any structured way that a governance layer can intercept.
OAuth scopes protect you from API agents going out of bounds. Nothing protects you from a GUI agent that can click any button on any screen.
The Governance Blind Spot
Two governance frameworks have emerged in 2026: Singapore’s Model Governance Framework for Agentic AI (January) and NIST’s AI Agent Standards Initiative (February). The EU AI Act becomes fully enforceable August 2. These are serious efforts — NIST specifies least privilege, diminishing delegation, and immutable action logging with cross-agent trace IDs.
But none of them distinguish GUI agents from API agents. They treat all autonomous agent actions equivalently.
This is a fundamental gap. API calls are structured, enumerable, and auditable by default. GUI actions are unstructured, context-dependent, and auditable only if you build the audit layer. An API agent that sends an email goes through a documented endpoint with known parameters. A GUI agent that sends an email clicks a button on a screen — and the same click action could have been a form submission, a payment confirmation, or a file deletion depending on what was rendered.
The failure modes are categorically different. The governance should be too.
Meanwhile, real-world incidents demonstrate the stakes. McKinsey’s internal AI platform was compromised in under two hours during a red-team exercise, exposing 46.5 million chat messages. Amazon experienced prolonged outages from AI coding agent changes pushed directly to production. Audits of agent marketplace skills found backdoors in 8-12% of samples.
These incidents involved API-based agents with structured authorization. GUI agents don’t even have that.
What an Approval Gate Looks Like
Here is the concrete pattern that AgentLair implements for computer use workflows.
The agent is executing a vendor onboarding task. It has navigated to a supplier portal, filled in company details, uploaded the required documents. The next action is clicking “Submit Application.” This action is irreversible — the vendor receives the submission immediately.
Without a governance layer: the agent clicks Submit. The action executes. You find out when the vendor follows up.
With an approval gate:
- The agent identifies the pending action:
CLICK submit#application-formonvendor-portal.example.com. - The agent classifies the action as irreversible (form submission to external party).
- The gate intercepts before execution. It does not click.
- A human-readable authorization request is sent: “Agent is about to submit the onboarding application to Acme Supplies. Fields: [company name, address, tax ID, banking details]. Confirm?”
- The human approves, denies, or modifies.
- If approved: the action is released. The agent clicks.
- If denied: the agent receives the denial and stops or takes the specified alternative path.
- Everything is logged: the pending action, the authorization request, the human decision, the timestamp, the executing agent identity.
This is just-in-time authorization. It doesn’t require pre-enumerating every possible action. It intercepts at the moment of consequence, requests authorization for that specific action in that specific context, and gates execution on human confirmation.
The classification engine — irreversible vs. reversible — can be heuristic, LLM-based, or rule-driven. What matters is the architecture: the gate exists, actions pass through it, humans remain in the loop for the actions that can’t be undone.
This is the L4 governance layer in the agentic commerce stack. Settlement, wallets, routing, and protocol layers exist below. Application layers exist above. But governance — the layer that decides whether an action should execute — is the chokepoint. Whoever owns it captures the value.
Where This Goes
Computer use capability will continue to improve. In twelve months, the question will not be “can agents reliably use GUIs?” It will be “what are agents doing with that capability, and who is accountable?”
The governance infrastructure does not scale automatically with capability. It requires deliberate architecture. The patterns being established now — what gets intercepted, what gets logged, where humans remain mandatory — will determine the default operating model for computer use agents at production scale.
The blast radius of a capable agent is proportional to its capability. At 15%, the blast radius was small enough to ignore. At 72.5%, it is not.
An agent that can click anything, submit anything, and send anything through any GUI is not safe to deploy without a governance layer that matches its capability. The approval gate is not a feature — it’s a prerequisite.
Build it in, or build in the liability.
AgentLair provides runtime authorization infrastructure for autonomous agents. The approval gate intercepts irreversible actions before execution, requests human authorization, and logs everything. agentlair.dev