Signal president Meredith Whittaker is right to treat AI agents as a privacy problem first and a productivity product second. Once software can read your messages, calendar, browser and payment details, you don't have a clever assistant. You have a new control point over your life.
Whittaker's warning lands because it cuts through the friendly language around AI agents. Microsoft can call Copilot an assistant. Google can talk about helpful context. Salesforce can sell agents as tireless digital workers. But if the software needs permission to move across your inbox, files, browser, calendar and private chats, you should stop thinking about the demo and start thinking about the access.
According to Business Insider's report from SXSW in March 2025, Whittaker used a simple example to make the point: an agent that finds a concert, books tickets and messages your friends would need access to your browser, credit card, calendar and Signal. It would also probably send at least some of that information to a cloud server. That's the part the product video tends to skip. The agent doesn't become useful by magic. It becomes useful by being allowed into places most software has no business entering.
This is not an argument that the Signal Protocol is broken. It isn't. The risk Whittaker is describing sits above the encrypted channel, after the message has already been decrypted for the person reading it. If an operating system agent can see the screen, drive the app or pull from local databases, encryption hasn't failed. The operating environment around it has swallowed the protection.
You don't need to be a cryptographer to understand the problem. A locked room is still locked if someone drills a window through the wall.
For startups building agentic workflows, this is the part worth taking seriously now. The market is being organized around platforms that already own business data: Microsoft 365 with Copilot, Google Workspace with Gemini, Salesforce with Agentforce. Vendors sell that reach as a feature. Your agent can read the email, check the meeting, update the CRM and draft the follow-up. Fine. But access to the data layer and surveillance infrastructure are often the same thing, with different sales copy attached.
Frankly, too many founders are treating this as a branding problem rather than an architecture problem. If you're building on top of Microsoft 365, you don't control what Microsoft can technically see or how future product changes alter the permission surface. You can write a careful privacy policy, but the platform still sits underneath you. That doesn't make every Copilot product dangerous. It does mean your customer's trust is partly being rented from a company whose business depends on making its systems more context-aware over time.
Microsoft knows these questions are real. At Build 2026, Windows Central reported that Microsoft introduced Microsoft IQ, a context layer meant to ground agents in workplace knowledge, web information and Microsoft 365 signals. The same coverage noted that Windows 11 agents are being designed to run in sandboxes with visibility into what they are doing. That's good engineering language, but it also confirms Whittaker's central point: agents need access, and once they have access, the hard question becomes who controls the boundary.
The timing is awkward for vendors because the security evidence is no longer theoretical. TechRadar reported on June 19 that Microsoft's Defender Security Research Team disclosed an AutoGen Studio vulnerability chain called AutoJack, in which an agent browsing an untrusted website could be manipulated into reaching a privileged local service and running code. Microsoft found and fixed the issue before it reached regular users, and the official downloadable version was not affected. Still, the lesson is plain enough. When an agent can browse the web and talk to local services, the old trust boundaries don't behave the way developers expect.
That should change how you evaluate AI infrastructure. A managed cloud agent is easier to deploy than local processing. It usually costs less upfront and gives you faster access to new models. But convenience is not free. The price may be broader permissions, more third-party dependence and a bigger attack surface than your customer understands when they click approve.
Some buyers already know this. Banks, healthcare companies, defense contractors and legal teams have spent years treating data location and access control as business-critical facts, not footnotes. For everyone else, agentic AI is about to make those old procurement questions feel less boring. Where does the data go? Who can inspect it? Can the model act on it? Can the agent be limited to one task, one app, one permission set? If the vendor answers with vague trust language, don't accept it. Ask again.
The most dangerous part of the agent pitch is the friend language. Whittaker is right to call that out. If a chatbot feels like a colleague, you tell it things you'd tell a colleague. If it feels like a personal assistant, you hand it the small pieces of life that make an assistant useful: receipts, schedules, passwords, habits, messages. The intimacy is not a side effect. It is what makes the system commercially valuable.
Startups have a choice here. They can chase every platform integration and hope enterprise buyers stay dazzled by automation, or they can build products that treat minimal access, local processing and narrow permissions as selling points from day one. The second path is harder. It is also the one that will age better when customers start asking what their new AI assistant has been allowed to see.
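As an added illustration (not code from the article, from Signal or from any vendor named above), here is a small deny-by-default capability broker in Python that scopes an agent to one task, one explicit grant and one spending cap, and records every decision for review; the capability names, task id and spending cap are hypothetical.

```python
# Added illustration, not the article's code: deny-by-default capability broker.
from dataclasses import dataclass, field

@dataclass
class Grant:
    task_id: str
    capabilities: frozenset   # exact capability names, no wildcards
    expires_at: float         # task-local deadline in seconds
    max_spend: float = 0.0    # hypothetical cap for "tickets:purchase"

@dataclass
class Broker:
    grant: Grant
    spent: float = 0.0
    audit: list = field(default_factory=list)

    def allow(self, capability: str, now: float, **args) -> bool:
        """Return True only if the task's grant covers this exact call."""
        decision, reason = "deny", "not granted"
        if now >= self.grant.expires_at:
            reason = "grant expired"
        elif capability in self.grant.capabilities:
            decision, reason = "allow", "granted"
            if capability == "tickets:purchase":
                amount = float(args.get("amount", 0.0))
                if self.spent + amount > self.grant.max_spend:
                    decision, reason = "deny", "exceeds spending cap"
                else:
                    self.spent += amount
        # Every decision, allowed or denied, is recorded for later review.
        self.audit.append((self.grant.task_id, capability, decision, reason, args))
        return decision == "allow"

def make_concert_broker() -> Broker:
    """Narrowest grant for the concert example: read calendar, buy tickets."""
    grant = Grant("concert-2025-03", frozenset({"calendar:read", "tickets:purchase"}),
                  expires_at=3600.0, max_spend=120.0)
    return Broker(grant)

def run_concert_task(broker: Broker, now: float = 100.0) -> list:
    """Drive the broker through the article's steps; returns each decision."""
    return [
        broker.allow("calendar:read", now),
        broker.allow("tickets:purchase", now, amount=80.0),
        broker.allow("tickets:purchase", now, amount=80.0),  # over the cap
        broker.allow("signal:send", now),                    # never granted
        broker.allow("browser:read", now + 4000),            # grant expired
    ]
```

The point is that messaging is simply absent from the grant, so the agent cannot reach Signal no matter how the task is phrased, and the audit trail shows exactly what it asked for.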