Claw Wave: AI Agents Move from Answers to Doing Real Work

Silicon Valley’s latest race isn’t another model size contest — it’s a sprint to give AI hands that can actually do work for you. In the past few weeks the industry has moved from “assistant” to “agent” with stunning speed: Anthropic’s Claude Cowork, Microsoft’s Copilot Tasks and Agent Workspace, Meta’s Manus-powered Agents in Telegram, Notion’s Custom Agents, and Perplexity’s Computer all signal the same strategic shift. The question now is less “can these models reason?” and more “can we safely hand them authority to act?” The movement that began with hobbyist projects like OpenClaw has crystallized into a full-blown product arms race where autonomy, integration, and governance are the new battlegrounds — and every second of delay risks being left behind. rview
The pivot from chatbots that answer to agents that execute is driven by three forces: improved model reliability, shifting product economics that favor billed execution over tokens, and a new user expectation that AI should do rather than only advise. Over the last month, major vendors have shipped or previewed products that move beyond stepwise suggestions to multi-step automation, scheduled jobs, and cross-application orchestration.

• Anthropic has extended Claude into a desktop and enterprise-capable agent called Claude Cowork, designed to act on local files and orchestrate multi-step workflows across apps.
• Microsoft pushed Copilot Tasks and desktop Agent Workspace concepts that let Copilot plan, run, and schedule work in the background using sandboxed compute and connectors across Office and third-party apps.
• Meta integrated its recent acquisition Manus into messaging with Manus Agents on Telegram, bringing agentic execution to chat.
• Notion released Custom Agents in Notion 3.3: autonomous, triggerable agents designed for enterprise workflows with integrated auditing and cross-app connectors. Notion reports thousands of agents built during beta.
• Perplexity unveiled Computer, a full-stack agent orchestration service that coordinates multiple model types and can run extended workflows for paid subscribers.

This pattern — models plus runtime plus connectors — is what pundits are calling the “Claw” or “OpenClaw” moment: AI grows a literal claw to click, type, and operate on behalf of humans. The metaphor fits: these agents are designed to move the mouse, open apps, and manipulate files programmatically — in short, to bridge the last mile between reasoning and doing. The result is a convergence of strategies: cloud-first managed agents, on-device/sandboxed agents, and open-source runtimes, all competing for the same product slot: your time.

---

Who’s Building Claws (and How They Differ)​

Anthropic: From Code to Cowork — Claude as a Desktop Co‑Worker​

Anthropic’s strategy has been to take Claude beyond Q&A and into persistent, file-aware workflows. Claude Cowork aims to be a research-preview desktop coworker that can read from and write to a designated folder, run multi-file workflows, and call external tools. The company frames Cowork as “answers → action,” emphasizing enterprise integrations and sandboxing as core safety measures. Early releases emphasize connectors to Google Workspace, Docusign, and collaboration tools, and Anthropic positions Cowork as appropriate for research previews and paid tiers.
What’s notable: Anthropic is pursuing high-fidelity integrations across standardized business apps (Excel, PowerPoint, Slack), and shipping pre-built plugins for domain functions like HR and finance. That underscores a product play focused on enterprise workflow automation rather than a consumer chat novelty.

Microsoft: Copilot Tasks, Agent Workspace and Enterprise Control​

Microsoft’s move is strategic and architectural. Copilot Tasks converts natural-language goals into scheduled, recurring, or one-off workflows executed in the background on sandboxed cloud compute. The company’s vision also includes an Agent Workspace on Windows that runs agents under separate accounts with auditable actions and revokeable permissions — an attempt to balance productivity gains with enterprise governance. Microsoft’s releases indicate agents can plan proactively, extract and synthesize information from Outlook and other Office sources, and act across web and desktop apps.
What matters for enterprises: Microsoft is packaging runtime isolation, monitoring, and near-real-time security controls into Copilot’s workflow so that organizations can route proposed agent actions through Defender or third-party XDR for approve/block decisions before execution. That’s a foundational move for corporate adoption.

Meta & Manus: Chat-First Agents with Social Reach​

Meta’s acquisition of Manus and the subsequent Manus Agents in Telegram demonstrate another vector: embedding autonomous agents into everyday social channels. Manus’ Telegram integration makes the agent accessible via QR link pairing and supports multi-step workflows in a chat interface. The focus here is ubiquity and user familiarity: put the agent where people already chat, and the barrier to agent-driven automation drops sharply. Manus touts multi-model options and the ability to orchestrate tasks like video generation, research, and file handling from a phone.
This approach is commercially powerful — but it amplifies privacy and trust questions when agents are granted powerful connectors and long-lived credentials inside messaging platforms.

Notion: Agents as Persistent, Team-Level Workers​

Notion’s Custom Agents (Notion 3.3) are a particularly clear example of productizing autonomy for enterprise teams. These are non-interactive, trigger-driven agents you set up once to handle triage, Q&A, daily standups, and more — and Notion’s launch materials claim impressive adoption metrics from beta: tens of thousands of agents built and thousands running internally. Crucially, Notion emphasizes audit logs, admin controls, and the MCP connector ecosystem — signaling an intent to make agents governable assets inside company stacks.
Notion is positioning agents as a new seat-based monetization unit: agents are billed not by words, but by work, reflecting the broader commercial shift away from token-based pricing to outcome/time-based value.

Perplexity: The Full-Stack “Computer” Approach​

Perplexity’s Computer bundles research, coding, design, and deployment into an end-to-end system that orchestrates up to 19 models in parallel and can spawn subagents for complex projects. It is expensive and gated behind high-tier subscriptions, but it’s a functional vision of what agentic AI can be: a single, cloud-hosted service that turns ideas into deployed artifacts without the user running any local runtime. Perplexity’s pitch is that users want models stitched together to solve practical problems — not a single oracle.

---

What’s Technically Different — Why This Is Happening Now​

There are three technical inflection points that turned “can we?” into “should we?”.

• Improved reasoning and multi-step planning. Newer models and agent frameworks use chain-of-thought reasoning, policy learning, and reinforcement signals to dramatically reduce nonsensical multi-step behavior. This raises the confidence threshold for delegating tasks that require planning and context maintenance.
• Runtime orchestration and sandboxing. Vendors are shipping secure runtimes — containerized sandboxes, ephemeral cloud PCs, and audited Agent Workspaces — that let agents act while limiting blast radius and enabling revocation and monitoring. That solves many early governance objections.
• Connector ecosystems. Universal connectors (OAuth-backed integrations, MCP-like protocols) let agents interact with calendars, mailboxes, storage, and business apps while builtin admin controls provide scopes and audit trails — critical for real-world adoption. Notion’s MCP and Microsoft’s Copilot connectors are clear examples.

Together, these changes make handing an agent a “job description” and a set of credentials a realistic product move — and a large new revenue opportunity for vendors who can reliably deliver and govern that autonomy.

---

Productivity and Monetization: Selling Hours, Not Tokens​

A practical driver behind the push is commercialization. Chat-based AI sold by token volume is an awkward fit for enterprise budgeting: customers want predictable ROI and measurable time saved. Agents promise to sell “working hours” — scheduled summaries, triage, booking, filing, and other repeatable tasks — making it easier to frame value and price.

• Vendors are already shifting billing models to align with that: Notion plans credits for Custom Agents and Perplexity gates Computer behind high-tier subscriptions. Microsoft and Anthropic are bundling agent capabilities into enterprise tiers with differentiated admin controls.

This changes buyer psychology: an agent that saves a team member 5–10 hours per week is a quantifiable business case. The sector is moving quickly because converting “AI prompter” into “AI worker” shortens the sales cycle and expands the addressable market beyond early adopters.

---

Governance, Security, and the New Attack Surface​

Autonomy introduces new and compounding risks. The open-source OpenClaw craze made two things obvious: agents are extremely useful when they can run locally and connect broadly; and they create a novel class of security, supply-chain, and identity problems when they do.

• Self-hosted runtimes like OpenClaw allow deep local access and community-built skills, but they can also install persistent plugins, hold credentials, and be influenced by poisoned inputs. Major vendors and security teams have warned that such runtimes should not run on primary workstations without isolation. Microsoft’s guidance and advisories emphasize identity isolation, ephemeral credentials, and containment.
• Supply-chain incidents are already plausible: third-party packages or CI pipelines could inadvertently install agent runtimes, and “skills” registries create a new attack surface where malicious behaviors can propagate. Security teams must assume the agent runtime can be influenced and prepare for containment and rapid rebuild.
• Messaging integrations (e.g., Manus on Telegram) raise platform-specific privacy issues: what metadata is visible, how are tokens stored, and which chats can be accessed? Messaging-first agents make consent models more complex and require rigorous UI/UX design to prevent accidental privileges escalation.

Key enterprise controls that vendors are adopting — and that IT leaders should demand — include:

• Isolated execution environments (VMs, ephemeral cloud PCs, Agent Workspaces).
• Least-privilege connector scopes and per-action approvals for sensitive operations.
• Immutable audit trails that record decisions, tool calls, and files modified.
• Scheduled credential rotation and separation of test and production datasets.
• Runtime monitoring and external approve/block hooks for potentially dangerous actions.

---

Strengths, Weaknesses, and Short-Term Risks​

Strengths​

• Tangible productivity gains. Agents can remove repetitive, rule-based work from human desks and let skilled staff focus on high-value tasks. This has immediate appeal for enterprises chasing efficiency.
• Platform moat expansion. Companies that control identity, connectors, and the OS or browser runtime (Microsoft, Meta) can tightly integrate agents into workflows and lock in usage.
• New monetization paths. Subscriptions tied to agent work or agent seats create recurring revenue models that map directly to value delivered.

Weaknesses and Short-Term Risks​

• Security and compliance. Autonomous agents amplify risk: prompt injection, poisoned feeds, and malicious skills can lead to data leakage or unauthorized actions. Self-hosted agents are particularly fraught for corporate contexts without extra guardrails.
• Over-automation and brittle workflows. Agents that act without human oversight can create costly errors when business rules change or inputs deviate from training distributions. Without strong observability, errors compound.
• Vendor lock-in. As agents integrate deeper across apps, switching costs rise: agent logic, connectors, and auditing schemas are proprietary assets. Businesses must weigh convenience against long-term portability.

---

Practical Guidance for IT and Teams​

If your organization is considering agents now, treat this as an enterprise architecture and governance project — not just another SaaS pilot.

• Inventory and classify use cases. Start with low-risk, high-value automation: meeting prep, report drafting, ticket triage. Prioritize tasks with clear, auditable inputs and outputs.
• Require isolation for evaluation. Run any self-hosted or experimental agent in disposable VMs or dedicated cloud tenants; never on primary user devices.
• Define connector policies. Use least-privilege credentials, restrict third-party skill installs, and route high-risk actions through human approval gates.
• Invest in observability. Ensure every agent run produces structured logs, a step-by-step action record, and artifacts that can be audited for compliance.
• Plan for recovery. Treat agent runtimes like any other privileged system: snapshot state, maintain revocation paths, and have rapid credential rotation ready.

These steps map to vendor advice and emerging best practices from Microsoft, Anthropic, and security teams tracking OpenClaw-style risks. Pragmatic governance will determine whether agents become accelerators or liabilities in your stack.

---

The Open-Source Factor: OpenClaw’s Ripple Effect​

OpenClaw — the open-source agent runtime that galvanized enthusiasts — accelerated the timeline by proving how quickly community skills and local execution can deliver value. Its creator’s high-profile move into leading AI teams has both legitimized the idea of agent runtimes and sharpened big-tech responses: managed alternatives, hardened sandboxes, and stricter enterprise advice. OpenClaw’s popularity made the “how” visible; Microsoft, Anthropic, Notion, Perplexity, and Meta are now building the “where” and “how safely” for mainstream users.
Open-source also complicates governance: foundations, community registries, and decentralized skills markets will persist. Enterprises that expect a single managed solution will be surprised; the reality will be hybrid. Treat open-source agent runtimes like any other powerful OSS project — evaluate risk, apply controls, and assume the worst-case scenario in threat modeling.

---

What to Watch Next​

• Expansion of governance APIs. Watch for richer approve/block hooks, cross-vendor telemetry schemas, and standardized agent audit formats. These will be decisive for regulated industries.
• Pricing experiments. Expect more per-agent or per-work billing models as vendors try to monetize the “work” delivered rather than tokens consumed. Notion’s credits, Perplexity’s tiering, and Microsoft’s enterprise bundling are early signals.
• Skill registries and certification. Third-party skills ecosystems will mature; trusted registries, signed packages, and certification programs will emerge to limit supply-chain risk.
• Regulation and enterprise policies. Legal and compliance teams will enter procurement discussions earlier; expect stricter internal policies for agent approvals and data retention.

---

Conclusion​

The “Claw” wave marks a clear inflection: AI is no longer a novelty that answers questions — it is rapidly becoming an operational layer that performs work. The shift is both inevitable and constructive: agents can reclaim hours of repetitive labor, reduce context switching, and unify multi-application workflows. But the prize won’t go to the first mover alone; it will go to the vendor that can deliver reliable, auditable, and governable autonomy at scale.
For CIOs and IT leaders, the imperative is straightforward: pilot deliberately, enforce isolation, demand auditability, and design governance before agents gain write-access to your systems. For product teams, the opportunity is enormous: build agent experiences that are both useful and safe, and you’ll be selling time back to your customers, not just words.
Silicon Valley has “grown claws.” The important work now is to make sure those claws have seat belts, safety interlocks, and clear job descriptions — because handing work to machines is only the beginning.

---

Source: 36 Kr Silicon Valley Fully "Lobsterized": Anthropic, Microsoft, Meta, Notion Submit Their Own Claw