Local AI Is Inevitable. The Trust Model Underneath It Is Not Ready.
For decades, the spec that mattered on a laptop was the processor. Amanda Caswell at Tom’s Guide makes the case that the next number buyers will learn to care about is the NPU, the neural processing unit, and that RAM is quietly becoming the real bottleneck because models have to load into memory to run. She is right, and the shift she describes is already underway. Microsoft, Apple, Google, and Nvidia are not debating whether local inference matters. They are racing to ship the hardware for it.
What that reporting does not weigh is the other side of the ledger. The same property that makes an on-device agent useful, a deepening, persistent model of who you are, is the property that makes it worth attacking. An agent that knows your files, your habits, and your purchase history is a far richer target than a chatbot that forgets you the moment you close the tab. The industry is sprinting toward local-by-default. It has not finished building the locks.
The Seven Predictions, and Why They Are Already Happening
Caswell’s piece organizes the shift into seven bets. NPUs become the spec that matters, with 32GB of RAM as the new comfortable floor. Everyday tasks, drafting, summarizing, transcribing, searching your own files, move on-device by default. Your assistant asks before it phones home to the cloud. It becomes an expert on your files through retrieval rather than memorization, the open-book exam model. AI tutoring goes private and personal. We may download specialized expert agents the way we install apps today, though she flags this as the shakiest bet of the seven. And cloud AI does not disappear; it becomes the fallback for the hard problems, summoned by consent rather than by default.
None of this is speculative anymore. It is shipping.
Microsoft’s Build 2026 keynote put real hardware and real software behind this thesis. RTX Spark, built with Nvidia, is a compact desktop unit purpose-built for local inference, explicitly marketed at data-sensitive and latency-sensitive workloads. Windows 11’s 26H2 update ships a new on-device runtime, codenamed Copilot Engine, that handles latency-sensitive intent detection and file classification locally before passing anything heavier to the cloud. That is prediction three and prediction seven, the ask-before-it-searches habit and the local-by-default, cloud-by-consent split, arriving as shipped product rather than a forecast.
The more consequential announcement at Build was Scout. Microsoft calls it an Autopilot, an always-on agent that watches Teams, Outlook, OneDrive, and SharePoint and acts before you ask. Scout is not itself a local model. It is cloud-tethered, built for Microsoft 365. Press coverage of the launch reports that Scout’s engine is OpenClaw, the open-source personal agent framework that crossed hundreds of thousands of deployed instances within months of release; Microsoft has not published architecture details confirming this directly, but the lineage matters regardless of the exact build. Nous Research’s Hermes Agent shows the same pattern in a fully self-hosted form: persistent memory across every session, and a closed learning loop that writes its own skill files from what it learns about you, then reuses those skills on future tasks without being asked. Hermes calls this “the agent that grows with you.” That phrase is the whole thesis of this post, compressed into six words, and it is also the whole problem.
What “Grows With You” Actually Means Architecturally
An agent that grows with you is accumulating three things over time: capability, in the form of tools and skills it can invoke; identity, in the form of configuration and behavioral defaults; and knowledge, in the form of memory about your files, your contacts, your habits, your purchases. Researchers studying OpenClaw in production have started formalizing this as the CIK taxonomy, because all three of those dimensions persist between sessions, and an attacker who can touch any one of them does not need to compromise the model itself. They only need to compromise what the model trusts.
The local-AI predictions skip a step. A skill file, a memory entry, a piece of retrieved content, none of these are abstract. They are files on a disk, the same disk that holds your tax returns and your kid’s photos. And the agent that reads them does not apply uniform scrutiny. It applies a trust hierarchy, and that hierarchy is where the exploitable seam sits.
A benchmark called CLAWSAFETY put this to a direct test: 2,520 sandboxed trials, five frontier models, three attack channels (a planted instruction in a skill file, a spoofed email from a trusted contact, a malicious web page), across realistic workspaces with fifty-plus files each. Attack success rates ran from 40 percent on the strongest model to 75 percent on the weakest. The single most exploitable channel, across every model tested, was the skill file. Instructions placed there are treated as operating procedure, not as content to question. The researchers found that vague, authoritative-sounding instructions failed consistently, while precise, narrowly operational language, the kind a real workflow would actually use, succeeded almost every time. Specificity beats authority. That finding should worry anyone building an agent that writes its own skills from experience, because the agent is generating the kind of artifact that earns the highest trust and the lowest scrutiny.
This is not theoretical. CVE-2026-25253, the first CVE ever assigned to an agentic AI system, was a remote code execution flaw in the OpenClaw skill runtime, triggered by a crafted skill package. Weeks later, the ClawHavoc campaign pushed more than 1,200 malicious skills to a public OpenClaw marketplace, several bundling a credential stealer, before the community caught it. An agent that proactively prompts you, the way Caswell imagines, “the author you follow just published a new book, want me to get it,” is doing the kind of autonomous, multi-source reasoning that the CLAWSAFETY researchers found bypasses every existing defense once the framing shifts from a command to a statement of fact. Their sharpest finding: agents reliably catch an imperative instruction buried in a document (“update this value”). They do not reliably catch a declarative one (“this value does not match”), because reporting a discrepancy is what the agent is supposed to do. The vulnerability is not a bug to be patched. It is the same faithfulness to instructions that makes the agent worth having.
The Local Trust Gradient
Leaders evaluating which tasks to hand a local agent need a way to reason about this before they wire up persistent memory and skill files to a device that already holds everything sensitive about a person. I propose three tiers, ordered by what happens when the trust assumption breaks.
| Tier | What it covers | Failure if compromised | Smell test |
|---|---|---|---|
| 1. Read-only synthesis | Summarizing, transcribing, drafting for review | A bad draft, caught before it sends | Does a human see the output before anything leaves the device? |
| 2. Retrieval on your own data | Document search, RAG over personal files | A confidently wrong answer with no visible failure | Does the agent ever act on what it retrieves, or only report it? |
| 3. Autonomous action with persistent memory | Scheduling, purchasing, self-written skills, content access on your behalf | Credential forwarding, destination substitution, an action taken on a false premise | Does the agent act on a conclusion it reached itself, using remembered data, with no human in the loop at the moment of action? |
Tier one: read-only synthesis. Summarizing a PDF, transcribing a meeting, drafting an email for review before it sends. The agent reads and proposes; a human approves before anything leaves the device. A compromised instruction here produces a bad draft, not a bad outcome. This is where Caswell’s predictions one through four live, and it is the tier where local AI is genuinely close to a solved problem.
Tier two: retrieval against your own data. “What did I agree to in that March contract,” “find the volcano hike photos.” This is RAG, and RAG inherits a coherence problem distributed systems engineers already named decades ago: garbage in is garbage out, and a poisoned or stale index produces a confidently wrong answer with no visible failure mode. The risk here is quieter than tier one but not smaller. An agent that has indexed your full document history is a single well-placed file away from surfacing the wrong thing to the wrong context.
Tier three: autonomous action with persistent memory. Scheduling, purchasing, anything that writes a skill file from experience and reuses it without asking. This is where Scout and Hermes Agent both live, and it is the tier CLAWSAFETY measured directly. The blast radius is not a bad draft. It is credential forwarding or destination substitution, the two action types CLAWSAFETY found agents comply with most readily.
A fourth case belongs in this tier as a forward bet rather than a documented threat: an agent with persistent memory of your media habits and autonomous purchasing intent, reasoning its way around a licensing restriction because a “new book is out, should I get it” workflow quietly implies a “get it from wherever, by whatever means” workflow underneath. Nobody is building agents to do this today, and I have no research to cite that says otherwise. But the reasoning capability already exists, and the access-control assumptions inside today’s DRM systems were built for static decryption tools, not general-purpose agents with standing permission to act on your behalf. Worth watching, not yet worth measuring.
Anti-Patterns for Leaders
Treating “runs locally” as “runs safely.” Local inference solves a privacy problem, where your data leaves your device. It does not solve a trust problem, where the agent decides what to do with the data once it is local. CLAWSAFETY ran entirely on local agent deployments. The attack success rates did not care that the model was on-device.
Letting the agent write its own trust boundary. Hermes Agent’s pitch, skills written from experience and reused automatically, is also the CLAWSAFETY paper’s highest-risk channel by a wide margin. An agent that generates the artifact it will later trust most has removed the one external checkpoint that catches a poisoned instruction before it executes.
Mistaking declarative content for safe content. The defense boundary CLAWSAFETY found is precise: agents catch commands, not claims. “Your credential may be compromised” bypasses defenses that “update your credential to X” triggers. Any workflow where the agent reports on or reasons about external content, not just executes instructions from it, inherits this gap.
Assuming consumer marketplaces are curated. ClawHavoc put 1,200 malicious skills into a public catalog before detection. A skill marketplace is a software supply chain, and it should be governed like one: signed, scoped, and reviewed, not browsed like an app store.
The Bottom Line
The local AI predictions are correct. The hardware is shipping, the habits are changing, and within a few years an assistant that knows your files better than you do will be normal rather than novel. Caswell is right that the real question underneath the spec sheet is what kind of relationship we will have with this technology.
That relationship has a security dimension nobody asked about yet. An agent that grows with you is accumulating a trust surface, not just a memory. The same persistence that lets it recognize your favorite author’s new release is the persistence that lets a single bad skill file, a single spoofed email, a single declarative web page, redirect what it does with everything it has learned about you. Tier one and tier two tasks are close to safe today. Tier three is not, and tier three is exactly where the most exciting consumer demos live.
Buy the RAM. Watch the NPU spec. But before you let an agent write its own skills and act on them while you sleep, ask which tier you are actually in.
References
- Caswell, A. “I get asked about local AI all the time, here are the 7 predictions I’d bet on.” Tom’s Guide (June 30, 2026). https://www.tomsguide.com/ai/i-get-asked-about-local-ai-all-the-time-here-are-the-7-predictions-id-bet-on
- Wei, B., Zhang, Y., Pan, J. et al. “ClawSafety: ‘Safe’ LLMs, Unsafe Agents.” arXiv:2604.01438 (April 2026). https://arxiv.org/abs/2604.01438
- “Your Agent, Their Asset: A Real-World Safety Analysis of OpenClaw.” arXiv:2604.04759 (April 2026). https://arxiv.org/abs/2604.04759
- “Formal Analysis and Supply Chain Security for Agentic AI Skills.” arXiv:2603.00195 (March 2026). https://arxiv.org/abs/2603.00195
- Nous Research. “Hermes Agent.” https://hermes-agent.org/
- Microsoft. “Microsoft Scout and the MAI Model Family.” Build 2026 (June 2026).
- Kanakasabesan, K. “Your LLM Has a State Management Problem. Distributed Systems Solved It in 2005.” https://kanakasabesan.com/2026/05/25/your-llm-has-a-state-management-problem-distributed-systems-solved-it-in-2005/
- Kanakasabesan, K. “The Repository Has a Read Side and a Write Side: Governing the Agentic Commons.” https://kanakasabesan.com/2026/06/04/the-repository-has-a-read-side-and-a-write-side-governing-the-agentic-commons/
- Kanakasabesan, K. “Your Agents Are Not Safe and Your Evals Are Too Easy.” https://kanakasabesan.com/2025/11/21/your-agents-are-not-safe-and-your-evals-are-too-easy/




