Pew Research Center surveyed 5,119 US adults in February 2026 and found that 49% use AI chatbots. Then it asked which ones, and ChatGPT came in at 44%, Gemini at 24%, Copilot at 17%, Meta AI at 14%, Grok at 8%, Claude at 6%, and Character.ai at 3%.
Naturally, there’s overlap in tool usage. People stack AI assistants (🙋🏽♂️), and each one asks the same person to explain themselves from scratch. Every provider keeps a partial copy of your preferences, coding rules, brand guidelines, project decisions, and those copies drift apart within days.
The next step is to move context down a layer, into the operating system, which would index what’s on your devices and broker access to it. The AI model wouldn’t own your memory, but would request temporary, scoped access to information the OS holds or points to, then lose that access when the task ends.
Apple and Microsoft have both shipped early pieces of this in 2026, under different names. The main AI labs also recognise this shift, with Anthropic and OpenAI both releasing desktop versions of their apps that repeatedly request access to your files and devices throughout the day. The main questions around this pertain to security and the risk of walled gardens.
Prompts are no longer the constraint
Early AI usage rewarded those who wrote better prompts. Providers then absorbed those patterns into system behaviour, applications added templates and planning, and similar instructions started producing usable results across several frontier models.
The harder problem is what the model knows when it starts: what’s already been decided, which rules apply, which file is current, and what happened last week. A capable model with poor context loses to a weaker model with current context.
That’s why context engineering is what each AI application now focuses on: retrieval, memory summaries, tool descriptions, and prompt assembly. Per Anthropic’s own engineers, loading tool definitions on demand instead of upfront cut one workflow from 150,000 tokens to 2,000, a saving of 98.7%.
Better selection, not bigger inputs, are more effective.
Your laptop already knows who you are
Your phone or laptop holds documents, photos, messages, calendars, notes, browser history, repositories, design files, contacts, credentials, and local databases. No chatbot has a fuller picture of your current work.
Chatbot memory can’t reasonably keep pace: it’s partial, manually curated, provider-specific, hard to inspect, hard to move, and built from past conversations instead of present files.
A model might recall that you maintain a design system, but your laptop has the actual one, as of this morning.

Microsoft and Apple have shipped primitives
Microsoft’s support documentation describes agent workspace: a contained session where agents run under their own user account, separate from yours. Agent connectors in the Windows On-Device Registry are MCP servers, and Windows asks for permission before an agent runs them.
Agentic accounts get limited access to the user profile directory, with read and write granted to six common folders (Documents, Downloads, Desktop, Music, Pictures, and Videos), manageable per agent from preview builds 26100.7344+, with consent requested by default.
Apple shipped the other half of this in June 2026. Siri AI draws on personal context understanding across messages, emails, and photos, and that understanding extends to third-party apps when developers integrate with Spotlight. The assistant uses a system orchestrator to tap the Spotlight index and App Toolbox, both of which run entirely on device.
Apple’s developer page goes further: the Foundation Models framework supports Apple’s own models or any provider that conforms to the Language Model protocol. So we’re looking at a model-independent interface at the OS layer, published by an OS vendor.
| Microsoft | Apple | |
| Broker mechanism | Agent workspace, On-Device Registry | System orchestrator, Spotlight index, App Toolbox |
| Connector standard | MCP agent connectors | App Intents, App Schemas |
| Identity | Separate agentic account per agent | User account, on-device processing |
| Permission unit | Per-agent, per-folder consent | Per-app integration, on-screen awareness |
| Third-party models | Any MCP-compatible agent | Any Language Model protocol conformer |
Though neither company uses the word ‘broker’, they’ve both built the beginnings of an AI context brokering system.
What an OS context broker would do
A background service would index files and metadata, watch for changes, resolve which version is authoritative, and answer structured requests. A registry would record which sources exist, where they live, who owns them, and which applications may reach them.
An agent then submits a request: your coding rules, architecture decisions, files for one project, read access for this session, and write access to the test directory only. The OS broker verifies the caller, checks permissions, retrieves the minimum, strips restricted fields, returns the context, logs what was touched, and expires the grant when the work ends.
Projects would carry a manifest describing what’s available:
Project: Agora
Purpose: Structured debates between language models
Primary rules: /guidelines/coding.md
Design system: /design/system.md
Architecture decisions: /docs/decisions/
Allowed write paths: /tests/, /docs/
Restricted paths: /.env, /data/private/
Any model could enter that project without provider-specific memory. The original files stay where they live, in GitHub, Drive, iCloud, Notion, Figma, or a local folder. The OS handles identity, discovery, policy, and retrieval.
What this does to the AI labs
Models would still differ on reasoning, speed, price, latency, privacy, and specialisation. But nobody would rebuild their working life inside each new product. The model becomes a component chosen per task.
The labs have already conceded the layer below. When Anthropic donated the Model Context Protocol to the Agentic AI Foundation in December 2025, the protocol had passed 97 million monthly SDK downloads and 10,000 active servers, with client support across ChatGPT, Claude, and other major platforms. OpenAI and Block co-founded the foundation alongside it.
Competitors have already agreed to share the connection layer, and I think context is the next candidate. A shared context layer would also lower switching costs: a smaller provider wouldn’t need to persuade anyone to rebuild two years of memory. It would simply request approved context and compete on the work itself.

Mitigating prompt injection
If your device’s OS brokers files, memories, tools, and credentials, then compromising the device exposes more than it does today. The current numbers aren’t very reassuring.
The LivePI benchmark ran frontier models on a live virtual machine with working email, chat, web, local-file, repository, and wallet interfaces, and recorded total attack success rates between 10.7% and 29.6% across GPT-5.3-Codex, Claude Opus 4.6, Gemini 3.1 Pro, Kimi K2.5, and GLM-5. Group-chat injection succeeded against every model tested.
A separate meta-analysis of 78 studies found attack success rates above 85% once attackers adapt to the specific defence in place.
So a broker needs permission grammar, not just a toggle.
| Principle | Instead of | Grant |
| Least privilege | Access all my files | Read three folders until this session ends |
| Knowledge without action | Read my inbox | Read inbox, no send |
| Time limits | Standing access | One task, then expiry |
| Data labels | Undifferentiated context | Confidential, employer-owned, local processing only |
| Audit | Trust | Log every request, retrieval, and denial |
Public sentiment mirrors this technical risk. In the same Pew survey from earlier, 71% of US adults said increased AI use will make their personal information ‘less secure’, against 3% who said ‘more secure’. A system-level index of someone’s life has to earn its way past that number.
Building walled gardens
The vendors best placed to broker context (Microsoft, Apple) also sell models. They could rank assistants, charge for context APIs, restrict competitors, or bundle their own services—similar to how Amazon edges out other vendors with Amazon Essentials.
Regulators have noticed. The European Commission published its first Digital Markets Act review on 28 April 2026, concluding that the DMA remains fit for purpose and doesn’t need revising, while naming AI and cloud computing as areas requiring particular focus going forward.
The Commission is also assessing whether some AI services should be designated as virtual assistants, and it has focused regulatory dialogue on changing defaults easily and ensuring AI services get equal access to operating systems.
Article 6(7) already requires gatekeepers to provide third parties with effective interoperability with the same hardware and software features accessed or controlled via the operating system or the designated virtual assistant.
That obligation was written for smartwatches and headphones. Whether it stretches to context access remains to be seen.
Open questions
Proposing an OS context layer raises a few unresolved questions, such as:
- Ownership: who holds the context graph built from your files and activity?
- Portability: Can you export it and move to another OS?
- Deletion: How do you prove a model discarded what it received?
- Accuracy: How does the system find and remove stale or contradictory entries when two agents disagree?
- Liability: Who’s responsible when an agent acts on inaccurate context? Is it the model provider, the application, the OS vendor, the tool, or you?
- Inheritance: What happens to your context layer when you die or replace every device you own?
I also don’t think application-specific context will disappear. A design tool like Figma understands its own components better than a general file index will, and much of our data lives in cloud services the OS would need agreements to reach.
These questions and more are being settled by companies in Redmond and Cupertino with vested interests in keeping us all walled into their gardens. Let’s see how it all plays out.
