Autonomous Agent
How Griffin AI Search's autonomous agent watches your screen and acts on your behalf, and why some actions are executed directly while others only appear as a suggestion.
Autonomous Agent
Griffin AI Search doesn't only answer questions — inside a Search conversation, it can also run an autonomous agent that watches your screen and carries out a goal step by step, the same way a person would work through a task by looking at the screen, deciding what to click or type next, and repeating. You give it a goal in plain language; it observes, acts (or suggests an action), and keeps going until it decides the goal is done or you stop it.
What the agent is actually allowed to do depends on what you're sharing your screen for — some actions it performs directly, others it can only suggest. That split isn't an arbitrary product limitation; it comes directly from a real browser security boundary, explained below.
Starting a run
- A consent dialog opens first. Type your goal in plain language — for example, "Navigate to the Vulnerabilities tab and filter to Critical." — and check the box confirming you authorize the agent to take browser actions on your behalf for the session. Start session stays disabled until both the goal text and the checkbox are filled in.
- Your browser then prompts you to choose what to share, using its native screen-share picker. Depending on your browser, the options are typically something like This Tab, Window, or Entire Screen.
- Once you grant access, the agent begins observing your screen (captured roughly once per second) and issuing actions —
click,type,scroll, orwait— each with a stated reason, until it emitsdoneor you stop it.
What happens after you grant access depends on what you chose to share in that picker.
Every session is scoped and bounded regardless of what you share: the agent can only ever act inside the browser tab (never the OS, the file system, or other applications directly), and a session ends automatically after 30 actions or 60 seconds of wall-clock time, whichever comes first.
Same-origin vs. cross-origin: why some actions execute and others don't
This is the core thing to understand about the autonomous agent, and it's worth explaining honestly rather than glossing over.
The browser's screen-sharing API (getDisplayMedia) lets the agent see almost anything you choose to share — the current tab, another window, or your whole screen. But being able to see a surface and being able to act inside it are two different permissions, governed by two different parts of the browser.
Acting inside a page — clicking an element, typing into a field — requires script access to that page's own document (finding the element under a point, dispatching keyboard events to it). Browsers only grant that access to scripts running on the same origin as the page itself. A browser tab showing Safeguard cannot reach into the DOM of a different tab, a different application window, or your desktop — no matter what you're sharing on screen — because that would be a fundamental breach of the same-origin sandbox every website runs inside. This isn't something Safeguard chooses to restrict; it's a boundary the browser itself enforces, and it's the same boundary that keeps any other website from reaching into your other open tabs.
So the agent checks what kind of surface you shared:
| You shared | What the agent can tell | Result |
|---|---|---|
| This tab (the Safeguard tab itself) | Capture surface is the browser's own tab, so the agent's script and the visible page share an origin | Actions are executed directly |
| A window, your entire screen, or another tab | The captured content isn't the same document the agent's script runs in | Actions are only suggested — nothing is dispatched automatically |
If there's any ambiguity about which case applies, the agent defaults to suggestion-only. It's a deliberate fail-safe: when it isn't certain it can safely act, it doesn't guess.
What you'll experience in each case
Sharing this tab (same-origin): the agent finds the element under the coordinates it wants to interact with and acts on it directly — clicking it, typing into whatever field currently has focus, or scrolling the page. You'll see the page respond as if the action happened, because it did.
Sharing a window, your whole screen, or another tab (cross-origin): the agent cannot reach into that content, so instead of dispatching anything, it draws an overlay marker at the screen position where it would click or type, while its reasoning for that step appears in the live session log. You remain the one actually operating the mouse and keyboard — the agent is suggesting the move, not making it. This lets the agent guide you through a task on any application or site you're sharing, without ever needing (or being able) to silently control it.
Every step the agent takes — whether executed directly or only suggested — is recorded as it happens, along with the reason the agent gave for it, so you can follow its reasoning as the run progresses. For example, a cross-origin session's log might show an entry like:
3 click (840,220) visualised
"Clicking the Critical severity filter to narrow results."The visualised tag only appears on suggested actions that weren't actually dispatched; the same kind of entry from a same-origin (this-tab) run omits it, because the click really happened.
Stopping a run
You can stop the agent at any time. Stopping is handled entirely on your side: it immediately ends the screen capture, closes the connection to the backend, and marks the run as finished — so it works even if the backend is slow or unreachable at that moment. Using your browser's own Stop sharing control (the one built into the screen-share indicator, not part of Safeguard's UI) has the same effect and ends the run immediately.
FAQ & Troubleshooting
Why does the agent click for me on the Safeguard tab but only draw a box when I share a different app? This is the same-origin boundary described above — it's the browser preventing any page's script from reaching into a different tab, window, or application's content, not a feature Safeguard has chosen to leave out.
I shared "This Tab" but the agent still isn't clicking anything — why? The agent double-checks the capture surface before dispatching anything, and defaults to suggestion-only whenever it can't confirm same-origin access. If in doubt, it stays safe rather than acting.
Can the agent act on a different website or app if I give it permission? No — this isn't a setting that can be relaxed. It's enforced by the browser's own sandboxing, the same mechanism that stops any website's script from reading or controlling a different site's tab.
Does closing the shared tab or window stop the agent? Yes. The browser ends the screen share when the shared source closes, and the agent treats that the same as you clicking Stop.
What kinds of actions can the agent take? Clicking, typing, scrolling, waiting, and signaling that it has finished the goal — each step comes with a stated reason so you can see why it chose that action.
Is there a limit to how long a session can run, or how much it can do? Yes — a session ends automatically after 30 actions or 60 seconds of wall-clock time, whichever it hits first. This caps how much a single run can do even if the goal is broad or ambiguous.
Do I have to explicitly opt in before each run? Yes. The consent dialog requires you to type a goal and check "I understand and authorize the assistant to take browser actions on my behalf for the duration of this session" — Start session stays disabled until both are done, and re-opening the dialog for a new run resets that consent, so it isn't remembered across sessions.
Related
- Griffin AI — the underlying AI that powers Search, natural-language queries, and remediation guidance across Safeguard.
- Search — the Griffin AI Search interface the autonomous agent runs inside of.
Search Connectors
Attach external MCP servers as live tools Griffin can call during a search conversation.
Application Security Testing (SAST & DAST)
Find vulnerabilities in your source code (SAST) and running applications (DAST) with Safeguard's first-party, tenant-isolated application security testing.