AI-powered browsers: The new frontier of enterprise security risks
Modern web browsers do more than just retrieve webpages. AI-powered browsers can now summarize content, perform tasks, and deploy agents to fill out forms, shop online, and book flights. While these agentic AI capabilities promise productivity gains, they also bring new security risks for enterprises.
A case in point is Perplexity’s Comet AI assistant, which reportedly failed to distinguish between user commands and malicious instructions hidden in web pages, leaving it vulnerable to malicious command execution, according to an investigation conducted by security researchers at Brave Software last year.
The team at Brave warned that AI assistants and agents operate with users’ full privileges across authenticated sessions, which provides access to sensitive information such as bank accounts, emails, and cloud data. This incident showed how AI assistants can be tricked into sharing sensitive information in enterprise environments.
Aware of these risks, Perplexity said in a blog post last October that it uses real-time prompt injection classifiers to detect malicious instructions before the AI assistant takes any action.
OpenAI also cautioned in a blog post last December that browsers equipped with agentic capabilities remain susceptible to prompt injection attacks, emphasizing the need for developers to consistently monitor and secure these systems. The company recognized that prompt injection, similar to online scams and social engineering, is unlikely to be completely resolved. As browser agents take on more responsibilities, their susceptibility to adversarial attacks is expected to increase.
Last December, Gartner issued a warning urging CISOs to block AI browsers with agentic capabilities until enterprise-ready AI browsers become available. The firm said AI-enabled browsers pose a significant privacy risk because active web content, browsing history, and open tabs may be stored on cloud-based servers without centrally managed security controls. A 2025 study by the University of California, Davis, found that GenAI browser assistants collect personal and sensitive information and share it with first-party servers as well as third-party trackers such as Google Analytics.
Why AI browsers worry security teams
While OpenAI’s Atlas and Perplexity’s Comet have generated significant interest, Google Chrome and Microsoft Edge remain the most used web browsers in enterprise environments. IT admins rely on tools such as Windows Group Policy or Google Chrome Enterprise Core to enforce policies, block malicious sites and unauthorized extensions, and restrict access to unapproved websites.
However, the growing integration of agentic AI capabilities in browsers brings in new challenges that traditional browser management tools can’t handle.
Palo Alto Networks warns in a blog post that browser-based agents can be hijacked through prompt injection attacks, the same threat OpenAI has highlighted. These attacks hide malicious instructions inside webpages, emails, or documents, designed to trick the AI into ignoring its guardrails and executing the attacker’s commands.
By following these injected commands, the AI agent can be tricked into sharing sensitive enterprise data. According to a 2025 Gartner report, 32% of organizations have already experienced prompt-injection attacks on GenAI applications.
Unlike traditional browser vulnerabilities, prompt injection attacks are much easier to carry out using natural language prompts. Simulations by researchers at Palo Alto Networks reveal that agents with broadly scoped prompts or tool integrations can be manipulated to leak data, escalate privileges, and abuse connected systems.
Palo Alto Networks cautions that enterprises often lack visibility to differentiate between user actions and agent actions. Traditional security and network monitoring tools can’t see what AI agents are doing inside an authenticated browser session because they were designed to detect known malware and network anomalies.
Enterprises frequently provide agents with extensive service user permissions to facilitate independent operations, as noted in a Check Point Security study. This practice undermines the principle of least privilege, allowing agents to access sensitive data. Additionally, Check Point pointed out the risks associated with Model Context Protocol (MCP) supply chain attacks. Agents utilize MCP to connect with APIs and various third-party integrations, which opens up more potential entry points for cyber attackers.
The use of unauthorized AI browsers can also exacerbate data exposure risks, as it creates blind spots for IT teams tracking agentic AI activity within the enterprise. IBM’s Cost of Data Breach report shows that security incidents involving shadow AI accounted for 20% of breaches in 2025.
How to manage AI browser risks
Organizations first need clear visibility into where AI browsers and agents are being used, the level of access they have, and the tasks they are allowed to perform. This requires clearly defined AI governance policies along with risk assessments to identify browsers that offer stronger security controls.
The security researchers at Brave Software recommended that agentic capabilities should be isolated from regular browsing tasks, so users do not accidentally end up in this mode during routine browsing. In their blog post they emphasized, “This clean separation is especially important in these early days of agentic security, as browser vendors are still working out how to prevent security and privacy attacks.”
Palo Alto Networks recommends using enterprise-grade AI browsers that offer AI runtime security that analyzes prompts to monitor all agent interactions. These controls can also apply topic and toxicity filters to flag and block malicious prompts.
Another mitigation strategy is to extend step-up MFA and just-in-time approval mechanisms to agentic workflows. This allows browsers to pause sensitive actions and require explicit human approval before completing transactions or moving sensitive data.
Deploying defensive AI agents to evaluate the actions and API calls of primary browser agents can also help identify deviant behavior.
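The step-up approval and visibility controls described above, as an added example that is not code from the article or from any vendor it cites: a small policy gate that sits between a browser agent and its tools, classifies each requested action by sensitivity, denies sensitive actions whose instruction came from page content rather than the user, pauses the rest for a human or MFA approval hook, and records every decision for IT review. Action names, domains and the `approver` hook are constructed placeholders.

```python
from dataclasses import dataclass
from enum import Enum

class Risk(Enum):
    LOW = "low"              # read-only, runs without interruption
    SENSITIVE = "sensitive"  # pauses for step-up approval
    BLOCKED = "blocked"      # never allowed for an agent

# Constructed policy table (hypothetical action names, not any vendor's API).
POLICY = {
    "read_page": Risk.LOW, "summarize": Risk.LOW,
    "fill_form": Risk.SENSITIVE, "submit_payment": Risk.SENSITIVE,
    "send_email": Risk.SENSITIVE, "export_data": Risk.BLOCKED,
}
APPROVED_DOMAINS = {"intranet.example.com", "travel.example.com"}  # constructed

@dataclass
class AgentAction:
    name: str
    target: str   # domain the action touches
    source: str   # "user" (typed by the person) or "page" (came from web content)

AUDIT_LOG = []    # one entry per decision, so IT can tell agent actions from user actions

def gate(action, approver):
    """Decide allow/deny for one agent action. approver(action) is the step-up
    MFA or human-approval hook and is called only for sensitive actions."""
    risk = POLICY.get(action.name, Risk.BLOCKED)   # unknown actions are denied
    if risk is Risk.BLOCKED:
        decision, reason = "deny", "action not permitted for agents"
    elif action.source != "user" and risk is not Risk.LOW:
        # Instruction originated in page content, not from the user: treat as injected
        decision, reason = "deny", "sensitive action not requested by user"
    elif risk is Risk.SENSITIVE and action.target not in APPROVED_DOMAINS:
        decision, reason = "deny", "target outside approved domains"
    elif risk is Risk.SENSITIVE:
        ok = approver(action)   # browser pauses here until the person responds
        decision, reason = ("allow", "approved by user") if ok else ("deny", "approval declined")
    else:
        decision, reason = "allow", "low-risk action"
    AUDIT_LOG.append((action.name, action.target, action.source, decision, reason))
    return decision, reason

if __name__ == "__main__":
    approve_all = lambda a: True   # stand-in for a real MFA prompt
    print(gate(AgentAction("summarize", "news.example.org", "user"), approve_all))
    print(gate(AgentAction("submit_payment", "travel.example.com", "page"), approve_all))
```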
The evolving security landscape of AI browsers
AI browsers with agentic capabilities can be excellent productivity tools, as they act autonomously and can handle many of the time-consuming tasks, allowing users to focus on work. However, when used in the workplace, they pose a significant risk for enterprises, as attackers can exploit an agent’s broad user-level access to retrieve and share sensitive data.
Enterprises can mitigate some of their risks with AI governance policies that give them a clear view of how and where AI browsers and agents are being used. Experts also recommend the use of enterprise-grade AI browsers and adding a human in the loop to approve sensitive actions by agents.