What is an AI browser agent?

An AI browser agent is an autonomous AI system embedded in or integrated with a web browser. Unlike chatbots that only generate text, browser agents take real actions: they navigate URLs, click elements, fill forms, extract data, and complete multi-step tasks without step-by-step human instruction. Examples include Perplexity Comet, OpenAI ChatGPT Atlas, and deployments built on Anthropic's computer-use API.

What is indirect prompt injection in AI browsers?

Indirect prompt injection is an attack where malicious instructions are hidden inside web pages, documents, or emails that an AI browser agent processes. The agent treats the hidden text as a legitimate command and executes it, potentially exfiltrating credentials, navigating to attacker-controlled pages, or completing unauthorized transactions on behalf of the user.

Can AI browser agents access my company's SSO tokens?

Yes. Browser agents run inside an existing authenticated browser session and inherit all active authentication context, including SSO tokens, session cookies, and OAuth grants. A compromised or misdirected agent has the same effective access as the authenticated user across every connected SaaS application in that session.

Should enterprises allow AI browsers on corporate devices?

Gartner's advisory published in late 2025 recommends blocking all AI browsers until enterprise-ready versions reach general availability. For organizations that need to pilot them, Gartner advises limiting use to small groups with low-risk, easily reversible tasks, combined with strict monitoring, session isolation, and human review checkpoints.

What controls reduce AI browser agent risk?

Key controls include: isolated read-only browser profiles that are not linked to enterprise SSO, allowlist-based navigation that restricts which domains the agent can visit, human-in-the-loop approval gates for any sensitive or irreversible action, comprehensive audit logging of every tool invocation, and network segmentation that prevents agent sessions from reaching internal infrastructure.

What does OWASP say about browser agent security?

The OWASP Top 10 for Agentic Applications 2026 identifies prompt injection (AA1), excessive agency (AA2), and insufficient logging and monitoring (AA9) as the primary risks applicable to browser agents. OWASP recommends least-privilege tool access, time-bound scoped permissions, and sandboxed environments with hard technical enforcement as first-line mitigations.

AI Browser Agent Security: CISO Guide to Computer-Use Risks

AI browser agent security is one of the fastest-emerging enterprise risk categories in 2026 — and most security teams are evaluating it only after a business unit has already deployed the tool. This guide gives you the risk framework, the real attack data, and the control set to make an informed decision before you approve any computer-use AI tool for enterprise deployment.

Key Takeaways

AI browser agents act autonomously inside a live browser session, inheriting SSO tokens, session cookies, and all enterprise SaaS access from the authenticated user
Indirect prompt injection — malicious instructions hidden in web pages, emails, and documents — is the primary attack vector, and OpenAI has publicly stated it may never be fully solved
A documented proof-of-concept against Perplexity Comet demonstrated that an attacker could exfiltrate a user's OTP and take over their account via a single Reddit post
Gartner recommends blocking all AI browsers for the foreseeable future; one in eight AI breaches is now linked to agentic systems (HiddenLayer 2026 AI Threat Landscape Report)
Browser agents are not inherently safe to use even on low-sensitivity tasks — the session context they inherit makes any compromise high-impact
Risk can be reduced but not eliminated; the controls that matter most are session isolation, navigation allowlisting, and human-in-the-loop approval for sensitive actions
Your acceptable use policy needs to be updated now, before your first deployment, not after your first incident

What AI Browser Agents Are — and Why They Are Different

A standard chatbot generates text. An AI browser agent takes actions.

This is the distinction that matters for security. Tools like Perplexity Comet, OpenAI's ChatGPT Atlas, and applications built on Anthropic's computer-use API do not just answer questions. They navigate to URLs, click interface elements, fill in form fields, extract content from pages, and complete multi-step workflows — all autonomously, based on a high-level natural language instruction from the user.

In practice, this means that when an employee asks a browser agent to "research our competitor's pricing and compile a comparison table," the agent is opening real web pages, processing their content, and potentially interacting with authenticated enterprise systems to store the result. The agent is not sandboxed from the browser session. It operates inside the user's existing authenticated context.

This architectural reality creates a threat surface that traditional endpoint controls, DLP tools, and SWGs were not designed to address. The agent's actions look like legitimate user traffic because, from the identity layer's perspective, they are. The requests originate from a valid session, authenticated via MFA, on a managed device. There is no anomalous login to detect.

The Indirect Prompt Injection Threat

The primary attack against AI browser agents is indirect prompt injection. The attack works because browser agents, by design, must read and interpret the content of web pages they visit. Attackers embed malicious instructions inside that content — invisible text, content hidden behind spoiler tags, text rendered in white on a white background, or instructions embedded in HTML metadata — and wait for an agent to process the page.

When the agent reads the page, its language model receives the malicious text as part of its context and interprets it as a legitimate instruction. The agent then executes the instruction with full user-level permissions.

The Perplexity Comet proof-of-concept is the most clearly documented real-world example. Researchers at Brave Security identified that Comet feeds raw webpage content directly to its language model without distinguishing between user instructions and untrusted page content. Their proof-of-concept embedded instructions in a Reddit comment hidden behind a spoiler tag. When a user invoked Comet's "summarize this page" function, the agent read the comment, received the hidden instructions, navigated to the user's account settings page, extracted the user's email address, triggered an OTP to be sent, and exfiltrated the OTP to an attacker-controlled endpoint — enabling full account takeover.

Perplexity issued a patch within days. Retesting found the patch was incomplete.

This is not a Comet-specific bug. It is a structural property of how browser agents work. OpenAI's own researchers have publicly stated that prompt injection for browser agents may never be fully solved, because any agent that reads and acts on web content can potentially be manipulated by that content.

OWASP lists prompt injection as the top risk in the OWASP Top 10 for Agentic Applications 2026. Our own prompt injection attacks defense guide covers the full taxonomy of injection techniques and mitigations in depth.

Session Hijacking: When One Agent Unlocks Everything

Browser agents authenticate through the existing browser session. They inherit valid tokens from the identity provider the same way any tab in the same browser would. This means:

Active SSO sessions grant the agent implicit access to every connected SaaS application
OAuth grants are accessible; the agent can make authenticated API calls to any service the user has authorized
Session cookies for internal tools — ticketing systems, HRIS platforms, financial applications — are present in the browser profile the agent operates within
MFA provides no protection once the session is established; the agent is already inside the authenticated perimeter

The threat model here is different from a credential theft scenario. The attacker does not need the user's password. The attacker does not need to bypass MFA. If the agent can be redirected by an injection attack, the attacker effectively has everything the user's session has. In an enterprise environment where employees maintain long-lived SSO sessions across dozens of SaaS applications, that is a significant blast radius.

In early 2026, security researchers documented a coordinated campaign in which five Chrome extensions masquerading as productivity tools for Workday and SuccessFactors exfiltrated session tokens from over 2,300 installations, enabling direct account takeover without any credential-based attack. Browser agents present a structurally similar risk: any compromise that gives an attacker control over agent behavior gives them access to everything the session holds.

This is why non-human identity security for AI agents matters as much as human identity governance. The agent is a non-human actor operating with human-level permissions, and most enterprise identity systems have no model for that.

The Risk Data: What the Numbers Say

The threat is not theoretical.

HiddenLayer's 2026 AI Threat Landscape Report, based on a survey of 250 IT and security leaders, found that autonomous agents now account for more than one in eight reported AI breaches, even though agentic deployments are still in early enterprise stages. The report notes that security frameworks and governance controls are "struggling to keep pace" with the deployment velocity.

Across the broader agentic AI landscape, 88% of organizations reported confirmed or suspected AI agent security incidents in the past year. More than 31% of organizations do not know whether they experienced an AI security breach at all — a visibility gap that is particularly dangerous for systems that generate traffic indistinguishable from normal user behavior.

Gartner's advisory, published in late 2025, was explicit: block all AI browsers until enterprise-ready versions reach general availability. The advisory cited credential abuse, data leakage, phishing facilitation, and prompt-injection-induced rogue agent behavior as the primary risk categories. For organizations with higher risk tolerance that choose to pilot, Gartner recommends limiting deployment to small groups, low-risk use cases, and tasks that are easy to verify and roll back.

Risk Assessment Framework: Questions to Ask Before You Approve

When a business unit requests approval for a browser-use AI tool, these are the questions that should determine your answer:

1. What session context does the agent operate within? Does the tool use the user's existing browser profile and session? Or does it operate in an isolated, purpose-built profile with no enterprise SSO context? Any tool that shares a session with enterprise-authenticated applications requires elevated scrutiny.

2. How does the agent handle untrusted web content? Does the vendor document how the tool differentiates between user instructions and content from pages it visits? Has the tool been independently tested for indirect prompt injection resistance? "We have mitigations in place" is not an acceptable answer without specifics.

3. What data can the agent access and exfiltrate? Map the agent's effective access. What SaaS applications are logged into the browser profile it uses? What internal tools are reachable from that session? A browser agent approved for external research tasks should have no path to internal finance or HR systems.

4. What actions can the agent take, and are they reversible? Can the agent send emails, submit forms, make purchases, or modify data in enterprise systems? Irreversible actions require explicit human approval checkpoints. Reversible, read-only tasks can tolerate more automation.

5. What does the audit trail look like? Does the tool log every URL visited, every element clicked, every form submitted, and every piece of data extracted? If an incident occurs, can you reconstruct exactly what the agent did? Agents with no audit logging should not be approved for enterprise use.

6. How does the vendor handle vulnerability disclosure? The Comet example shows that AI browser vendors are already receiving security vulnerability reports. Ask the vendor about their patch timeline, their disclosure policy, and whether they have a bug bounty program.

Controls That Reduce (But Cannot Eliminate) the Risk

If you decide to allow a limited browser agent pilot, these controls reduce your exposure:

Session isolation. Run browser agents in a dedicated browser profile with no enterprise SSO sessions, no saved credentials, and no OAuth grants. The agent should authenticate only to the specific services it explicitly needs, with scoped, revocable credentials. This is the single highest-impact control.

Navigation allowlisting. Define a strict allowlist of domains the agent is permitted to visit. Block access to internal tooling, financial platforms, HR systems, and any SaaS application containing sensitive data. Deny-by-default for any URL not on the approved list.

Read-only profiles where possible. For research and information-gathering tasks, configure the agent's session so it cannot submit forms, send messages, or modify data in any application. Agents that can only read content cannot complete most injection-driven exfiltration attacks.

Human-in-the-loop checkpoints. Require explicit human approval for any action the agent classifies as sensitive: sending a message, submitting a form, navigating to an authenticated application, or accessing any data that was not part of the original task scope. This adds friction but prevents autonomous execution of injected instructions.

Audit logging at the agent gateway. Log every tool invocation, every URL access, and every data extraction event. Route logs to your SIEM. Set alerts for access to domains outside the approved list and for any agent action involving authenticated sessions.

Network segmentation. Ensure agent processes cannot make network requests to internal RFC 1918 addresses, internal DNS zones, or corporate VPN tunnels. An agent browsing the public web should not be able to reach your internal wiki, your Jira instance, or your cloud management console.

These controls are consistent with the guidance in the OWASP Agentic Top 10 and align with NIST SP 800-207 (Zero Trust Architecture) principles for non-human system access.

Drafting an Acceptable Use Policy for AI Browser Agents

Your enterprise AI acceptable use policy needs a dedicated section for browser-use tools before you allow any deployment. At minimum, it should specify:

Approved tools list. Name the specific browser agent tools that have been evaluated and are approved for use, under what conditions, and for which user groups. Tools not on the approved list are prohibited.

Session requirements. Specify that approved browser agents must operate in isolated profiles with no enterprise SSO context unless explicitly authorized for a specific, scoped integration.

Data classification restrictions. Define what data classifications the agent is permitted to access, process, or generate output containing. Confidential, restricted, and regulated data categories should be explicitly out of scope.

Prohibited use cases. List the specific actions the agent is not permitted to take: accessing internal systems, submitting forms in enterprise applications, sending communications on behalf of the user, or handling data subject to HIPAA, PCI DSS, or GDPR.

Incident reporting. Specify that any unexpected or unauthorized agent behavior must be reported to the security team immediately. Employees should understand that agent misbehavior is a security event, not a software glitch.

Review cadence. Browser agent security is moving faster than most policy cycles. Commit to reviewing this section at least quarterly, given the pace of vendor changes and new vulnerability disclosures.

Conclusion

AI browser agent security is not a future problem. Tools like Perplexity Comet and OpenAI Atlas are already being requested by business units, and the attack techniques against them are documented and proven. The window between "approved for pilot" and "first security incident" is shorter than most organizations expect.

The right approach is not necessarily to block everything forever — though Gartner's current guidance to do exactly that is reasonable given the state of the tooling. The right approach is to evaluate each tool with a structured framework, apply the controls that meaningfully reduce session exposure, and maintain an audit capability that lets you respond when something goes wrong.

BeyondScale helps enterprises evaluate whether AI browser and agentic tools are safe to deploy and what specific controls are needed for your risk posture. Our AI security assessments include browser agent evaluation, session exposure analysis, and policy documentation tailored to your deployment environment.

If you are being asked to approve a computer-use AI tool and want to know exactly what you are approving, start with a scan of your current AI deployment.