Amid the explosion of AI systems, AI web browsers like Perplexity’s Fellow and Comet are starting to appear on enterprise desktops. Such applications are described as the next evolution of the humble browser and include built-in AI capabilities. It can read and summarize web pages, and in the most advanced cases, it can autonomously manipulate web content.
The promise, at least in theory, of AI browsers is to speed up digital workflows, perform online research, and retrieve information from internal sources and the broader Internet.
However, security research teams have concluded that AI browsers pose significant risks to businesses that cannot be ignored.
The problem lies in the fact that AI browsers are highly vulnerable to indirect prompt injection attacks. These are places where the model in the browser (or accessed through the browser) receives instructions hidden in specially created websites. By embedding text into web pages and images in ways that are difficult for humans to discern, you can provide instructions to AI models in the form of AI prompts, or modifications to user-entered prompts.
The bottom line for IT departments and decision makers is that AI browsers are not yet suitable for enterprise use and represent a significant security threat.
Combining automation and exposure
In tests, researchers found that text embedded in online content was processed by an AI browser and interpreted as instructions to a smart model. These instructions can be carried out using the user’s privileges, so the more access a user has to information, the greater the risk to the organization. The autonomy that AI grants users is the same mechanism that expands the attack surface, and the greater the autonomy, the greater the potential scope for data loss.
For example, you can embed text commands in images and display them in a browser, allowing an AI assistant to interact with sensitive assets such as corporate email or online banking dashboards. Another test showed how an AI assistant’s prompts could be hijacked to perform unauthorized actions on the user’s behalf.
This type of vulnerability clearly violates all principles of data governance and is the most obvious example of how “shadow AI” in the form of unauthorized browsers poses a real threat to an organization’s data. AI models act as bridges between domains, bypassing same-origin policies (rules that prevent data from one domain from being accessed by another domain).
Implementation and governance challenges
The root of the problem is the combination of user queries in the browser and live data accessed on the web. If the LLM is unable to distinguish between safe and malicious input, a human operator may be able to casually access and act on unsolicited data. Given the agent’s capabilities, the impact can be far-reaching and can easily cause a cascade of malicious activity throughout the enterprise.
For organizations that rely on data segmentation and access control, if the AI layer of a user’s browser is compromised, it could potentially bypass firewalls, perform token exchanges, and use secure cookies in exactly the same way as the user. In effect, the AI browser becomes an insider threat with access to all the data and capabilities of the human operator. Infected browsers can operate undetected for long periods of time, as browser users are not always aware of activity “under the hood.”
Threat mitigation
IT teams should treat first-generation AI browsers the same way they treat unauthorized installations of third-party software. While it’s relatively easy to prevent users from installing certain software, it’s worth noting that mainstream browsers like Chrome and Edge come with a number of AI features in the form of Gemini (in Chrome) and Copilot (in Edge). Companies that make browsers are actively exploring AI-enhanced browsing capabilities, and the need for competitive advantage among browser companies means that agent capabilities (which give browsers significant autonomy) will soon emerge.
Without proper monitoring and controls, organizations are exposed to significant risks. Future generations of browsers should see the following features:
- Separation of prompts. Separate user intent from third-party web content before generating LLM prompts.
- Gated privileges. AI agents should not be able to perform autonomous actions such as navigation, data retrieval, or file access without explicit user confirmation.
- Sandbox sensitive browsing (HR, finance, internal dashboards, etc.) so no AI activity occurs in these sensitive areas.
- Governance integration. Browser-based AI must align with data security policies, and the software must provide a record to enable traceability of agent actions.
Until now, no browser vendor has offered a smart browser with the ability to differentiate between user-driven intent and model-interpreted commands. Without this, browsers could be forced to act against your organization using relatively simple prompt injection.
Decision maker takeaways
Agentic AI browsers are being introduced as the next logical evolution in workplace web browsing and automation. They are intentionally designed to blur the distinction between user and human activity and become part of the interaction with a company’s digital assets. Given that the LLM within AI browsers is easily circumvented and corrupted, current generation AI browsers can be considered dormant malware.
Major browser vendors plan to incorporate AI (with or without agent functionality) into future generations of their platforms, so each release should be closely monitored to ensure security oversight.
(Image source: “Unexploded Ordnance!” by Hugh Llewellyn is licensed under CC BY-SA 2.0.)
Want to learn more about AI and big data from industry leaders? Check out the AI & Big Data Expo in Amsterdam, California, and London. This comprehensive event is part of TechEx and co-located with other major technology events. Click here for more information.
AI News is brought to you by TechForge Media. Learn about other upcoming enterprise technology events and webinars.
