COMMENTARY: The internet browser first appeared on the scene about 36 years ago and ever since, commercial browsers have been on a continuous evolutionary path, becoming the trusted interface between users and the web. Browsers have kept in step with user expectations, and also with the prevalence of threat actors. Despite the scale and scope of evolution, the role of the browser as passive gateway has not changed.

Browsers are one of the most widely used applications in the world. Google Chrome holds 69% of the global market, with Safari and Microsoft Edge trailing far behind.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

Now, we're adding AI to the mix. Technology providers are investing $401 billion to expand the foundations of the AI ecosystem. Analysts predict a dramatic shift toward agentic AI systems. By 2026, 40% of enterprise applications are expected to include AI agents.

Unlike traditional browsers, AI-enabled browsers and browser assistants don’t passively display information: they interpret content, summarize pages, automate tasks, and have the agency to act on behalf of the user. AI has breathed intelligence into the browser, making it no longer just a viewing tool. But this radical shift has painted a target on the browser’s back.

The rise of an unfamiliar attack surface

AI capabilities within the browser have improved productivity and efficiency. At the same time, AI has fundamentally changed the browser’s security model. An attack on traditional browsers either targeted the user or the browser itself. Phishing campaigns convince users to reveal their credentials, or malicious code exposes vulnerabilities. Now attackers train their crosshairs on the AI agent embedded in the browser.

The very capabilities that make AI agents useful are also what makes them vulnerable.
Attackers can exploit the ability of the agents to understand natural language and take action through manipulation rather than conventional techniques, mainly via three vectors:

- Prompt injection: An AI browser reads and interprets content on a web page. Attackers can inject malicious instructions (prompts) into web page content. A user can choose to ignore them in a traditional browser, but an AI browser can actively process this information and treat these instructions as legitimate commands. A seemingly harmless website could contain hidden text instructing the assistant to reveal sensitive information or direct the user toward malicious actions. Agentic AI can take actions on the user’s behalf, such as filling out forms or making purchases, with the user none the wiser.
- HashJack: Discovered by our research team, it’s an indirect prompt-injection technique that hides malicious instructions in the URL fragment of an otherwise legitimate link. When an AI browser or assistant forwards the full URL to an LLM, those hidden instructions can be interpreted as prompt content, letting attackers manipulate the model’s behavior or even trigger data exfiltration in agentic systems. Because the attack lives in link context rather than traditional infrastructure, it can bypass many standard network and server-side defenses.
- Memory manipulation: We all admire AI’s ability to retain context from previous interactions and carry it forward, improving continuity and personalization over time. This means we don’t have to start from scratch every time. Attackers can get the AI to store something false or harmful in that memory; they don't need to attack the user directly or exploit code. They just need to corrupt what the assistant remembers and trusts.

Browser security has historically been designed to detect malicious code, suspicious domains, and unauthorized access. AI-driven attacks focus on how AI systems interpret information. From the perspective of a network security tool, a prompt injection embedded in webpage text looks like ordinary content. Malicious instructions designed to manipulate an AI model look like benign text and will pass under the radar of endpoint protection systems. Reliable browser protection, such as sandboxing, offers limited defense against attacks targeting the reasoning processes of AI assistants.

Here’s how we can rethink browser security

As an industry, we can’t ban the use of AI browsers. The productivity gains from their use are undeniable. Also, with 59% of employees partaking in shadow AI, banning AI browsers might not deliver the results organizations are looking for.

We have to view security through the prism of the rapid mainstreaming of AI capabilities, the creation of an environment that adopts safe AI use, and the reduction of the use of unregulated AI tools. Assume that AI browsers will become part of the enterprise environment and manage the associated risks accordingly.

The industry needs to change the way it thinks about AI browsers. They are not an extension or advanced version of a traditional browser. Think of them as a new category of enterprise software. Here are five steps teams can take to manage them better:

- Define clear policies for their selection and use, including which tasks AI assistants can perform within clearly established guardrails.
- Implement a control framework aligned with the threats posed by AI browsers.
- Limit permissions granted to AI assistants, thus reducing potential damage from manipulated instructions.
- Monitor browser behavior for unusual activity. This includes unexpected data transfers or automated interactions with sensitive systems. Vigilance on such activities will help to identify compromised workflows.
- Emphasize the importance of human oversight to ensure that AI-generated recommendations are cross-checked before use.

The human-web interface has reached a new level with AI browsers. No doubt, they are the future of browsing, in which navigating the internet becomes conversational, engaging, and meaningful.

But the silver cloud has a dark lining. Many organizations approach the use of AI browsers as a trade-off between efficiency and security. But it doesn’t have to work that way. The AI’s attack surface includes reasoning, memory, and autonomy, which we can address by updating policies, adding new technical controls, and building user awareness.

It’s still a wild frontier, and as AI browsers evolve, the security mechanisms designed to protect them will have to evolve in concert.

Etay Maor, vice president of threat intelligence, Cato Networks
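
The HashJack vector described above places instructions in the URL fragment, so one assistant-side control is to strip the fragment before any URL enters model context and to raise a monitoring alert when a fragment reads like free text. The sketch below is an added example, not code from the article or from Cato Networks; the function names, thresholds and sample URLs are assumptions constructed for illustration.

```javascript
// Added example (not from the article). Names, thresholds and URLs are assumptions.
const MAX_FRAGMENT_LENGTH = 80; // assumed: longer than typical anchors or hash routes
const MAX_WORDS = 2;            // assumed: anchors are rarely multi-word text

// Decode the fragment for inspection; a second pass catches double encoding.
function decodeFragment(hash) {
  let text = hash.replace(/^#/, "");
  for (let i = 0; i < 2; i++) {
    try { text = decodeURIComponent(text); } catch { break; }
  }
  return text;
}

// Returns "none", "anchor", or "suspicious" (fragment reads like free text).
function classifyFragment(hash) {
  const text = decodeFragment(hash);
  if (text === "") return "none";
  const words = text.split(/[\s+]+/).filter(Boolean).length;
  return words > MAX_WORDS || text.length > MAX_FRAGMENT_LENGTH ? "suspicious" : "anchor";
}

// The only URL form allowed into model context: the fragment is always removed.
function urlForModelContext(rawUrl) {
  const url = new URL(rawUrl); // throws TypeError on unparseable input
  const verdict = classifyFragment(url.hash);
  const fragmentLength = decodeFragment(url.hash).length;
  url.hash = "";
  return { safeUrl: url.toString(), host: url.host, verdict, fragmentLength };
}

// Batch view for monitoring. Alerts carry host and length only, never the fragment text.
function auditNavigations(urls) {
  const forwarded = [], alerts = [];
  for (const rawUrl of urls) {
    let r;
    try { r = urlForModelContext(rawUrl); }
    catch { alerts.push({ reason: "unparseable URL, not forwarded" }); continue; }
    forwarded.push(r.safeUrl);
    if (r.verdict !== "suspicious") continue;
    alerts.push({ host: r.host, reason: "text-like fragment", fragmentLength: r.fragmentLength });
  }
  return { forwarded, alerts };
}

// Constructed sample navigations (not real sites or real payloads).
const SAMPLE_URLS = [
  "https://docs.example/guide?page=2#install",
  "https://docs.example/guide#NOTE%20TO%20ASSISTANT%3A%20constructed%20sample%20instruction%20text",
  "https://docs.example/app#/settings/profile",
  "not a url",
];
console.log(JSON.stringify(auditNavigations(SAMPLE_URLS), null, 2));
```

Stripping is the control and applies to every URL; the classification only feeds monitoring, so a fragment that slips past the heuristic still never reaches the model.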




