COMMENTARY: AI browsers have come on the scene of late and are already one of the riskiest blind spots in enterprise security.

Most programs we use in an enterprise setting process information via file shares, email, and other sanctioned SaaS systems. These are systems we’ve more or less managed to properly secure.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

AI-native browsers are a new beast, and too often, employees give these new systems cross-context access to their workspaces — piping sensitive data to third-party infrastructure under the banner of “productivity.”

If this sounds too new, assume sensitive data has already left the company’s environment without detection.

Let me break down the problem:

Tools such as OpenAI’s Atlas and Perplexity’s Comet are not just search boxes with chat sidebars. They operate like autonomous agents with memory, cross-device sync, and direct access to authenticated sessions. An employee can use Atlas to research an acquisition target, then later ask it to “summarize the company's M&A strategy.” A sales leader may, without realizing it, let Comet’s Background Assistant read Gmail, calendar, and CRM to draft outreach.

No matter the case, strategic business information and customer data are processed through third-party AI infrastructure without a formal upload, integration request, or security review.

The cases are not by any means rare; they are now mainstream.

In regulated sectors — like healthcare and financial services, among others — these patterns are a major concern and represent clear liability.

AI browsers are not going away. They’re becoming the default interface for knowledge work. The organizations that stay safe won’t ban them outright: they’ll recognize AI browsers as powerful, high-risk intermediaries — and re-architect their controls to match the reality of how data moves now.

Rohan Sathe, co-founder and CEO, Nightfall AI

Five exfiltration paths our controls don’t see
Most legacy DLP was built for explicit, observable actions. Upload a file, send an email, and copy it to USB. AI browsers route around those assumptions entirely. Here's what I mean:

- Cloud sync has become a silent pipeline: Browser histories, "memories," and sessions sync automatically to provider clouds and personal devices. When an engineer opens sensitive code in an AI browser at home, it doesn't trigger exfiltration alerts — but that context now lives in a third-party system and can inform future AI outputs.
- File uploads have become frictionless: An employee drags a board deck into an AI browser for "quick summarization." The company’s most sensitive documents just left its infrastructure. Strong vendor assurances don't change the math: the company has expanded its attack surface, increased its legal exposure, and staked its security on someone else's controls.
- Copy/paste functions as a stealth channel: Pasting roadmap bullets, pricing matrices, or patient notes into an AI prompt feels harmless. It bypasses file-centric DLP, leaves thin audit trails, and scales with every "just help me rewrite this" request. It's exfiltration that doesn't look like exfiltration.
- AI-generated downloads are reverse exfiltration: When AI browsers pull data across tabs and apps — "compile all renewal data into a sheet," "merge these contracts" — the output itself becomes a high-risk artifact. It's often downloaded locally or pushed to unsanctioned storage, and it aggregates information that was never meant to live in one place.
- Autonomous agents are data vacuums: Background agents configured to "act on your behalf" have continuous access to CRMs, ticketing systems, source code repositories, and communications. Once enabled, they operate quietly and automatically — far outside any access model the team may have explicitly designed or monitored.

Why traditional DLP never stood a chance
Most security teams have an architecture problem because of legacy DLP. Here’s why:

- Network DLP struggles with the basics: Certificate pinning, encrypted channels, and traffic that looks like normal web activity all create blind spots. AI browser traffic gets fragmented across APIs and WebSockets — not the neat file transfers our tools were built to catch.
- Endpoint DLP was designed for a different era: It blocks USB drives and monitors email clients, but it can't inspect browser text fields, AI prompts, or agent behaviors inside modern web apps. The granularity just isn't there.
- App-native DLP loses visibility at the handoff: Tools built into Drive or M365 work fine — until data gets downloaded or copied into a separate AI tool. The second hop is completely invisible.

AI browsers operate at the application and interaction layer, inside trusted sessions, across multiple services at once. Perimeter-era DLP was never designed to see that kind of activity, let alone govern it.

CISOs don’t need another fear narrative. They need a blueprint. Securing against AI browser exfiltration requires a dramatic shift in principles. Here are five ways to make it happen:

- Move controls to the browser and endpoint layer: Protection must live where users actually interact with AI: in the browser, in the clipboard, in the session — not only in the network choke points the company owned a decade ago.
- Inspect content before it leaves, not after: “Alert after exposure” has become obsolete when sensitive prompts are processed in milliseconds. Modern controls should evaluate content pre-submission and prevent risky uploads, pastes, and syncs in real time while explaining the “why” to users.
- Understand context, not just patterns: Regexes and keyword lists can’t distinguish between public docs and proprietary auth logic. AI-native detection — across text, code, images, and documents — has become table stakes to reduce false positives and focus human attention on real risk.
- Capture full data lineage: Where did this data originate? Who touched it? Which AI tools saw it? Where did it try to go next? Lineage across SaaS, endpoints, AI tools, and browsers has fast become a regulatory and incident-response requirement.
- Treat AI tools as first-class applications in the company’s governance program: Inventory, risk-assess, set governance policies, and monitor AI browsers, assistants, and agents just like core SaaS.
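
The first two principles above (enforce in the browser, inspect before submission and explain the "why") can be shown as a paste handler that evaluates clipboard text against its destination before it reaches an AI prompt. This is an added example, not code from the column or from any vendor product. The host list, the two detectors and all function names are assumptions; the detectors are simple stand-ins for the contextual detection the third principle calls for.

```javascript
// Added example: hosts, detectors and names below are assumptions, not a product's API.
const AI_DESTINATIONS = new Set(["ai-browser.example", "assistant.example"]); // constructed hosts

// Luhn checksum: separates plausible card numbers from arbitrary long digit runs.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

const DETECTORS = [
  { label: "private key material",
    test: (t) => /-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----/.test(t) },
  { label: "payment card number",
    test: (t) => (t.match(/\b(?:\d[ -]?){13,19}\b/g) || [])
      .some((m) => luhnValid(m.replace(/\D/g, ""))) },
];

// Decide before the text reaches the page; the reason is what the user is shown.
function evaluatePaste(text, destinationHost) {
  if (!AI_DESTINATIONS.has(destinationHost)) {
    return { action: "allow", reason: "destination is not an AI tool" };
  }
  const hits = DETECTORS.filter((d) => d.test(text)).map((d) => d.label);
  return hits.length
    ? { action: "block", reason: `Paste blocked: contains ${hits.join(", ")}` }
    : { action: "allow", reason: "no sensitive content detected" };
}

// Browser wiring (content script); skipped when the file is run under Node.
if (typeof document !== "undefined") {
  document.addEventListener("paste", (e) => {
    const verdict = evaluatePaste(e.clipboardData.getData("text/plain"), location.hostname);
    if (verdict.action === "block") {
      e.preventDefault();     // stop the text before it enters the prompt field
      alert(verdict.reason);  // explain the decision to the user
    }
  }, true);                   // capture phase: run before the page's own handlers
}
```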




