
Seven ways to develop a governance framework for AI browsers


COMMENTARY: AI-powered browsers like Copilot, Gemini, and the OpenAI Atlas browser have reshaped how we interact with the web — moving from manual clicks to smart task delegation.

These intelligent agents can read, understand, and respond to web content. They can quickly perform tasks such as filling out forms, uploading files, calling APIs, and retrieving data, frequently engaging with sensitive systems in the process.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

While AI’s autonomy boosts productivity, it also increases the places and ways data and credentials can be exposed. As AI agents blur the lines between user, application, and automation, governing this era requires identity-first controls, data-aware policies, session containment, and continuous validation rather than a return to bluntly blocking innovation.

The hidden risks of AI browsers

AI browsers merge the capabilities of large language models (LLMs) with full web interactivity, dissolving the traditional network and endpoint boundaries. As organizations start to use these tools, recent analysis shows several new threat patterns. These patterns require careful attention and updated governance, including:

  • Prompt injection and data exfiltration: Malicious web content or cleverly crafted prompts can trick agents into revealing sensitive information or performing unauthorized tasks.
  • Autonomous actions in real time: AI agents can carry out complex workflows almost instantly, which shrinks the window for catching errors or harmful redirects before they take effect.
  • Exposure to malicious destinations: Automated browsing makes it easier for online threats to slip through, leaving systems more exposed to phishing scams, malware-laden sites, and untrusted domains that can infiltrate endpoints or steal sensitive data.
  • Human-in-the-loop gaps: Users might unknowingly share passwords, personal details, or other sensitive information when they enter prompts. They may not realize how that information could be reused or exposed downstream.

These risks show the need for modern controls that use AI, offer visibility, enforce rules, and guard against accidental data leaks. It’s especially important as new threats like “HashJack” emerge from active red-team testing and security research.

“HashJack” has become an emerging research direction within Cato CTRL that looks at how AI-driven browsers and agents might unintentionally leak authentication artifacts, such as session tokens or credential hashes, during automated web interactions. The concept builds on the known pass-the-hash (PtH) attack method that has long been observed inside LAN environments.

A pass-the-hash attack involves an attacker obtaining a hashed version of a user's password and using it to gain access to other systems. Rather than decrypting the password, the attacker “passes” the hash directly to initiate a new session and impersonate the user. This technique is frequently used in Windows environments, but it’s also applicable to other operating systems and authentication protocols.

HashJack was inspired by pass-the-hash techniques, exploring how AI-driven browsers might get manipulated into exposing reusable authentication artifacts. Instead of reusing password hashes like traditional PtH attacks, HashJack examines how malicious instructions hidden in the “#” URL fragment could influence LLM-powered assistants to leak tokens or perform unintended actions. Since fragments are not sent to servers and often bypass inspection, they present a unique risk if AI agents interpret them blindly as instructions rather than as untrusted data.

Principles for governing AI browsers

Organizations should establish a governance framework centered on identity, data, and session management. Here’s how to do it:

Secure autonomy through identity: Set up and govern AI agents like service accounts. Enforce least privilege to limit their access and actions. Keep audit logs, require approvals for high-risk operations, and have an immediate revocation mechanism in place.

Make data the control plane: Classify and label sensitive data consistently. Implement policies that prevent data from being transmitted to untrusted destinations across all communication channels. Include prompts that alert users before they share risky content.

Isolate when it matters: Use session isolation when handling unknown or high-risk destinations to stop payloads and exploits from reaching the endpoint. Enforce additional verification steps for transactions that involve financial activity, access rights, or identity changes.
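The identity and isolation principles above (agent as a service account, least privilege, approval for financial or identity-changing transactions, audit trail, immediate revocation) as a minimal policy layer in Python. This is an added example, not code from the column or from Cato Networks; the action names, risk classes and `AgentIdentity` fields are assumptions for illustration.

```python
"""Added example: an action-authorization gate for an AI browser agent.
The agent is modelled like a service account with an allow-list of actions
and destinations; high-risk actions need an explicit approval; every
decision is written to an audit log; revocation takes effect immediately."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Action classes that always require a human approval (assumed taxonomy,
# mirroring the column's financial / access-rights / identity-change cases).
HIGH_RISK = {"payment", "permission_change", "identity_change"}

AUDIT_LOG = []  # append-only record of every decision


@dataclass
class AgentIdentity:
    agent_id: str
    allowed_actions: set   # least-privilege allow-list of actions
    allowed_domains: set   # least-privilege allow-list of destinations
    revoked: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_approval: bool = False


def authorize(agent, action, domain, approved=False):
    """Decide whether the agent may perform `action` against `domain`."""
    if agent.revoked:
        decision = Decision(False, "agent identity revoked")
    elif action not in agent.allowed_actions:
        decision = Decision(False, f"{action} not in the agent's allow-list")
    elif domain not in agent.allowed_domains:
        decision = Decision(False, f"{domain} is not an approved destination")
    elif action in HIGH_RISK and not approved:
        decision = Decision(False, "high-risk action held for approval", needs_approval=True)
    else:
        decision = Decision(True, "permitted")
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "agent": agent.agent_id, "action": action, "domain": domain,
                      "allowed": decision.allowed, "reason": decision.reason})
    return decision


def revoke(agent):
    """Immediate kill switch: every later authorize() call is denied."""
    agent.revoked = True
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "agent": agent.agent_id, "action": "revoke", "allowed": True})
```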

Extend visibility to unmanaged endpoints: AI-driven browsing has moved beyond devices managed by companies as employees are interacting with agents on their personal devices or third-party platforms. Organizations must adopt a Secure Access Service Edge (SASE) architecture. This approach delivers integrated security and networking capabilities across both managed and unmanaged endpoints without affecting user experience.

Simulate to strengthen: Conduct red team exercises that focus on prompt injection, agent manipulation, and HashJacking techniques. Track how well detection and response perform during these simulations. Use the findings to strengthen your security defenses.

Apply just-in-time guardrails: Deploy inline detection systems that flag sensitive terms or payloads in prompts and form fields before submission. If a user or agent tries to transmit potentially risky content, the system can respond with alerts, safer alternatives, or enforce policy-based blocks while preserving normal workflow continuity.
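An inline guardrail of the kind described here, applied to the fragment-based HashJack pattern discussed earlier: before an AI browser agent acts on a URL, the check separates what the server actually receives from the client-only `#` fragment, flags instruction-like or secret-seeking text in that fragment, and hands the agent only a sanitized context in which the fragment is labelled as data, never as instructions. This is an added example, not code from the column or from Cato Networks; the phrase patterns and the length threshold are assumptions.

```python
"""Added example: URL-fragment guardrail for an AI browser agent."""
import re
from urllib.parse import urlsplit, unquote

# Instruction-like phrases that have no place in an anchor identifier (assumed list).
INSTRUCTION_PATTERNS = [
    r"ignore (all |any )?(previous|prior) instructions",
    r"\b(send|post|forward|reveal|exfiltrate)\b.*\b(token|cookie|password|credential|session)\b",
    r"\bsystem prompt\b",
]
MAX_ANCHOR_LEN = 64  # legitimate anchors are short; long fragments look like payloads


def split_request(url):
    """Return (what the server receives, decoded client-only fragment)."""
    p = urlsplit(url)
    server_side = p.path + ("?" + p.query if p.query else "")
    return server_side, unquote(p.fragment)  # the fragment never leaves the client


def inspect_fragment(url):
    """Inspect the fragment and build the only context the agent may consume."""
    server_side, fragment = split_request(url)
    lowered = fragment.lower()
    findings = [f"instruction-like text: /{pat}/"
                for pat in INSTRUCTION_PATTERNS if re.search(pat, lowered)]
    if len(fragment) > MAX_ANCHOR_LEN:
        findings.append(f"fragment length {len(fragment)} exceeds anchor limit")
    if re.fullmatch(r"[A-Za-z0-9+/=]{40,}", fragment):
        findings.append("fragment looks like an encoded blob")
    verdict = "block" if findings else "allow"
    return {
        "verdict": verdict,
        "findings": findings,
        "server_sees": server_side,
        # Agent gets the URL without the fragment, plus the fragment as plain data
        # only when the check passed.
        "url_for_agent": urlsplit(url)._replace(fragment="").geturl(),
        "fragment_as_data": fragment if verdict == "allow" else None,
    }
```

Run over a captured URL before the agent loads it; a `block` verdict is the point to alert the user or enforce the policy, while the `server_sees` field shows why server-side inspection alone would never have caught the fragment.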

Upload governance: AI agents may upload documents in their normal workflows, and without proper safeguards, this can accidentally expose sensitive information. Monitor these actions and, when needed, block uploads to untrusted locations.

AI browsers have taken on a central role in the evolving digital environment, which means governance must evolve in sync with the innovation. Instead of pushing back against change, organizations should find a balance between rapid innovation and careful governance.

Implementing identity-centric controls, isolating high-risk activities, and staying ahead of emerging threats will ensure that organizations realize the full potential of AI-powered browsing without losing out on trust and security.

Dr. Guy Waizel, tech evangelist, Cato Networks


Guy Waizel

Dr. Guy Waizel is a Tech Evangelist at Cato Networks and a member of Cato CTRL. He has more than 25 years of experience spanning cybersecurity, IT, and AI, holding important roles at tech startups acquired by Philips, Stanley Healthcare, and Verint. Prior to Cato he held leadership roles at Commvault and TrapX Security (acquired by Commvault). Guy holds a PhD with magna cum laude honors from Alexandru Ioan Cuza University, an MBA from Netanya Academic College and a B.Sc. in technology management from Holon Institute of Technology.
