AI companies will tell you that there are many reasons to use an AI browser these days. They have purported, quite convincingly so, that it's the logical evolution for web browsers, changing their capabilities from "searching" to "delivering". With a command, you can get them to book a flight, generate and document insights, or even fetch the PDF you "were looking at last night" through their context-aware memory.

There is, however, one good reason not to use AI browsers: that is, if you care about privacy and data security. As they surge in popularity, agentic browsers are becoming an attractive attack surface for cyber threat actors, which puts your data at stake. Here's why it's prudent now more than ever to exercise caution.

Agentic browsers can be fooled by a prompt

It has already happened before

One of the key vulnerabilities facing AI browsing is prompt injection, which leverages the delivery of malicious 'prompts' to hijack an AI's output by embedding instructions that did not originate from the user. In November 2024, the UK's National Cyber Security Centre (NCSC) alerted members of the public to its risks, while the US National Institute for Standards and Technology characterized it as the greatest security flaw of generative AI.

The risk of instruction injection has been demonstrated by Brave, who, in a 2025 security disclosure, highlighted that malicious prompts could be hidden behind a spoiler tag on a Reddit post, which users almost instinctively open by habit. Through this, the attackers were able to retrieve credentials such as their email address and one-time passcodes on the Perplexity Comet browser.

This "intent confusion" is further amplified by unified ecosystems such as Apple's Continuity. When devices can communicate seamlessly, a malicious instruction encountered on a mobile browser can potentially propagate across a user's entire trusted hardware network through code injections. This obviously presents a worst-case scenario, but, in the context of cybersecurity, if a vulnerability exists, it will be leveraged.

Reputational, conduct, and operational risks are heightened

The threat gains new dimensions for businesses and business owners

The suite of evolving risks also beckon some noteworthy considerations for business entities and employees in regulated sectors.

Data hijacking incidents that arise as a result of prompt injections can coerce the system into leaking confidential information or perform actions that can threaten the reputation of organizations in a matter of hours. As it always happens, stakeholders, customers and investors rarely differentiate between an exploited AI interface and poor governance, and reputational harm lands the same.

For firms and for the employees of firms in regulated industries such as finance, healthcare or insurance, so much as exposure to such interfaces can reasonably be deemed risk events. The usage of an AI browser that retrieves sensitive data and has the potential to execute unintended actions as a result of model failure (such as hallucinations) creates technical vulnerability and gives rise to various conduct risks.

The security is still playing catch-up

It's early days for agentic AI

There's no doubt that developers are racing to implement guardrails against the threats seen, but it doesn't change the fact that mitigation techniques are reactive rather than preventative. Each patch closes one loophole, resulting in cyber threat actors probing for another. This means that it could potentially take a few more years of case studies and experimentation to make the pros outweigh the cons.

At this point, you might be wondering how this differs from other cybersecurity threats we have been living with for decades. After all, phishing, keylogging, and malware injections didn't pop up overnight either. The key difference here lies in awareness and institutional maturity. While traditional threats are now deeply documented, embedded in cyber awareness resources and widely understood by both users and security teams, there are no established playbooks, telltale signs and remediation protocols yet when it comes to agentic AI.

This is majorly because AI introduces a different dynamic altogether. The attack surface is disorganized and semantic rather than technical, and the existing body of defensive knowledge remains limited and available only to experts. Most users know what a suspicious email looks like (provided they bypass spam filters) and are privy to the signs, but the fact that so much as clicking a 'remove spoiler' button on a popular social network can be leveraged to steal data hasn't been conditioned into the minds of the average person.

Keep the features, but lose the ecosystem

It's too early to fully understand the security implications of agentic browsing, and there's no lack of cybersecurity experts and data privacy advocates who would agree with this notion. Developers are reacting to vulnerabilities in at a time when threats seem to be evolving faster than safeguards. This does not, however, mean abandoning generative AI altogether. Tools like ChatGPT, Gemini, and others remain powerful when used deliberately, but have the potential to behave questionably when functioning as delegated authorities. At such a time, relinquishing control seems premature, especially when your data is at risk.