If you’ve used a modern browser lately, you’ve probably noticed something changing. These systems are no longer passive tools for opening tabs or trying in search bars; they’re turning into active, intelligent companions. An AI browser like Perplexity’s Comet, OpenAI ChatGPT Atlas or Opera Aria, can understand what you want, find answers, summarise web pages, and even perform actions on your behalf. It’s like having a personal AI assistant that helps with everyday tasks.
While AI browsers unlock big productivity gains, they also introduce new and unseen security risks. Unlike conventional browsers that simply display content, AI-powered browsers actively interpret, summarise, autofill, and even execute tasks on behalf of users. This added layer of autonomy introduces new and unpredictable risks for both individuals and enterprises. Attackers target this “thinking” layer, using advanced tactics like prompt injection to influence browser behaviour.
Manipulation Chain
A typical manipulation chain looks like this: An employee uses an AI browser to research or interact with a site while logged into corporate accounts. The agent fetches page content (including hidden or adversarial instructions) or accepts a screenshot/image. The adversarial content contains instructions that the model interprets as user intent. Attackers can deliver the malicious content via compromised web pages, or via malicious browser extensions/sidebars. Real-world proofs-of-concept and audits have shown these flows can expose credentials, tokens, and confidential data.
Check Point Research’s analysis of OpenAI’s Atlas shows that AI browsers put the assistant at the centre of your digital life, with access to all authenticated sessions (email, banking, SaaS, corporate systems), dramatically expanding an already heavily-targeted browser attack surface. “In an AI browser, attackers don’t need to trick the user – they trick the AI,” says Sundar Balasubramanian, MD, Check Point Software Technologies, India & South Asia.
Through indirect prompt injection, malicious instructions hidden in barely visible or off-screen text on a webpage can override the user’s commands; the AI can no longer distinguish between what you typed and what the page secretly tells it to do. If an employee visits such a page while logged into corporate SaaS, the assistant can be coerced into reading emails, scraping calendars or moving data between business apps, effectively turning the browser into an automated insider threat.
“These threats are real and material,” says Aaron Bugal, field CISO, Sophos Asia Pacific & Japan. AI-powered browsers extend an LLM’s decision-making into web actions and authenticated sites, which creates new attack surfaces that traditional web security controls weren’t designed to handle. Attackers can deliver the malicious content via compromised web pages, deceptive emails that the agent is asked to summarise, or via malicious browser extensions/sidebars. “Security audits identified serious flaws in Perplexity’s Comet, showing how malicious inputs can cause data leakage,” he adds.
“For businesses, the risks come in three forms we see again and again,” says Huzefa Motiwala, senior director, Technical Solutions, India and SAARC, Palo Alto Networks. First, privacy: once an agent digests an injection, it can pivot to other tabs or SaaS apps and behave as you. Second, tool misuse: give an agent permission to send email, or run code, and a prompt attack can misuse those very capabilities in ways that look legitimate to your systems. Third, persistence. Attackers can poison long-term memory so bad instructions survive across sessions and quietly trigger later.
2026 Outlook
India is already under sustained pressure: Check Point Research reports companies facing an average of 3,237 cyberattacks per week over the last six months, with education and government among the most targeted sectors. The company’s global threat intelligence shows GenAI-linked data exposure rising sharply, with risky prompts now touching over 90% of GenAI-using enterprises. In that context, AI-driven browsing is likely to accelerate three risks by 2026: automated account takeover via indirect prompt injection, silent data exfiltration from SaaS and cloud apps, and large-scale policy violations as employees use AI assistants in browsers without controls.
“Going into 2026, this will most certainly play a big role,” says Motiwala. “Adoption is rapid, and Indian enterprises are under growing pressure to ship AI features and productivity wins. That lifts the upside, and the exposure. Local bodies are already publishing guidance on enterprise GenAI risk, and boards are asking how to allow experimentation without losing control of data.”
To prepare, organisations must recognise AI browsers as a distinct, high-risk attack surface, not just another application, says Diwakar Dayal, managing director & area vice president – India & SAARC, SentinelOne. They must also have strong AI governance and acceptable-use policies and a prevention-first architecture. “For Indian enterprises, the message is simple: you can’t manage AI-driven browsing with human oversight alone – you need AI-powered, browser-aware defences that can see and stop attacks at machine speed,” adds Balasubramanian.
