Browsers with integrated artificial intelligence have arrived on the market with features that promise to summarize pages, answer questions in the browsing context, execute automated tasks, and interact with external services on behalf of the user. By March 2026, this trend had matured enough to raise genuine alarm in the security community.
What Changed with AI in Browsers
Traditional browsers are passive: they render content and execute JavaScript code confined to the page sandbox. AI browsers add an active agent that reads, interprets, decides, and acts. It can interact with page content, trigger external APIs, access installed extensions, and even execute actions on the operating system via Model Context Protocol (MCP) or proprietary APIs.
This paradigm shift creates attack surfaces that traditional controls simply don't see.
Main Attack Vectors Identified
1. Prompt Injection via Page Content
Malicious pages can embed hidden instructions in text or metadata that manipulate the AI agent into taking actions the user never intended, such as exfiltrating session data, redirecting to fraudulent sites, or sending information to external servers.
2. Session and Context Exfiltration
The AI agent frequently has access to the complete tab content, session cookies, authentication tokens, and browsing history to provide contextual responses. An isolation failure can allow one site to access data from another tab open in the same session.
3. MCP Integration Abuse
The Model Context Protocol allows the browser to use external tools such as calendars, email, and file systems. Researchers have demonstrated that a compromised agent can use these integrations to send emails, create events, read local files, and execute commands without explicit user interaction.
4. Extensions with Broad Permissions
Browser extensions with broad read access can capture all traffic between the AI agent and LLM APIs, including prompts and responses containing sensitive user or organization data.
Impact for Companies
The risk is amplified in corporate contexts where employees use AI browsers to handle confidential data: emails, internal systems, contracts, financial spreadsheets. A successful attack can result in silent exfiltration of critical information without any indicators in traditional security controls.
Recommended Controls
1. AI Browser Inventory and Assessment
Map which browsers with AI functionalities are in use in the organization, what agent capabilities each has, and what corporate data could be exposed.
2. Traffic Monitoring for LLM APIs
At the proxy or outbound firewall level, monitor and control calls to LLM API endpoints (OpenAI, Anthropic, Google, etc.) originating from the corporate environment. Unidentified traffic to these destinations is a warning sign.
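As an added example (not code from the article), this control can be scripted against proxy logs: the script below scans Squid-style access.log lines for connections to known LLM API hosts from clients outside an approved list; the host list, the approved client address and the sample log lines are constructed assumptions.

```python
# Added example (not the article's code); hosts, approved client and log lines are constructed.
import re
# Known LLM API hostnames (assumption: extend with the vendors your proxy actually sees).
LLM_API_HOSTS = {
    "api.openai.com": "OpenAI",
    "api.anthropic.com": "Anthropic",
    "generativelanguage.googleapis.com": "Google",
}
# Clients allowed to reach LLM APIs, from the AI browser inventory (assumed value).
APPROVED_SOURCES = {"10.0.5.12"}
# Squid native access.log: time elapsed client code/status bytes method url ...
# With TLS the url is "host:443" (CONNECT); with inspection it is the full URL.
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def host_from_url(url):
    """Bare hostname from 'host:port' or 'scheme://host[:port]/path'."""
    return url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()

def parse_line(line):
    """Fields needed for triage from one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": m.group("ts"), "client": m.group("client"),
            "method": m.group("method"), "host": host_from_url(m.group("url"))}

def find_unapproved_llm_calls(lines):
    """Records for LLM API hosts contacted by clients not in APPROVED_SOURCES."""
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        vendor = LLM_API_HOSTS.get(rec["host"])
        if vendor and rec["client"] not in APPROVED_SOURCES:
            findings.append({**rec, "vendor": vendor})
    return findings

def vendors_by_client(findings):
    """Group flagged vendors per client: one row per workstation to investigate."""
    out = {}
    for f in findings:
        out.setdefault(f["client"], set()).add(f["vendor"])
    return out

# Constructed sample lines: one approved gateway, one workstation talking to two vendors.
SAMPLE_LOG = [
    "1773000000.123    245 10.0.5.12 TCP_TUNNEL/200 5120 CONNECT api.openai.com:443 - HIER_DIRECT/- -",
    "1773000001.456    180 10.0.7.44 TCP_TUNNEL/200 9876 CONNECT api.anthropic.com:443 - HIER_DIRECT/- -",
    "1773000002.789     50 10.0.7.44 TCP_MISS/200 2048 GET https://generativelanguage.googleapis.com/v1beta/models - HIER_DIRECT/- -",
    "1773000003.000     30 10.0.7.44 TCP_MISS/200 1024 GET https://intranet.example.com/ - HIER_DIRECT/- -",
]
```

With CONNECT-only logging the destination host is visible but the request body is not, so determining what data was actually sent still depends on the TLS inspection listed in the checklist.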
3. Strict Browser Extension Management
Implement an approved extension policy (allowlist), centrally managed via MDM or GPO. AI extensions with broad permissions must undergo security review before being released to users.
4. User Training on Prompt Injection
Users need to understand that asking the browser assistant to "summarize this page" may involve sending page data to an external server, and that malicious sites can try to manipulate the assistant into acting against the user's own interests.
5. Review of External Integration Permissions
Periodically audit which tools and APIs are integrated into the browser's AI functionality via MCP. Revoking unused integrations reduces the attack surface.
Checklist for Security Teams
- Inventory AI browsers in use in the organization and map their agent capabilities.
- Verify if AI functionalities send data to external APIs and what data is included.
- Review and restrict browser extensions with broad read permissions.
- Implement TLS traffic inspection to identify calls to LLM APIs.
- Include AI browsers and prompt injection in the security training program.
- Update the acceptable use policy to cover corporate use of AI assistants in browsers.
Conclusion
The integration of AI agents in browsers is irreversible. The productivity it offers is real, and so is the attack surface it creates. Organizations that don't review their security posture to include this layer will be exposed to vectors that their current controls simply don't see.