
Agentic AI Browsers & Prompt Injection
A new kind of assistant is quietly arriving on corporate laptops. Instead of an AI that answers questions in a chat window, agentic browsers such as OpenAI's Atlas and Perplexity's Comet can act. Ask one to book a meeting, reconcile an invoice or clear your inbox, and it will click, type and submit on your behalf, using the accounts you are already logged into. That convenience is real, and so is the problem security teams are now waking up to: the same web page an agent reads to do its job can also tell it what to do.
Agentic browsers act with your logged-in sessions, so a hidden instruction buried in a web page or email can turn a helpful assistant into an attacker's proxy. The technique is prompt injection, and the people best placed to catch it are still your own staff.
From reading to acting
Earlier AI assistants were mostly passive. They summarised a document, drafted a reply or explained a spreadsheet, and a human did the clicking. An agentic browser removes that step. It holds the keys to whatever you are signed into, from email and cloud storage to the finance system and the HR portal, and it carries out multi-step tasks without pausing for approval at each stage.
This is a genuine productivity gain. It is also a much larger blast radius. A traditional phishing email has to convince a person to hand over a password or click a link. An agent that has already inherited your authenticated sessions does not need to be phished in that way. If an attacker can slip instructions in front of it, the agent can reach email, files and internal applications at the same time, with the access rights of the employee it works for.
Why prompt injection is the weak point
Large language models have a structural blind spot. They do not reliably separate the instructions they are meant to follow from the ordinary content they are meant to process. To the model, a system instruction, a user request and a paragraph of text scraped from a web page can all look like the same stream of words. Prompt injection exploits exactly this. An attacker plants commands inside content the agent will read, and the model treats those commands as if they came from you.
The Open Worldwide Application Security Project (OWASP) ranks prompt injection as the number one risk for large language model applications, and its separate Top 10 for agentic applications adds threats such as goal hijacking and memory poisoning. This is not a fringe concern flagged by a single researcher. OpenAI's own security leadership has described prompt injection as a "frontier, unsolved security problem" for browser agents, which is a striking admission from the company shipping one.
A concrete example
Researchers at the browser maker Brave showed how a booby-trapped web page, in one case an ordinary looking Reddit post, could quietly instruct Perplexity's Comet assistant to open the victim's email, read a one-time passcode and pass it to an attacker-controlled server. The user did nothing unusual. They simply asked their assistant to look at a page. The malicious text was invisible to the human but perfectly legible to the agent, and because the agent was already logged into the mailbox, it had everything it needed to complete the theft.

Memory poisoning: an attack that lingers
The more unsettling variants do not stop when you close the tab. The security firm LayerX demonstrated a related technique against Atlas, using a cross-site request forgery to write malicious instructions into the assistant's long-term memory. Once planted, the instructions persisted across sessions and even across devices, waking up later when the user made an entirely innocent request. An attack that survives a browser restart and follows the account to a new machine is closer to malware than to a one-off scam, and it is far harder to spot because there is no suspicious file to find.
This is a human risk problem too
It is tempting to file all of this under "AI security" and hand it to whoever owns the model. That misses where the exposure actually sits. Prompt injection is social engineering aimed at a machine, but the machine is acting for a person, using that person's access, often with that person watching. The employee who tells an agent to "sort out my inbox" on a whim, or who approves a batch of agent actions without reading them, is the same colleague you already train to hover over links and question unexpected requests.
That is why the human layer matters as much as the technical one. Staff who are used to spotting a manipulative email are well placed to notice when an assistant proposes something odd, such as forwarding data to an unfamiliar address or logging into a service it has no business touching. Regular simulated phishing and short, practical coaching keep that instinct sharp, and a culture where people report suspicious behaviour quickly turns a single alert user into an early warning system for everyone else.
What security teams can do now
There is no single patch for prompt injection, and vendors have been honest that there may never be one. The realistic goal is to reduce what a hijacked agent can reach and to keep a human in the loop for anything that matters. A practical starting point looks like this:
- Treat agentic browsers as privileged software. Approve specific tools, block unsanctioned ones, and stop shadow adoption before staff quietly install their own.
- Apply least privilege to the agent. It should only be able to reach the accounts and actions a task genuinely needs, not the full range of a user's logged-in sessions.
- Require human approval for high-risk actions. Sending money, changing permissions, sharing files externally or altering account settings should never be fully automated.
- Keep sensitive workflows off agentic browsers entirely. Banking, privileged administration and access to regulated data are poor candidates for autonomous clicking.
- Treat all web and email content as untrusted input. Assume any page an agent visits could contain instructions, and monitor agent activity the way you would monitor a service account.
- Invest in awareness, not just controls. A well-run security awareness programme gives people the confidence to question an assistant's output and the habit of reporting anything that feels wrong.
None of these steps is exotic. They are the same principles of least privilege, segregation and human oversight that security teams already apply elsewhere, pointed at a fast-moving new tool before it becomes embedded in daily work.
The bottom line
Agentic browsers are useful enough that people will adopt them whether or not the security team is ready, which makes waiting a poor strategy. The risk is not that the technology is broken but that it does exactly what it is told, including when the instructions come from a stranger who hid them in a web page. Decide now which tools are allowed, limit what they can touch, keep a person in the loop for consequential actions, and make sure staff know that an over-eager assistant deserves the same suspicion as an over-eager email. Get those basics in place and you capture most of the benefit while closing off the easiest path an attacker has to abuse it.
Phishing Tackle offers the tools businesses need to strengthen their human risk strategies, with multi-platform testing, real-time behavioural insights, and actionable data to keep your organisation ahead of modern cyber threats.
Contact us today to learn how Phishing Tackle can help safeguard your organisation from the growing array of cyber risks.
