TL;DR: Agentic browsers shift the browser from passive display to autonomous execution, which lets AI agents use active cookies, autofill data, and session context to complete tasks while also widening phishing, prompt injection, and compliance exposure, according to JumpCloud. The central problem is that existing IAM and browser-security controls assume a human remains the decision-maker, but the agent now becomes the actor.
At a glance
What this is: This is an analysis of agentic browsers and how they change the browser from a passive interface into an active identity and execution surface.
Why it matters: It matters because IAM teams must now govern software actions that run inside human sessions, affecting NHI controls, autonomous behaviour, and human access accountability at the same time.
By the numbers:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
Context
Agentic browsers change the browser from a rendering surface into an execution surface. That matters to identity teams because the browser is where employees authenticate, hold active sessions, and carry the cookies and autofill data that make access work across business systems.
The governance gap is straightforward: existing browser security and IAM models assume the human user remains the decision-maker. Once the software can act on the session, identity controls must account for software-initiated actions inside human credentials, not just user clicks.
For NHI teams, this is not a browser-only story. It is a delegation story, a session story, and a trust story at the same time, which is why browser risk now belongs in the same conversation as workload identity, privileged access, and human access assurance.
Key questions
Q: What breaks when agentic browsers can act inside a human session?
A: The browser stops being a passive interface and becomes a delegated actor with the user’s live privilege. That breaks assumptions behind URL-based trust, click-by-click authorisation, and many review models that expect humans to notice and stop suspicious steps before submission. Once the agent can act faster than the user can inspect, the control point shifts from identity verification to action governance.
Q: Why do agentic browsers complicate zero trust architecture?
A: Zero Trust assumes each action can be verified continuously, but agentic browsers reuse legitimate sessions while making independent decisions inside them. That makes the trust problem harder because the session may be valid even when the action is malicious. Teams need controls that validate intent, destination, and data handling at the moment the browser acts, not only when it authenticates.
Q: How can security teams measure whether browser-agent risk is controlled?
A: Look for evidence that high-risk tasks cannot be completed without a human checkpoint, that browser actions are fully logged, and that sensitive portals are excluded from agentic completion. If the organisation cannot show where the agent stops and the human begins, the programme is not controlling delegated browser risk effectively.
Q: Who is accountable when an agentic browser submits the wrong action?
A: Accountability stays with the organisation that allowed software to use human sessions and sensitive data without clear guardrails. In practice, that means IAM, endpoint, browser management, and security operations all share responsibility for defining what the agent may do, what must be reviewed, and what must never be delegated.
Technical breakdown
How agentic browsers execute goals across active sessions
An agentic browser uses an LLM-driven planning loop to turn a natural language instruction into browser actions. It senses page structure through the DOM, plans a sequence of clicks and form fills, then acts using the user’s live session cookies and autofill data. That is a different operating model from a traditional browser, which waits for explicit human input at each step. The security consequence is that the browser no longer just displays content. It can carry authority across sites and tasks, which makes intent, not just authentication, the weak point.
Practical implication: inventory where browser sessions can be reused by software actors and restrict high-risk actions to human-confirmed steps.
Prompt injection and confused deputy behaviour in agentic browsing
Agentic browsers are vulnerable to instructions hidden in page content, metadata, or even invisible text. If the browser treats those instructions as task-relevant, a malicious page can override the user’s intent without ever stealing credentials directly. That creates a confused deputy problem: the agent is legitimate, the session is legitimate, but the action is not. The failure is not authentication failure in the classic sense. It is instruction handling failure, where the browser cannot reliably distinguish the user’s goal from an attacker’s embedded goal.
Practical implication: treat hidden instructions as a control problem and place policy checks between page parsing and any sensitive action.
Why privacy and auditability break when the browser keeps memory
Many agentic browsers retain context across sessions so they can finish tasks faster and appear more helpful. That context can include emails, history, documents, and other sensitive data that may move to third-party processing environments. The audit problem is that users often see only the final result, not the intermediate reasoning, prompts, or data flows that produced it. For identity and compliance teams, that means the browser is not only an access client. It is also a data handling system that can expand the evidence gap in investigations.
Practical implication: require traceable logs for prompts, actions, and context retention before allowing agentic browsers near sensitive portals.
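The three practical implications above (human-confirmed high-risk steps, a policy check between page parsing and any sensitive action, and traceable action logs) can be sketched as a single gate. This is an added example, not code from JumpCloud or any browser vendor; the hostnames, action names, and the `instruction_source` label (which assumes the agent runtime can tag where each instruction came from) are illustrative assumptions.

```python
import json
from dataclasses import dataclass, asdict
from urllib.parse import urlsplit

# Constructed policy values: hostnames and action names are illustrative assumptions.
NO_DELEGATION_HOSTS = ("hr.corp.example", "finance.corp.example")
HIGH_RISK = {"submit_form", "make_payment", "change_permission"}

@dataclass
class ProposedAction:
    kind: str                # "click", "fill", "submit_form", ...
    url: str                 # page the action would run against
    task_url: str            # page the user's instruction was scoped to
    instruction_source: str  # "user_prompt" or "page_content" (assumed runtime label)
    human_confirmed: bool = False

def _host(url):
    return (urlsplit(url).hostname or "").lower()

def evaluate(a):
    """Decide one agent-proposed action before it touches the live session."""
    host = _host(a.url)
    if any(host == h or host.endswith("." + h) for h in NO_DELEGATION_HOSTS):
        return "deny", "sensitive portal excluded from agentic completion"
    if a.kind in HIGH_RISK and a.instruction_source != "user_prompt":
        return "deny", "high-risk step originated in page content, not the user's goal"
    if a.kind in HIGH_RISK and not a.human_confirmed:
        return "require_human", "high-risk step needs a human checkpoint"
    if host != _host(a.task_url) and not a.human_confirmed:
        return "require_human", "destination differs from the site the task was scoped to"
    return "allow", "low-risk step on the task's own site"

def gate(a, audit_log):
    """Evaluate, then append an attributable record whatever the outcome."""
    decision, reason = evaluate(a)
    audit_log.append(json.dumps({"actor": "agent", "decision": decision,
                                 "reason": reason, **asdict(a)}, sort_keys=True))
    return decision

if __name__ == "__main__":
    log = []
    shop = "https://shop.example/cart"  # constructed sample actions
    for act in [
        ProposedAction("click", shop, shop, "user_prompt"),
        ProposedAction("make_payment", shop, shop, "user_prompt"),
        ProposedAction("submit_form", shop, shop, "page_content", True),
        ProposedAction("fill", "https://hr.corp.example/profile", shop, "user_prompt", True),
    ]:
        print(gate(act, log), act.kind, act.url)
```

Every decision is logged, including denials, so an investigation can show where the agent stopped and the human began.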
Threat narrative
Attacker objective: The attacker wants to turn a legitimate user session into a machine-paced pathway for phishing, data leakage, or fraudulent actions without triggering the human skepticism that normally blocks the attack.
- Entry occurs when a user opens an agentic browser and grants it a live session that can read cookies, autofill data, and internal content.
- Credential access happens when the browser carries that valid session into a spoofed page or malicious instruction set, using the user’s own identity to act.
- Escalation follows when the agent completes high-trust tasks, bridges isolated tabs, or submits data and commands the user did not authorise consciously.
- Impact is fraudulent purchases, credential leakage, context exfiltration, or unauditable access to sensitive internal systems through a trusted workstation session.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
NHI Mgmt Group analysis
Browser session authority is now an identity control problem, not just a web security problem. The article shows that the browser can act with the same privileges as the logged-in employee, which collapses the old boundary between user intent and software execution. Traditional controls like SOP and URL inspection were built for human-driven navigation, not software that can carry identity across tabs and tasks. Practitioners should treat browser session authority as governed identity, not mere application state.
Trust-by-intent is the new failure mode. The browser no longer depends only on authenticating a user; it also has to interpret instructions correctly when a page tries to steer the agent. That means the real control gap is not just missing MFA or weak passwords, but an instruction boundary that cannot reliably separate legitimate goals from malicious embedded commands. Teams should recognise this as a governance problem for delegated action, not a simple phishing variant.
Access review assumes a human can inspect what happened, but agentic browsers compress action and exposure into the same session. The review model was designed for stable, observable privilege held long enough to be audited after the fact. With browser agents, the sensitive action may complete before anyone can examine the trail, which makes retrospective certification a weak control for this class of behaviour. The implication is that governance must shift toward pre-action constraints and action-level attribution.
Context harvesting is a named concept this article makes unavoidable. Agentic browsers gather history, emails, documents, and open tabs to improve task completion, but that same convenience creates a persistent memory surface that can move sensitive data outside the organisation’s control. The browser becomes both the worker and the warehouse for context, which is a governance pattern most IAM programmes still do not model. Practitioners should treat context retention as an identity-adjacent risk surface, not a UX feature.
Zero Trust must now extend to software acting inside a human session. The article’s core lesson is that the browser can behave like a trusted insider while still being influenced by hostile content. That invalidates the assumption that trusted sessions are inherently trustworthy when the actor inside the session is autonomous enough to choose actions. Security teams should reframe browser access as a delegated identity channel that needs continuous verification at the point of action.
From our research:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption, according to The 2026 Infrastructure Identity Survey.
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
- For a broader governance baseline, review OWASP NHI Top 10 for agentic risk patterns that overlap with browser-mediated execution.
What this signals
Browser-agent governance is now a front-line identity problem. With 70% of organisations granting AI systems more access than they would give a human employee performing the exact same job, the browser is becoming one of the easiest places for over-privilege to hide. That is why the control conversation must move from browser hardening alone to delegated identity governance across session, device, and action.
Context retention is emerging as a distinct risk surface. Agentic browsers collect enough working memory to blur the boundary between local work and enterprise data handling, which creates a new class of context leakage that traditional endpoint tools rarely describe well. Teams should expect more pressure to prove where prompts, history, and data fragments are stored, transformed, and erased.
The practical next step is to treat agentic browsing as part of the access model, not a standalone productivity tool. If a browser can file expenses, move data, or submit forms inside a trusted session, then identity policy, endpoint policy, and browser policy must be evaluated together, with explicit review of delegated action paths and the logs that prove them.
For practitioners
- Define browser action boundaries: Classify which browser actions may be completed by software and which require a human confirmation step before submission, payment, or permission changes. Use managed policies to block agentic completion of high-risk workflows.
- Separate session use from sensitive task execution: Prevent agentic browsers from carrying live cookies into HR, finance, admin, and internal control-plane portals unless the action is explicitly approved and logged. Tie the browser session to managed device trust and per-app policy.
- Require auditable prompts and action logs: Demand logs that capture prompts, page targets, intermediate actions, and any context retained across sessions. Without that trail, incident response cannot explain whether the user or the agent initiated the action.
- Rework access reviews for delegated browser use: Add review questions that test whether software actors can use a user’s session to complete tasks the user never directly observed. This is especially important where browser agents touch regulated data or privileged portals.
Key takeaways
- Agentic browsers turn the browser into a delegated identity actor, which breaks assumptions built for human click-through workflows.
- The strongest evidence of risk is not only phishing, but the combination of active session reuse, hidden instructions, and weak auditability.
- Practitioners should govern browser actions at the point of execution, because retrospective review is too late when software can complete the task first.
Key terms
- Agentic Browser: A browser that can interpret a goal and complete multi-step tasks on behalf of a user. Unlike a traditional browser, it does not only display content. It can navigate, select actions, and submit data using the user’s active session, which creates delegated identity risk as well as web risk.
- Confused Deputy: A failure mode where a legitimate actor is tricked into using its authority in ways the real user did not intend. In agentic browsing, the browser can carry a valid session into a malicious destination and complete harmful actions while still appearing authenticated and authorised.
- Context Harvesting: The collection and reuse of browser memory such as tabs, history, emails, and documents to complete tasks more effectively. In an identity context, this is not just convenience data. It is sensitive enterprise context that can expand exposure, create retention risk, and weaken auditability when processed by an agent.
- Delegated Session Authority: The practical ability of software to act within a human user’s authenticated session. This matters because the software inherits access, cookies, and trust relationships that were originally granted to a person, which means identity governance must control the delegated action, not only the login event.
This post draws on content published by JumpCloud: agentic browsers and the changing browser attack surface. Read the original.
Published by the NHIMG editorial team on 2026-01-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org