Agentic browsers: are your browser controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9236
Topic starter  

TL;DR: Agentic browsers combine web access, LLM reasoning, and action-taking inside one session, creating a broader attack surface than traditional browsers and raising risks such as prompt injection, data leakage, and unsafe autonomous actions, according to TROJ.AI. Existing browser security and AI governance controls now need to operate together, not separately.

NHIMG editorial — based on content published by TROJ.AI: AI Security, The Rise of the Agentic Browser: What Every CISO Must Know

By the numbers:

Questions worth separating out

Q: What breaks when a browser can act on behalf of the user?

A: The main failure is that the browser is no longer just rendering pages, it is executing delegated actions inside a live session.

Q: Why do agentic browsers complicate zero trust and least privilege?

A: They complicate both because the browser can inherit a user’s identity and then take further actions without the user explicitly initiating each step.

Q: How do security teams know if an agentic browser is operating outside its intended boundary?

A: Look for unexpected page traversals, unapproved form submissions, unusual data movement, and actions taken outside the user’s normal workflow.

Practitioner guidance

  • Classify agentic browsers as governed execution environments: Separate ordinary browsing from agent-enabled sessions and assign them distinct privilege, logging, and access policies.
  • Restrict high-risk browser actions by default: Require explicit confirmation before the agent submits forms, connects to internal systems, or moves data across trust boundaries.
  • Combine browser telemetry with AI audit logging: Feed agent activations, prompt traces, page interactions, and unusual navigation into SIEM or XDR so investigations can reconstruct what the agent saw and did.

What's in the full article

TROJ.AI's full blog post covers the operational detail this post intentionally leaves for the source:

  • Specific examples of browser actions that should remain blocked, confirmed, or permitted in enterprise rollout
  • Detailed control sequencing for sandboxing, telemetry, and policy enforcement across agentic browser deployments
  • Practical guidance on training users to recognise prompt injection, unexpected agent behaviour, and unsafe context handling
  • Session design ideas for separating sensitive browsing from agent-enabled browsing without breaking productivity

👉 Read TROJ.AI's analysis of agentic browser risk and enterprise controls →
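As an added illustration of the practitioner guidance above (example code, not from TROJ.AI or NHIMG), a small Python policy check that treats agent-enabled sessions separately from ordinary browsing, requires explicit confirmation for form submissions, internal connections and cross-boundary data movement, and emits one SIEM-ready audit event per action. The action schema, the hostnames and the sample session are constructed assumptions.

```python
from dataclasses import dataclass

# Action kinds that the guidance says need explicit confirmation by default.
HIGH_RISK = {"form_submit", "connect_internal", "data_transfer"}

@dataclass(frozen=True)
class Action:
    session: str             # "user" (ordinary browsing) or "agent" (agent-enabled)
    kind: str                # navigate | form_submit | connect_internal | data_transfer
    target: str              # destination host
    confirmed: bool = False  # did the user explicitly approve this step?

@dataclass(frozen=True)
class Policy:
    allowed_domains: frozenset   # hosts the agent may traverse
    internal_domains: frozenset  # hosts inside the trust boundary

def evaluate(policy: Policy, a: Action):
    """Return (decision, reason). Decisions: allow, require_confirmation, block_and_alert."""
    if a.session != "agent":
        return "allow", "ordinary browsing session; agent policy not applied"
    if a.kind == "navigate":
        if a.target in policy.allowed_domains:
            return "allow", "navigation inside approved boundary"
        return "block_and_alert", f"unexpected traversal to {a.target}"
    if a.kind == "data_transfer" and a.target in policy.internal_domains:
        return "allow", "data stays inside the trust boundary"
    if a.kind in HIGH_RISK:
        if a.confirmed:
            return "allow", f"{a.kind} to {a.target} explicitly confirmed by user"
        return "require_confirmation", f"{a.kind} to {a.target} needs explicit confirmation"
    return "block_and_alert", f"unrecognised action kind {a.kind!r}"  # default deny

def audit(policy: Policy, actions):
    # One SIEM-ready event per action, so an investigation can replay what the agent saw and did.
    return [dict(session=a.session, kind=a.kind, target=a.target, decision=d, reason=r)
            for a in actions for d, r in (evaluate(policy, a),)]

# Constructed sample: one agent-enabled session, as a browser/agent log might record it.
POLICY = Policy(frozenset({"crm.example.internal", "docs.example.com"}),
                frozenset({"crm.example.internal"}))
SAMPLE_ACTIONS = [
    Action("user", "navigate", "news.example.org"),                     # ordinary session, untouched
    Action("agent", "navigate", "docs.example.com"),                    # approved traversal
    Action("agent", "form_submit", "docs.example.com"),                 # needs confirmation
    Action("agent", "connect_internal", "crm.example.internal", True),  # confirmed by user
    Action("agent", "data_transfer", "crm.example.internal"),           # inside trust boundary
    Action("agent", "data_transfer", "paste.example.net"),              # crosses trust boundary
    Action("agent", "navigate", "unknown.example.net"),                 # outside approved boundary
]
```

Calling `audit(POLICY, SAMPLE_ACTIONS)` yields the per-action decisions; only the two boundary-crossing events and the unapproved traversal would surface in a SIEM as needing attention.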

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8675
 

Agentic browsers collapse the separation between browsing and delegated execution. A browser that can reason and act is no longer a passive client, so the governance model has to treat its session as a non-human identity with active authority. That changes the scope of browser risk from content exposure to identity-enabled action. Practitioners should stop classifying this as a niche productivity feature and start governing it as an execution surface.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to SailPoint.

A question worth separating out:

Q: Who is accountable when an agentic browser completes a harmful action?

A: Accountability sits with the organisation that defined the permissions and the user or team that allowed delegated action in that context. If the policy did not specify which browser actions were approved, the governance gap is internal, not technical. Frameworks such as the NIST AI Risk Management Framework help structure that responsibility.

👉 Read our full editorial: Agentic browsers expand enterprise attack surface beyond web controls
