The agentic browser is the new unmanaged endpoint
Comet, Atlas, and Dia turn every employee's browser into an autonomous actor with that employee's logged-in sessions. Your security stack can't tell the agent's clicks from the human's — and attackers already can.
Marcus Reyes
Writes about AI infrastructure economics
The browser wars restarted, and this time the product isn't speed or tabs — it's autonomy. Perplexity's Comet, OpenAI's Atlas, and The Browser Company's Dia all pitch the same upgrade: a browser that doesn't just render the web but acts on it — researching, filling forms, completing multi-step workflows on the user's behalf.
Employees are installing them the way they installed every productivity tool of the last decade: without asking. Which means the newest autonomous agent in your enterprise didn't come through procurement, doesn't appear in any inventory, and runs with something no server-side agent ever had — your employee's entire logged-in life. Email, SSO sessions, internal dashboards, the works.
An agent with your cookies
The security problem isn't hypothetical. Varonis Threat Labs investigated Comet, Atlas, Edge Copilot, and Brave Leo and showed that hidden instructions embedded in ordinary page content — even a page title — could influence agent behavior, escalating from data theft toward clicking UI elements, navigating to sensitive domains, and sending email without authorization. Brave's researchers demonstrated a proof-of-concept where instructions hidden in a Reddit comment walked Comet's agent through retrieving an account email, triggering a one-time password, reading it from a logged-in Gmail tab, and posting the credentials to an attacker's page.
This class of attack — indirect prompt injection — is not a bug a vendor patches once. A recent academic benchmark found that even frontier models with advanced reasoning remain vulnerable to realistic injected payloads. The agent's defining feature is that it reads untrusted content and acts on what it reads. That is also its defining vulnerability.
Why your existing stack is blind to it
- Your DLP and CASB see one identity. When the agent exfiltrates data through the user's session, the logs say the user did it. Zenity's analysis is blunt: these actions propagate across connected systems before monitoring tools notice anything unusual.
- Endpoint agents can't see inside the sidebar. Palo Alto notes that AI-triggered actions on the page evade extension-level monitoring — and that several AI browsers shipped without core Chrome/Edge protections like safe browsing.
- It's shadow AI squared. Shadow AI used to mean an unapproved SaaS subscription. Now it lives inside the browser chrome itself, on managed and unmanaged devices alike.
As these browser-based agents spread across both managed and unmanaged devices, the enterprise attack surface grows in ways that most teams can't quantify.
— Zenity, on securing agentic browsers
The governance play, in order
You won't ban these browsers — the productivity pull is real, and banning creates the same underground adoption that shadow SaaS did. The workable sequence is the one that worked for cloud: discover, then bound, then verify. Inventory which agentic tools are actually in use. Decide what corporate resources an agent-driven session may touch, and enforce it somewhere the agent can't argue with. And keep a record of agent-initiated actions that's separate from the human's, because the first incident-response question will be "who actually did this — the employee or the agent?"
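As an added sketch of the bound-and-verify half of that sequence (example code written for this article, not Vantio's product or anything from the vendors named above): a policy gate that decides which hosts an agent-driven request may touch and writes only agent-initiated actions into a hash-chained ledger, so the "employee or agent?" question has a separate record to consult. It assumes an enforcement point such as a proxy has already stamped each request with an `actor` label; how that label is obtained is outside the example, and all hosts and traffic are constructed.

```python
import hashlib
import json

# Constructed policy: hosts an agent-driven session may touch. Anything else is
# denied for agents. Human traffic is out of scope for this gate.
AGENT_ALLOWED_HOSTS = {"wiki.corp.example", "tickets.corp.example"}
GENESIS = "0" * 64


class AgentLedger:
    """Append-only, hash-chained record of agent-initiated actions, kept apart from
    the human's own activity. Editing any entry breaks the chain from that point on."""

    def __init__(self):
        self.entries = []
        self.last_hash = GENESIS

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, record: dict) -> str:
        body = dict(record, prev=self.last_hash)  # link to the previous entry
        body["hash"] = self._digest(body)         # hash covers record + prev link
        self.entries.append(body)
        self.last_hash = body["hash"]
        return body["hash"]

    def verify(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def decide(request: dict, ledger: AgentLedger) -> str:
    """Policy gate. `request` is a constructed record with keys actor ('human' or
    'agent:<name>', assumed stamped by the enforcement point), user, host, action."""
    if not request["actor"].startswith("agent:"):
        return "allow"  # the human's own traffic is not bounded or recorded here
    verdict = "allow" if request["host"] in AGENT_ALLOWED_HOSTS else "deny"
    ledger.append({**{k: request[k] for k in ("actor", "user", "host", "action")},
                   "verdict": verdict})
    return verdict


def run_demo() -> AgentLedger:
    """Constructed traffic from one employee's session: the human reads mail, then
    the in-browser agent reads the wiki and tries to send mail from the same session."""
    ledger = AgentLedger()
    for req in [
        {"actor": "human", "user": "jdoe", "host": "mail.corp.example", "action": "read"},
        {"actor": "agent:comet", "user": "jdoe", "host": "wiki.corp.example", "action": "read"},
        {"actor": "agent:comet", "user": "jdoe", "host": "mail.corp.example", "action": "send"},
    ]:
        decide(req, ledger)
    return ledger


def agent_actions_for(ledger: AgentLedger, user: str) -> list:
    """The incident-response question: what did an agent do under this user's session?"""
    return [(e["actor"], e["host"], e["action"], e["verdict"])
            for e in ledger.entries if e["user"] == user]
```

In the demo the agent's mail send is denied and recorded while the human's identical-looking mail access is neither, which is the separation the text asks for.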
Where Vantio fits
Vantio governs the agents your company runs — the workflows, copilots, and backend agents built by your own teams — with exactly that discover-bound-verify loop: every action attributed to a trace identity, policy enforced where the agent executes, everything sealed in a tamper-proof ledger. On Enterprise, kernel-level monitoring flags any process making LLM calls without a valid trace identity, which is how you find the agents — browser-embedded or otherwise — that nobody registered.
The agentic browser wave is a preview of the next few years: autonomy arriving faster than governance, through the front door, on your employees' machines. The teams that do well won't be the ones that said no. They'll be the ones that could say "yes, and here's the record."