Agentic AI browsers create a new security problem by letting hidden code manipulate the model and slip past protections built into traditional browsers.
José Antonio Márquez Russo, a Principal Scientist at Adobe, explains that this design returns the web to early-era vulnerabilities but with far more skilled attackers.
The only realistic path forward is purpose-built enterprise browsers with security built in from the start, since user oversight and industry standards are unlikely to keep up, he says.
Agentic AI browsers introduce a new class of security exposure that has the potential to undo decades of progress in web standards. Their core risk comes from how they ingest full page code and pass it to an AI model that struggles to separate legitimate content from manipulation, giving hidden elements a pathway to influence the model. Early versions of this pattern are appearing most clearly in consumer tools, but the underlying weakness has clear implications for enterprise environments that rely on stable, predictable browser controls.
José Antonio Márquez Russo is a Principal Scientist at Adobe with a history of senior engineering roles at the companies that built the modern web, including Twitter and Google. Márquez believes that in the current race to innovate, some corners of the industry risk ignoring the hard-won lessons of the past.
As the web grew from interactive pages to full-blown applications, it created new threats like clickjacking that prompted the industry to build rules like the Content Security Policy (CSP), which allows websites to tell browsers what to trust. The primary vulnerability of consumer agentic browsers, Márquez explains, is their tendency to operate outside of these established rules. "The moment a browser starts acting for you, all the guardrails built over thirty years go out the window and the AI cannot tell when it is being tricked," says Márquez. These early cracks offer a glimpse of the risks enterprise browsers may inherit next.
A ghost in the code: Because the browser agent consumes the full code of a page, malicious actors can embed hidden commands that remain invisible to the user but are still interpreted by the AI. This creates a quiet and effective attack vector that exposes users to phishing attempts and malicious code injection. "I can build a page that looks like nothing more than an image, then hide text that instructs the AI to send me a user's bank password or ping a URL with that password included. The user never sees it, but the model does, and the consequences are a nightmare," he says
Back to the beginning: The security regression has created a new frontier in web security risks. Márquez explains that the dynamic repeats the past, but with more dangerous tools. "We've returned to an early-Internet starting point, but with a far larger pool of people who know how to exploit the gaps. Attackers no longer need to deceive a user. They only need to deceive the model, and the model cannot tell when it is being manipulated."
Márquez identifies a key source of the problem in the market itself: many of the new AI companies releasing these browsers are 'outcome-driven,' prioritizing speed and functionality over the deep security architecture of some established players. This difference in priorities has led to predictable friction, creating business conflicts over data and a clear sign of institutional caution, with many large enterprises banning the tools outright.
Finding a path forward requires a multi-layered approach, as major players are now actively considering new guardrails for this technology. Márquez suggests that any path forward will require solutions at the individual, systemic, and industry-wide levels.
Armed with knowledge: One proposed fix is to expect users to understand what an agentic browser is doing with the code it consumes. "You would need users who can track the logic the AI applies to the code it reads," Márquez says. "That means understanding the code itself, how the model processes it, and where that can go wrong." But he notes that this level of fluency is rare even in technical teams, which makes user oversight an unrealistic and unreliable safeguard.
Winner takes all: Even the idea of a new standards body similar to the W3C is unlikely, he says, because the competitive climate leaves little incentive to collaborate. "The AI race is not a race to the bottom, but a race to obliterate everybody and dominate the market. Why would you contribute to a standards body if you could just dictate the standards yourself?"
Ultimately, any long-term solution will require enterprise-focused browsers that take security into account from the start rather than adding protections after deployment. That work depends on teams who understand how modern attacks operate, how models interpret code, and how guardrails can be applied throughout the system. Consumer tools will continue to experiment, but enterprise settings require architecture that treats AI as part of the threat model instead of something that sits outside it.
"We can only make this work if the browser is built by people who understand the security story from the first line of code," Márquez concludes. "If the model is going to act for the user, the system around it has to know exactly what that means and control it at every step."
The views and opinions expressed are those of José Antonio Márquez Russo and do not represent the official policy or position of any organization.
