With AI browsers, IT pros consider a severe strategy: block
Nobody knows the right defense yet, because there is no right defense yet, one AI pro tells IT Brew.
Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.
Chatbot-and-browser combinations such as Comet by Perplexity AI, ChatGPT Atlas, and an agentically equipped Opera Neon all arrived in 2025. These AI browsers offer chatty assistance for users searching and browsing the web.
Atlas, for example, has an “Ask ChatGPT” option at the side of a browser session. In an introduction video posted on Oct. 21, OpenAI showed Atlas field requests like, “Heading to the beach with the kids tomorrow! Can you grab the usual stuff?” and offer suggestions for towels and bucket hats.
IT pros—frequently tasked with the tough job of understanding how the latest tech tools impact their company data and security—now have to consider the implications of employees using an AI-powered browser.
Jason Rebholz, CEO of agentic AI protection company Evoke Security, has seen organizations saying “no” to AI browsers, or at least “veering towards the path of not allowing it.”
Unlike many software-as-a-service tools, he argued, an IT pro can’t see—or control—what’s going on in the shadows of a browser powered by a third-party AI vendor.
“There’s almost no visibility that security leaders have, to try to understand what users are doing,” Rebholz said. “This essentially puts people right now in more of the draconian method of, ‘Do we allow it, or do we not allow it?’ Not even: ‘How do we try to do this securely or safely?’”
Don’t be prompt. Rebholz shared examples of possible risks in his Weekend Byte newsletter, including a threat known as prompt injection, which tricks an agentic model into performing an unintentional, nefarious action. A demo from a team at Brave—an organization offering a free and open-source browser—recently revealed how a hidden natural-language prompt in a Reddit comment section could command the Comet AI browser to extract a user’s email address and initiate an account takeover. (In an email to IT Brew, Perplexity spokesperson Beejoli Shah wrote that the company has worked with Brave to repair the identified prompt injection.)
“The risks at this point, they seem low, but it’s because we're just entering this new realm of what all the risks are looking like,” he told IT Brew, also recommending a block of AI browsers until IT teams “can get a better handle on how to safely use them and enforce secure policies.”
Out of our control. Enterprise browsers like Google Chrome Enterprise and Microsoft Edge, which increasingly integrate GenAI capabilities, allow IT professionals to configure policies like URL filtering and authentication controls to support secure network access.
With the new class of AI browsers, however, Rebholz sees fewer opportunities for that kind of IT management. For example, ChatGPT Atlas has safeguards like a “logged out” option for its agent mode and a disallowing of code execution, according to details from its Oct. 21 announcement, but many new AI-centric browsers still require an individual to make security-minded selections.
An enterprise version of Atlas allows disabling of agent mode and user-level privacy controls; other features (like IP allowlists and certification coverages) are “not covered yet.” Perplexity, too, offers enterprise controls for its Comet browser. According to the company’s Aug. 14 blog post, admins can control uploads and downloads, and “browsing history, search queries, and AI interactions are stored locally on user devices with end-to-end encryption.”
According to an emailed statement by Opera Head of Security Pawel Kurzelewski shared via company spokesperson Michael Tegos, enterprises ultimately have to weigh the risks of using agentic technologies versus the productivity gains that such tools bring.
“Crucially, agentic browsers fundamentally use the same browser technology as those classic counterparts which can be fully managed by IT departments—there should be no inherent difference in securing them,” Kurzelewski wrote to IT Brew, comparing agentic browsers to endpoint software, which is subject to controls like endpoint detection and response (EDR), data leak prevention (DLP), and firewalls.
“If a human user cannot bypass a security measure put in place by an IT team, neither can an automated agent,” Kurzelewski concluded.
BYOAI! AI browsers add a new wrinkle, perhaps even a new letter, to the “BYOD” (bring your own device) trend that’s challenged IT pros for many years. IT pros allowing personal devices onto their networks still need effective access and monitoring capabilities to protect sensitive data.
For Rebholz, BYOD defenses apply with AI browsers: any access to the organization’s most sensitive information—say, anything within Slack, Teams, or email—“absolutely has to originate from an approved company device that has the right monitoring on it,” he said.
First steps. Anthony Oren, CEO at Nero Consulting, is someone used to doing a lot of Googling as he troubleshoots IT problems. He recently started using Atlas, and his early review is a positive one. He really likes the smart browser’s way of directly answering questions and providing sources in its own separate tab, and he encourages his employees to use it.
His approach at Nero is to educate employees about risks as they’re known, but only block specific apps and sites (including AI-integrated ones) if they’re absolutely necessary for security reasons.
“I feel like we’re going to be a step behind if we’re not using AI,” he said.
A study from the Federal Reserve Bank of St. Louis found that adoption of generative AI at work rose from 33% in August 2024 to 37% in August 2025. This poll of 25,000 US adults also found that nonwork adoption increased from 36% to 49% over that same span.
Given the variety of available AI and people’s appetites for using it, Rebholz recommends understanding why someone might want to use an AI browser and seeing if there’s another option that offers the same capabilities with more top-down control. In other words: enable AI without increasing risk.
So maybe for now: Hold onto your bucket hat, IT pro, and block AI browser access.
“That’s the challenge right now, is nobody knows how to do that the right way, because there is no right way at this point,” Rebholz said.