During a late-night red team exercise, researchers watched a customer's autonomous browser-based AI agent casually leak the CTO's credentials. The trigger was nothing more than a single malicious div tag hidden inside an internal GitHub issue page. The agent was running on Browser Use — an open-source framework that recently raised $17 million in a seed round and has been making headlines in the VC world. watched div tag Browser Use raised That quick proof of concept exposed a much deeper issue. While venture capital continues to pour into the race to make LLM agents faster and more capable, security remains an afterthought. Today, autonomous browser-based agents already access private inboxes, book hotels, and reconcile financial records. Most enterprise AI agents use them as a tool (e.g., an interface to fetch external data). Yet the very industry fueling their growth still treats security as a feature add-on rather than a design premise. According to market researchers, 82% of large companies today run at least one AI agent in their production workflows, with 1.3 billion enterprise agent users forecasted by 2028. market researchers How Hackers Exploit Enterprise AI Agents How Hackers Exploit Enterprise AI Agents Zenity Labs, one of the leading providers of Agentic AI security and governance for enterprises, discovered over 3,000 publicly accessible MS Copilot Studio agents deployed by major enterprises to handle customer service inquiries, process support tickets, access internal CRM systems, and execute diverse business workflows. discovered The investigation by the company revealed a full-fledged attack chain. It began with reconnaissance, where OSINT techniques were used to map and identify publicly exposed Copilot Studio agents. From there, attackers could move into weaponization, crafting carefully designed prompts and emails to manipulate the agent's processing logic. This step paved the way for compromise, as the agents were hijacked without any human interaction — essentially becoming an automated backdoor into enterprise systems. Finally came exfiltration, where attackers could dump entire CRM databases and expose sensitive internal tools, all by exploiting vulnerabilities in agent workflows that lacked proper guardrails. reconnaissance weaponization compromise exfiltration The security of Copilot Studio agents failed because it relied too heavily on soft boundaries, i.e., fragile, surface-level protections (i.e., instructions to the AI about what it should and shouldn't do, with no technical controls). Agents were instructed in their prompts to "only help legitimate customers," yet such rules were easy to bypass. Prompt shields designed to filter malicious inputs proved ineffective, while system messages outlining "acceptable behavior" did little to stop crafted attacks. Critically, there was no technical validation of the input sources feeding the agents, leaving them open to manipulation. With no sandboxing layer separating the agent from live production data, attackers can exploit these weaknesses to access sensitive systems directly. This and other enterprise AI agents' zero-click exploits were demonstrated at Black Hat USA 2025, with the key finding being that the more autonomous the AI agent, the higher the security risk. the more autonomous the AI agent, the higher the security risk. the more autonomous the AI agent, the higher the security risk As they start acting independently, they become attack surfaces that most of organizations aren't aware of. According to multiple sources, many enterprise AI agents are prone to security exploits. For instance, Salesforce's Einstein platform was once manipulated to redirect customer communications to attacker-controlled email accounts. Google's Gemini could be exploited as an insider threat, capable of intercepting confidential conversations and disseminating false information. Additionally, researchers managed to trick Google's Gemini into controlling smart home devices. The hacking attack switched off the lights, opened the blinds, and started the boiler — all without any commands from the residents. controlling From AI Browsers to Enterprise Backdoors From AI Browsers to Enterprise Backdoors A new study by Guardio finds that AI browsers, such as Perplexity's Comet or Dia from the Browser Company, are susceptible to fraud and accidental disclosures of confidential data, as they are not yet capable of distinguishing between fake and real sites and links. study Comet Dia In multiple controlled tests conducted by Guardio, AI browsing agents demonstrated just how easily they could be manipulated by fraudulent schemes — placing real users at risk. The first experiment examined how agents perform online purchases. A tester opened a fake Walmart website, and Comet loaded it without triggering any fraud alerts. The agent flawlessly completed the task — purchasing an Apple Watch. Even more concerning, the browser automatically filled in the payment details and shipping address, despite clear red flags indicating that the site was a scam. Another test focused on email functionality. Researchers sent a phishing email disguised as a Wells Fargo message containing a malicious link. Comet interpreted it as a legitimate request from the bank and immediately clicked through. On the counterfeit page, the agent entered sensitive banking details without hesitation or verification, fully exposing the user to financial theft. A third exploit highlighted a subtler risk: hidden prompts embedded directly into websites. These invisible instructions were executed by the AI agent without the user's knowledge, enabling attackers to force unwanted actions such as downloading malicious files or leaking confidential information. Guardio's researchers highlight a concerning trend: developers of AI browsers currently prioritize user experience over robust security. developers of AI browsers currently prioritize user experience over robust security. developers of AI browsers currently prioritize user experience over robust security. In practice, this means that safety mechanisms are often relegated to third-party tools such as Google Safe Browsing — solutions that are frequently inadequate against modern, AI-driven threats. How to Give Agentic AI a Security-First Mandate How to Give Agentic AI a Security-First Mandate The takeaway is clear: systems that interpret and act on live web content must be built on a "security-first" architecture and hard boundaries, i.e., actual technical controls that can't be bypassed through prompt manipulation. "security-first" architecture and hard boundaries, i.e., actual technical controls that can't be bypassed through prompt manipulation Researchers stress that investors channeling eight-figure sums into agentic startups must now allocate an equal share of resources to security — threat modeling, formal verification, and continuous stress testing under adversarial conditions. Financial injections into functionality alone are no longer sufficient; security must become a foundational principle of architecture. stress threat modeling formal verification continuous stress testing For enterprises piloting such solutions, this sets a new standard of requirements. Agentic systems should operate in isolation: the planner, executor, and credential module must exist as separate, mutually distrustful processes that communicate only through signed and size-bounded messages. Sensitive actions should be governed by a "two-key rule" — no critical task should be executed without human co-signature. Security checks should also become part of the daily engineering routine: adversarial HTML injections and jailbreak prompts should be built directly into CI/CD pipelines, with any single failure blocking release. At the same time, vendors need to provide more than classic Software Bills of Materials (SBOMs). They should be able to publish risk maps that clearly indicate which data, roles, and permissions an attacker would gain if the agent were compromised. This echoes the AI Risk Management Framework (AI-RMF), which calls for transparency on both individual risks and broader societal impacts. AI Risk Management Framework (AI-RMF) Ultimately, deployments in critical infrastructure should undergo regulatory stress tests. Much like in the banking sector, independent red-team evaluations with mandatory public disclosure of high-level findings will become a prerequisite for trust and alignment with international practices in the U.S. and EU. Otherwise, the pace of agentic AI adoption will soon outstrip our ability to manage its risks.
