AI on autopilot: Navigating the risks of an automated web

Published: October 8, 2025

The way you interact with your browser is fundamentally changing. Traditional browsers just show you a page; agentic browsers are intelligent assistants that understand context, make decisions and act on your behalf to help you achieve your goals.

The good, the bad and the agentic browser

This transformation brings incredible possibilities and significant challenges. Let’s look at a few scenarios.

The good:

Scenario 1: Your personal research assistant

You’re a student writing a literature review. You tell your agentic browser: “Find the 20 most recent studies on how climate change and invasive species are impacting white oak trees in the Greater Toronto Area. Summarize the key findings, identify any local conservation efforts and organize it all into a research outline.” Within minutes, the browser delivers a complete, organized document, saving you hours of tedious work. You are free to focus on critical analysis, not information gathering.

Scenario 2: Your personal event planner

As a staff member, you need to plan a department retreat for 50 people. You tell your agentic browser: “Plan our annual retreat for Oct. 25 to 26. Find a venue, coordinate with staff calendars, send invitations and manage RSVPs.” The browser takes over, handling all the logistics and allowing you to manage the big picture rather than getting bogged down in details.

The bad:

Scenario 3: The unintended data breach

A faculty member uses their agentic browser to autofill a grant application. Unknown to them, the browser navigates to a convincing but fake grant portal. Because the agent is designed to fill forms and handle data, it confidently enters the user’s sensitive information into the malicious site, leading to a data breach and potential identity and intellectual property theft.

Scenario 4: The automated malicious attack

An attacker injects a malicious command into an otherwise benign website. When a staff member’s agentic browser visits the page, the agent “sees” and executes the hidden instructions. The malicious agent then begins to operate autonomously, attempting to log in to university systems, search for sensitive documents and transfer data without permission, turning a simple browsing session into a full-scale institutional security breach.

Understanding the risks and best practices

These scenarios highlight an important shift: the browser is no longer a passive window to the web but an active participant with the ability to act on your behalf.

It’s important to recognize that while agentic browsers don’t necessarily create new categories of attacks, they act as a powerful force multiplier. They dramatically accelerate and scale existing security risks, making them faster, more efficient and more dangerous than ever before.

With these new security challenges, it’s important to adopt new best practices to navigate this web safely and responsibly.

For more guidance on the use of AI, refer to Information Security’s artificial intelligence guideline.

Implications for the university

The rise of agentic browsers doesn’t just present a general cyber security challenge; it directly impacts key aspects of university life, from academic integrity to institutional security.

Agentic browsers introduce a new challenge to academic integrity. The temptation to use an agent to “do the work for you” rather than as a learning tool is significant. An agent could autonomously write a paper, complete an online quiz or post to a discussion board. This erodes the link between a student’s effort and their work, making it harder for faculty to assess genuine learning and skill development. Ultimately, it raises questions about intellectual honesty and the value of your education. Misuse of these tools could result in serious academic misconduct consequences.

These tools present both an opportunity and a major challenge for faculty members. An agent’s ability to automate student work makes it difficult to verify genuine learning, and a compromised agent could inadvertently expose confidential student data, such as grades or accommodation details, stored in your browser, a university portal or within your emails. In the research context, these tools pose risks to the integrity of scholarly work, as an agent could compromise research data or steal intellectual property. Ultimately, greater reliance on these tools raises questions about the evolving nature of academic work and our dependence on automation.

Staff members are responsible for managing some of the university’s most sensitive information. From HR and finance records to confidential student data, this information is a high-value target for attackers. An agentic browser with broad permissions can be tricked into misusing its access to these platforms, providing attackers with a direct path to university systems and jeopardizing sensitive data across the university.

Key risks from agentic browsers

This is a top concern. An attacker can embed hidden, malicious instructions on a webpage — such as in a forum comment, a research article’s abstract or even a news story. Your agentic browser, designed to follow instructions, might “read” and execute these commands without your knowledge. This could lead to serious issues, from sensitive data being stolen to the agent taking unauthorized actions on your behalf.

Traditional phishing relies on tricking a human, but agentic browsers make it easier for attackers to succeed. Instead of a convincing email, they create malicious websites designed to manipulate the automated browser, not the user. Since the agent lacks human skepticism, it can be tricked into submitting your information on a fake site it perceives as legitimate, bypassing the warning signs you might have noticed.

Because agentic browsers operate with all your privileges (accessing previously entered passwords, session data, APIs and browser history), a compromised agent becomes an extremely valuable target. A single successful attack could give a malicious actor access to all your online accounts, from email and banking to institutional portals, leading to a much wider theft of sensitive information than a traditional attack.

Unlike a traditional browser where you consciously select, type and navigate, an agentic browser can perform complex, multistep actions in the background. Without clear logs or user-friendly oversight, it can be difficult to know what the agent is doing. This lack of transparency means a compromised agent could be secretly working against you for a long time without you realizing something is wrong.

Best practices and mitigations

Protecting yourself and the university from these risks requires a combination of awareness and technical safeguards. It’s time to adapt our online habits to this emerging technology.

An agentic browser’s memory of past conversations and actions is what makes it powerful, but it also creates a major vulnerability. This persistent memory can be a repository for sensitive information. Make it a habit to routinely clear your agent’s memory, just as you would clear your browser history. Look for settings that allow you to manage your activity, set auto-delete periods and control whether your data is used to train the underlying AI models. This minimizes the risk of “memory poisoning,” where an attacker could inject false information to manipulate the agent’s future behaviour.

For students, the use of agentic browsers must always align with the university’s academic integrity policies. If a task or assignment prohibits the use of automated tools, that rule extends to these browsers. When in doubt, always check with your course instructor and/or teaching assistant.

These systems can act quickly in the background. Choose a browser that can show you a clear, step-by-step log of its actions. This transparency helps you spot errors and understand how the agent reached its decision. Many new tools now include explainable AI (XAI) features that can show you the “why” behind their actions, not just the “what.” Always look for these features and insist on a final confirmation step for high-stakes tasks to ensure you maintain ultimate control.

Agentic browsers often support plugins or integrations that extend their capabilities. Each new plugin is a potential security risk. Only use plugins from trusted and reputable developers and be cautious about granting them broad permissions.

The power of automation can lead to over-reliance. Always keep a human in the loop for critical tasks. For example, if an agent drafts an email or submits a form, always review the action before giving your explicit approval.

For now, avoid using agentic browsers when handling confidential information. This includes not just your financial accounts but also internal documents, student records, non-public information about colleagues and any proprietary research data. These browsers can unintentionally expose this data through their memory, introduce errors as part of automation or be tricked by a malicious instruction.

These habits are the foundation of securing your digital life. Be aware of suspicious sites and emails by hovering over links before you click and be cautious of messages that create a false sense of urgency. Practice good password hygiene by using a unique password for every account, storing them within a password manager and enabling multi-factor authentication (MFA). Finally, always keep your browser, operating system and all applications up to date with the latest security patches. Information Security provides numerous resources on how to improve your online safety.

As this technology evolves, so will the threats and the best practices. Stay up to date on the latest security advisories from your browser’s developer, the Canadian Centre for Cyber Security’s alerts and advisories page and the university’s Information Security department.
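
One way an agent runtime could enforce the action log, final confirmation and human-in-the-loop practices above, as an added example that is not from the original article or any browser vendor: a high-stakes action runs only against an exactly matching allowlisted origin and after the user confirms it, and every decision is logged. The origins, action names and the `gateAction` function are hypothetical.

```javascript
// Added example: a policy gate an agent runtime could call before every action.
// TRUSTED_ORIGINS, HIGH_STAKES and gateAction are hypothetical names.
const TRUSTED_ORIGINS = new Set([
  "https://grants.example.edu", // constructed sample origins
  "https://portal.example.edu",
]);
const HIGH_STAKES = new Set(["fill_form", "submit_form", "send_email", "download"]);

const auditLog = []; // step-by-step record the user can review later

function originOf(rawUrl) {
  try {
    return new URL(rawUrl).origin; // scheme + exact host + port
  } catch {
    return null; // an unparseable URL is never trusted
  }
}

function gateAction(action, confirm) {
  const origin = originOf(action.url);
  let decision, reason;
  if (origin === null) {
    decision = "deny"; reason = "invalid URL";
  } else if (!HIGH_STAKES.has(action.type)) {
    decision = "allow"; reason = "low-stakes action";
  } else if (!TRUSTED_ORIGINS.has(origin)) {
    decision = "deny"; reason = "origin not on allowlist";
  } else if (confirm(action) !== true) {
    decision = "deny"; reason = "user declined";
  } else {
    decision = "allow"; reason = "allowlisted origin, user confirmed";
  }
  auditLog.push({ time: new Date().toISOString(), ...action, origin, decision, reason });
  return decision === "allow";
}

// Constructed sample run: a lookalike host must fail the exact-origin match.
const approve = () => true;
gateAction({ type: "read_page", url: "https://news.example.org/story" }, approve);
gateAction({ type: "fill_form", url: "https://grants.example.edu/apply" }, approve);
gateAction({ type: "fill_form", url: "https://grants.example.edu.evil.test/apply" }, approve);
gateAction({ type: "send_email", url: "https://portal.example.edu/mail" }, () => false);
console.log(auditLog.map((e) => `${e.decision}\t${e.type}\t${e.origin}\t${e.reason}`).join("\n"));
```

Comparing the full origin rather than searching the URL for a trusted name is what rejects the lookalike portal, and the log records denied attempts as well as allowed ones.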

Support

Like any powerful tool, agentic browsers must be used with caution and respect for their potential for harm. By understanding the risks and adopting these best practices, we can harness their power while protecting our personal and institutional security. Remember, support is available — please reach out to your local IT team or Information Security for assistance.