The vulnerabilities identified fall into three interconnected categories, each with distinct implications for public sector deployments across the EU and UK.
What the Research Actually Found
Prompt injection is the most alarming of the three. This attack type involves malicious instructions embedded within web content that an AI browser assistant then inadvertently executes. The AI cannot reliably distinguish between a legitimate user instruction and a hostile one hidden inside a webpage it is summarising or interacting with. That ambiguity is not a bug awaiting a patch; it is an architectural flaw baked into the current design paradigm.
Unlike traditional cross-site scripting, prompt injection exploits the very intelligence that makes AI browsers commercially appealing. A civil servant using an AI-assisted browser to summarise a policy document or draft a response to a constituent could, in theory, be exposed to a manipulated web page that redirects the AI into leaking session data or producing misleading outputs.
Data leakage represents the second major concern. When an AI assistant processes a browsing session, reading page content, summarising documents, and suggesting responses, it necessarily handles sensitive information. Researchers have demonstrated scenarios in which this data can be exfiltrated through carefully crafted web content, or inadvertently included in AI model queries transmitted to remote servers. For public sector bodies subject to GDPR, that transmission of personal data to a remote AI inference server, without adequate safeguards, could itself constitute a breach.
Wojciech Wiewiorowski, the European Data Protection Supervisor, has made clear that AI systems processing personal data must meet the same standards as any other data processor. Speaking in the context of the EU AI Act's interaction with GDPR obligations, he has consistently argued that opacity in AI data flows is unacceptable, particularly in public sector contexts. The browser vulnerability disclosures give his position fresh urgency.
The third vulnerability category involves agentic browsing behaviour. As AI browsers evolve from passive assistants into active agents capable of filling forms, executing purchases, and navigating sites on a user's behalf, the attack surface expands dramatically. A compromised AI agent operating with user-level permissions is, in effect, a compromised user account. For a public sector employee with access to citizen records or procurement systems, the consequences of such a compromise are severe.
The European framing of this risk differs meaningfully from other regions. GDPR fines of up to 4% of global annual turnover are not theoretical. The Irish Data Protection Commission's enforcement record against major US tech firms demonstrates that regulators are willing to apply the full weight of the regulation to systemic failures in how AI systems handle personal data.
The EU AI Act adds a further layer of complexity. AI systems integrated into browsers and used in public sector contexts may fall within the Act's high-risk classification, depending on their function. High-risk AI systems are subject to conformity assessments, logging requirements, and human oversight obligations that most current AI browser implementations do not yet satisfy.
Dragoș Tudorache, the Romanian MEP who co-led the European Parliament's work on the AI Act, has argued repeatedly that the legislation was designed precisely to catch this kind of systemic risk, where AI capabilities are deployed at scale before the safety architecture has been validated. AI browsers are a textbook example of that dynamic.
The Competitive Landscape and the Fragmentation Problem
The browser market in Europe is not monolithic. While Chrome and Edge dominate market share, a number of emerging AI-enhanced browsers are gaining ground, including products from European-backed ventures as well as international entrants marketing heavily to enterprise and government users. The security implications of this fragmentation are significant.
Larger vendors such as Google and Microsoft have the resources and institutional knowledge to respond to vulnerability disclosures, even if the pace has been criticised as insufficient. Smaller or newer entrants may lack equivalent security review infrastructure. For procurement officers in EU member state governments, this creates a genuinely difficult evaluation problem: the AI feature set that makes a browser attractive is precisely the feature set that introduces the greatest risk.
What Vendors Are Doing and Why It Is Not Enough
Google and Microsoft have acknowledged the existence of AI-related browser vulnerabilities and are working on mitigations. The measures under discussion across the industry include:
- Sandboxing AI processing to limit its access to sensitive session data
- Implementing strict content security policies that flag or block potential prompt injection attempts
- Requiring explicit user permission before AI agents take any action on a user's behalf
- Conducting independent third-party security audits of AI browser features before release
- Increasing transparency about what data is transmitted to remote AI servers during a browsing session
These measures are sensible. Security experts are equally clear that they are incremental responses to what may be a foundational challenge. Sandboxing reduces the blast radius of a successful attack; it does not resolve the underlying problem that a probabilistic, instruction-following AI system has been integrated into a security-sensitive environment without the architectural rethink that environment demands.
The Vulnerability Matrix
| Vulnerability Type | How It Works | User Impact | Patch Feasibility |
|---|
| Prompt Injection | Malicious instructions embedded in web content executed by AI | Data theft, misleading outputs, unintended actions | Difficult: architectural issue |
| Data Leakage | Sensitive session data exfiltrated via AI query transmissions | Privacy breach, regulatory exposure | Partial: requires sandboxing |
| Agentic Misuse | AI agents manipulated to perform harmful actions with user permissions | Account compromise, financial loss | Requires user consent frameworks |
What Users and Public Sector IT Teams Can Do Right Now
While vendors work on structural fixes, users and IT departments are not without recourse. The following steps can meaningfully reduce exposure:
- Disable AI features for sensitive browsing sessions, particularly when conducting financial transactions or accessing healthcare or government portals.
- Review browser privacy settings and disable any features that transmit browsing content to remote servers by default.
- Keep browsers updated: vendors are releasing patches as vulnerabilities are confirmed, and unpatched browsers carry the highest risk.
- Treat AI-generated summaries of third-party web content with scepticism, especially on sensitive topics, as the source material may have been manipulated.
- Consider separate browser profiles for AI-assisted and non-AI browsing, isolating session data where possible.
- For public sector IT teams: review procurement contracts with AI browser vendors to establish data processing agreements that satisfy GDPR Article 28 obligations.
Comments
Sign in to join the conversation. Be civil, be specific, link your sources.