AI Browsers Are the New Shadow IT: Governing ChatGPT Atlas, Perplexity Comet, and Agentic Browsers

AI Browsers Are the New Shadow IT: Governing ChatGPT Atlas, Perplexity Comet, and Agentic Browsers

Short answer: AI browsers like ChatGPT Atlas and Perplexity Comet turn the browser itself into an agent that reads pages, fills forms, and uploads files on the user's behalf, so extension policies and browser isolation cannot govern them. Only on-device egress inspection can see which AI browser is in use, allow the sanctioned tenant while blocking personal accounts, and catch sensitive data leaving in an AI action. dope.security does this at the endpoint with its Fly Direct SWG, Cloud Application Control, and Dopamine DLP.

Your web filter was built to decide whether a person can visit a site. AI browsers break that assumption. The user is no longer the only one clicking. The browser is now an agent that navigates, reads, and acts, and it can move data to an AI backend without anyone touching a keyboard. That is a new category of shadow IT, and it is already on laptops in your company.

We have been tracking this shift in our work on shadow AI detection: the tools your people adopt faster than you can review them. AI browsers are the sharpest version yet, because the productivity app and the exfiltration path are the same piece of software. The complete guide to AI visibility and governance is the hub for this topic. This post is about the browser-shaped hole in it.

What is an AI browser, and why is it different?

An AI browser embeds a large language model directly into the browsing experience. ChatGPT Atlas and Perplexity Comet are the best-known, and every major vendor is shipping something similar. Instead of you reading a page and deciding what to do, you give the browser a goal and it does the reading, clicking, and typing for you. Some can log into sites, pull data across tabs, and complete multi-step tasks on their own.

That is genuinely useful, and it is why adoption is fast. It is also why the old controls do not fit. A traditional browser shows a page to a person. An AI browser is an autonomous actor with your user's session, their cookies, and their access, deciding on its own what data to gather and where to send it. The question is no longer 'can this person visit this site.' It is 'what is this agent about to do with our data.'

Why browser-only and isolation controls miss AI browsers

The instinct is to reach for a browser-level control: a managed extension, an enterprise browser, or remote browser isolation. Each has the same blind spot when the browser itself is the AI.

Extension-based controls assume you can install and enforce an extension in the browser your users run. AI browsers are new, standalone applications, and an extension built for Chrome does not govern Atlas or Comet. Remote browser isolation renders a session in the cloud and streams pixels back, which adds the lag its own vendors concede and still does not inspect what an AI agent uploads through its own backend. A secure enterprise browser only helps if you can force everyone onto it, and the whole appeal of an AI browser is that a user downloads it themselves. We wrote about the limits of the browser-only approach in do you actually need a secure enterprise browser. The short version: if your control lives inside one specific browser, the next browser is your blind spot.

What governing AI browsers actually requires

Governing AI browsers comes down to three things, and none of them depend on which browser the user chose. You need to discover that an AI browser is in use at all. You need to enforce tenant control, so the corporate ChatGPT or Claude account is allowed and the personal one on the same domain is not. And you need to inspect the data the browser sends, because an agent that uploads a file or pastes a customer list is a data-loss event, not a browsing event.

Here is how the common options compare.

AI browser governance needManaged extensionBrowser isolation (RBI)dope.security
Works no matter which browser is usedNo: tied to a supported browserOnly inside the isolated sessionYes: inspects egress on the device
Discover which AI browsers are in useNoNoYes: Shadow IT discovery
Allow corporate tenant, block personalPartialNoYes: Cloud Application Control
Inspect data the agent uploadsNoNoYes: Dopamine DLP, zero-retention

How dope.security governs AI browsers on the device

dope.security does not care which browser the traffic came from, because it inspects at the point every browser has in common: the egress on the device. An AI browser still has to send its requests out over the network, and that is where the agent looks at them. There is nothing to install inside Atlas or Comet, and nothing to force users onto.

Discovery surfaces the AI browsers and AI endpoints your people are already reaching, so the first time someone installs Comet you can see it rather than find out in an incident review. Cloud Application Control does the move nobody else does cleanly: allow the corporate ChatGPT or Claude tenant and block the personal account on the same domain, which requires reading a header inside decrypted TLS on the device. And Dopamine DLP inspects what the browser actually sends, so a customer spreadsheet an agent decides to upload gets classified and blocked, warned, or logged before it leaves. This is the same three-layer model we describe in governing ChatGPT, Claude, and Gemini without blocking them, applied to the browser that now does the acting.

Do not ban them, govern them

The reflex is to block AI browsers outright. That backfires the same way blocking ChatGPT did: people run it on a personal device or a phone, and you lose the visibility you had. The better move is to make the sanctioned path work. Allow the corporate tenant, inspect the data, and let people use the productivity gain inside a boundary you can see. When you can see every AI app in use, an AI browser is just one more thing on the list you already govern, not a fire drill.

AI browsers are going to keep shipping, and the next one will not look like the last. A control that lives on the device, not inside a specific browser, is the only one that survives that churn. Inspect the egress, govern the tenant, classify the data, and the browser your user picked stops being the thing that keeps you up at night.

Frequently Asked Questions

What is an AI browser?

An AI browser embeds a large language model into the browsing experience so the browser can read pages, fill forms, and complete multi-step tasks on the user's behalf. ChatGPT Atlas and Perplexity Comet are leading examples. Because the browser acts autonomously with the user's session and access, it is both a productivity tool and a new data-exfiltration path, which is why dope.security governs it at the device egress rather than inside any one browser.

Can a managed browser extension control an AI browser?

Usually not. Extensions are tied to a specific supported browser, and AI browsers like Atlas and Comet are new standalone applications an extension was never built for. dope.security avoids this problem by inspecting traffic on the device, so governance applies no matter which browser a user installs.

How do you allow corporate ChatGPT but block personal accounts in an AI browser?

You inspect a header inside the decrypted TLS session on the device and enforce tenant control, which DNS filters and browser-only tools cannot do. dope.security Cloud Application Control allows the sanctioned corporate tenant and blocks the personal account on the same domain, so people keep the tool without the personal-account data risk.

Should we just block AI browsers?

Blocking usually pushes users to personal devices where you have no visibility, the same lesson companies learned blocking ChatGPT. dope.security lets you allow the sanctioned path, inspect what leaves, and keep the productivity, which is more durable than a blanket ban that quietly fails.

How does dope.security stop data from leaking through an AI browser?

Dopamine DLP inspects what the browser sends as data in motion and classifies it through a zero-retention API. If an agent uploads a file or pastes content containing PII, PCI, PHI, or source code, dope.security can block, warn, or log based on your policy, so sensitive data does not leave in an action you never saw.

See which AI browsers are already on your network. Start a free trial or book a 20-minute demo.

AI Governance
AI Governance
AI Security
AI Security
Shadow IT
Shadow IT
back to blog Home