Forbes — Gartner Tells CISOs to Block All AI Browsers as Prompt Injection Defenses Fail
AI relevance: Gartner's formal advisory to block AI browsers like ChatGPT Atlas and Perplexity Comet reflects a fundamental shift — analyst consensus now treats agentic AI surfaces as untrusted, with 65% of organizations lacking dedicated prompt injection defenses.
- Gartner issued a December 2025 advisory telling CISOs to block all AI browsers — including ChatGPT Atlas and Perplexity Comet — citing indirect prompt injection, credential exposure, and absent mature controls.
- Despite the advisory, Cyberhaven found 27.7% of organizations already had at least one user with Atlas installed, showing the gap between policy and adoption.
- CrowdStrike's 2026 Global Threat Report documented prompt injection attacks at more than 90 organizations during 2025, with injected prompts used to steal credentials and cryptocurrency.
- AI-enabled adversary operations increased 89% year-over-year, and 82% of intrusions involved no traditional malicious code — prompts now function as the attack vector itself.
- Anthropic's Claude Opus 4.6 system card measured graphical-interface agent hijack rates: 17.8% on a single injection attempt, rising to 78.6% across 200 attempts without safeguards and 57.1% with published defenses.
- Google reported its most effective documented attack against a Gemini deployment still succeeded 53.6% of the time even after adversarial fine-tuning.
- OpenAI acknowledged publicly in December 2025 that prompt injection — like scams and social engineering — is unlikely to ever be fully solved, relying on reinforcement-learning attackers to discover strategies pre-emptively.
- 65.3% of organizations have no dedicated prompt injection defenses, relying solely on vendor-shipped guardrails plus policy documents.
- LayerX demonstrated BioShocking AI, a technique that tricks agentic browsers into bypassing guardrails using game-like prompts that expose credentials and user data across ChatGPT Atlas, Perplexity Comet, and Claude in Chrome.
- The UK NCSC and Germany's BSI issued parallel warnings alongside Gartner, signaling international consensus that current AI browser architectures cannot be secured through model-level fixes alone.
Why It Matters
When an analyst firm tells CISOs to block an entire product category — not patch it, not monitor it, but block it — that signals a structural failure, not a bug. The math is stark: a 1% per-attempt failure rate against an agent running thousands of times daily still produces dozens of successful breaches per month. Enterprise AI deployments with mail, code, payment, and file-share access face this arithmetic today. The agentic stack has expanded the attack surface from chat into infrastructure, and the defense stack has not followed.
What to Do
- Audit AI browser adoption now. Check shadow IT logs for Atlas, Comet, and Claude in Chrome installations. Gartner's block advisory predates most enterprise deployments.
- Cap agent authority. Limit each agent's privilege to the minimum its task requires. Require human approval for mail, code execution, payments, and access-control changes.
- Segment retrieval sources. Tag RAG content by sensitivity and exclude restricted classes from ingestion by default. Treat all external data as potentially hostile.
- Allowlist agent egress. Network teams should restrict the domains agents can reach — not just what they can access internally.
- Log full reasoning traces. Every consequential agent action should produce an auditable reasoning chain that security teams can replay.
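An added example, not from the article or any vendor: a small policy gate that applies three of the controls above to each agent tool call (least-privilege grants, human approval for consequential actions, egress allowlisting) and records every decision for audit. The action names, the `AgentGate` class and the example.com hosts are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed policy values for illustration; the article names the action
# classes (mail, code execution, payments, access control) but no identifiers.
APPROVAL_REQUIRED = {"send_mail", "execute_code", "make_payment", "change_acl"}
EGRESS_ALLOWLIST = {"docs.example.com", "api.example.com"}  # constructed hosts

@dataclass
class Decision:
    allowed: bool
    reason: str

@dataclass
class AgentGate:
    granted: set  # actions this agent's task requires, nothing more
    audit_log: list = field(default_factory=list)

    @staticmethod
    def host_allowed(url: str) -> bool:
        """Exact-match the parsed hostname; fail closed on anything odd."""
        try:
            parts = urlsplit(url)
            host = (parts.hostname or "").rstrip(".")
        except ValueError:  # malformed URL, e.g. unbalanced IPv6 bracket
            return False
        # hostname is already lower-cased and excludes userinfo and port,
        # so "https://docs.example.com@evil.test/" resolves to evil.test.
        return parts.scheme == "https" and host in EGRESS_ALLOWLIST

    def check(self, action, url=None, approved_by=None, trace=""):
        if action not in self.granted:
            d = Decision(False, "action not granted to this agent")
        elif url is not None and not self.host_allowed(url):
            d = Decision(False, "egress host not on allowlist")
        elif action in APPROVAL_REQUIRED and not approved_by:
            d = Decision(False, "human approval required")
        else:
            d = Decision(True, "ok")
        # Every decision, allowed or denied, is recorded with the agent's
        # stated reasoning so the action can be replayed later.
        self.audit_log.append({"action": action, "url": url, "trace": trace,
                               "approved_by": approved_by,
                               "allowed": d.allowed, "reason": d.reason})
        return d
```

The gate sits outside the model, so a successful injection can change what the agent asks for but not what the gate permits.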
Sources
- Forbes — Prompts Are The New Malware As Enterprise AI Defenses Fall Behind (June 29, 2026)
- CrowdStrike 2026 Global Threat Report
- Anthropic — Prompt Injection Defenses (Claude Opus 4.6 System Card)
- LayerX — BioShocking AI: Gaming the AI Browser and Escaping Its Guardrails
- OpenAI — Hardening Atlas Against Prompt Injection