Enterprises should not install OpenAI’s new Atlas browser, analysts warn

5gDedicated

Companies that might be eyeing OpenAI’s new ChatGPT Atlas browser should not rush to use it because of potential security risks, analysts said this week.

The browser was unveiled on Tuesday after it had been teased for months as a work in progress. It is currently available for MacOS only.

Atlas can help automate online browsing based on user preferences. The browser has ChatGPT as its landing page, where the technology can take control of the browser to run web-based tasks.

If a user is viewing a recipe and wants to make it, for example, the browser will automatically go to sites like Instacart and place an order for the ingredients. Or the agent chatbot — which sits in a side panel — can make changes to documents in Google Docs based on user requests. (Google Docs already has a prompting feature to automate document changes.)

Critics were quick to point out that Atlas is vulnerable to prompt hijacking, where malicious prompts embedded in webpages could lead to data theft.

The browser relies heavily on personal data to personalize browsing. Prompt hijacking could lead to identity or intellectual property theft, said Bob O’Donnell, principal analyst at Technalysis Research.

“Enterprise is going to be cutting off access as they are already concerned about security,” O’Donnell said, adding, “that’s clearly a huge issue that needs to be fixed before it becomes mainstream.”

Organizations should treat AI browsers like Atlas as high-risk technologies, said Oded Vanunu, chief technologist and head of product vulnerability research, in a research note posted Wednesday.

These kind of browsers require “enhanced monitoring, clear acceptable-use policies, and restrictions on accessing sensitive data until security practices mature,” Vanunu said.

“I would not recommend enterprises deploy any new browsers without a thorough testing process to confirm there are no security issues, but also that any existing browser-based apps installed in the company work correctly,” said Jack Gold, principal analyst at J. Gold Research.

Atlas is promising for enterprise productivity because its agentic capabilities can navigate sites, execute multi‑step tasks, and coordinate actions across tabs while preserving human oversight and auditability across sensitive workflows, said Arnal Dayaratna, research vice president for software development at IDC.

“That having been said, it has not been battle‑tested in regulated, large‑scale environments, and resilience to agent abuse, prompt‑injection, and other browser‑specific threats remains unproven,” Dayaratna said.

A macOS‑only rollout further limits short‑term suitability for broad enterprise adoption — at least until cross‑platform availability and stronger security assurances materialize.

“Organizations should treat Atlas as an early pilot candidate, not a default browser replacement, while they and the user community evaluate its capabilities, security and governance controls, red‑team results, and roadmap clarity for Windows and managed deployments,” Dayaratna said.

Responding to security concerns, OpenAI’s chief information security officer, Dane Stuckey, acknowledged some of them in a post on X.

Attackers could bias an AI agent’s opinion while shopping, or get an agent to fetch and leak private data, such as sensitive information from your email or credentials, Stuckey said.

“It can still make (sometimes surprising!) mistakes, like trying to buy the wrong product or forgetting to check in with you before taking an important action.”

That said, OpenAI has taken steps to mitigate security risks, Stuckey said. 

The agent ramps up security if it senses personal data on a page. It also has a “logged out mode” where a ChatGPT agent can take action without access to user credentials.

OpenAI has a history of releasing versions of its software publicly then later fixing issues based on user feedback. Companies such as Google, Meta, and Netflix have done the same for decades as part of the DevOps model.

Despite the inherent risks, analysts remain intrigued by the possibilities Atlas could offer as it matures.

The browser would have more value if it included an on-device AI model that could run without requiring access to the internet, O’Donnell said. “This provides a channel through which they can get hundreds of millions of people to download their model,” he said.

In that scenario, the browser could access heavyweight AI models in the cloud to handle  more demanding tasks.

Aside from Atlas, OpenAI is also building a productivity app to compete with Microsoft 365 and Google Workspace, both of which are adding more AI features to Edge and Chrome, respectively. The could allow Atlas to serve as a conduit to deliver productivity apps to desktops— especially as browsers become the interface for corporate and consumer apps, Gold said.

The big question is how much exposure OpenAI wants to provide to its main cloud-based ChatGPT model, which is fully available only with a subscription. “AI adoption will primarily occur through enterprise app integration…as individual users represent a small revenue share,” Gold said.

Early adopters will certainly want to try out Alas, said Patrick Moorhead, principal analyst at Moor Insights and Strategy. But it’s hard to see the new browser kid on the block quickly supplanting mainstays.

“I am skeptical of its widespread popularity versus Chrome or Edge as more mainstream, beginners, and corporate users will just wait for their favorite browsers to offer this capability,” Moorhead said.

Edge already provides many of those capabilities, he said.

Beyond Atlas, AI browsers are being touted as a whole new way to surf the web. Perplexity released its AI browser called Comet, which offers similar functionality. Meanhwile, Atlassian is taking an enterprise-first approach and prioritizing security with its AI browser called Dia, which it got with the $610 million acquisition of The Browser Co. That deal was completed this week.Enterprises should not install OpenAI’s new Atlas browser, analysts warn – ComputerworldRead More