Introduction
Google has integrated its Gemini 3 AI directly into Chrome, enabling agentic browsing that automates multi-step tasks like travel booking and product comparisons. This move places Chrome in direct competition with AI-first browsers from OpenAI, Anthropic, and Perplexity, but introduces significant security concerns. The feature is currently limited to U.S. subscribers of Google’s AI Pro and AI Ultra plans.
Key Points
- Chrome's 'auto browse' feature uses AI to navigate websites like a human, automating tasks across travel, real estate, and shopping sites, but requires user confirmation for sensitive actions like purchases.
- Google is addressing security risks with layered defenses, including a separate AI model to review actions, blocklists for sensitive sites, and a bug bounty program offering up to $20,000 for vulnerability discoveries.
- The company is collaborating on the Universal Commerce Protocol with retailers like Shopify and Target, aiming to standardize AI-agent transactions, which could transform e-commerce and digital advertising landscapes.
The Agentic Browser Arms Race Intensifies
Google’s announcement this week that it is integrating Gemini 3 directly into Chrome marks a pivotal escalation in the rapidly evolving agentic browser market. The tech giant is leveraging Chrome’s dominant 65% market share to enter a space pioneered by AI-native companies. The headline feature, “auto browse,” allows the browser’s AI agent to navigate websites autonomously, handling complex, multi-step tasks such as finding pet-friendly apartments on Redfin or planning a family vacation across multiple travel sites. Available exclusively to U.S. subscribers of Google’s AI Pro ($20/month) and AI Ultra ($250/month) plans, the AI operates from a persistent side panel, maintaining context across tabs while pausing for user confirmation before sensitive actions like purchases.
This strategic move places Chrome in direct competition with a growing field of specialized competitors. OpenAI launched its “Agent Mode” for ChatGPT in October, enabling autonomous web navigation for its Plus, Pro, and Business users. Anthropic offers the Claude for Chrome extension, while Perplexity has its Comet browser, which integrates web search directly into browsing at high inference speeds. Other entrants include Opera Neon, Norton’s NEO browser, and the controversial Dia Browser from The Browser Company. Even open-source projects like BrowserOS are emerging, offering privacy-first alternatives that run AI agents locally. Google’s primary advantage is ubiquity; the company is betting that most users will not switch browsers for AI capabilities when their current one, Chrome, has just become significantly smarter, especially with deep integration into Google’s ecosystem via Workspace, Calendar, and Photos.
Convenience Versus Security: The New Threat Landscape
The convenience of agentic browsing comes with a substantial new set of security risks, a reality Google has explicitly acknowledged. The “primary new threat” identified is indirect prompt injection, where malicious websites hide instructions within their code to trick the AI agent into exfiltrating sensitive data or initiating unauthorized transactions. Similar vulnerabilities were recently discovered and patched in Perplexity’s Comet browser, highlighting the pervasive nature of the risk. For a platform with Chrome’s scale, these threats are not theoretical; they represent a critical attack vector that could impact millions of users.
In response, Google has implemented a layered defense strategy. This includes a separate “User Alignment Critic” model that double-checks every proposed AI action, deterministic checks against blocklists of sensitive sites, and mandatory user confirmations before any financial transaction. The AI agent is also restricted from directly accessing passwords—it must request permission from Google Password Manager—and is prevented from downloading files or running code. Furthermore, origin isolation techniques are employed to stop the AI from wandering to unrelated websites. In a clear acknowledgment that no system is bulletproof, Google is offering bounties of up to $20,000 through its Vulnerability Rewards Program for researchers who can successfully bypass these safeguards.
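The deterministic layers described above (no downloads or code execution, a sensitive-site blocklist, origin isolation, confirmation before sensitive actions) can be pictured as a gate that every action proposed by the agent must pass. The following is an added example, not Google's or Chrome's code; the action kinds, hosts and function names are assumptions, and the model-based critic is left out.

```javascript
// Added illustration, not Chrome's code: a deterministic gate that every
// proposed agent action must pass before it is executed.
// All names and hosts below are hypothetical / constructed.
const BLOCKED_HOSTS = ["bank.example", "health.example"];   // sensitive-site blocklist
const FORBIDDEN_KINDS = new Set(["download", "run_code"]);   // never allowed
const CONFIRM_KINDS = new Set(["purchase", "use_password"]); // need the user's approval

// Match the host itself or any subdomain, but not look-alikes such as
// "notbank.example" that merely end with the same characters.
function isBlockedHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  return BLOCKED_HOSTS.some((b) => host === b || host.endsWith("." + b));
}

// action: { kind, url }   task: { allowedOrigins: Set<string> }
function evaluateAction(action, task) {
  const verdict = (decision, reason) => ({ decision, reason });
  let url;
  try {
    url = new URL(action.url);
  } catch {
    return verdict("deny", "unparseable URL"); // fail closed
  }
  if (FORBIDDEN_KINDS.has(action.kind)) return verdict("deny", "forbidden action kind");
  // The blocklist is checked before scope, so it wins even for in-scope origins.
  if (isBlockedHost(url.hostname)) return verdict("deny", "blocklisted site");
  // Origin isolation: scheme + host + port must match an origin the task covers.
  if (!task.allowedOrigins.has(url.origin)) return verdict("deny", "origin outside task scope");
  if (CONFIRM_KINDS.has(action.kind)) return verdict("confirm", "user approval required");
  return verdict("allow", "within task scope");
}

// Constructed task and proposed actions; the third is the kind of step an
// instruction hidden in page content might make the agent propose.
const task = { allowedOrigins: new Set(["https://travel.example", "https://bank.example"]) };
const proposed = [
  { kind: "click", url: "https://travel.example/search?q=lisbon" },
  { kind: "purchase", url: "https://travel.example/checkout" },
  { kind: "navigate", url: "https://collector.example/?d=itinerary" },
  { kind: "click", url: "https://bank.example/transfer" },
  { kind: "download", url: "https://travel.example/ticket.pdf" },
];
function decisions() {
  return proposed.map((a) => evaluateAction(a, task).decision);
}
console.log(decisions().join(","));
```

Because the gate decides on the proposed action rather than on the text the model read, an injected instruction only succeeds if the resulting action is already within the task's scope and permitted kinds.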
Strategic Implications for E-Commerce and Market Dominance
Beyond security, Google’s foray into agentic browsing signals a potential transformation for the digital economy. The company is actively co-developing the Universal Commerce Protocol, an open standard created with major retailers like Shopify, Etsy, Wayfair, and Target. This protocol aims to standardize transactions for AI agents, enabling them to transact seamlessly across different e-commerce platforms. If widely adopted, this could fundamentally reshape online shopping, positioning AI intermediaries as the primary interface between consumers and retailers—a shift that would upend the current model of direct browsing and, consequently, the digital advertising landscape that Google dominates.
For now, Google is proceeding cautiously. The “auto browse” feature is labeled as preview software, remains U.S.-only, and is gated behind a subscription paywall. The company plans a gradual rollout, collecting user feedback before a wider deployment. Versions for Windows, iOS, and Android are in development, though no specific timeline has been announced. This measured approach reflects the high stakes involved. By equipping the world’s most popular browser with advanced AI, Google is not just joining a race; it is attempting to define the track, betting that its unparalleled distribution, integrated ecosystem, and new commerce standards will secure its dominance in the next era of web interaction, despite the inherent security challenges it introduces.
