A new breed of browser

2025’s browser market is being reshaped not by rendering engines but by language models. OpenAI's ChatGPT Atlas, Microsoft Edge with Copilot Mode, The Browser Company’s Dia and Perplexity’s Comet have all introduced what the industry calls “agentic” browsing: assistants that do more than answer questions — they reason across tabs, remember context and, in some cases, act on your behalf (filling forms, booking reservations, even shopping).

Proponents say this evolution can save time and unlock new workflows. OpenAI CEO Sam Altman has described the vision as a proactive assistant that helps you when you need it. Critics warn the convenience comes with larger privacy, security and legal risks than anything mainstream browsers have handled before.

What agentic browsers can (and can’t) do

Agentic browsers share common capabilities but diverge sharply on autonomy, memory and data handling:
  • Atlas (OpenAI): An AI-native browser that exposes page DOM, tab lists and history to ChatGPT and offers a full Agent Mode capable of multi-step workflows — opening and closing tabs, filling forms and completing bookings. Agent Mode is available to paid ChatGPT tiers; Atlas launched on macOS with other platforms planned. Atlas keeps short-term “browser memories” (summaries retained roughly 30 days) as an opt-in feature and surfaces consent prompts before taking actions. Official details: OpenAI Atlas.
  • Copilot Mode (Microsoft Edge): A built-in AI layer inside Edge that reasons across tabs, summarizes “Journeys” and offers constrained “Copilot Actions” (e.g., clearing cache, unsubscribing) with enterprise controls, Prompt Shields and Azure safety layers. Microsoft pitches this as a governance-friendly option for organizations that want AI assistance but not free-roaming agents. See Microsoft’s Copilot pages for context: Microsoft Copilot Mode.
  • Dia (The Browser Company): An AI-first Chromium-based browser optimized for reading, writing and structured workflows. Dia puts a stronger emphasis on local-first storage and encryption: history, chats and notes are stored locally and cloud calls are scoped. The assistant is powerful for in-place editing and reusable “Skills,” but Dia intentionally limits open-ended DOM automation. Official site: Dia Browser.
  • Comet (Perplexity): A highly agentic personal assistant browser that integrates deeply with email, calendars and third-party services to run long-running workflows including end-to-end shopping. Perplexity touts local storage defaults and selective cloud uploads, and offers integrations such as 1Password for encrypted vaults. Comet is feature-rich — but it has the steepest risk profile among the four. More: Perplexity Comet and Perplexity’s 1Password partner page: 1Password.

    • Where the risks come from

    Agentic browsers change the browser’s threat model. Instead of a page list, the model may receive page snippets, DOM elements and account-context to reason about actions. That increases both the attack surface and the sensitivity of data being transferred to cloud models.

    Security researchers and privacy advocates have flagged multiple concerns:

  • Prompt‑injection attacks: Agents that read entire pages can be tricked by hidden or adversarial instructions embedded in sites — a malicious site can try to make the agent execute unwanted actions or leak data. Independent researchers (including teams at LayerX and others) have demonstrated such attacks and warned that the risk grows with agent autonomy.
  • Data exposure and model training: Many AI browsers send page content and metadata to provider servers to produce answers. Even when companies offer opt-outs, the reality is that once data reaches a vendor’s servers it can be hard to control. Lena Cohen of the Electronic Frontier Foundation cautions that “once your data is on another company's servers, you have very little control over what happens to it.”
  • Platform and legal friction: Perplexity’s Comet has already faced legal pressure — retailers including Amazon have raised complaints about automated shopping behavior — and security audits have urged caution with Comet’s deeper service integrations.
  • Usability and reliability gaps: Reviewers say many agentic actions remain slow, inconsistent or prone to hallucination. For some users the automation does more harm than good until reliability improves.

    • Different design philosophies

    The four products illustrate three distinct philosophies about how much autonomy to give an AI in a browser:
  • Aggressive automation (Atlas, Comet): Maximize what the agent can do inside the browser. These browsers unlock end-to-end flows but accept higher privacy and security risk and require clearer consent and defenses.
  • Controlled enterprise-first (Edge + Copilot Mode): Add cross-tab reasoning and limited actions while retaining administrative controls and auditability for business users.
  • Privacy- and workflow-first (Dia): Prioritize local data, encryption and constrained automation to preserve user control, favoring content transformation over autonomous web operations.

    • Each approach has trade-offs depending on whether your priority is automation, governance or privacy.

    What experts advise users to do

    Security and privacy experts recommend caution and concrete steps:
  • Start logged out or with minimal privileges when testing agentic features.
  • Disable model training and “improve the model” toggles if you don’t want your interactions used for training — and understand that opting out of training doesn’t stop telemetry from reaching servers during inference.
  • Limit agent access to sensitive accounts (banking, email) and use protective tools like password managers and separate service accounts.
  • Keep agentic mode off for unknown or untrusted sites; agents are most vulnerable to prompt injections on unfamiliar domains.

    • As TIME and NPR reporting and security audits emphasize, the safest stance for most users today is to try agentic features cautiously and avoid entrusting agents with high-value credentials or financial transactions until defenses mature.

    Who should try what

    If you’re deciding which browser fits you, consider these rough heuristics:
  • Choose Atlas if you want the deepest in‑browser automation and are an early adopter willing to manage cloud-based privacy trade-offs (agent mode is tied to paid ChatGPT tiers).
  • Choose Edge + Copilot Mode if you need AI assistance inside a Microsoft-governed environment and want constrained actions with enterprise controls.
  • Choose Dia if you prioritize local-first privacy, writing and research workflows and prefer limited automation.
  • Choose Comet if you want the fullest personal assistant experience and are prepared to follow security advisories and accept platform-policy risks.

Bottom line

Agentic AI browsers point to a future where the browser is a working agent rather than a passive tool. That promises genuine productivity gains — and genuine headaches for privacy, security and platform governance. For now, the sensible path is pragmatic experimentation: use these browsers for low-risk tasks, limit their privileges, follow official guidance on data settings, and wait for firms to harden defenses against prompt injection, accidental data leaks and legal friction.

The agentic browser era is here. Treat it like a powerful new appliance: learn its safe operating procedures before you plug it into your most important accounts.

AI BrowsersPrivacySecurityOpenAIPerplexity