OpenAI reveals how AI agents protect users from malicious links as automated browsing expands

OpenAI explains how its AI agents avoid malicious links

AI agents can perform tasks on behalf of the user, and this often involves controlling a web browser, sorting through emails, and interacting with the internet at large. And since there are lots of places on the internet that can steal your personal data or otherwise cause harm, it's important that these agents know what they're doing. So, as users migrate away from web browsers and Google Search to AI browsers and agents, AI companies like OpenAI need to make sure these tools don't fall straight into a phishing attempt or click on malicious links. In a new blog post, OpenAI explains exactly how its AI agents protect users. One possible solution to this problem would be for OpenAI to simply adopt a curated list of trusted websites its agents are allowed to access. However, as the company explained in the blog post, that would probably be too limiting and would harm the user experience. Instead, OpenAI uses something called an independent web index, which records public URLs that are already known to exist on the internet, independent of any user data. So, if a URL is on the index, then the AI agent can open it without a problem. If not, the user will see a warning asking for their permission to move forward. As OpenAI explains in its blog post, "This shifts the safety question from 'Do we trust this site?' to 'Has this specific address appeared publicly on the open web in a way that doesn't depend on user data?'" You can see a more technical explainer in a lengthy research paper OpenAI published last year, but the main thing to know is that it's possible for web pages to manipulate AI agents into doing things they shouldn't do. A common form of this is prompt injection, which gives clandestine instructions to the AI model, asking it to retrieve sensitive data or otherwise compromise your cybersecurity. To be clear, as OpenAI states in the blog post, this is just one layer of security that doesn't necessarily guarantee that what you're about to click on is entirely safe. Websites can contain social engineering or other bad-faith constructs that an AI agent wouldn't necessarily be able to notice.

OpenAI Warns Malicious Links Could Undermine Agentic AI | PYMNTS.com

In new guidance on artificial intelligence (AI) agent link safety, the company said on Wednesday (Jan. 29) that malicious links are emerging as one of the most exploitable surfaces as agents move beyond conversation into action. The concern is not abstract. As AI agents increasingly browse the web, retrieve information and complete tasks on behalf of users, links become gateways that can expose sensitive data or manipulate behavior if left unchecked. The warning comes at a moment when AI usage is becoming habitual. PYMNTS Intelligence data shows that more than 60% of consumers now start at least one daily task with AI. As autonomy increases, so does the cost of failure. OpenAI's position is that links should be treated as a core security risk for agentic systems, on par with prompts and permissions. That framing reflects a broader shift in how AI safety is being operationalized as these systems move closer to commerce, payments and enterprise workflows. In traditional browsing, humans decide whether to click a link and implicitly accept the risk. In agentic AI, that decision can be automated. An AI agent researching a product, managing a workflow or completing a transaction may encounter dozens of links in a single task. If even one of those links is malicious, the system can be manipulated into revealing information or taking actions the user never intended. OpenAI highlights the risk of malicious links that embed hidden instructions or deceptive redirects inside web content. When an AI agent consumes that content, it may treat those instructions as legitimate context rather than as an attack. This is especially dangerous when agents have access to tools, credentials or downstream systems. The problem scales with adoption. PYMNTS research shows that consumer trust in AI handling transactions is uneven, with a majority of shoppers saying they trust banks more than retailers to let AI buy on their behalf. That trust is fragile. A single high-profile failure tied to unsafe automation could slow adoption across entire categories. To address the risk, OpenAI outlines a layered approach designed to reduce exposure without undermining usability. One core safeguard is link transparency. AI agents are trained to distinguish between links that already exist publicly on the open web and links that are introduced or modified within a conversation. If a link cannot be independently verified as preexisting, the system treats it as higher risk. This verification step helps prevent attackers from injecting custom URLs designed to capture sensitive data or trigger unintended behavior. Instead of silently following such links, the agent pauses and surfaces the decision to the user. OpenAI also applies constrained browsing, limiting what agents are allowed to do automatically when interacting with external content. Rather than granting blanket permission to fetch or execute actions from any link, the system narrows the scope of autonomous behavior. This reduces the chance that a single malicious page can cascade into broader compromise. For actions that involve elevated risk, OpenAI requires explicit human approval. If an agent encounters ambiguity or a task that could expose private information or initiate a meaningful action, it does not proceed on its own. This introduces friction by design, reinforcing the idea that autonomy should expand only where confidence is high. The company is transparent that these safeguards do not eliminate risk entirely. Instead, they are meant to make attacks harder, more visible and easier to interrupt. That tradeoff is intentional.