OpenAI has cautioned that prompt injection—a growing cybersecurity threat that embeds hidden instructions inside everyday online content—may never be fully eliminated for AI agents that operate inside web browsers. The warning comes as the company expands the capabilities of ChatGPT Atlas, its browser-based AI agent designed to complete tasks on behalf of users.
In a recent blog post, OpenAI said it rolled out a security update for Atlas after internal testing revealed a new category of prompt-injection attacks. The update includes a newly adversarially trained model and additional safeguards intended to reduce the risk of malicious manipulation.
A Unique Risk for AI Agents
Unlike traditional chatbots that respond only to user queries, browser agents like Atlas can interact with websites, emails, and online tools using clicks and keystrokes similar to a human user. That design allows them to manage workflows across multiple services—but it also increases their exposure to security threats.
“As the browser agent helps you get more done, it also becomes a higher-value target of adversarial attacks,” OpenAI said. The company described prompt injection as one of the most serious risks facing AI agents that have access to sensitive data and the authority to take real-world actions.
Prompt injection works by disguising malicious instructions within ordinary content, such as emails or webpages. When an AI agent encounters that content during a task, it may mistakenly treat the hidden instructions as legitimate commands.
Automated Red-Teaming and New Defenses
To identify vulnerabilities before they are exploited externally, OpenAI said it built an automated “attacker” system using large language models trained through reinforcement learning. This system is designed to uncover sophisticated prompt-injection techniques that unfold over multiple steps, rather than simple one-off failures.
The company explained that the automated attacker tests injections in a simulated environment, analyzing how the target agent would reason and act if exposed to malicious content. By reviewing these simulated outcomes, OpenAI can refine its defenses and update models to better recognize and resist manipulation.
According to OpenAI, having internal visibility into the agent’s reasoning process provides an advantage in anticipating future attack methods.
How Prompt Injection Could Play Out
OpenAI described a hypothetical scenario to illustrate the risk. In the example, a malicious email is planted in a user’s inbox containing hidden instructions directing the AI agent to send a resignation message to the user’s employer. Later, when the user asks the agent to draft a routine out-of-office reply, the agent encounters the email during its workflow and follows the injected instructions instead—sending the resignation letter.
While theoretical, the scenario highlights how task-oriented AI agents change the nature of online threats. Content that once aimed to deceive humans is now crafted to command systems that already have permission to act.
A Problem Without a Final Fix
OpenAI acknowledged that prompt injection may be a persistent issue rather than a solvable one. That view aligns with recent guidance from the U.K. National Cyber Security Centre, which warned that such attacks against generative AI systems may never be fully prevented. Instead, organizations are advised to focus on risk reduction and limiting potential harm.
The company’s renewed focus on AI security comes as it looks to expand its preparedness efforts. OpenAI is seeking to fill a senior role dedicated to studying emerging risks, including cybersecurity threats linked to increasingly capable AI systems.
OpenAI CEO Sam Altman has also spoken publicly about the challenges posed by advanced AI, noting concerns ranging from mental health impacts to models becoming skilled enough to identify critical software vulnerabilities. While he emphasized the benefits of AI, Altman acknowledged that managing misuse and unintended consequences will require more nuanced approaches.
“These questions are hard, and there is little precedent,” Altman wrote in a recent post. “Many ideas that sound good still have real edge cases.”
As browser-based AI agents become more integrated into daily digital life, OpenAI’s warning suggests that prompt injection will remain a central challenge—one that may require constant vigilance rather than a definitive solution.
