OpenAI has released Atlas, a free macOS web browser built around ChatGPT, and it arrives with big ambitions, useful features, and some immediate security questions.
What OpenAI Has Launched, And Why It Matters
OpenAI describes Atlas as “a new web browser built with ChatGPT at its core.” The idea of Atlas is, rather than visiting a website, copying content, and pasting it into a chatbot, the chatbot now lives inside the browser and can see the page you are on. OpenAI has framed it as a chance to “rethink what it means to use the web.”
Just On macOS (Free) For Now
Atlas is available now worldwide on macOS for Free, Plus, Pro, and Go users, with Windows, iOS, and Android versions “coming soon.” Business users can enable Atlas in beta, and Agent mode is available in preview for Plus, Pro, and Business tiers. OpenAI also published release notes and a download link, underlining that Atlas can import bookmarks, passwords, and browsing history from existing browsers.
How It Works In Practice
Atlas opens directly to ChatGPT rather than a traditional home page. Users can type a question or a URL, then work in a split view where ChatGPT summarises, compares, or explains the page they are on. An optional sidebar, “Ask ChatGPT,” follows the user as they browse, designed to remove the copy-paste friction that has characterised earlier chatbot use. OpenAI states that the browser can “understand what you’re trying to do, and complete tasks for you, all without leaving the page.”
Two features really stand out. The first is “browser memories,” which is an opt-in setting that allows ChatGPT to remember context from sites a user visits so it can bring that context back when needed. The second is “Agent mode,” which enables ChatGPT to act on the user’s behalf in the browser, carrying out tasks such as research, form-filling, or making bookings. OpenAI is keen to emphasise the benefit of user control, noting that browser memories can be viewed, archived, or deleted, that browsing content is not used to train models by default, and that visibility for specific sites can be turned off directly from the address bar.
Availability And Controls
At launch, Atlas includes parental controls that carry over from ChatGPT, with options to disable memories or Agent mode entirely. OpenAI says Agent mode can’t run code in the browser, download files, or install extensions, and it pauses on sensitive sites such as banks. Users can also run the agent in logged-out mode to limit access to private data.
Where Atlas Fits In A Crowded Browser Market
This move from OpenAI appears to be a direct challenge to existing players. For example, on desktop, Chrome holds about 73.65 percent of the global browser market, followed by Edge on 10.43 percent and Safari on 5.73 percent (StatCounter, September 2025). For Atlas to gain traction, it must prove both trustworthy and genuinely useful in daily workflows.
Vague Wording? What “AI Browser” Really Means
It seems that “AI browser” is quickly becoming shorthand for a set of common features, i.e., a chatbot that can read what’s on the screen, answer questions about it, and act within context. In Atlas, this takes the form of ChatGPT as a ride-along assistant that can process and recall on-page information.
Microsoft is pursuing the same idea. For example, in its Edge browser, Copilot Mode provides similar capabilities, opening a chat window that can summarise and compare data across multiple tabs. The company has also introduced “Actions,” which can fill in forms or book hotels, and “Journeys,” which group your tab history into ongoing projects.
The Indirect Prompt-Injection Issue
It seems that the most significant technical challenge currently facing Atlas, however, may not be unique to OpenAI. For example, Brave’s security team recently warned that indirect prompt injection is “a systemic challenge facing the entire category of AI-powered browsers.”
In simple terms, prompt injection occurs when a malicious webpage hides instructions that an AI assistant mistakenly interprets as user commands. This could cause the AI to perform unintended actions, such as fetching data from other tabs or leaking information from logged-in accounts.
Brave’s research revealed that similar vulnerabilities have been found in other AI browsers, including Perplexity’s Comet and Fellou, where attackers could hide commands inside website text or even faint image overlays. These instructions can bypass normal safeguards by being passed to the model as part of the page context.
In fact, OpenAI’s own documentation acknowledges this threat. For example, Dane Stuckey, OpenAI’s Chief Information Security Officer, described prompt injection as “a frontier, unsolved security problem” and said the company has implemented overlapping guardrails, detection systems, and model training updates to reduce risk. “Our adversaries will spend significant time and resources to find ways to make ChatGPT agent fall for these attacks,” he wrote, adding that users should run agents in logged-out mode when working on sensitive tasks.
Early Testing And What Researchers Are Seeing
Early demonstrations have already shown why this remains an open concern. For example, independent researchers have reportedly shared examples where Atlas responded to hidden instructions embedded within ordinary documents, producing unexpected outputs instead of the requested summaries. While these examples did not involve harmful actions, they highlight how easily indirect prompt injections can influence AI behaviour when content is treated as part of a legitimate task.
AI security researcher Johann Rehberger, who has documented several prompt-injection attacks across AI platforms, described the risk as affecting “confidentiality, integrity, and availability of data.” He noted that while OpenAI has built sensible safeguards, “carefully crafted content on websites can still trick ChatGPT Atlas into responding with attacker-controlled text or invoking tools to take actions.”
Brave’s recent post about this security issue also warned that agentic browsers can bypass traditional web protections such as the same-origin policy because they act using the user’s authenticated privileges. For example, a simple instruction hidden in a web page could, in theory, make the assistant act across sites, including banks or corporate systems, if guardrails fail.
How OpenAI Says It Has Balanced Power And Control
OpenAI has listed several design choices intended to reduce these risks. For example, users can clear specific page visibility, delete all browsing history, or use incognito windows that temporarily log ChatGPT out. Browser memories are private to the user’s ChatGPT account, are off by default, and can be managed directly in settings.
If a user opts to allow training on browsing content, pages that block GPTBot remain excluded. Agent mode cannot install extensions, access the file system, or execute code, and it pauses on sensitive sites where actions might expose personal data.
OpenAI says its approach is to combine technical safeguards with transparency. Users are shown what the agent is doing step by step, and actions can be stopped mid-flow.
For example, someone planning a dinner party can ask Atlas to find a grocery store, add ingredients to a basket, and place the order, watching each action unfold. Also, a student could use Atlas to ask real-time questions about lecture slides, while a business user can ask it to summarise competitor data or past documents without switching tabs.
Two Days Later, Microsoft Reframes Edge As An “AI Browser”
Just two days after OpenAI’s announcement, Microsoft expanded its own browser to include nearly identical functionality. On 23 October, the company unveiled an upgraded Copilot Mode for Edge, now officially described as “an AI browser.”
Mustafa Suleyman, CEO of Microsoft AI, wrote in a company blog post: “Copilot Mode in Edge is evolving into an AI browser that is your dynamic, intelligent companion.” The update introduces new features called “Actions,” which allow Copilot to fill out forms and make bookings, and “Journeys,” which group browsing sessions around specific goals.
Although Microsoft’s project was likely in development long before Atlas was revealed, the timing and similarity are notable. Both browsers now integrate AI deeply into browsing, both rely on contextual understanding to assist users, and both frame the assistant as a companion that can interpret what is on screen.
Independent reviewers have noted that the new Copilot Mode in Edge is visually and functionally close to Atlas. The layout differs slightly, but the underlying premise is the same: a built-in AI that reads, reasons, and acts on content as you browse. Microsoft says all new features require user consent before accessing tab content or history.
Challenges And Criticisms
While Atlas has been praised for its clean design and intelligent functionality, some experts have already raised questions about privacy, data control, and long-term security. OpenAI insists that browser memories are fully optional and off by default, but data protection specialists warn that even anonymised context retention can reveal behavioural patterns over time.
Also, some commentators have warned that Atlas, like other AI-driven browsers, could raise new privacy and security concerns if not carefully managed. For example, cybersecurity specialists have noted that the browser’s ability to access bookmarks, saved passwords, and full browsing histories could make the trade-off between convenience and data protection more critical than ever. They have also cautioned that combining web activity with chatbot interactions could increase risks such as profiling, targeted phishing, or unintended exposure of sensitive information.
It should also be noted here that early feedback from users has been mixed. For example, some testers have praised Atlas for its clear presentation of information and accurate sourcing, while others have reported slower performance and questioned how effectively Agent mode will operate once the browser is adopted at scale.
Cybersecurity researchers point out that even if Atlas performs safely under current controls, new prompt-injection techniques are constantly being developed. Brave’s researchers have already hinted that further vulnerabilities are likely to surface as more companies introduce AI-driven browsing.
The balance between innovation and oversight, and between convenience and confidentiality could, therefore, be the central test for Atlas and the new wave of AI browsers it represents.
What Does This Mean For Your Business?
OpenAI’s launch of Atlas could be one of the most ambitious steps yet in merging web browsing with conversational AI. It shows how quickly the boundary between search, productivity, and automation is dissolving, with the browser itself becoming a personal assistant rather than a static window to the internet. Yet it also exposes how far the technology still has to go before it can be trusted to act independently in real-world settings.
For users, the attraction is that Atlas promises a streamlined way to find information, take action, and move between tasks without switching tabs or tools. For OpenAI, it provides a direct platform for embedding ChatGPT more deeply into everyday digital life. However, the same integration that makes Atlas powerful also increases the surface area for risk. Allowing an AI agent to see and act within live browsing sessions inevitably raises questions about data access, authentication, and the potential for malicious manipulation through prompt injection or hidden instructions.
UK businesses, in particular, may need to approach Atlas with a mix of curiosity and caution. For example, the prospect of an intelligent browser that can summarise research, handle admin tasks, or automate data collection could boost productivity and streamline workflows. However, organisations will have to consider how it interacts with internal systems, how data is stored and transmitted, and whether its automation features comply with corporate security and privacy policies. For sectors such as finance, healthcare, and education, these considerations will be especially pressing, as even minor missteps could expose sensitive information or breach compliance rules.
For other stakeholders, including regulators and cybersecurity specialists, Atlas may represent an early glimpse of what “agentic” browsing could actually mean for the wider internet. It challenges long-held assumptions about user control, privacy, and accountability. If AI browsers become mainstream, the focus of online safety will need to expand from defending websites against users to defending users against their own automated agents.
In that sense, Atlas is less a final product than a live experiment in how people and machines might share control over digital tasks. Its success will depend not just on speed or convenience but on whether OpenAI can earn sustained trust from users, businesses, and regulators alike. For now, Atlas looks like being both a milestone in browser innovation and a reminder that every step towards automation must also bring new standards of responsibility, transparency, and security.