I started with a simple claim: if you're using AI tools that browse the web, access your apps, and take actions on your behalf, a VPN is non-optional.
I was wrong. Not about the risk — about the scope.
VPN is one layer. A reasonable one. It encrypts your traffic, blinds your ISP, and protects you on public wifi. But the real threat isn't someone intercepting your packets. It's that the AI agent you just authorized has your credentials, your context, and the ability to act — and the security model for that doesn't exist yet.
The agent you trust more than your coworkers
Think about what a modern AI browser agent has access to. Your email. Your calendar. Your files. Your logged-in sessions across every SaaS tool. When you tell it to "book that meeting" or "fill out that form" or "find me the cheapest flight," it's operating inside your authenticated sessions with the same permissions you have.
A study testing eight major browser agents released in 2025 — including ChatGPT Agent, Google Project Mariner, and Amazon Nova Act — found 30 vulnerabilities across every product tested. Every single one.
Six of eight agents didn't show safe browsing warnings when directed to known phishing pages. Four of eight accepted all cookies even when a "deny all" option was right there and equally accessible. These aren't experimental prototypes. These are tools millions of people are handing their login sessions to.
The numbers that should stop you
According to Gravitee's State of AI Agent Security 2026 report, 88% of organizations confirmed or suspected an AI agent security incident in the past year. Not "could happen." Happened.
In multi-agent system testing, a single compromised agent poisoned 87% of downstream decision-making within four hours. One bad actor in the chain, and the entire system's output becomes unreliable.
45.6% of teams use shared API keys for agent-to-agent authentication. When a breach occurs, there's no way to determine which agent acted and what it accessed. Every agent that shares credentials is a blast radius multiplier.
65% of agentic chatbots have never been used but still hold live access credentials. Zombie agents with active keys, sitting in enterprise environments, waiting.
A supply chain attack on the OpenAI plugin ecosystem compromised credentials from 47 enterprise deployments. It went undetected for six months. Attackers accessed customer data, financial records, and proprietary code — all through the agent layer.
The VPN that stole your AI conversations
Here's the irony that killed my original thesis.
Urban VPN Proxy — a browser extension with over 6 million users — was caught intercepting and exfiltrating users' private AI conversations. ChatGPT prompts. Claude responses. Gemini queries. Perplexity searches. All of it — prompts, responses, conversation IDs, timestamps, session metadata — scraped and sold. Eight million users affected.
A VPN extension. The tool people install to protect their privacy was the tool stealing their data.
This isn't a flaw in the VPN concept. It's a flaw in the trust model. Users swapped one untrusted intermediary (their ISP) for another (a free VPN provider) without the ability to evaluate the trade. The security layer became the attack vector.
Prompt injection: the attack you can't see
The most insidious threat to AI agents isn't credential theft. It's prompt injection — hidden instructions embedded in content that the agent processes and the user never sees.
Researchers found that a maliciously crafted prompt injected into one SaaS platform can propagate through a browsing agent to execute commands in another platform where the user is logged in. Because agentic browsers lack strict isolation boundaries, a single prompt injection can access local files and every logged-in service.
Check Point Research demonstrated that AI assistants supporting web browsing can be abused as covert command-and-control relays — attacker traffic blending into legitimate enterprise communications, invisible to traditional security monitoring.
A vulnerability in Claude's Chrome Extension allowed any website to silently inject prompts as if the user typed them. No clicks. No permission prompts. Zero interaction required. More than 10,000 Claude Desktop users were exposed to a separate zero-click flaw triggered by a single malicious Google Calendar event.
VPN protects none of this. These are application-level attacks. The agent itself is the attack surface.
What the security model should look like
The cloud security industry spent a decade learning three principles the hard way: zero trust, least privilege, assume breach. Every one of them applies to agentic AI — and almost nobody is applying them.
Zero trust for agents. No agent should be trusted by default, regardless of who built it. Every action an agent takes should be verified against the user's actual intent. "I told it to book a flight" doesn't mean it should also have access to your email, your files, and your banking session.
Least privilege, enforced. Agents should have the minimum permissions required for each specific task, scoped to that task, revoked when the task is complete. The current model — give the agent access to everything and hope it behaves — is the same mistake enterprises made with admin credentials in 2010.
Assume breach. Treat every agent session as potentially compromised. Rotate credentials. Sandbox agent activity. Monitor for anomalous behavior. If 88% of organizations have already experienced an incident, the baseline assumption should be that your agent environment is already partially compromised.
And yes — encrypt your traffic. VPN matters. Use a reputable, audited provider. Don't use free browser extensions. Especially on public wifi, especially when agents are making API calls that carry your credentials. Network-level encryption is the floor, not the ceiling.
The bottom line
My instinct was right about the risk and wrong about the prescription. VPN is one layer in a security posture that needs to be fundamentally rethought for a world where AI agents act on your behalf.
The real problem: we're handing autonomous tools — tools that can't identify phishing pages, that accept cookies indiscriminately, that share credentials broadly and hold them indefinitely — the ability to operate inside our most sensitive digital environments. Inside a security architecture that was designed for a human with a mouse and a healthy sense of suspicion.
The tools are ahead of the guardrails. The threat model has shifted from "protect the network" to "protect the agent." And the infrastructure for that second job barely exists.
Lock the front door. But also take back the keys.
- TechCrunch: The Glaring Security Risks with AI Browser Agents
- Moonlock: VPN Browser Extensions Caught Spying on AI Chats
- KOI.ai: 8 Million Users' AI Conversations Sold by "Privacy" Extensions
- Help Net Security: Browser Agents Don't Always Respect Privacy Choices
- Palo Alto Networks: AI and the New Browser Security Landscape
- Kaspersky: Cybersecurity and Privacy in LLM-Powered AI Browsers
- Dark Reading: AI Agents Are Bringing Back Browser Insecurity
- arXiv: The Hidden Dangers of Browsing AI Agents
- Check Point Research: AI in the Middle — Turning AI Services into C2 Proxies
- SecurityWeek: Critical Vulnerability in Claude Code
- The Hacker News: Claude Extension Flaw Enabled Zero-Click XSS
- eSecurity Planet: 10K Claude Desktop Users Exposed
- Wiz Blog: Hacking Moltbook — 1.5M API Keys Exposed
- Bessemer: Securing AI Agents — The Defining Cybersecurity Challenge of 2026
- Microsoft: Secure Agentic AI End-to-End
- Lakera: Agentic AI Threats — Over-Privileged Tools & Uncontrolled Browsing
- CyberArk: AI Agents and Identity Risks in 2026