Contents

"I asked an AI, and it opened the browser, looked things up on its own, and even filled out a form for me." In 2026, this is no longer just a staged demo. AI agents that "see, click, and type" in the browser — so-called agentic browsers — have arrived all at once: ChatGPT Atlas, Claude for Chrome, Gemini/Chrome, Perplexity Comet, and more.

So how far can they actually automate? The short answer: the reality splits cleanly into three tiers. "Researching" is basically production-ready, "form filling" is conditional, and "booking and payment" is something you should still do yourself. Use these tools without knowing that gap, and you will get burned. This article lays out the current state of the art, where each vendor stands, the benchmark numbers, and — often overlooked — the security pitfalls, giving you an honest picture of the "reality."

AI BROWSER CONTROL · THE REALITY

Same "browser control" — but three levels of "can it"

— By the nature of the task, the signal turns green, yellow, or red

🟢

Research

Read-only = production-ready

○ Delegate it
🟡

Form filling

Works, but verify

△ Conditional
🔴

Booking / payment

Fails on CAPTCHA / checkout

× Do it yourself
Research benchmarks 89-98% Complex tasks below human level Biggest wall is security

* Benchmark figures, vendor specs, and pricing in this article are quoted from various public materials, news reports, and company announcements (as of June 2026). These products update fast, and their supported OSes, pricing, and capabilities can change. Numbers vary by methodology — read them as directional.

1. What is "AI browser control"? Two approaches

"An AI operating the browser" actually comes in two technical flavors. Both run the same agent loop — see the screen (perceive) → decide the next action (plan) → click or type it (act).

🧭

① Consumer: built into a browser/extension

The AI lives inside the browser you already use — as a dedicated browser (ChatGPT Atlas) or an extension (Claude for Chrome) — and handles research and form filling using your own logged-in session. Easy to adopt, but it comes with the security caveats discussed below.

e.g. Atlas / Claude for Chrome / Gemini in Chrome / Comet

⚙️

② Developer: automate via API/OSS

Drive a browser in a sandbox from code. With OpenAI's computer-use tool or the open-source browser-use, you can run repetitive web tasks unattended. Closer to an evolved RPA, well suited to embedding in workflows.

e.g. computer-use (CUA) / browser-use / Skyvern / Steel

This article focuses mainly on ① the consumer side to gauge "how far it goes." Note that ② often uses the same AI models under the hood, so the strengths and weaknesses tend to be shared.

2. The major players in 2026

From late 2025 into 2026, agentic browsers arrived all at once — and just as quickly, consolidation (shakeout) set in, with standalone products being folded into their parent services. Here is the current lineup.

Product Form Status (as of June 2026)
ChatGPT Atlas
OpenAI		 Dedicated browser (Chromium-based) Launched 2025/10/21. Agent mode for Plus/Pro/Business etc. Initially Mac-centric; Windows/mobile rolling out. Cannot run code, download files, or read passwords by design.
Claude for Chrome
Anthropic		 Chrome extension (side panel) Beta on paid plans (Pro/Max etc.). Navigates, clicks, fills forms, runs multi-tab, multi-step flows. Available models differ by plan.
Gemini / Chrome
Google		 Browser integration The experimental "Project Mariner" ended 2026/5/4 and its tech was folded into Gemini/Chrome. Chrome's "Auto Browse" automates complex flows.
Perplexity Comet
Perplexity		 Dedicated browser Popular for research. But multiple prompt-injection vulnerabilities were reported (see below); fixes shipped in early 2026.
ChatGPT Agent
OpenAI (ex-Operator)		 Built-in + API The standalone "Operator" ended 2025/8/31; its capabilities moved into ChatGPT and the Agents SDK (computer-use). Its exit speaks to the "reality" (see below).
browser-use
OSS		 Library (MIT) Over 78k GitHub stars. Plug in any LLM to build your own automation. Sister OSS like Skyvern and Steel are active too.

What stands out is the wave of "integration and shutdown" of standalone products. Both OpenAI's Operator and Google's Mariner dropped their separate apps and were absorbed into the parent service. It reflects an industry shift from "flashy experiments" to "features embedded in products people use daily" — and, equally, the flip side: fully autonomous control is still hard on its own.

3. How far can it go? The reality in 3 tiers

This is the heart of it. Even within "browser control," practical reliability splits sharply by the nature of the task. Let's flesh out the opening traffic light with concrete examples and benchmarks.

🟢 Research / info gathering = the most "usable" today

Compare prices across sites, summarize reviews, watch competitors for updates, pull numbers from an API-less dashboard — "read-only" work is production-ready. On WebVoyager, which tests real websites, top agents reach 89-98%, effectively saturating the benchmark. Since a wrong action costs little here, this is where to start delegating.

🟡 Form filling = doable, but needs a "watcher"

Contact forms, draft applications, transcribing into a spreadsheet — the input itself is supported by each agent. But it can mislabel fields, misjudge options, or hit the wrong submit button. "AI drafts, a human sends" is the safe pattern. In fact, many products like Atlas are designed to ask for confirmation before important actions.

🔴 Booking / payment = still do it yourself

Hotel and flight bookings, e-commerce purchases, confirmations behind a login — "money moves, hard to undo" tasks are the weakest spot. Agents stumble on CAPTCHAs, complex JavaScript checkouts, two-factor auth, and session management. On WebArena, which tests complex multi-step tasks, even the best score around 47-68% (below the ~78% human baseline). The very reason OpenAI shuttered standalone Operator was the unreliability of checkout flows.

The "gap" in benchmarks (numbers are directional)

WebVoyager (real sites, research-leaning)89-98%
WebArena (complex multi-step tasks)47-68%
Human baseline (WebArena)~78%

* Two years ago, success on similar tasks was reportedly around 14%, so progress is fast. Yet "complex tasks still fall short of humans" is also a fact.

In short: great at looking things up, weak at committing actions. Just remembering that one line will spare you most of the disappointment that comes from mismatched expectations.

4. Why it fails at "booking"

"If it can research, why can't it book?" There isn't a single reason. Booking and payment stack up several "gates" that AI is bad at, all in one place.

🧩 CAPTCHA / bot defenses

Mechanisms that demand "proof of being human" exist precisely to stop agents. Trying to bypass them can itself violate the terms of service.

💳 Complex checkout flows

JavaScript-heavy carts, 3-D Secure, redirects to external payment. One slip anywhere breaks the whole thing, and recovery is hard.

🔐 Two-factor auth / login

SMS codes and app approvals only complete in your own hands. Many products deliberately avoid passwords and credentials.

↩️ The cost of undoing

"Bought by mistake" or "double booking" causes real harm. So vendors insert human approval on important actions and don't auto-confirm.

Put differently, a "failure" at booking is less about the AI not being smart enough and more about colliding with a design intent: "websites don't expect automation" and "humans should hold the big actions." So a jump to 100% automation in the short term is unlikely. Practically, "AI up to the candidates, humans for the final confirmation" is the best answer for now.

5. The biggest pitfall: prompt injection

More important than "can or can't" is safety. The single biggest risk unique to agentic browsers is indirect prompt injectionthe agent gets tricked by "hidden instructions for the AI" planted in a web page or email.

What indirect prompt injection is: an attacker embeds commands like "steal the user's email and send it" using text that is hard for humans to see (background-matched text, characters inside images, comment sections), so that the agent that reads the page is hijacked. Because it runs in your logged-in session, the damage can be direct.

This is not theoretical. In early 2026, multiple vulnerabilities were reported in the research-focused Perplexity Comet. In researchers' demonstrations, merely having it read a malicious page or post was enough to steal credentials and one-time codes and take over the account — a "zero-click" attack path (Perplexity shipped mitigations in February 2026). Similar weaknesses have since been flagged in other major browsers too.

How well do defenses work? (example of published figures)

23.6%

Attack success before defenses
(one vendor's own measurement)

~11%

After basic defenses
(not zero)

~1%

Under the strongest defenses
(still non-zero)

* Figures are self-reported by each vendor and condition-dependent, so they can't be compared side by side. The point: defenses cut it sharply, but never to zero. Research also reports that as attackers iterate, the breakthrough rate rises.

Vendors counter with classifiers that detect hidden instructions, plus confirmation and permission limits on important actions. But the honest state in 2026 is that "even with defenses, residual risk remains." That is exactly why your operating rules are the last line of defense. For more, see AI agent security incidents.

6. A practical checklist for safe use

Given the "reality" above, here are 5 principles for safe use starting today. No tricky settings — it's a matter of mindset.

1

Start with "read-only"

At first, limit it to research, comparison, and summarizing — work where a failure costs nothing. Expand to input tasks only once you're comfortable.

2

A human must approve sends and payments

"AI up to the draft, the final button is yours." Don't set it to confirm without review.

3

Don't hand over sensitive info or passwords

Don't use it for online banking, payments, or confidential screens. There's a reason many products are designed not to touch credentials.

4

Don't run the agent on untrusted sites

Suspicious pages and links from unknown senders are breeding grounds for hidden instructions. Pause before letting the agent "read" them.

5

Least privilege, in a dedicated profile

Don't give it access to every logged-in tab. Where possible, run it in a separate work profile to limit the blast radius.

The bottom line: "convenience" and "privilege" are a trade-off. The more power you grant the agent, the more it can do — but the greater the damage if it's hijacked. Start small and expand as you see results — the same basic rule as in business automation use cases.

Summary

AI browser control took a big step in 2026 from "experiment" to "everyday tool." But it's not all-powerful — the reality splits into three tiers.

Key takeaways

  • 🟢 Research, comparison, and summarizing are production-ready — start here.
  • 🟡 Form filling works, but assumes "a human confirms" at the end.
  • 🔴 Booking and payment are still weak — the CAPTCHA/checkout/2FA walls. "AI to the candidates, human to confirm."
  • ⚠️ The biggest wall is security — prompt injection persists despite defenses. Protect yourself with operating rules.

"An excellent research partner; do the money-moving actions yourself." Keep that distance and AI browser control will save you a lot of time. Start today with "research," where a mistake doesn't hurt. For the fundamentals of agents overall, see what an AI agent is; for safety, dig into security incidents.

FAQ

Q. Can I leave the whole booking to an AI?

A. Not recommended as of 2026. It easily stumbles on CAPTCHAs, complex checkouts, and two-factor auth, risking wrong purchases or double bookings. "AI up to comparing candidates, the final confirmation by a human" is safe.

Q. Which should I use? What's the difference between ChatGPT Atlas and Claude for Chrome?

A. The big difference is form: Atlas is a "dedicated browser," Claude for Chrome is a "Chrome extension." If you already use Chrome, the extension is easy; to try a whole new environment, go with the dedicated browser. Pricing and available models differ by plan — see the pricing comparison.

Q. Should ordinary users worry about prompt injection?

A. Yes. Because the agent runs in your logged-in session, the damage can be direct. Just three habits — don't run it on shady sites, have a human approve payments and sends, and don't use it on screens with sensitive info — cut the risk substantially.

Q. Can I try it for free?

A. It depends on the product. Many agent features are for paid plans, but there are free options like the OSS browser-use that you can build yourself (you'll still pay for LLM usage separately). First check what your existing AI service supports.

Q. For simple routine work, is traditional RPA better?

A. If the steps are exactly the same every time, traditional automation can be more stable and faster. The strength of AI agents is work that's "a little different each time" or "needs judgment." The two aren't rivals — use the right one for the job.