ChatGPT Atlas - The First Step Toward AI Operating Systems
By: Oded Vanunu, Chief Technologist & Head of Product's Vulnerability Research at Check Point Software
The Security Challenge: Trust and Boundaries Breaking Down
Cybersecurity fundamentally relies on trust and boundaries. Traditional computing maintains clear boundaries: apps run in isolation, websites can't access each other's data, users approve every action. AI-native computing dissolves these boundaries.
Browsers are already among the most exploited attack surfaces in computing. They're the gateway to authenticated sessions and sensitive data. Now add AI that operates with your full privileges across all logged-in sessions (banking, email, healthcare, and the corporate system), and the attack surface expands dramatically.
The New Attack Vector: Invisible Commands
AI browsers introduce a dangerous vulnerability: indirect prompt injection. Malicious instructions hidden in webpage content can hijack the AI assistant to execute unauthorized actions. Attackers embed commands in nearly-invisible text that humans can't see but AI reads perfectly.
When an AI browser processes a webpage, it can't distinguish your legitimate instructions from malicious commands hidden in the content. Traditional security boundaries like same-origin policy become ineffective when AI agents act with your full privileges. The AI follows hidden commands as if they came from you, because it treats all text as potentially actionable.
Demonstrations have shown how a single malicious URL can exfiltrate emails, calendar data, and credentials, because the AI assistant has access to everything you do.
The Privacy Challenge
AI browsers require unprecedented data access to function effectively. The more context about your browsing history, documents, communications, and behavior, the more useful they become. But this creates a fundamental tension: every webpage you visit, every form you fill, every authenticated session becomes training data for the AI to understand you better.
Sensitive information, financial data, medical records, proprietary business communications all flow through these systems. The AI must process everything to provide intelligent assistance, creating comprehensive surveillance infrastructure even if unintended.
What Needs to Happen
The AI-native computing era has begun. The transformation from application-based to AI-native interfaces is inevitable—the economic and user experience benefits are too compelling. The question is whether we can build adequate security before widespread adoption creates systemic vulnerabilities.
The industry must establish security-by-design principles: this means architectural isolation between user commands and untrusted web content, explicit user confirmation for security-sensitive actions, and granular permission controls for AI capabilities.
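As an added illustration (not code from Check Point or OpenAI), the three principles above can be expressed as a single action gate that an AI browser consults before acting. The capability names, origins and the `Policy` class are hypothetical, and the sample requests are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum

class Source(Enum):
    USER = "user"        # instruction typed by the person using the browser
    WEB_CONTENT = "web"  # text the assistant read from a page or message

class Decision(Enum):
    ALLOW = "allow"
    CONFIRM = "confirm"  # pause and ask the user before acting
    DENY = "deny"

# Hypothetical capability names; these are the security-sensitive ones.
SENSITIVE = {"send_email", "submit_payment", "read_credentials"}

@dataclass(frozen=True)
class ActionRequest:
    capability: str
    origin: str          # site the action would run against
    source: Source       # provenance of the instruction behind the action

@dataclass
class Policy:
    grants: dict                      # origin -> capabilities the user granted
    audit: list = field(default_factory=list)

    def decide(self, req: ActionRequest) -> Decision:
        if req.source is Source.WEB_CONTENT:
            # Isolation: page text is data, never a command channel.
            decision = Decision.DENY
        elif req.capability not in self.grants.get(req.origin, set()):
            # Granular permissions: per-origin, per-capability allow list.
            decision = Decision.DENY
        elif req.capability in SENSITIVE:
            # Explicit confirmation for security-sensitive actions.
            decision = Decision.CONFIRM
        else:
            decision = Decision.ALLOW
        self.audit.append((req.source.value, req.origin, req.capability, decision.value))
        return decision

def demo():
    # Constructed sample grants and requests, for illustration only.
    policy = Policy(grants={"mail.example": {"read_page", "send_email"},
                            "news.example": {"read_page"}})
    requests = [
        ActionRequest("read_page", "news.example", Source.USER),
        ActionRequest("send_email", "mail.example", Source.USER),
        ActionRequest("send_email", "mail.example", Source.WEB_CONTENT),
        ActionRequest("submit_payment", "news.example", Source.USER),
    ]
    return [policy.decide(r) for r in requests], policy.audit
```

The audit list records every decision with its provenance, which is the kind of record the enhanced monitoring recommended for organizations would consume.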
Organizations should treat AI browsers as high-risk technologies requiring enhanced monitoring, clear acceptable-use policies, and restrictions on accessing sensitive data until security practices mature.
Regulators need frameworks specifically designed for AI-native computing risks, addressing data processing transparency, security incident disclosure, and liability when AI systems act autonomously.
"For many people, ChatGPT and other large language models have already become the go-to alternative to traditional search engines. OpenAI’s new Atlas project makes that shift official, but it also raises serious privacy and security concerns," says Lionel Dartnall, Check Point's Country Manager: SADC.
"The move toward ‘agentic browsing’ is the logical next step for the internet, evolving from simple search to an incredibly powerful, context-aware co-pilot. While this integration promises convenience, it also introduces a critical hidden vulnerability: misplaced trust.
Features like memory and agentic behaviour mean these systems can learn about you over time, build detailed profiles, and even act on your behalf. That’s convenient, until it isn’t. The more you use it, the more sensitive data it collects, from personal identifiers to health or financial information. In the wrong hands, this can be exploited for scams, data breaches, or unwanted profiling by advertisers or insurers.
The technical risks are just as real. Attacking AI systems no longer requires sophisticated code. Modern exploits now rely on natural language and social engineering, drastically lowering the bar for entry. As games like Lakera’s Gandalf demonstrate, attackers can trick models into revealing confidential information using only clever prompts, a tactic that could easily scale across large AI platforms," he says.
Bottom Line: Atlas is the opening move in computing's transformation to AI-native interfaces. The next 24 months will determine whether security catches up to innovation. The boundaries that kept us safe for decades are dissolving. Those who build adequate protections first will define the next generation of computing for billions worldwide.
Submitted on behalf of
- Company: Check Point Software Technologies
- Contact #: 0861777727
Press Release Submitted By
- Agency/PR Company: Kerry Botha Communications
- Contact person: Kerry Botha
- Contact #: 0832630644
