Tech buzzwords can be annoying. But if you haven’t yet heard of “agentic AI,” it’s one worth knowing. In short, it’s an AI personal assistant. You give it a goal – such as, “Find the cheapest flights and hotels for a week in Istanbul in April” – and the agent figures out the steps, does the legwork, and comes back for approval. Companies like OpenAI and Perplexity are already building this into their Atlas and Comet browsers. Now it’s Google’s turn.
When I first saw Google’s demo, I had two simultaneous thoughts: this looks incredibly useful, and I’m uneasy about inherently buggy generative AI getting even more access to my life.
Google has begun rolling out its own agentic AI feature, called “auto browse,” in Chrome – by far the most-used browser. It’s a slow rollout, arriving first as a preview for U.S. subscribers to its AI Pro ($19.99/month) and AI Ultra ($249.99/month) plans. It also requires Chrome version 144, available now for Windows, macOS, and Chromebook Plus. The goal is to automate multi-step tasks across multiple websites based on the objective you provide.
Read more: ChatGPT Can Now Launch Apps Like Spotify, Canva, and Expedia
If you have one of those AI plans and an active Gemini account, you may already have access to auto browse – or it may take a few days to reach you. Sign into Chrome with your Google account, click the three dots in the upper-right corner, and go to Settings > About Chrome to check your version. Then go to Settings > Gemini (or AI innovations > Gemini) and make sure “Gemini in Chrome” is enabled. Google hasn’t said when auto browse will roll out more broadly.
Giving Chrome this much control over your digital life naturally raises security and privacy questions. We’ll get to those shortly. First, here’s what auto browse can do.
What auto browse can do for you
Google’s pitch is simple: save you the manual work of using the internet – finding the right sites, digging through pages, searching for products, and filling out forms. If you store passwords in Chrome’s Google Password Manager, auto browse will ask whether you want it to log into sites on your behalf. It can also fill out forms using saved details like your name, address, and phone number.
Most password managers can already do this, but in my experience (at least with Bitwarden), form-filling is often imperfect. Ironically, that’s the one task I’m most curious to try with auto browse.
I use Google Password Manager as an adjunct to Bitwarden and often recommend it to people who are die-hard Chrome or Android users. This doesn’t feel like Google trying to replace password managers. It works with them. But it does give Chrome a much more active role in how your credentials and personal details get used.
Shopping is another use case. Today, finding a product often means running a Google Lens search, sifting through results, clicking through to the right item, logging in, and entering payment and shipping details before you reach checkout.
With your permission, auto browse can handle those steps and present your cart for review. You can watch the process unfold in Chrome, and you can pause, stop, or take over at any time.
Google says auto browse should work on any ecommerce site. To improve reliability, it created a “Universal Commerce Protocol” (UCP) that standardizes how AI agents interact with product listings, carts, and checkout systems, with support from major retailers and payment providers.
In a demo for journalists, Google showed a more complex task: booking a vacation. By giving Gemini access to her Gmail, Parisa Tabriz, VP of Chrome, demonstrated how it could determine when her kids were on spring break, search for safari packages and lodging, and present options for review before purchase.
That Gmail access is, by far, the part that makes me most nervous.
Is it safe to use?
All of this gives Google’s AI more insight into your life – and the ability to take meaningful actions on your behalf. It won’t complete a purchase on its own. But what happens if it lands on a phishing site instead of a legitimate merchant and tries to log in?
Auto browse is “designed to be as secure as we can make it,” says Mike Torres, VP of product for Chrome. Google says it checks site legitimacy, avoids known malware destinations, and relies on Chrome’s Safe Browsing protections, along with on-device AI scam and malware detection. Users must explicitly approve sign-ins, form-filling, and purchases.
Read more: OpenAI Confirms AI-Powered Browsers Leave You Vulnerable to Hackers
Chrome also scans pages for “prompt injection” attacks – malicious instructions embedded in web content that attempt to hijack an AI agent. Google says it isolates untrusted content and checks that every action aligns with the user’s goal. Still, researchers recently showed that hidden prompts in Google Calendar invites could influence Gemini if it had Calendar access. Google says it fixed the issue, but it’s a reminder that AI exploits keep evolving.
I’m less worried about Google’s stated protections than I am about how much additional personal and sensitive information Gemini could learn by being allowed to read Gmail and potentially other apps to “help” with auto browse sessions. Google has extensive privacy guarantees. But the company has also faced recent AI-related exploits and even settled a case about enabling Gemini features in apps without clear user consent. That history makes me cautious.
Google also says auto browse is isolated from website trackers that build ad profiles. I believe they have built it that way. But I worry that a bug, an exploit, or even future policy changes could undermine that separation, as privacy violations across tech are hardly rare.
Should you use it?
This is impressive technology, but, despite Google’s assertions about security and privacy protections, there are plenty of examples showing how AI can go awry in these respects.
For now, I’m using auto browse sparingly out of curiosity. The one task I’m genuinely interested in trying is form-filling. I would not use it for anything involving financial accounts, large purchases, or sensitive transactions.
If you’re curious, you might experiment with it on low-stakes tasks. If you’re not especially curious, there’s no reason to turn it on yet. It will likely take many months – if not a year – before this feature is widespread enough for researchers, security experts, and real-world incidents to reveal how safe and reliable it really is.
[Image credit: Sean Captain/Techlicious via ChatGPT and Nano Banana; Google]
