New Research Shows AI Agents Are Running Wild Online, With Few Guardrails in Place


In the past year, AI agents have become very popular. OpenAI, Google and Anthropic have all launched public-facing agents designed to perform multi-step tasks assigned to them by humans. In the past month, an open-source AI agent called OpenClaw took the web by storm thanks to its impressive autonomous capabilities (and major security concerns). But we don't really understand the scale of AI agent operations, or whether all the conversation matches actual deployment. The MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) aims to fix this with its recently published 2025 AI Agent Index, which provides our first real look at the scale and operation of AI agents in the wild.

Researchers found that interest in AI agents has undoubtedly skyrocketed in the past year. The number of research papers mentioning "AI agents" or "agent AI" in 2025 was more than double the total for 2020 through 2024, and a McKinsey survey found that 62% of companies reported that their organizations were at least experimenting with AI agents.

With so much interest, the researchers focused on 30 leading AI agents in three categories: chat-based options like the ChatGPT agent and Claude Code; browser-based bots like Perplexity Comet and ChatGPT Atlas; and enterprise options like Microsoft 365 Copilot and ServiceNow Agent. Although the researchers did not provide precise figures on how many AI agents are deployed on the Web, they did provide a lot of information about how those agents operate, which is largely without a safety net.

Of the 30 AI agents put under the magnifying glass by MIT CSAIL, only half are covered by a published security or trust framework such as Anthropic's Responsible Scaling Policy, OpenAI's Preparedness Framework, or Microsoft's Responsible AI Standard. One in three agents has no security framework documentation at all, and five of the 30 list no compliance standards. This is troubling when you consider that 13 of the 30 systems reviewed met threshold levels of agency, meaning they can operate largely without human oversight over extended task sequences. Browser agents typically operate with a high degree of autonomy. This includes things like Google's recently launched AI "AutoBrowse," which can complete multi-step tasks by navigating to different websites and using the user's information to do things like log in to sites on their behalf.

One problem with allowing agents to browse freely and with few limitations is that their activity is almost indistinguishable from human behavior, and the agents themselves do little to dispel the confusion. The researchers found that 21 out of 30 agents did not disclose to end users or third parties that they were AI agents rather than human users, so much AI agent activity is mistaken for human traffic. MIT found that only seven agents published static user-agent (UA) strings and IP address ranges that site operators can use for verification. Many use Chrome-like UA strings and residential or local IP addresses that make their requests look human, leaving a website with almost no way to tell authentic traffic from bot behavior.
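The verification the researchers describe, published static UA strings plus published IP ranges, is something a site operator can check per request. The following is an added example written for this article, not code from MIT CSAIL or from any agent vendor; the agent names, UA tokens, CIDR ranges and log lines are constructed placeholders that a real deployment would replace with each vendor's published values.

```python
import ipaddress
from collections import Counter

# Constructed registry mapping a vendor's published UA token to the IP ranges
# it publishes for verification. These values are placeholders, not real ones.
PUBLISHED_AGENTS = {
    "ExampleAgent/1.0": ["203.0.113.0/24", "2001:db8:1::/48"],
    "ExampleBrowserBot/2.1": ["198.51.100.0/25"],
}

def verify_agent(user_agent: str, remote_ip: str) -> str:
    """Classify one request.

    verified-agent : UA claims a published agent and the source IP is in its range
    spoofed-agent  : UA claims a published agent but the IP is outside its range
    unverifiable   : no published agent token, so the request is indistinguishable
                     from a human browser (the gap the index highlights)
    """
    try:
        ip = ipaddress.ip_address(remote_ip)
    except ValueError:
        return "unverifiable"  # malformed address, treat as unverifiable
    for token, ranges in PUBLISHED_AGENTS.items():
        if token in user_agent:
            # Version mismatch (v4 address vs v6 net) simply yields False here.
            if any(ip in ipaddress.ip_network(r) for r in ranges):
                return "verified-agent"
            return "spoofed-agent"
    return "unverifiable"

def summarize(log_lines: list[str]) -> dict[str, int]:
    """Tally a list of constructed '<ip> "<user-agent>"' log lines by class."""
    counts: Counter[str] = Counter()
    for line in log_lines:
        remote_ip, _, rest = line.partition(" ")
        counts[verify_agent(rest.strip('"'), remote_ip)] += 1
    return dict(counts)

# Constructed sample log: one genuine agent, one impersonation, two Chrome-like UAs.
SAMPLE_LOG = [
    '203.0.113.7 "Mozilla/5.0 (compatible; ExampleAgent/1.0)"',
    '192.0.2.9 "Mozilla/5.0 (compatible; ExampleAgent/1.0)"',
    '192.0.2.10 "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0 Safari/537.36"',
    '198.51.100.200 "Mozilla/5.0 (Macintosh) Chrome/121.0 Safari/537.36"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The two Chrome-like lines land in the "unverifiable" bucket whether they came from a person or from an agent that hides behind a browser UA, which is exactly why the researchers treat missing disclosure as a transparency failure rather than a detection problem a site can solve on its own.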

For some AI agents, this is actually a marketable characteristic. Researchers found that Browser Use, an open-source AI agent, sells itself to users by claiming to bypass anti-bot systems and browse "like a human." More than half of the agents tested provide no specific documentation about how they handle robots.txt files (text files placed in the root directory of a website to tell web crawlers how they may interact with the site), CAPTCHAs meant to verify that traffic is human, or site APIs. Tangle has also argued that agents acting on behalf of users should not be subject to scraping restrictions because they act "exactly like a human assistant".

The fact that these agents are in the wild with so little protection means there is a real risk of exploitation. There is no standard for security assessment and disclosure, leaving many agents potentially vulnerable to attacks such as prompt injection, in which an agent ingests hidden malicious instructions from content it processes and those instructions override its security controls. Per MIT, nine out of 30 agents have no documented protections against potentially harmful actions. Almost all agents fail to disclose internal security testing results, and 23 out of 30 provide no information about third-party security testing.

Only four agents—ChatGPT Agent, OpenAI Codex, Claude Code, and Gemini 2.5—came with agent-specific system cards, meaning the security assessment was tailored to how the agent actually operates rather than just to the underlying model. And while frontier labs like OpenAI and Google offer more documentation on "existential and behavioral alignment risks," they provide little detail on the kinds of security vulnerabilities that arise in day-to-day operation. The researchers call this habit "security washing": publishing high-level security and ethics frameworks without disclosing the empirical evidence needed to rigorously assess risk.

There has been at least some movement toward addressing the concerns raised by the MIT researchers. In December, OpenAI and Anthropic (among others) came together to announce a foundation that will create a development standard for AI agents. But the AI Agent Index shows how wide the transparency gap is when it comes to agentic AI operations. AI agents are operating on the web and in the workplace with a tremendous amount of autonomy and minimal oversight, and at this point there is little to indicate that security will scale to match any time soon.
