200 Dollars a Month and the Governance Gap

Business | SaaS | Technology
May 19, 2026

AUTHOR

James A. Wondrasek

[Figure: Graphic representation of the monthly subscription governance gap in AI browser agent procurement]

Any employee at your company can buy Perplexity Comet MAX — an agentic browser with direct access to their email, cloud files, and enterprise SaaS tools — for $200 a month on a personal credit card. No IT review. No procurement approval. No security assessment.

That is the enterprise AI browser cost problem. The price is low enough that bypassing procurement is trivial, but the risk exposure is anything but.

Agentic browser traffic is growing at 7,851% year-on-year, and 77% of organisations have no formal framework for governing what their agents are authorised to do. Courts are issuing injunctions. Industry coalitions are filing amicus briefs.

This article sets out the legal and organisational evidence, defines what must be governed, and provides a practical framework to close the gap. For context on what Perplexity Comet does that creates the shadow IT risk, see the first article in this series. For background on the architectural shift that created this governance challenge, see the conceptual framing article. For the complete picture, see the full agentic browser security and governance guide.

When does a $200/month AI subscription become a governance crisis?

At $200 a month, Perplexity MAX clears the impulse-purchase threshold for any professional with a company expense card. That price gets you Comet — the agentic browser — and Perplexity Computer, a cloud AI worker capable of autonomous multi-step action across connected enterprise systems. No IT review required.

Once Comet is installed, it requests OAuth authorisation to Gmail, Google Drive, Salesforce, Slack, Notion, and Zendesk. Those grants are broad and persistent. They survive the employee’s active session and stay valid until someone explicitly revokes them. The average employee already holds 70 OAuth grants (Nudge Security). An agentic browser adds 10 to 15 more, all outside IT’s visibility.

Shadow AI carries a qualitatively different risk from shadow IT. Where a rogue SaaS app reads data, a rogue agentic browser acts on it — submitting forms, sending emails, modifying files, all without human intervention.

Most SMEs set single-purchase approval thresholds above $200, so this subscription slides under the IT review threshold by design. And open-source agents that bypass procurement entirely do it at zero cost.

How much agentic browser traffic is already happening — and how much of it is ungoverned?

The governance gap is not a future risk category. Human Security tracked agentic browser traffic in April 2026 and found Comet alone accounts for 48.12% of all agentic web traffic — year-on-year growth of 7,851%. The blocking rate on monitored networks was 8.2%. The vast majority of agentic sessions pass through undetected even on networks running detection tools.

Cloud Security Alliance and Zenity (April 2026) found 53% of organisations have had AI agents exceed their intended permissions, and nearly half have experienced a security incident involving an AI agent in the past year. Strata.io (May 2026) found only 23% have a formal strategy for agent identity management.

The average organisation runs 26 distinct AI applications (Nudge Security). Agentic browsers add an execution layer on top of that sprawl. The gap between what is happening and what IT knows about is structural, and it is industry-wide.

What does the Amazon v. Perplexity injunction tell enterprise security teams?

On 9 March 2026, the Northern District of California granted Amazon’s motion for a preliminary injunction, prohibiting Perplexity from using Comet to access password-protected sections of Amazon’s website. It was the first significant legal ruling placing real boundaries on agentic browser behaviour.

Amazon alleges Perplexity configured Comet to falsely identify its agent activity as coming from Google Chrome — posing as a human customer to bypass access controls. Identity spoofing. Perplexity executives were warned at least five times. Cloudflare independently documented stealth techniques to evade bot-blocking.

Digital Content Next (DCN) filed an amicus brief supporting Amazon in the Ninth Circuit appeal, joined by the Associated Press, BBC Studios, Bloomberg, the New York Times, and a dozen more publishers. Their concern: unregulated AI agent access undermines journalism and makes it impossible to distinguish AI from human audiences.

The lesson for enterprise security teams is operational, not legal. If Comet could operate inside Amazon’s password-protected environment as a disguised Chrome session, it can do the same inside your enterprise SaaS applications. Network firewalls and SSO cannot tell an agent session from a human session. This is the same attack surface described in the zero-click attack that illustrates the threat model behind the gap.

What does the CFAA question mean for companies that aren’t Amazon?

The Computer Fraud and Abuse Act (CFAA) is the primary US federal law prohibiting unauthorised access to computer systems. The open question before the Ninth Circuit: can an agent operating with valid user credentials still constitute unauthorised access?

The authorisation ambiguity is genuinely novel. The user authorised Comet to act on their behalf; Amazon never authorised Comet to enter its systems. The district court concluded Amazon was likely to succeed. Perplexity is appealing.

It gets more nuanced from an unexpected direction. LASST (Legal Advocates for Safe Science and Technology) partially supported Amazon at the district court but declined to refile at the Ninth Circuit — their concern being that extending CFAA liability to software accessing a website with a user’s own valid credentials raises significant questions about internet interoperability. There are better tools than the CFAA for building the accountability norms AI agents need.

For your organisation, the practical takeaway is straightforward: your systems could be accessed by agent sessions you never authorised, and your employees’ agentic browser use externally may create liability. Treat the CFAA boundary as unsettled and build governance policy accordingly.

What does the governance gap actually cover — and who owns it?

The governance gap spans four categories of agent capability — all currently uncovered or inadequately covered.

Session access (OAuth, MCP) — partial. OAuth audits exist but rarely cover agents. Owner: IT/Security.

Agent identity — none. Most access controls cannot distinguish a human session from an agent session. Owner: IT/Security and Legal.

Transaction authority — none in most SMEs. No policy governs whether an agent can submit, purchase, or send. Owner: CTO and Legal.

Data access scope — partial. DLP tools exist but are not agent-aware. Owner: IT/Security and Compliance.

The mechanism that widens the gap is excessive agency: agents interpret implied tasks as authorised. STAR Labs (Straiker) demonstrated this with a zero-click Google Drive wiper — a “check my email and complete my recent tasks” instruction, plus a crafted email, triggers a complete Drive deletion with no confirmation required. Indirect prompt injection is the attack vector: malicious instructions embedded in a document get processed and executed with no human in the loop. The full threat model is covered in the five attack categories a governance policy must address.

Only 21% of organisations maintain a real-time inventory of active agents. The gap is widest at the 50–500 person SaaS, FinTech, or HealthTech company where a developer may have wired Comet into a CI/CD pipeline before IT knew anything about it.

What must a practical governance framework actually govern?

A minimum viable agentic browser governance framework has five components. None requires a dedicated AI security team.

1. Sanctioned/unsanctioned classification — Publish an explicit list of approved agentic browsers and AI agents. Everything not on the list is unsanctioned by default. Update it quarterly.

2. Agent identity disclosure requirement — Any agentic browser must identify itself as an agent in its user-agent string. Identity spoofing is prohibited. The Amazon v. Perplexity case makes this legally significant: identity spoofing may determine CFAA liability.

3. Procurement approval threshold — AI subscriptions above $50/month, or any subscription with OAuth access to enterprise systems, require IT review before expense reimbursement. For teams without tooling, the finance team is your first line of detection: a recurring $200/month charge from perplexity.ai is a strong and specific signal.

4. OAuth scope limits — No agent may hold OAuth grants broader than the minimum required for its task. Scope review at agent onboarding and at 90-day intervals. Human-in-the-loop confirmation is required before any irreversible action — send email, delete file, submit transaction.

5. Agentic AI inventory — Maintain a real-time inventory: tool name, authorising employee, connected systems, OAuth scope, last reviewed date. Treat agent onboarding with the same rigour as new employee onboarding. Agents often bypass IT discovery entirely: a developer connecting an MCP server or a Salesforce user enabling an AI assistant introduces agentic capabilities without triggering procurement.
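As an added example, not code from the article or from any vendor named in it, the Python script below implements the review that components 1, 4 and 5 together call for: every inventory row is checked against the sanctioned list, against the minimum scope for its declared task, for human-in-the-loop confirmation wherever an irreversible scope is held, and for the 90-day review cycle. The sanctioned list, task names, scope strings and all grant records are constructed assumptions for illustration; a real run would read the rows from a Workspace or M365 OAuth export or from a SaaS discovery tool.

```python
"""Agent inventory review (added example): checks each AI-agent OAuth grant
against components 1, 4 and 5 of the framework: sanctioned list, minimum
scope, human-in-the-loop for irreversible actions, and a 90-day review cycle.
All names, scope strings and records below are constructed for illustration;
a real run would read them from a Workspace/M365 OAuth export or a
SaaS discovery tool."""
from dataclasses import dataclass
from datetime import date, timedelta

TODAY = date(2026, 5, 19)             # fixed so the example is reproducible
REVIEW_INTERVAL = timedelta(days=90)  # component 4: scope review every 90 days

# Component 1: the explicit approved list. Hypothetical choice for this example.
SANCTIONED_AGENTS = {"Agent 365", "Island Enterprise Browser"}

# Component 4: minimum scope per declared task. Task names and scope strings are
# illustrative conventions, not any vendor's real scope identifiers.
MIN_SCOPE = {
    "read-email-summaries": {"mail.readonly"},
    "file-search": {"drive.readonly"},
    "ticket-triage": {"tickets.read", "tickets.write"},
}

# Scopes that allow an irreversible action (send, delete, write, pay) and so
# require human confirmation before use.
IRREVERSIBLE_SCOPES = {"mail.send", "drive.write", "drive.delete", "payments.write"}


@dataclass
class AgentGrant:
    """One row of the component-5 inventory."""
    tool: str
    employee: str
    task: str                 # what the authorising employee said the agent is for
    scopes: set
    last_reviewed: date
    human_confirmation: bool  # does the agent pause before irreversible actions?


def review_grant(grant, today=TODAY):
    """Return the list of policy findings for one grant (empty list = compliant)."""
    findings = []
    if grant.tool not in SANCTIONED_AGENTS:
        findings.append("UNSANCTIONED: not on the approved agent list")
    required = MIN_SCOPE.get(grant.task)
    if required is None:
        findings.append(f"UNKNOWN_TASK: no minimum scope defined for '{grant.task}'")
    else:
        excess = grant.scopes - required
        if excess:
            findings.append("EXCESS_SCOPE: " + ", ".join(sorted(excess)))
    irreversible = grant.scopes & IRREVERSIBLE_SCOPES
    if irreversible and not grant.human_confirmation:
        findings.append("NO_HITL: " + ", ".join(sorted(irreversible)))
    age = today - grant.last_reviewed
    if age > REVIEW_INTERVAL:
        findings.append(f"STALE_REVIEW: last reviewed {age.days} days ago")
    return findings


def review_inventory(grants, today=TODAY):
    """Map 'tool/employee' -> findings for the whole inventory."""
    return {f"{g.tool}/{g.employee}": review_grant(g, today) for g in grants}


# Constructed inventory rows; only the product names come from the article.
SAMPLE_GRANTS = [
    AgentGrant("Perplexity Comet", "alice", "read-email-summaries",
               {"mail.readonly", "mail.send", "drive.write"},
               date(2026, 1, 10), human_confirmation=False),
    AgentGrant("Agent 365", "bob", "file-search",
               {"drive.readonly"}, date(2026, 4, 1), human_confirmation=True),
    AgentGrant("Island Enterprise Browser", "carol", "ticket-triage",
               {"tickets.read", "tickets.write", "mail.send"},
               date(2026, 3, 15), human_confirmation=True),
    # A Salesforce user enabling an AI assistant: never went through procurement,
    # and nobody declared a task for it, so there is no minimum scope to compare.
    AgentGrant("Salesforce AI assistant", "dan", "lead-scoring",
               {"crm.read"}, date(2026, 5, 1), human_confirmation=True),
]


def run_review():
    """Entry point used by the usage example below and by tests."""
    return review_inventory(SAMPLE_GRANTS)


if __name__ == "__main__":
    for key, findings in run_review().items():
        print(key, "->", findings or ["OK"])
```

The finding codes are designed to map onto owners from the table above: UNSANCTIONED and STALE_REVIEW go to IT/Security, EXCESS_SCOPE and NO_HITL to the CTO and Legal conversation about transaction authority, and UNKNOWN_TASK is the discovery failure the inventory exists to surface.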

No widely adopted AUP template exists as of May 2026. These five components are the structural starting point.

Which vendor products close which governance gaps?

Four product categories address different parts of the governance gap. The right choice depends on your existing stack.

Prisma Browser (Palo Alto Networks) closes the agent identity and session visibility gaps: differentiates human from AI identities in policy, captures navigation steps for audit, and can pause agentic workflows pending human verification. Prisma Browser as the enterprise governance response covers this in depth.

Island Enterprise Browser provides the broadest available coverage of agent action — a full browser policy layer at the application level. Best fit: organisations replacing Chrome as the default enterprise browser.

Chrome Enterprise Premium provides partial coverage — session logging and DLP — for organisations on Google Workspace.

Agent 365 (Microsoft, $15/user/month) is the lowest-friction entry point for M365 organisations. Generally available from 1 May 2026, it provides runtime threat protection and agent identity management through Entra Agent ID. The limitation: it does not govern non-Microsoft agents — Comet, Atlas — operating outside M365.

No single product closes all four governance gap categories. Agentic browser governance is an IAM problem, not an endpoint security problem — frame it that way before the board or CFO conversation.

Frequently asked questions

Is the Amazon v. Perplexity lawsuit relevant to companies that aren’t publishers?

Yes. The publisher context is incidental to the mechanism. If Comet could enter Amazon’s password-protected environment as a disguised Chrome session, it can do the same inside your enterprise SaaS applications.

What is the CFAA and how does it apply to AI agents?

The CFAA prohibits unauthorised access to computer systems. Enacted in 1986, it has been applied to web scraping, API abuse, and credential misuse. The Amazon v. Perplexity case asks whether an agent using valid credentials but spoofing its identity constitutes unauthorised access. The Ninth Circuit will set the precedent.

Can we block agentic browser traffic at the network level?

Partially. Network-level controls block known agentic browser domains, but identity spoofing makes agentic sessions indistinguishable from human sessions without application-layer inspection. Enterprise browsers (Island, Prisma Browser) provide the visibility that network-level tools cannot. For M365, Agent 365 adds session-level agent detection.

How do I tell if employees are using Perplexity Comet on company accounts?

Four detection methods, in increasing order of tooling required: (1) search expense reports for recurring $200/month charges from perplexity.ai — no tooling required; (2) audit OAuth grants in Google Workspace or M365 Admin for Comet authorisations; (3) inspect browser extension lists on managed devices; (4) use a SaaS discovery tool such as Nudge Security or Reco.
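Method (1), as an added example that is not part of the article: a Python script that reads a card-transaction export, reports any charge to the watchlisted merchant perplexity.ai, and goes one step beyond the method as stated by also surfacing any other merchant charged in consecutive months above the $50/month review threshold from component 3 of the framework. The CSV, the employee addresses, the amounts and every merchant name other than perplexity.ai are constructed for the example; the finance system's own export would take its place in practice.

```python
"""Expense-report detection for unsanctioned AI subscriptions (added example).
Reads a card-transaction export, flags charges to watchlisted merchants such
as perplexity.ai, and surfaces any other recurring monthly charge above the
framework's $50/month review threshold. The CSV below is constructed; a real
run would load the finance system's export instead."""
import csv
from collections import defaultdict
from io import StringIO

WATCHLIST = {"perplexity.ai"}   # merchant descriptors named in the article
REVIEW_THRESHOLD_USD = 50.0     # component 3: IT review above $50/month
MIN_CONSECUTIVE_MONTHS = 2      # charges in consecutive months count as recurring
SEVERITY_RANK = {"WATCHLIST": 0, "REVIEW": 1}

# Constructed sample export. Employee addresses, amounts and every merchant
# other than perplexity.ai are invented for this example.
EXPENSE_CSV = """date,employee,merchant,amount
2026-02-14,alice@example.com,PERPLEXITY.AI,200.00
2026-03-14,alice@example.com,PERPLEXITY.AI,200.00
2026-04-14,alice@example.com,PERPLEXITY.AI,200.00
2026-03-02,bob@example.com,Cloud Notes Pro,12.00
2026-04-02,bob@example.com,Cloud Notes Pro,12.00
2026-05-02,bob@example.com,Cloud Notes Pro,12.00
2026-01-20,carol@example.com,Conference Hotel,640.00
2026-04-09,dave@example.com,perplexity.ai,200.00
2026-03-05,erin@example.com,AgentWorks Cloud,79.00
2026-04-05,erin@example.com,AgentWorks Cloud,79.00
"""


def month_key(iso_date):
    """'2026-03-14' -> '2026-03'."""
    return iso_date[:7]


def next_month(key):
    """'2026-12' -> '2027-01'; used to test whether two months are consecutive."""
    year, month = (int(p) for p in key.split("-"))
    return f"{year + 1 if month == 12 else year}-{month % 12 + 1:02d}"


def longest_consecutive_run(months):
    """Length of the longest run of consecutive calendar months in `months`."""
    best = run = 0
    prev = None
    for key in sorted(months):
        run = run + 1 if prev is not None and next_month(prev) == key else 1
        best = max(best, run)
        prev = key
    return best


def find_suspect_subscriptions(csv_text):
    """Group charges by (employee, merchant) and month, then apply two rules:
    watchlisted merchants are always reported; any other merchant is reported
    only if charged in consecutive months above the review threshold."""
    by_pair = defaultdict(lambda: defaultdict(float))  # (employee, merchant) -> month -> total
    for row in csv.DictReader(StringIO(csv_text)):
        merchant = row["merchant"].strip().lower()  # normalise descriptor casing
        by_pair[(row["employee"], merchant)][month_key(row["date"])] += float(row["amount"])

    findings = []
    for (employee, merchant), monthly_totals in by_pair.items():
        recurring = longest_consecutive_run(monthly_totals) >= MIN_CONSECUTIVE_MONTHS
        peak = max(monthly_totals.values())
        if merchant in WATCHLIST:
            severity = "WATCHLIST"  # specific signal: report even a single charge
        elif recurring and peak > REVIEW_THRESHOLD_USD:
            severity = "REVIEW"     # generic signal: recurring and above threshold
        else:
            continue
        findings.append({
            "employee": employee, "merchant": merchant, "severity": severity,
            "monthly_usd": peak, "months": len(monthly_totals), "recurring": recurring,
        })
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["employee"]))


if __name__ == "__main__":
    for f in find_suspect_subscriptions(EXPENSE_CSV):
        print(f"{f['severity']:9} {f['employee']:20} {f['merchant']:18} "
              f"${f['monthly_usd']:.2f} x {f['months']} month(s)")
```

Two design choices matter here. A watchlisted merchant is reported on the first charge rather than after the second, because the $200 perplexity.ai charge is specific enough on its own, while an unknown merchant needs recurrence plus the threshold before it is worth an IT reviewer's time. Merchant descriptors are lower-cased before grouping because card processors are inconsistent about casing, which would otherwise split one subscription into two.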

Is there a template acceptable use policy for agentic browsers?

No widely adopted template exists as of May 2026. The Cloud Security Alliance and Nudge Security publish governance guidance, but no standard AUP exists yet. The five-component framework in this article is the structural starting point.

What is shadow AI and how is it different from shadow IT?

Shadow IT is unsanctioned software that creates data governance and licensing risk. Shadow AI is the same — but agents take autonomous action. An employee using a rogue SaaS app reads company data. An employee using a rogue agentic browser reads, modifies, sends, and deletes it. The risk categories are not analogous.

Who owns the governance risk when an employee uses an agentic browser outside IT procurement?

Operationally, the organisation owns the risk — OAuth grants issued to an agent using an employee’s credentials create authorisation exposure the organisation cannot disclaim. The authorising employee is accountable for the agent’s actions; the CTO for the policy framework; IT and security for the audit capability that makes enforcement possible.

Should agentic browser governance be in my endpoint budget or a separate line item?

It is an IAM problem, not an endpoint problem. The right framing for a board or CFO is a new “agent governance” budget category alongside IAM.

What does Agent 365 actually govern in a Microsoft 365 environment?

Agent 365 covers Copilot agents and third-party agents registered in M365: OAuth scope limits, human-in-the-loop confirmation, activity logging, and blocking unsanctioned agent connections. It does not govern non-Microsoft agents — Comet, Atlas — operating outside M365.

What is a scope violation and how common are they?

A scope violation occurs when an agent takes an action the authorising user did not explicitly sanction. CSA and Zenity (April 2026) found 53% of organisations have experienced at least one scope violation, and nearly half have experienced a security incident involving an AI agent in the past year.

How do I classify whether an agentic browser action is sanctioned or unsanctioned?

Three criteria: (1) was the tool approved through IT procurement? (2) does the OAuth scope match the minimum required? (3) did the user provide explicit instruction for each high-impact action, or did the agent infer it? Any “no” or “unknown” means unsanctioned pending review.

What is the Ninth Circuit appeal about and when will it be resolved?

Perplexity is challenging the 9 March 2026 preliminary injunction granted to Amazon. The core question: does agent activity with valid user credentials but identity spoofing constitute “unauthorised access” under the CFAA? Circuit court appeals take 12–24 months. Build governance policy as if the boundary is unsettled.

The governance gap is not waiting for the Ninth Circuit to close it. The traffic data, the scope violation statistics, and the STAR Labs and Zenity research describe something already happening in production environments — at scale, without IT visibility, and without the policy frameworks to constrain it. Every month without a governance policy is a month where an agent operating under an employee’s credentials can act, undetected, across every system that employee can access. For the complete series, the agentic browser overview links to the in-depth article for every question raised here.
