AI Browser Extensions: The Hidden Security Risk No One Is Talking About
Summary
AI browser extensions - writing assistants, translation tools, meeting summarizers - are already installed on millions of devices across European businesses. A major new report reveals they are significantly more dangerous than ordinary software: they have direct access to everything users type and see, yet they remain invisible to most security systems. This article explains what the risk means for companies and individuals in Europe, and what practical steps can be taken right now.
One in six employees in a business already uses at least one AI browser extension - and most IT teams have no idea. That is the sobering finding of a major report published in April 2026 by security firm LayerX, which analysed browser extension usage across enterprise environments worldwide. For companies and public institutions across Europe, the findings carry serious implications.
Browser extensions are small programs that run directly inside a web browser - Chrome, Firefox, or Edge. They can improve writing, translate pages, store passwords, or summarise meetings. What sounds convenient hides a significant risk: these programs sit inside the browser itself, with direct access to everything users do there. They can read typed content, access stored credentials, and transmit data in the background - often without anyone noticing.
What Makes AI Extensions Particularly Risky?
The LayerX report demonstrates that AI extensions carry substantially greater risks than other browser add-ons. They are 60 percent more likely to contain a known security vulnerability. They are also three times more likely to have access to browser cookies - small data packets that store login information and session data. Anyone with access to those cookies can potentially enter accounts without knowing the password.
The permission structures of these tools are especially concerning. AI extensions are two and a half times more likely than standard extensions to execute scripts inside the browser, meaning they can run their own code on a device. This opens the door to data extraction or silent redirection to fraudulent websites. Compounding this, around 60 percent of enterprise users have at least one AI extension that expanded its permissions within the past year - often without any active consent from the user.
For European organisations, the issue has an additional regulatory dimension. The General Data Protection Regulation (GDPR) requires companies to control and document how personal data is handled. When an AI extension quietly accesses customer data, internal documents, or login credentials, that can constitute a GDPR violation - carrying significant financial penalties. Businesses in Germany, Austria, and Switzerland, subject to particularly strict regulatory frameworks, face elevated exposure.
The Invisible Problem: Extensions That Bypass Security Controls
What makes this threat especially dangerous is that browser extensions simply do not appear in most security systems. Conventional protection tools scan network traffic, endpoints, and cloud services - but not what happens inside the browser. AI extensions generate no alerts in security software, appear in no standard audit logs, and are typically invisible to data loss prevention systems.
The scale of the problem is already significant. According to the report, 99 percent of enterprise employees run at least one browser extension, and more than a quarter have ten or more installed. Yet most IT departments cannot reliably answer basic questions: which extensions are in use, who installed them, and what data they can access.
The situation is further complicated by the fact that extensions change over time. A tool considered safe today can request new permissions with the next update - or change ownership entirely. Around 40 percent of all extensions have not received an update in more than a year, suggesting poor maintenance and potentially unpatched vulnerabilities.
Real-world examples from Europe illustrate the exposure clearly. A tax advisory firm in Munich using an AI formatting extension might be unaware that it is quietly accessing sensitive client data. A hospital in Vienna whose staff use a browser-based translation tool for patient records may not know that data is being routed to servers outside the EU.
What Organisations and Individuals Can Do Right Now
There are concrete steps that reduce the risk immediately. Organisations should start by conducting a full inventory of all browser extensions in use - across all devices, including personal laptops used for work. Clear policies should then define which extensions are permitted and which are not. Extensions that lack privacy policies, have very low user numbers, or show no recent updates should be treated as higher risk.
For individuals, the rule of thumb is straightforward: always check the permissions a new extension requests before installing it. Does a simple writing assistant really need access to all website data and browsing history? If in doubt, do not install it - or remove it immediately after testing. Unused extensions should be deleted regularly.
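As an added example (not taken from the LayerX report or the original article), the inventory and permission check described in the two paragraphs above can be sketched in Python: the script reads each installed extension's manifest.json and flags the permissions this article singles out. The risk labels and the sample manifest are constructed for illustration, and the directory layout assumed is Chrome's Extensions/<extension id>/<version>/manifest.json.

```python
import json
from pathlib import Path

# Permission names from the Chrome extension manifest format, mapped to the
# risks named in the article. The labels are this example's own wording.
RISKY_API = {"cookies": "cookie access", "scripting": "script execution",
             "history": "browsing history"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
PERMISSION_KEYS = ("permissions", "optional_permissions",
                   "host_permissions", "optional_host_permissions")

def audit_manifest(manifest: dict) -> list[str]:
    """Return the sorted risk labels for one parsed manifest.json."""
    declared = set()
    for key in PERMISSION_KEYS:
        declared.update(p for p in manifest.get(key, []) if isinstance(p, str))
    risks = {label for perm, label in RISKY_API.items() if perm in declared}
    scripts = manifest.get("content_scripts", [])
    if scripts:  # statically injected scripts also run code in visited pages
        risks.add("script execution")
    for entry in scripts:
        declared.update(entry.get("matches", []))
    if declared & BROAD_HOSTS:
        risks.add("all-site access")
    return sorted(risks)

def scan_extensions(root: Path) -> dict[str, list[str]]:
    """Inventory every <root>/<extension id>/<version>/manifest.json."""
    report = {}
    # If several versions are on disk, the last one in sorted order wins.
    for path in sorted(root.glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            manifest = None
        if isinstance(manifest, dict):
            report[ext_id] = audit_manifest(manifest)
        else:
            report[ext_id] = ["unreadable manifest"]
    return report

# Constructed sample: a "writing assistant" requesting far more than it needs.
SAMPLE = {"manifest_version": 3, "name": "Example AI Writer",
          "permissions": ["cookies", "scripting", "storage"],
          "host_permissions": ["<all_urls>"]}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```

Pointing scan_extensions at the Extensions directory of a browser profile gives a per-extension list that can be compared against an allow-list and re-run after updates to spot newly expanded permissions.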
At the European policy level, awareness of this issue is growing. Under the NIS2 Directive, which has applied across the EU since 2024, organisations in critical sectors are already required to maintain oversight of their entire software landscape. Browser extensions should be explicitly included in that scope.
Conclusion: AI in the Browser Is Not a Comfort Issue - It Is a Security Issue
The rapid spread of AI extensions in browsers reflects how quickly new technologies enter working life - often faster than security frameworks can respond. What looks like a convenient productivity tool today can become a gateway for data breaches or cyberattacks tomorrow. European organisations that take their digital security seriously should scrutinise browser extensions with the same rigour applied to any other software - and act before the damage occurs, not after.
Sources:
LayerX Security - Browser Extension Security Report 2026 (published via The Hacker News, April 2026): https://thehackernews.com/2026/04/browser-extensions-are-new-ai.html
LayerX Security - Full report: https://go.layerxsecurity.com/browser-extension-security-report-2026
