To help journalists better understand the risks of artificial intelligence and set boundaries around which AI systems and tools make sense to use, adjust, or avoid, we’ve put together a series of guides on the most common ways in which you, and your sensitive data, are likely to interact with AI.
In the first part of this series, we outlined safety considerations for using stand-alone AI tools, like dedicated chatbots and transcription apps. Our second guide tackled AI enhancements to existing tools.
Next up: AI agents and operating system integrations.
AI agents
If you’ve listened to a podcast or watched TV recently, you’ve probably heard an advertisement touting the benefits of AI agents, software that simulates a person controlling another piece of software on your behalf.
Perhaps the most widely accessible example of agentic AI comes in the form of agents in your web browser. In addition to dedicated AI-enabled browsers like ChatGPT’s Atlas, AI agents are increasingly showing up in traditional browsers like Chrome and Edge as well.
These types of AI agents offer a number of options for journalists looking to streamline their work, including automating research and public source discovery, compiling materials to prepare for interviews, and conducting real-time monitoring and alerting on a particular topic or beat. While these and other possibilities may be enticing, they also introduce a number of significant risks.
Most AI agents need permission to browse the web in the same way you would — navigating and reading sites, clicking links, filling forms — to do work on your behalf. The agents will also often request access to other accounts and sensitive data, such as your email, calendar, and credit card information, to perform tasks like scheduling meetings, sending messages for you, and booking travel.
Depending upon the terms and conditions of the agents (or bugs in their code), they may even have access to data and systems that you would naturally assume to be off-limits. This expansive access deepens the data privacy and security risks of other forms of AI outlined in the previous guides in this series.
Given the wide-ranging ability to act independently, an AI agent also introduces an increased risk of escaping the boundaries of the “sandbox” established to constrain its behavior and data access. This escape can occur organically, as an agent pursues its objective through unintended pathways, or it can occur through prompt injection — a type of attack in which a website, message, or other piece of data that an AI system comes across is maliciously crafted to trick the AI into taking an undesired action.
Prompt injections can have a particularly strong impact when targeted at AI agents, because agents often have access to private data, the ability to externally communicate, and exposure to untrusted content. Such an attack can trick agents into exposing sensitive data, and potentially direct actions like downloading untrusted software, posting on your social media pages, or making purchases without your consent or awareness.
Unfortunately, prompt injection is not a solved problem, and likely won’t be anytime soon (if ever). So journalists should avoid the use of AI agents on any devices or networks that access, share, or store highly sensitive information.
Companies like Anthropic, Google, and OpenAI have made progress in reducing the potential for successful prompt injection attacks in their underlying models and AI platforms. So if you have a lower-risk profile and are interested in using an AI agent, make it one that follows industry best practices and clearly states its approach to addressing these evolving threats.
Of course, never grant an agent access to systems that contain private information that you wouldn’t want a service provider to see, and don’t connect any accounts that, if abused, could cause you serious reputational harm.
Operating system integrations
Operating system AI integrations are becoming the new default through Apple Intelligence on Macs and iPhones, Copilot in the latest Windows computers, and Gemini on many newer Android devices. Much like the agents described above, these integrations offer journalists an enticing opportunity to automate a wide range of regular tasks. That said, they also present the same risks. So, if you’re handling highly sensitive data on your device, we’d similarly suggest avoiding these integrations wherever possible.
Depending on your operating system, you may be able to disable OS integrations relatively easily. You can disable Apple Intelligence on iPhones and Macs, and there are some steps you can take to claw back Copilot’s access on Windows computers. However, not every operating system will make this choice straightforward. Google’s Gemini, for example, is near-ubiquitous in its services. Check out this article for a breakdown of why turning off Gemini on Android is, unfortunately, much more challenging.
Where this data ends up, and the risk of unauthorized third parties gaining access to it, depends upon your device. Apple Intelligence is built into iOS and MacOS so that most basic queries do not leave your device. While more complex queries do leave your device, Apple says it uses its Private Cloud Compute to shield this data from itself (and any third parties that might request such data). Given this approach, there is relatively limited risk of Apple Intelligence exposing your data directly to Apple.
Unfortunately, that is not the case for Copilot on Windows and Gemini on Android, which both share significant amounts of data to cloud servers accessible to Microsoft and Google, respectively.
Intent on making use of these, or other, forms of AI in your journalistic work, but still have questions about how to do so safely? Feel free to reach out to our team with any questions.
And check out the other pieces in this series on stand-alone AI tools and AI enhancements to existing tools.
