Picture this: You ask an AI to buy you a new outfit for your holiday party. Simple enough, right? But what if that AI accidentally ends up on a phishing website and sends your credit card details to cybercriminals? This nightmare scenario is exactly why OpenAI, the company behind ChatGPT, is taking its time to release its AI agents, even as competitors race ahead.

While 2025 is being dubbed the year of AI agents, with Google’s Project Mariner and Anthropic’s Claude already offering computer control features, OpenAI’s notable absence from the scene has raised eyebrows. A recent Bloomberg report sheds light on why the AI powerhouse is proceeding with caution.

The heart of the matter lies in a cybersecurity concern called “prompt injection attacks.” These attacks can trick AI models into ignoring their original instructions and following malicious commands instead. It’s like having a very capable but naive assistant who might be too trusting of strangers — except this assistant has access to your sensitive information.

The scale of this challenge becomes clear when you consider ChatGPT’s massive user base of hundreds of millions. Even if only 2% of AI agents fell victim to such attacks, that could mean millions of compromised users. For OpenAI, whose brand has become synonymous with AI excellence, such risks are unacceptable.

The company is instead focusing on developing a more controlled solution — a general-purpose tool that operates within the safety of a web browser. This approach mirrors Google’s Project Mariner, which demonstrates how AI agents can safely perform tasks like researching companies and finding contact information, all while staying within predetermined boundaries.

Anthropic’s experience with Claude offers valuable lessons. When they released their computer-control features, they recommended specific safety measures: using dedicated virtual machines, limiting internet access to approved websites, and requiring human confirmation for significant decisions like financial transactions.

The nature of AI models themselves further complicates the challenge. These systems can sometimes interpret text within images, which creates another potential vulnerability for prompt injection attacks. What’s more, the same instruction might produce different results from one user to another, making it harder to identify and fix security issues.

Despite these challenges, OpenAI isn’t standing still. While they might not be first to market, their cautious approach reflects a deeper understanding of the risks involved. When they do release their AI agent, likely accompanied by an impressive demonstration, it will probably feature robust safety measures to protect users from the invisible threats lurking on the internet.

The delay might be frustrating for some, but in the world of AI, where a single mistake could affect millions of users, perhaps being fashionably late is better than arriving at the party with security vulnerabilities. After all, when it comes to handling sensitive user data, it’s better to be safe than sorry.