– I am a longtime community college writing instructor in the San Francisco Bay Area. I’ve written an OER textbook on writing and went on AI, and I got involved early on curating resources and leading workshops and being in discussions on social media around AI and education. So, I’m here today to talk about uses and abuses of AI agents, specifically agentic browsers in education. And I really am planning just to offer a quick overview of where I think we are as an educator watching the space and experimenting, not as a technical expert. And I’m hoping more and more people will be sharing and discussing this just with a sense of urgency and curiosity as well as caution. It’s changing very quickly.

So, first, I just wanna kind of clarify what I’m referring to here as an AI agent. That term gets used in a lot of different ways. And so, I’m not talking so much today about custom chatbots because there’s been a lot of discussion of that. So, a chatbot with special instructions in Microsoft 365 or a custom GPT or PlayLab, that often gets called an agent, but today, I wanna talk about kind of a newer development, which is specifically systems that do more than chat. Agentic AI browsers will actually take actions on our behalf online. They move around digital environments. They do things that a human would normally do. They’re designed to behave like a personal assistant or a coworker with more direct action. So, this basically looks like a combination of a browser and a chat bot, but the chat bot can take control of the browser. So, it looks usually like an alternate version of Chrome, or now it actually could be Chrome, because Chrome just got this capability January 28th, and there’s a chat window next to the browser, and this AI system can see whatever is on the webpage or whatever is in the HTML of the webpage. And it can move the cursor, it can click, it can fill out forms if the user grants permission. And the user can specify levels of access and permission. And this is sort of it’s not new, but it’s newly easy to access. We’ve seen systems like this coming out for a couple of years, but it’s really since Fall 2025 when Perplexity offered its Comet browser free to students, and later free to the public, that this became more widely known and easier to use. We saw OpenAI offer ChatGPT Atlas browser, Anthropic offer a browser extension called Claude in Chrome, and those were at the $20 a month level in the Fall. And then as of a couple weeks ago, Google has offered this for free in Gemini, which I just learned today, so I’ve been learning and adjusting my slides right up to the last second here.

So, I wanna just show you what this looks like if you haven’t seen a demonstration. I’ve done a few tests, and in this one, I have ChatGPT Atlas browser while I’m logged into a personal free account. This is not my institution’s learning management system, but it is Canvas Learning Management System. I’m logged in on this personal account where I’ve joined as a student to a public course. And here in the browser, in the sidebar, I’ve asked the agent to take a test. And it is narrating its actions. And you see that in this case, there’s no hesitation, there’s no reference to academic integrity. There’s variability. In some of these tests, you see refusals. Sometimes the refusals are easy to overcome, sometimes they’re not. But most of my tests have shown very little barrier. The agent is just doing it. It’s moving that cursor, it’s clicking the test questions, it’s gonna submit the quiz, and it’s narrating as it goes. I could take over if I want, but I could also walk away and do something else, and I wouldn’t even know what had been on the test, right? So, it is going to submit this quiz, and I think it gets five out of six. It actually misses one, so that’s kind of a funny warning. Yes, they do still make lots of mistakes. So, obviously, you know, we’ve gotta decide what we do about this. If we don’t know if it’s the student or a bot, we can’t assess learning in these online environments.

So, could we know by looking at some learning management system logs if it was the agent or a student? It seems that that’s not likely to work. Cornell’s Center for Teaching Innovation has said that faculty will not find evidence of academic dishonesty in Canvas logs. That this form of cheating is nearly impossible to detect through Canvas monitoring. And Canvas itself has said that quiz logs should not be used to validate academic integrity or identify occurrences of cheating. Now, could a learning management system block these AI agents from completing learning activities on the student’s behalf? You might think they could, but it seems pretty questionable. Blackboard has said that they are not able to do that, that it’s not possible in a blog post. I don’t know if that’s their final word. Canvas spokesperson has said that they are researching approaches for institutions and faculty to manage this, discussing the challenges with OpenAI, but they have also referred to partners in lockdown browsers and seem to suggest that they don’t see a direct way to block this.

So, a lockdown browser is sort of, you know, a software that requires the student to take the test in a separate app, or it blocks extensions, like the AI agent. And this is just different from any video monitoring. It doesn’t include video monitoring. And it does seem that lockdown browsers would sort of block this kind of direct auto completion. A number of institutions like Colorado State University, Cornell, and University of Missouri have recommended these lockdown browsers as kind of a stop stopgap measure to prevent agentic AI auto completion. Of course, students can have another device where they are accessing AI as they use the lockdown browser. So, this doesn’t prevent all AI cheating, but it would prevent the direct auto completion where the student is taking the test. Could we see cybersecurity software that could block these agents from learning management systems? People are researching this, so Lonestar College professor Tim Mousel sort of cooked up his own system that did successfully block some of these agents. And I think not Perplexity Comet, but he’s developed a framework based on that. I know that my community college system chancellor’s office is exploring piloting solutions with cybersecurity partners. So, this is an open question, but it’s not straightforward. However, I think what could be straightforward would be AI companies telling their systems, “Do not complete learning activities in learning management systems on a student’s behalf.” Right? It’s actually could be very, very simple. Their systems know when they’re in an LMS and they could simply refuse to fill out forms in there.

So, I’ve made an argument for this, and that would do a lot to reduce this kind of direct auto completion. That means learning loss, right? Or to make it less tempting. Don’t let the big platforms do it. However, we’ve gotta acknowledge that even if those big companies told their agents not to take tests or assessments, you could still have open source, open weight, smaller companies, even individuals making systems that run on their own machine that are perfectly willing to cheat. And that would not be too difficult these days with vibe coding. So, you know, this wouldn’t be foolproof. An interesting project in this regard. One approach is to systematically test these systems as they release updates and just see, are they willing to cheat? How willing are they? Do you have to push them? Do you have to pretend that you’re doing it for practice? And this is David Wiley’s idea, he’s an open education leader, and he has just launched this cheatbenchmark.org, and has put out a manifesto, if you’re interested and willing to sign it, that would be wonderful, just to sort of establish a benchmark and a leaderboard that no company wants to lead, hopefully, at least not publicly, to show, you know, some transparency here. Are these systems willing to cheat? Are they willing to masquerade as students, right? Because it is a form of fraud. They’re passing themselves off as a student in an authenticated session.

So, I, you know, have worked with on this task force of the Modern Language Association, where we put out a statement that was approved by the executive board calling for collaboration, cross-sector collaboration, learning management system providers, lawmakers, AI developers, and educators and educational institutions to work together to block this kind of sort of unnecessary direct academic fraud. So, that’s kind of where I’m coming from. And in part, it’s because, you know, I feel strongly along with Jory Hadsell, a community college leader who has put out a strong message recently that we cannot give up on online learning. We cannot allow the value of those degrees to disappear because this is often the path to social mobility for working adults and marginalized learners, this is access to education, and it doesn’t make sense to just abandon it.

So, you know, I’m going quickly, but I wanted to pause and just ask you to weigh in in a Mentimeter. Oh, I need to put that link in the chat. One second. Let me grab the link and put that in the chat for you. You can also scan the QR code or type in menti.com and enter 7308 7355. So, first, there’s a multiple-choice question of like, which approaches do you think are worth even trying here? And then there’s an open-ended, you know, what else do you wanna share or try? And I see there’s a lot going on in the chat, and yes, I think there are a lot of concerns with lockdown browsers about perpetuating inequities, tech literacy, accessibility, and I think we need to look at that. I don’t see them as a great solution, but I just wanted to sort of show that they can do some direct locking of this kind of thing. And yeah, about the cheat manifesto, I think the idea is to create public pressure on the companies by sort of having a more rigorous way to independently test whether their systems will cheat and to publicize that. My hope is that we’ll see a lot more journalistic coverage of this because we did see Google roll back a previous sort of homework help feature that was over-helping. They buried it, so they made it less obvious, but there was some progress there because of coverage in the Washington Post by Geoffrey Fowler. So, that’s one avenue that I think that cheat manifesto could help with.

Okay, so let me just briefly show the Mentimeter. And yeah, thanks for participating. Of course, you know, the first one is designed for intrinsic motivation, and I would say that’s absolutely the first most important, most powerful approach. I just don’t feel like it’s enough, you know? I had a rough semester already teaching online, doing everything I could. It was okay, we made it, there was learning happening, but it was challenging, even without the challenge of agentic browsers. And so, I just feel like we have to do a lot more. We can’t just redesign pedagogy, even though we need to do that. And it helps and it works, but it’s not enough. So, that’s interesting that that’s number one on this list, but people are also saying we should pressure the LMS companies as the second most. And then in-person proctoring. You know, I’m starting to consider with online courses, do we need to combine with some in-person proctoring? Of course, that raises concerns about access that I just mentioned. But these are all sort of strategies, I think, we have available.

So, thank you for that. I wanna make sure that I do cover what I promised to cover, so I’m gonna kind of go on and I will share the results in the slide deck after so you can continue to reflect on those. But I wanted to talk about this idea of, okay, now we know about this challenge to academic integrity, but what about our own use? Should we be considering using AI agents or should we only see them as a threat to learning? And I do wanna make a case that there are some good reasons to try these systems as well as good reasons not to. But I would argue that this is a powerful tool that changes work paradigms, it makes things possible that were not before. And I do see it as akin to, you know, the advent of ChatGPT or the rise of the computer or the rise of the internet. It’s a new way to interact with computing systems, and we do, I think, need to really get it experientially in order to help us guide students and establish guardrails. And I also think it can be useful. So, there was just a podcast, the New York Times “Hard Fork” technology podcast about this, and Kevin Roose said, “I worry that in the world where this stuff does actually continue to improve, where it’s not just productivity theater, if people aren’t even aware that these tools are out there, that people who are using them are getting some benefits from it, I just worry that they’re going to get left behind.” Of course, that’s always, you know, possibly hype, right? There are a million reasons to be aware of these systems.

So, they are known to have many security and privacy risks, so, you know, one that OpenAI has said is not likely ever to be fully solved is called prompt injection, and that is where you have a website that hides some malicious instructions that only the AI agent is going to read, and it basically redirects the agent to do things like harvest data or make changes or get your bank account number or, you know, introduce a virus and hold your hard drive ransom. So, you know, this company has said there is no perfect fix for this type of attack. And very simply, you know, whatever is in that site is shared with the company, the AI browser company, and so that’s also a privacy concern. And also another quote from “Hard Fork,” Casey Newton said, “Like when you free solo a giant skyscraper, there is some risk involved with installing an AI agent into your main machine.” Now, he was talking about something beyond AI browsers. He was talking about the Clawdbot/Moltbot/OpenClaw phenomenon, which is sort of a system that has full access to your computer as well as your browser. I’m not even going there at this point, but, you know, I think the quote still holds even for AI browsers. It’s very risky. And it’s great that these institutions have sort of taken leadership in putting out summaries of risks and cautions for faculty. University of Tennessee, University of Missouri, Indiana University have some great pages sort of with specific guidelines, cautions, and links. And specifically for education, the concern is that they can capture elements of student records, internal messages, advising notes, research datasets, all kinds of institutional data that we’re not legally allowed to share and that we shouldn’t be sharing, right?

So, there’s one really simple rule, which is, we should not, at this point, give them access to our institutional accounts. We shouldn’t be logged into Canvas or any institutional system and then be asking a browser agent to do things for us, unless maybe we were given explicit permission by the institution for some kind of pilot project with some kind of safeguards. I don’t know. But it’s pretty clear that, you know, we are prohibited from sharing access to our work accounts. That is in almost every acceptable use policy. And I’ve linked to sort of an authoritative template from the SANS Institute, and that can pretty clearly be applied to sharing it with these agentic browsers. We’re not allowed to do it. So, as I said, it could compromise sensitive data, it could expose our accounts to malicious attacks, and very likely, it will do things by mistake without any malicious intention that, like, it could just delete a whole bunch of stuff, right? But if we want to experience these systems, what might be some possibly legitimate better ways? So, if we’re using them when we’re not logged into accounts, like a meeting polling system like WhenIsGood, if we set them to ask permission before acting, set them to ask before accessing new websites, so hopefully we won’t let them go to websites that are likely to have malicious prompt injection instructions, if we’re using them with personal accounts, like a free trial Canvas account like I mentioned.

This is the kind of thing I’ve been trying. I have found that Perplexity Comet, Claude for Chrome, and ChatGPT Atlas are still fairly clunky, slow, not trustworthy, but they have still been useful to me, modestly useful. So, one made a meeting poll, one looked up and summarized my colleague’s teaching schedules through the college’s schedule web app, so it wasn’t something that the chat bot could do by browsing. It was something I had to use the browser extension for. And so, that’s one use, is, you know, if it’s something that your chat bot won’t do, maybe the browser extension or the browser will be able to. And I’m sorry I’m not able to keep up with the chat right now, but I just wanna make sure I do share with you what I’ve got. I just discovered today the wonderful Liza Long, OER textbook author and AI sort of public intellectual, I don’t know, thought leader. She shared a workflow for fixing accessibility in her OER textbooks or in anyone’s. And she describes all the challenges with working out a good process for that, and so she notes that when she first tried to do it, this agentic browser was making all kinds of changes to her textbook that she had not asked for, so she had to work out a system where she was more micromanaging and verifying a lot more and structure it so that verification was possible. Michelle Kassorla is another leader who’s really been experimenting. She used a agentic browser to fill out a required Google form about her syllabus, so that was public data in a public form, and she has a whole guide to agentic AI for higher ed professionals.

Joel Gladd has shared sort of ‘how to’ – if you’re ready to – vibe code, you could actually use Claude Code or Codex to make some big changes to your online courses, not even through the browser, but through the API. And this is probably more efficient and more effective, but it does require you to have some enterprise protection and permission from your institution and some willingness to look at coding and kind of think about coding environments. I’m not quite there yet, but I’m hoping to try it. And then I would just note that it’s getting more and more common to be able to connect any chat bot to a lot of your other services like email, calendar, now your hard drive through Claude CoWork. So, that’s another way in which we’re seeing this feel more like working with a personal assistant if we’re giving permission for access to those workspaces in which we function. So, it’s always a good, you know, idea to ask whether it’s worth it to even try and experiment with an agentic browser. Often it’s not. It’s hard to gauge how much time it might save, how much time and energy it’ll take to manage and check the agent. How much do we need the psychological sense of support that it might give? Could we get that fulfilled in some other way? Very difficult and requires experimenting. And I love that Casey Newton on the podcast said, “Honestly, it just does not enable that much new stuff. It’s not that clear to me that this is gonna help me in my life.” But he also said he thought it’s a compelling vision of the future. “What if instead of having a bunch of apps on your computer, there was just a genie who lived inside your computer?” So, you know, you talk to it and it does things for you. So, that’s really what I have. I wanted to invite you to weigh in on what you would like to be able to try if privacy and security were taken care of and what you will actually try. So, you can use the arrow in the same poll to go to that next question, or it’s the same link. We can repost that Mentimeter link. And then I’m happy to answer questions. I don’t know if, Niya, if you wanna tell me any high priority questions?

– [Niya] Yeah resources.

– Yeah.

– Yeah, so we have two questions in the Q&A. One is from Merrill that says, it’s about the AI agent, “Does this agent only do multiple choice questions or how adept is it in short answer or essay question quizzes and exams?”

– Yeah, it will do anything. Like, it will fill out any form, and everything in online learning is a form, right? So, yeah, it will write as well. Yeah, and I’ve tested that too. I have some videos up on my YouTube channel of it posting to a discussion forum as if it were a student making things up of introducing itself, yeah.

– [Niya] Okay, thank you. Another question from Karen. “First off, thank you for all that you’re doing. Second, do we know how the agents handle links to external documents such as putting a Google Doc template assignment into the LMS?”

– I mean, it’s a browser, so it could follow any link, but if it gets to a point where it needs a login, then it would ask the user. Like, you know, if you have an assignment that involves a Google Doc template, then the browser’s trying to do that assignment, it goes to the Google Doc, and it might then say, “Okay, in order to do this, I need to be logged into a Google account.” And at that point, it just stops and asks the user, and the student might log them into their Google account, and it would continue. That’s my understanding. I haven’t tested that specific thing, though. Yeah.

– [Niya] Okay. Do we have time for one more?

– Sure.

– Yeah.

– I can stay a few more minutes if, you know, but I don’t wanna run over if folks need to go. Yeah.

– Okay. So, from Adam, “Do you have to prompt the agentic AI to act or is it free to change anything it pleases? How can we or can we limit its actions?”

– So, all of these browsers have different levels that you can set it to, different levels of permission, and you can go in and out of a mode where it can act, and you can tell it, like for example, not to act at all or only to, say, summarize the pages you’re on. Or you can give it permission to act and you can give it permission only on certain websites and not others. You can tell it to ask you before acting. So, you have a lot of choices and, you know, that’s a question of user interface, but I think almost all of these options have different settings you can explore that are important to explore. And yeah, I do think it has more environmental impact. That uses a lot of tokens, these agent systems. And we should still compare that, I think, to things like streaming media. I don’t think there’s good research out on it yet, but I did note in Liza Long’s Substack post that she noted how incredibly token hungry it was working with an agentic Claude system. So, yeah. And I just wanna invite folks to continue the conversation on, you know, LinkedIn, Bluesky, Substack, wherever you wanna contact me. And I did come up with this slide deck myself, though. I used AI for research assistance and a little bit of formatting. Thank you so much for coming, and I’m gonna save the chat and go through it ’cause I know there were a bunch of great resources shared, and maybe I can put some of those into a final slide so you could still have access to that later.

– That would be amazing, Anna.

– Thank you so much for having me. I learned so much in just preparing for this.

– Well, thank you so much for your time. It was an awesome presentation and discussion. It was an awesome chat, so thanks to everyone for being so active and involved, and we hope to see you again at the next one.