Saved February 14, 2026
Do you care about this?
This article explains how AI agents can follow web links without exposing user data. It focuses on preventing URL-based data exfiltration through a check that asks whether the exact URL already appears in an independent public web index (not merely whether the site is reachable). URLs that are not already public are not fetched silently; the user is shown the link and asked to confirm, so they stay informed and in control.
If you do, here's more
AI systems are increasingly taking actions such as opening web pages or following links on a user's behalf, and these actions carry privacy risk. One major concern is URL-based data exfiltration: an attacker induces the agent to request a URL that has the user's private information encoded into it, for example in the path or the query string. The instruction to build such a URL typically arrives through content the agent reads (a web page, a document, an email) rather than from the user, and the URL can be made to look benign, say a known domain with an extra parameter appended. When the agent fetches it, the attacker's server records the request, and the data leaves with it. Because the fetch can happen in the background, the user may never see that it occurred.
To mitigate this, OpenAI is moving beyond "trusted site lists", which do not stop the attack: a trusted domain can host a redirect or an endpoint that logs whatever query string it receives, so the leaked data still reaches the attacker. Instead, the check asks whether the exact URL has already been seen and verified as public by an independent web index. If the URL is present in that index, it can be fetched automatically; if it is not, the agent must ask the user to confirm before fetching. The reasoning is that a URL which already existed in a public crawl cannot have been constructed from this user's private conversation. The check is therefore on the exact URL rather than the reputation of the site: a URL on a well-known domain with a never-before-seen query string is still unverified and still requires confirmation.
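The following is an added example (not OpenAI's code, and not a description of its index) that shows the shape of the two checks contrasted above: a domain allowlist and an exact-URL match against a public index. The index here is a constructed in-memory set of hypothetical URLs standing in for the independent web index, and the canonicalization rules are my own assumption, since the page does not say how URLs are normalized before lookup. The example also builds the kind of URL an injected instruction would have the agent request, so the reader can see which check catches it.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode

# Constructed stand-in for an independent public web index (hypothetical URLs).
PUBLIC_INDEX = {
    "https://docs.example.com/guide/install",
    "https://docs.example.com/guide/install?lang=en",
    "https://news.example.org/2025/01/agents",
}

# A domain allowlist of the kind the text calls a "trusted site list".
ALLOWED_DOMAINS = {"docs.example.com", "news.example.org"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonicalize(url: str) -> str:
    """Normalize only the parts of a URL that cannot carry data: scheme and
    host case, a default port, and the fragment (never sent to the server).
    Path, query and any userinfo are kept exactly as given, because those are
    precisely where exfiltrated data would be encoded. (Assumed rules.)"""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port  # raises ValueError on a malformed port; let it propagate
    userinfo = ""
    if parts.username is not None:
        userinfo = parts.username
        if parts.password is not None:
            userinfo += ":" + parts.password
        userinfo += "@"
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    return urlunsplit((scheme, userinfo + netloc, parts.path or "/", parts.query, ""))


CANONICAL_INDEX = {canonicalize(u) for u in PUBLIC_INDEX}


def classify(url: str, index=CANONICAL_INDEX) -> str:
    """Exact-URL check: 'fetch' if the URL is already public, else 'confirm'
    (show the link to the user and wait for approval)."""
    return "fetch" if canonicalize(url) in index else "confirm"


def domain_allowlisted(url: str, allowed=ALLOWED_DOMAINS) -> bool:
    """Domain-reputation check, for contrast: true for any URL on a trusted host."""
    return (urlsplit(url).hostname or "").lower() in allowed


def injected_exfil_url(base: str, secret: str) -> str:
    """Shape of the URL an injected instruction would have the agent build:
    a familiar-looking base with conversation data appended as a parameter."""
    return f"{base}?{urlencode({'ref': secret})}"


if __name__ == "__main__":
    secret = "constructed sample: account number 12345"
    probes = [
        "https://DOCS.example.com:443/guide/install#top",     # indexed, only cosmetic differences
        injected_exfil_url("https://docs.example.com/guide/install", secret),  # trusted host, leaks
        "https://attacker.example/collect?d=" + secret.replace(" ", "+"),     # unknown host, leaks
    ]
    for u in probes:
        print(f"{classify(u):8} allowlisted={domain_allowlisted(u)!s:5} {u}")
```

The middle probe is the interesting one: the domain allowlist passes it because the host is trusted, while the exact-URL check sends it to the user for confirmation because that specific URL, query string included, has never been seen publicly. Note that the canonicalization deliberately does not strip or decode the query, and keeps any userinfo, so that nothing which could carry data is normalized away before the lookup.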
The safeguard is narrow by design: it prevents the agent from leaking user-specific data through the URLs it requests. It says nothing about whether the content of a fetched page is trustworthy; a verified public page can still contain prompt injection or other manipulative instructions, and a confirmed fetch still needs the agent's other defenses. OpenAI acknowledges that web safety is a layered problem and continues to refine its defenses against evolving threats, prompt injection included. The aim is to keep users safe while expanding what AI agents can do on the web.