The State of VPNs and AI, 2026

For roughly two decades the consumer VPN sold one durable promise. It put an encrypted tunnel between your device and the open internet, hid your IP address behind a server's, and stopped the network in between from reading or selling the record of where you went. Your internet provider, the cafe Wi-Fi, the hotel router: none of them could see your traffic. That was never the whole of privacy, but it was clear, it was testable, and for the threats most people actually faced it was enough.

Artificial intelligence has not broken that promise. It has changed the board around it, on two fronts at once. Machine learning has become very good at the one thing VPNs were built to stop: identifying, fingerprinting, and blocking encrypted tunnels at national scale. And a new class of AI, the autonomous "agents" now acting on your behalf inside your logged-in sessions, has opened a category of risk that lives entirely past the point where any VPN's protection ends.

A VPN in 2026 is still necessary, and in some respects it works harder than ever. Against the AI threats that matter most this year, it is also close to irrelevant. Knowing exactly where the tunnel's protection stops, and why, is the most useful thing a privacy-minded reader can take from the year.

1. The two-front change

Two questions hide inside the marketing phrase "AI and privacy," and they pull in opposite directions.

The first is about the network. Can machine learning defeat what a VPN does at the network layer: masking your address, encrypting your traffic, hiding the fact that you are using a VPN at all? The news is mixed. Detection and circumvention are escalating against each other, and providers are, for now, mostly keeping pace.

The second is about the endpoint and the account. Can AI compromise your privacy without ever touching the network path, by reading the files on your machine, inheriting your logged-in identity, or profiling you from behaviour rather than from your IP? Here the news is worse. A VPN offers essentially no defence, because these threats land on the inside of the tunnel, where it has already done its job and stepped aside.

Both fronts are real, and they are not the same fight. Conflating them is how people talk themselves into one of two errors: complacency ("I have a VPN, so AI can't profile me") or fatalism ("AI defeats encryption, so why bother"). Neither holds.

2. How AI now hunts VPN traffic

For most of their history, VPNs were easy to spot even when they were impossible to read. The encryption held; nobody could see the contents. But the standard protocols announced themselves. OpenVPN and WireGuard both have well-documented packet structures, so a censor's firewall could be programmed to recognise the signatures and drop the connection. Blocking is not breaking. A state does not need to decrypt your traffic to cut it off. It only needs to know the encryption belongs to a VPN.

What has changed is the sophistication of the detection. A 2026 analysis of the obfuscation landscape reports that China's Great Firewall and Russia's Roskomnadzor now deploy machine-learning-based deep packet inspection, trained on millions of real traffic samples, that can identify VPN usage from statistical patterns alone: timing, packet sizes, the rhythm and shape of a flow, even when no recognisable protocol signature is present and the payload is fully encrypted.(Le VPN, 2026) Older censorship matched known fingerprints. A model can be trained to notice that traffic merely behaves like a tunnel, and to flag connections no rule was ever written for.

The counter is an obfuscation race. The mechanisms are worth knowing, because the marketing label "stealth mode" papers over a real spread of approaches:

• Protocol wrapping and TLS tunnelling. The commonest defence disguises VPN traffic as ordinary HTTPS, wrapping the tunnel inside the same TLS that secures normal web browsing and running it over TCP port 443. The logic is blunt: a censor cannot block port 443 wholesale without blocking most of the web.
• Packet scrambling and traffic morphing. More advanced techniques randomise packet headers and payloads to erase tell-tale signatures, then reshape packet sizes and timing to imitate the statistical profile of ordinary browsing. This answers ML-based detection directly. If the model is trained to spot traffic that looks like a tunnel, you make the tunnel look like something else.
• Borrowing a real connection. The newest approach, the REALITY transport for the VLESS protocol, abandons faking altogether. Instead of imitating a TLS connection, the VPN server relays the genuine TLS handshake of a real, widely trusted website, so that to an observer the traffic looks like an authentic connection to one of the most-visited sites on the internet. You cannot block it without blocking the site it is impersonating.

Obfuscation is, for now, winning enough. In heavily censored networks, strong obfuscation keeps connectivity alive; in less restrictive ones, ordinary protocols are adequate and faster. But "winning enough" is not "won." The same 2026 analysis is candid that machine-learning traffic analysis will get sharper in the years ahead.(Le VPN, 2026) This is a treadmill, not a finish line, and the censor's machine learning and the circumventer's are now training against each other directly.

That battle matters enormously if you live in, or travel to, a regime that fingerprints and blocks tunnels. The wider picture is not reassuring: Freedom House has recorded a fifteenth consecutive annual decline in global internet freedom.(Freedom House, 2025) It matters far less for the ordinary reader in a country that does not run national DPI against its own citizens. For most users the threat a VPN answers was never the Great Firewall. It is the duller, more universal exposure of your traffic to whatever network you happen to be sitting on, and AI has not changed that calculus at all.

3. The enterprise mirror: AI at machine speed

AI is pressing on the VPN a second way, and it shows up most clearly in the corporate version of the technology, which hints at where the whole category is heading.

Zscaler's ThreatLabz 2026 VPN Risk Report, drawn from a survey of 822 IT and security professionals, found that the single biggest fear among defenders is the speed AI hands attackers: 79% said AI now lets adversaries exploit vulnerabilities faster than patches can be deployed. The rest of the report fills in a widening gap. 61% of organisations reported encountering AI-enabled attacks in the previous twelve months. 70% admitted limited or no visibility into AI-driven threats crossing their VPN. Roughly one in three inspect none of their encrypted VPN traffic at all. And 54% still take a week or more to patch a critical VPN vulnerability.(Zscaler ThreatLabz, 2026) A week is unremarkable in traditional IT operations. It is dangerously long when an attacker can spot a target and weaponise an exploit at machine speed.

Read the report carefully, and do not let a vendor's framing do your thinking. This is a study of enterprise remote-access appliances: the corporate VPN gateways that expose a login portal to the public internet and, once breached, can hand an intruder broad reach across an internal network. The risk it describes is the speed of AI-assisted attacks against that gateway. It is not a claim that AI has cracked the encryption on your personal VPN connection. Headlines blur the two, and the blur flatters whoever is selling the alternative. A consumer VPN client on your laptop is not a corporate concentrator with an exposed admin surface, and the threat models do not transfer wholesale.

The report does point at a real direction of travel. AI compresses the time between a weakness appearing and its exploitation, and any security model that depends on humans reacting in days rather than minutes is under fresh pressure. That alone is reason to favour providers who patch fast and keep their own attack surface small.

4. The new endpoint problem: agentic AI and your whole identity

Now the front where the VPN does not fight at all, and the newest development of the year.

The shift is agentic AI: systems that do not merely answer questions but act, on their own, to get things done. The European Data Protection Supervisor's TechSonar briefing defines them by the capabilities that make them powerful and dangerous at once. They reason and plan. They call other software through APIs. They use tools and consult databases without step-by-step human instruction. And they hold persistent memory that spans tasks and outlives any single request.(European Data Protection Supervisor, 2026) The form that matters most for ordinary users is the agentic browser: a browser with an AI agent inside it that can read pages, click, fill forms, and run multi-step tasks on your behalf, inside sessions you are already logged into.

The category sits wholly outside a VPN's reach, for a structural reason. A VPN secures the path between your device and a destination. An agentic browser operates at the destination end of that path, inside your authenticated identity. It is already past the encryption, already logged into your accounts, already on your machine. When the agent acts, it acts with whatever access you granted it: your files, your cookies, your password manager, your email. The tunnel did its job and stepped aside long before the agent started work. There is no network layer left for a VPN to defend.

The year handed us a concrete illustration. On 3 March 2026, Zenity Labs disclosed a family of vulnerabilities it named PleaseFix, affecting agentic browsers including Perplexity's Comet. The disclosure laid out two exploit paths, both rooted in indirect prompt injection: malicious instructions hidden inside ordinary-looking content that the agent reads and obeys as though they came from the user. The first was zero-click. An attacker-controlled calendar invite was enough. When the user later asked the agent to do a routine task, the planted instructions made it reach into the local file system and exfiltrate the contents to an attacker, while still returning the innocent-looking result the user expected. In the second, the agent's authorised access was turned against a password manager, enabling credential theft or full account takeover without ever exploiting the password manager directly.(Zenity Labs, 2026)

The line from Zenity's CTO, Michael Bargury, is the one to keep:

"This is not a bug. It is an inherent vulnerability in agentic systems… Attackers can push untrusted data into AI browsers and hijack the agent itself, inheriting whatever access it has been granted."

That is the crux. The agent cannot reliably separate content it is meant to read from instructions it is meant to obey, and it carries the user's full privileges the whole time it cannot. To Perplexity's credit, it fixed the underlying browser-side execution issue before public disclosure. The structural point survives the fix: this is a property of the architecture, not a single defect.

Practitioners are not treating it as a fringe worry. A Dark Reading readership poll found 48% of cybersecurity professionals, nearly half, named agentic AI and autonomous systems as their single top emerging attack vector heading into 2026, ahead of deepfakes, board-level cyber-risk, and passwordless adoption. The same outlet found only about a third of enterprises have any AI-specific security controls in place.(Dark Reading, 2026)The concern is mainstream. The defences are not.

Against all of this a VPN does nothing. It cannot stop a prompt injection, because the injection is content arriving over a connection the VPN exists to protect. It cannot stop an agent reading your local files, because that happens on your device. It cannot stop an agent acting as you inside your accounts, because to the service those actions are you, arriving from a session you opened yourself. None of this is a failing of VPNs. It is a category boundary, better named plainly than left to blur.

5. Profiling, fingerprinting, and the limits of an IP address

The agentic-browser story is the sharp new edge. It sits on a slower, broader shift that explains why network-layer privacy has been losing ground for years.

Modern tracking does not need your IP address. Browser fingerprinting builds a near-unique identifier from what your browser broadcasts: fonts, screen and device properties, rendering quirks. Machine learning is well suited to matching those fingerprints across sessions even as individual attributes drift. Account-level profiling ties your behaviour to an identity you authenticated yourself, where the IP is beside the point because you have already said who you are by logging in. And a maturing body of work on traffic analysis and website fingerprinting shows that machine-learning models can infer which sites a user visits purely from metadata patterns, things like packet timing, sizes, and burst structure, that survive encryption. Work published in 2026, including a transformer-based approach in Scientific Reports, pushes those techniques further against the very obfuscation defences described above.(Alazzam, Abualganam & Almobaideen, 2026)

That last finding is the one most easily over-claimed. Traffic-analysis de-anonymisation is real, it is improving, and it is the place where AI does erode a privacy guarantee that VPNs and Tor were assumed to provide. But for now it remains largely the province of well-resourced adversaries with a privileged view of the network, research labs and state-level observers, rather than a turnkey capability aimed at ordinary users. It is reason for measured vigilance, and for caring about a provider's obfuscation and traffic-shaping. It is not reason to call the tunnel worthless. The overstatement and the dismissal both get it wrong.

The EDPS pulls the systemic worry together. Agentic systems that gather personal data from many sources, combine it in unforeseen ways, and hold it in persistent memory can build comprehensive profiles that reveal sensitive patterns of behaviour, assembled from what you do, continuously, rather than from a network address you can mask.(European Data Protection Supervisor, 2026) An IP is one attribute among dozens, and in an AI-mediated web no longer the most revealing one. A VPN hides that single attribute well. It was never designed to hide the rest, and pretending otherwise does readers a disservice.

6. What regulators are saying

The people paid to police this are converging on one diagnosis, and it cuts through the vendor noise in both directions.

In January 2026 the UK's Information Commissioner's Office published an early report on agentic AI as part of its Tech Futures series. It stops short of formal guidance, but the signposting is plain. The ICO warns that agentic AI both amplifies existing data-protection problems and introduces new ones. Human oversight gets harder as agents grow more autonomous. Opaque, multi-agent data flows make transparency and the honouring of data-subject rights hard to deliver. And the security risk climbs sharply when a tool is designed to concentrate large volumes of personal information, the personal-assistant-style agent "with access to communications, calendars, accounts, and credentials." It flags attack surfaces specific to these systems, among them the poisoning of an agent's memory and the manipulation of its reasoning. And it is firm that responsibility cannot be shrugged onto the end user. The burden sits with those who build and deploy these systems, to make them safe before they ship.(ICO / Inside Privacy, 2026)

The European Data Protection Supervisor, through its TechSonar work, reaches a parallel conclusion from the technical side. To be useful on a personal device, it notes, an agent may demand extensive access to the data on it, and that blanket access opens avenues for data leakage through prompt injection and jailbreaking, the same class of attack PleaseFix exploited in the wild. It warns that agents may slip past the APIs and controls meant to constrain them, and that aggregated profiles plus persistent memory carry a real risk of high-impact privacy breaches.(European Data Protection Supervisor, 2026)

Read side by side, the regulators are not describing a network problem. They are describing an endpoint, identity, and accountability problem, exactly the territory no VPN was ever built to cover.

7. AI on the defence

It would distort the picture to cast AI only as the threat. The same techniques sit inside the products defending users, and the account is incomplete without them.

Machine learning has become a useful component of threat detection. It is good at finding anomalies in large volumes of traffic and behaviour, at flagging malicious domains and phishing pages faster than a human-maintained blocklist, and at catching the statistical signature of malware in a flow. Several VPN and broader security products now bundle threat-protection features that lean on this kind of analysis, blocking trackers, known-bad domains, and phishing attempts, and they add real value. On the enterprise side, the same Zscaler survey that catalogued the threats also found defenders building more AI-driven monitoring into their response.(Zscaler ThreatLabz, 2026)

Two caveats keep it in proportion. Defensive AI augments network and endpoint security; it is not a new privacy guarantee, and a malicious-domain blocker does nothing about an agent already running with your credentials. And the defensive uses tend to lag the offensive ones, for the structural reason the Zscaler report names: the attacker needs one path to work, the defender must close them all, and AI widens that asymmetry in the attacker's favour. AI on defence is a real and welcome development. It does not cancel out the threats above, and any product marketing it as a counterweight deserves suspicion.

8. What a VPN actually protects you from in the AI era

Stripped of marketing in both directions, here is the boundary, drawn as honestly as we know how.

A VPN is load-bearing, not load-ending. It remains a sensible part of a privacy posture, and against the defining AI threats of 2026 it is one layer among several rather than the answer. Anyone telling you a VPN "protects you from AI" is selling the tunnel as something it has never been.

9. What to actually do

Five moves, none of them alarmist, ordered roughly by how much they buy you against the threats that actually changed this year.

1. Treat agentic browsers and AI assistants as privileged software, because they are. The biggest shift in your threat model this year is not your network. It is what you have authorised to act on your behalf. Grant agents the least access that lets them do the job. Be wary of any agent that can reach your files, your email, or your password manager, and assume that content an agent ingests from the web or your calendar may carry instructions it will follow. PleaseFix was a demonstration, not a one-off.
2. Harden the endpoint and the browser. Keep a tight rein on browser extensions, turn on anti-fingerprinting protections where your browser offers them, and keep devices patched. In an AI-mediated web, the endpoint is where most of the privacy you have left actually lives.
3. Reduce what is linkable to your identity. Compartmentalise accounts, log into less where you do not need to, and remember that an authenticated session tells a profiler far more than an IP address ever could. This is the front where AI has gained the most ground.
4. Keep using a VPN, for exactly what it is good at. Untrusted networks, ISP-level metadata, IP masking, and access under censorship are real, common exposures, and the VPN is the right tool for them. Choose one that obfuscates well if censorship is in your threat model, that patches quickly, and whose no-logs claim has been independently audited rather than merely asserted. A tunnel that keeps records you cannot see is worse than none.
5. Calibrate to your actual threat model. The reader in a censored country and the reader worried about an over-permissioned AI assistant face different problems and need different defences. Match the tool to the threat rather than buying one product as a talisman.

On that fourth point, a disclosed note. The provider that currently scores highest in our own evidence matrix on the two criteria that matter most here, an independently audited no-logs policy and a jurisdiction outside the worst data-retention regimes, is one we partner with: Proton VPN. Its no-logs policy passed a fourth consecutive independent audit by Securitum in August 2025, including a physical inspection of its live servers in Zurich, and it operates from Switzerland, which imposes no mandatory data-retention obligation on it.(Proton VPN, 2025) We disclose the partnership openly. Our rankings are formula-driven from graded evidence and never move for commission, and the working is public, so go and check it. And none of that, however well a provider scores, changes a word of the boundary above. Even the best-audited VPN protects the network path, not the agent running inside your session.

The state of VPNs and AI in 2026 is not a story about a tool defeated. It is the quieter story of a tool whose job has narrowed exactly as the threats around it have widened. The tunnel still works. The map it covers is smaller than the territory now at risk. Knowing the difference, knowing where the encryption stops and your authenticated, agent-augmented, fingerprintable self begins, is most of what staying realistic about privacy means this year.

We earn commission on some links. Rankings are formula-driven from graded evidence and are never influenced by commission. See our Methodology and Disclosure pages.

10. References