What are AI student agents? Addressing the latest exam integrity challenge

What are AI agents in online exams?

AI student agents are autonomous programs that undermine every stage of the learning process – from posing as the student within your LMS to completing quizzes and discussions, to infiltrating ‘secure’ online exam platforms. They are a growing threat to academic integrity and assessment security.

Since AI agents operate via the internet, any exam using an active internet connection is compromised. AI agents are particularly insidious in exams because they operate virtually undetected, outside of the browser, and leave little behavioral trace.

It isn’t as simple as ‘Stop students opening ChatGPT’. Within an online exam platform, AI agents can prepare question answers and put them somewhere the student can access – such as in the clipboard or in visual overlays – so they can use them without visibly opening an AI tool.

With generative AI already threatening the authenticity of student work in assignments, agentic AI now directly risks the validation of learning in summative assessment. When every stage of the learning and assessment process is exposed to AI, graduate quality, professional competence, and public trust are at stake.

Protecting exam integrity without sacrificing efficiency

While digital platforms have enabled institutions to scale, improve access, and reduce grading workload, they have undeniably introduced risk – with AI a growing threat to integrity and institutional reputation.

Institutions now face the challenge of securing digital exam integrity without sacrificing the benefits of digital assessment platforms. Should educators:

• Maintain online assessments that deliver operational efficiencies and increase access, but raise exposure to AI risk?
• Or revert to analog examination methods that safeguard exam integrity but reduce efficiency, accessibility, and scalability?

Fortunately, the choice isn’t actually this binary. It isn’t the digital element of online exams that creates the vulnerability. It is the online element of digital exams.

That means institutions don’t need to abandon digital exams or the efficiency they afford. They just need to take their digital exams offline and apply appropriate security measures to protect against the growing AI threat.

Three tips for protecting digital exam integrity against AI agents

1. Take summative assessments offline

The best defense against AI student agents is to take your digital summative exams offline. AI agents need three things to operate:

• Computation: The ability to ‘think’ for the student
• Content: Access to the exam questions
• Connection: Internet access to send and receive information

Offline digital exam platforms do not need an internet connection to deliver digital examinations. This means that AI agents don’t have any way to receive questions or send answers back to the student. This makes them a secure solution for preserving integrity in high-stakes assessments.

What does this look like?

Start by auditing your current exam portfolio and identify which assessments require internet connectivity. Then prioritise moving high-stakes, credential-defining exams to an offline delivery model first. For online-dependent exams, strengthen your technical defences to protect against the AI threat, such as advanced AI proctoring.

2. Lock down devices, not just browsers

A secure browser no longer means a secure exam. It isn’t just AI agents that are the issue, either. AI is now embedded directly in device operating systems, like Microsoft Copilot.

To combat this, institutions don’t just need a way to lock down the browser a student is using, they need to lock down the full device. This disables internet access, prevents external network communication, blocks unauthorized applications, and prevents system features – like screenshots – from being misused.

What does this look like?

Review whether your exam platform controls the entire device or only the browser. If system-level features and background apps remain accessible, your exam environment is exposed to OS-level AI abuse.

3. Encrypt exam content in transit and storage

Securing the exam environment is a strong defense against AI student agents. However, these tools are so sophisticated that even in an offline exam environment, they may be able to intercept, inspect, and analyze exam data if it is transmitted or stored in a readable format.

To prevent this, institutions need to use strong encryption that ensures exam questions and student answers are only readable within the exam application, when appropriate credentials are entered. This means that even if exam files are intercepted or downloaded in advance of the exam, they cannot be used to cheat.

What does this look like?

Use exam platforms that encrypt exam data end-to-end, from the delivery of the exam questions to receipt of completed student responses. This prevents both interception of questions before an assessment, and tampering with answers after it.

Your toolkit for protecting digital exam integrity: ExamSoft by Turnitin

ExamSoft by Turnitin is designed to support exam integrity with a full suite of AI-secure tools.

Offline security

With ExamSoft by Turnitin, students:

• Download secure exam content to their device before the exam
• Complete their offline with no internet access required or available
• Upload their answers once the exam is finished

This means institutions can deliver high-stakes digital exams with no network access as a potential backdoor for external tools or services – particularly AI agents that rely on connectivity.

It also eliminates dependency on internet connection to complete the exam, reducing potential sources of disruption for students.

Full device control

Turnitin ExamSoft locks down the full student device while an exam is active. This goes beyond simply blocking browsers to prevent students from accessing other webpages.

It controls the entire system to block unauthorized applications, background processes, or OS-level AI. This minimizes the risk of students being able to hijack innocuous processes, such as the clipboard or accessibility features, to use AI.

256-bit encryption

To protect exam data in storage and transit, Turnitin ExamSoft uses 256-bit encryption. This industry-standard security ensures exam content cannot be accessed or exploited during download, storage, and upload

Questions and responses can only be accessed within an authorised exam session, making it impossible for AI agents to intercept or tamper with data. This closes another critical attack surface commonly exploited by AI tools.

Do all assessments need to be offline?

Not all assessments need to be offline. But for high-stakes assessments that determine professional credentials and competencies, absolutely.

It’s crucial to differentiate between the goals of the everyday learning process and a high-stakes exam – and institutions should classify their assessments by purpose and risk.

For formative work—like drafting essays—the goal is pedagogical. Educators need visibility into the writing process to guide students toward responsible AI use. The incentive and reward for using AI student agents here is lower.

However, for a summative, high-stakes exam, the goal is verification. The security standard is absolute. In this specific context, any tool requiring an internet connection creates a fundamental flaw.

Your next steps to protect exam integrity

If you are concerned about the integrity of your digital assessments – particularly high-stakes summative exams – ask your team:

• Can the exam be completed without an internet connection?
• Does our platform lock down the device or just the browser?
• Does our platform allow background apps to run?
• Is exam data encrypted in storage and transit?

Download Turnitin’s online exam security checklist now to assess your exposure to AI agents and other exam threats.