Browser-visible identity exposure

The gap between identity access that exists in practice and the subset security teams can actually see in traditional IAM reports. It includes OAuth grants, in-browser session behaviour, extension activity, and delegated app access that may never appear in a central access review.

Expanded Definition

Browser-visible identity exposure is the portion of delegated identity activity that can be observed in the browser and adjacent client context, while the broader authorization state remains spread across OAuth grants, extensions, embedded app sessions, and third-party delegates. In NHI security, it sits between user-centric IAM and application-level trust decisions, so the operational question is not only who signed in, but what the browser can still do on behalf of that identity.

Definitions vary across vendors because some tools treat this as session visibility, while others include consented app scopes, extension telemetry, and token use. NHI Management Group treats it as a visibility problem first and a governance problem second, because hidden delegation often survives long after the original login event. The most relevant external baseline is CISA’s Zero Trust Maturity Model, which reinforces continuous verification rather than one-time trust.

The most common misapplication is assuming a clean IAM report means the browser has no active delegated access, which occurs when OAuth consent, cached sessions, and extensions are not inspected together.

Examples and Use Cases

Tracking browser-visible identity exposure rigorously often introduces investigation overhead, so organisations must weigh faster user access against the cost of tracing every delegated action back to a session, scope, or extension.

  • A finance analyst signs into a SaaS dashboard, then a browser extension silently reads page content and reuses the session to export records beyond the original review scope.
  • An employee grants a third-party productivity app broad OAuth consent, and that grant remains active even after the app is removed from the central app catalog.
  • A service account drives a browser automation workflow, but the browser session contains delegated tokens that never appear in a conventional access review.
  • A security team correlates browser telemetry with identity logs to find that a consented app is acting under a user session that was assumed inactive.
  • The Ultimate Guide to NHIs describes why visibility into hidden NHI pathways matters when access is distributed across code, tools, and delegated workflows, and Anthropic’s cyber espionage report shows how tool-enabled sessions can be abused when authority is not tightly bounded.
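One way to carry out the correlation described in the fourth example above (browser telemetry joined against identity logs to catch delegated activity that continues after IAM considers a session revoked or an app removed). This is an added illustration, not code from NHI Management Group; the event fields, actor naming (`ext:` / `app:` prefixes) and sample events are constructed for the example.

```python
from datetime import datetime

# Constructed sample data (not real logs). IDENTITY_LOG is what central IAM
# records; BROWSER_TELEMETRY is what actually happened inside the browser.
IDENTITY_LOG = [
    {"ts": "2024-05-01T09:00:00", "user": "analyst@example.com", "event": "login", "session": "sess-A"},
    {"ts": "2024-05-01T11:30:00", "user": "analyst@example.com", "event": "app_removed", "app": "prod-helper"},
    {"ts": "2024-05-01T12:00:00", "user": "analyst@example.com", "event": "session_revoked", "session": "sess-A"},
]

BROWSER_TELEMETRY = [
    {"ts": "2024-05-01T09:05:00", "session": "sess-A", "actor": "ext:page-reader", "action": "read_page"},
    {"ts": "2024-05-01T12:20:00", "session": "sess-A", "actor": "ext:page-reader", "action": "export_records"},
    {"ts": "2024-05-01T13:00:00", "session": "sess-A", "actor": "app:prod-helper", "action": "api_call"},
]


def find_outlived_authority(identity_log, telemetry):
    """Return browser events whose session was already revoked, or whose
    delegated app was already removed from the catalog, at the time they ran.
    These are the cases where authority outlived intent."""
    revoked_at = {}  # session id -> time IAM revoked it
    removed_at = {}  # app name   -> time it left the app catalog
    for e in identity_log:
        t = datetime.fromisoformat(e["ts"])
        if e["event"] == "session_revoked":
            revoked_at[e["session"]] = t
        elif e["event"] == "app_removed":
            removed_at[e["app"]] = t

    findings = []
    for e in telemetry:
        t = datetime.fromisoformat(e["ts"])
        reasons = []
        if e["session"] in revoked_at and t > revoked_at[e["session"]]:
            reasons.append("session revoked in IAM")
        kind, _, name = e["actor"].partition(":")  # "app:prod-helper" -> ("app", "prod-helper")
        if kind == "app" and name in removed_at and t > removed_at[name]:
            reasons.append("app removed from catalog")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_outlived_authority(IDENTITY_LOG, BROWSER_TELEMETRY):
        print(f["ts"], f["session"], f["actor"], f["action"], "->", "; ".join(f["reasons"]))
```

The early `read_page` event is not flagged because it predates revocation; only activity that continues after IAM believes access ended is reported.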

Why It Matters in NHI Security

Browser-visible identity exposure matters because it reveals where authority outlives intent. A user may revoke one app, yet browser cookies, delegated permissions, and extension permissions can continue to operate with effective privilege. That gap weakens Zero Trust enforcement, complicates incident response, and creates blind spots for service accounts that use browser automation or embedded authentication flows.

NHIMG research shows that only 5.7% of organisations have full visibility into their service accounts, and the same visibility deficit often appears in browser-mediated delegation paths. When identities are exposed through the browser, attackers do not need to break the central IAM stack; they can abuse what the browser already trusts. The 52 NHI Breaches Analysis and the Guide to the Secret Sprawl Challenge both illustrate how hidden access pathways persist after teams believe the account surface has been contained.

Organisations typically encounter browser-visible identity exposure only after an account takeover, data export, or suspicious OAuth consent event, at which point it becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | Browser-hidden grants and sessions are an NHI visibility gap OWASP-NHI expects teams to inventory.
NIST CSF 2.0 | PR.AA | Identity assertion and access evidence must include browser-mediated delegation to support assurance.
NIST Zero Trust (SP 800-207) | | Zero Trust requires continuous verification of sessions, devices, and app consent beyond initial login.

Treat browser sessions as continuously revalidated trust relationships, not one-time authentication events.