Browser vault drift is the steady accumulation of business credentials inside consumer browsers faster than the identity team can inventory or revoke them. It creates a false sense of control because passwords look managed to the user while remaining poorly governed to the organisation.
Expanded Definition
Browser vault drift describes the gap between where browser-saved credentials appear to live and where they are actually governed. In practice, consumer browsers can retain passwords, passkeys, session material, and auto-filled credentials outside the identity team’s normal inventory, review, and revocation workflows. That makes the term adjacent to secret sprawl, but narrower, because the drift is tied to browser vault behaviour rather than to any storage location. In NHI operations, browser vault drift often signals that employees are using personal convenience features to access business systems, creating unmanaged credential persistence that outlives job changes, device resets, and policy enforcement. Guidance varies across vendors on whether browser-saved secrets should be treated as endpoint risk, identity risk, or secrets-management risk, so organisations should classify the issue consistently rather than rely on browser defaults. NIST’s Cybersecurity Framework 2.0 is useful here because it frames the operational need to identify, protect, and manage credentials regardless of where users store them. The most common misapplication is treating a browser password manager as a controlled vault when the identity team cannot enumerate, monitor, or revoke those credentials centrally.
Examples and Use Cases
Implementing controls against browser vault drift rigorously often introduces user friction and inventory overhead, so organisations must weigh convenience against revocation certainty.
- A contractor signs into multiple SaaS applications from Chrome, and saved passwords remain available after the contract ends, even though the organisation has removed the account in its IAM system.
- An employee copies production API credentials into a browser profile on a shared workstation, turning a local convenience feature into an uncontrolled secret store. The Guide to the Secret Sprawl Challenge covers why this pattern scales faster than manual cleanup.
- A support team uses browser sync across personal and corporate devices, causing credentials to replicate beyond managed endpoints and complicating offboarding.
- A security team finds that OAuth tokens are being retained in browser sessions after reauthentication, echoing patterns described in the Salesloft OAuth token breach.
- An organisation replaces static passwords with dynamic secrets, but users still export or cache credentials in browsers, undermining the intended reduction in standing exposure. The Ultimate Guide to NHIs — Static vs Dynamic Secrets explains why lifecycle control matters.
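The offboarding, shared-workstation and unmanaged-device patterns listed above can be flagged from inventory metadata alone, without touching any password material. The following Python script is an added example, not code from the original page or from any product or report it cites; the export format, domains, device names and the `svc-` naming convention are all assumptions.

```python
from urllib.parse import urlparse

# Constructed sample data: metadata exported from a browser-vault inventory
# (origin, username, device only; password values are never read).
BROWSER_VAULT_EXPORT = [
    {"origin": "https://crm.example.com/login", "username": "alice@example.com", "device": "LAPTOP-017"},
    {"origin": "https://ci.example.com", "username": "bob-contractor@example.com", "device": "LAPTOP-042"},
    {"origin": "https://api.example.com", "username": "svc-deploy", "device": "SHARED-WS-03"},
    {"origin": "https://news.example.org", "username": "alice@example.com", "device": "LAPTOP-017"},
]
ACTIVE_IAM_USERS = {"alice@example.com"}        # bob's contract has ended (assumed IAM export)
MANAGED_DEVICES = {"LAPTOP-017", "LAPTOP-042"}  # SHARED-WS-03 is not enrolled (assumed MDM export)
BUSINESS_DOMAINS = ("example.com",)             # assumed corporate SaaS domains
SERVICE_ACCOUNT_PREFIXES = ("svc-",)            # assumed NHI naming convention


def is_business_origin(origin):
    """True when the saved credential belongs to a corporate domain or subdomain."""
    host = urlparse(origin).hostname or ""
    return any(host == d or host.endswith("." + d) for d in BUSINESS_DOMAINS)


def drift_findings(entries, active_users=ACTIVE_IAM_USERS, managed_devices=MANAGED_DEVICES):
    """Return (category, username, origin, device) tuples for business credentials
    that have drifted outside IAM and endpoint governance."""
    findings = []
    for e in entries:
        if not is_business_origin(e["origin"]):
            continue  # personal sites are out of scope for the identity team
        user, origin, device = e["username"], e["origin"], e["device"]
        if user.startswith(SERVICE_ACCOUNT_PREFIXES):
            # An NHI secret cached in a browser profile (shared-workstation pattern)
            findings.append(("nhi_secret_in_browser", user, origin, device))
        elif user not in active_users:
            # Human account removed in IAM but credential still saved (offboarding pattern)
            findings.append(("orphaned_after_offboarding", user, origin, device))
        if device not in managed_devices:
            # Credential replicated to a device outside endpoint management (sync pattern)
            findings.append(("on_unmanaged_device", user, origin, device))
    return findings


if __name__ == "__main__":
    for category, user, origin, device in drift_findings(BROWSER_VAULT_EXPORT):
        print(f"{category}: {user} -> {origin} on {device}")
```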
Why It Matters in NHI Security
Browser vault drift matters because it breaks the basic NHI assumption that credentials can be discovered, governed, and revoked through policy rather than through memory or local convenience. Once browser-stored secrets proliferate, offboarding becomes incomplete, credential rotation loses effectiveness, and incident response has to account for places the identity team never approved. NHIMG research on the 2025 State of NHIs and Secrets in Cybersecurity reports that 62% of all secrets are duplicated and stored in multiple locations, which helps explain why browser vault drift is so hard to contain. The same research shows 91% of former employee tokens remain active after offboarding, underscoring how quickly local convenience can become persistent access risk. This is not just a hygiene issue; it can undermine zero standing privilege, invalidate access reviews, and create hidden paths for lateral movement. Organisations typically encounter the consequence only after a leaked credential, failed offboarding, or account takeover, at which point addressing browser vault drift can no longer be deferred.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Browser-stored credentials are unmanaged secrets and fit secret sprawl controls. |
| NIST CSF 2.0 | PR.AC-1 | Credential persistence affects access management and revocation governance. |
| NIST Zero Trust (SP 800-207) | ID | Zero Trust requires identity-aware control even when credentials sit in browsers. |
Treat browser vaults as untrusted credential stores and enforce continuous verification.