They should assume browser telemetry and host enforcement will be incomplete and design for inconsistent coverage. That means prioritising browser-side prevention, tightening access assumptions for sensitive applications, and validating whether BYOD endpoints can be monitored well enough to detect malicious paste-driven execution.
Why This Matters for Security Teams
Unmanaged devices change the trust model at the browser edge. When employees reach web apps from BYOD or contractor endpoints, security teams lose consistency in host posture, telemetry depth, and endpoint enforcement. That does not mean access should be blocked outright, but it does mean policy should assume partial visibility and incomplete containment. The practical goal is to reduce what an attacker can do in-session, not to pretend the device is fully governed.
This is where browser-side controls, stronger application gatekeeping, and tighter session assumptions become more important than traditional endpoint enforcement. Current guidance from NIST Cybersecurity Framework 2.0 supports risk-based access decisions, while NHIMG research on Ultimate Guide to NHIs — Key Challenges and Risks shows how often organisations underestimate identity exposure when controls are uneven. For unmanaged devices, the same logic applies to browser sessions and web-based execution paths.
In practice, many security teams discover the problem only after a copy-paste workflow, token theft, or shadow browser session has already created a pathway into sensitive systems.
How It Works in Practice
Effective handling of unmanaged web access starts with assuming the endpoint cannot be trusted to the same degree as a managed laptop. That means shifting control points toward the browser, the identity layer, and the application itself. Where possible, organisations should use conditional access that checks device state, session risk, and application sensitivity before granting access. For high-value apps, step-up authentication and shorter session lifetimes reduce the impact of a stolen browser session.
Browser-side prevention is especially important because unmanaged devices often defeat host agents, posture checks, and DLP tooling. Policy should focus on limiting what can be copied, downloaded, uploaded, or pasted into sensitive applications. For example, paste-driven execution is a real risk in environments where attackers can inject commands, credentials, or tokens through a browser session. Organisations should validate whether the browser can provide enough telemetry to detect suspicious clipboard use, unusual navigation, and session anomalies before allowing broad access.
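As an added example (not code from the page or from NHIMG), the following browser-side JavaScript shows what a paste guard for a sensitive web form can do with the limited telemetry it has: classify each paste against the kind of field it lands in, block command-like or token-like content where it does not belong, and ship a metadata-only record (never the pasted text, which may itself be a secret) to the application's telemetry endpoint. The `/telemetry` endpoint, the `data-field-kind` attribute, the marker patterns and the sample inputs are assumptions constructed for the example.

```javascript
// Added example (not the page's or NHIMG's code): a browser-side paste guard.
// Assumes the web app ships its own JavaScript and exposes a /telemetry
// endpoint (assumed name) that accepts JSON beacons.

// Constructed, deliberately short marker lists. A command marker means the
// pasted text looks like something meant to be executed; a secret marker
// means it looks like credential material. Neither belongs in an ordinary
// text or search field.
const COMMAND_MARKERS = [
  /\bpowershell(\.exe)?\b/i,
  /\bcmd(\.exe)?\s+\/c\b/i,
  /\b(curl|wget)\b[^\n]*\|\s*(sh|bash)\b/i,
];
const SECRET_MARKERS = [
  /^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/, // JWT-shaped token
  /-----BEGIN [A-Z ]*PRIVATE KEY-----/,
  /\bAKIA[0-9A-Z]{16}\b/, // AWS access key id shape
];

// Classify one paste. fieldKind is one of "text" | "search" | "command" | "secret"
// (assumed values carried on the field's data-field-kind attribute).
function inspectPaste(text, fieldKind) {
  const trimmed = text.trim();
  const looksLikeCommand = COMMAND_MARKERS.some((re) => re.test(trimmed));
  const looksLikeSecret = SECRET_MARKERS.some((re) => re.test(trimmed));
  const multiLine = trimmed.includes("\n");
  let verdict = "allow";
  if (looksLikeCommand && fieldKind !== "command") verdict = "block";
  else if (looksLikeSecret && fieldKind !== "secret") verdict = "block";
  else if (multiLine && fieldKind === "search") verdict = "flag"; // odd, but not blocked
  return { verdict, looksLikeCommand, looksLikeSecret, multiLine, length: trimmed.length };
}

// Build the telemetry record. Only metadata leaves the browser: the pasted
// content is never included because it may be a token or password.
function pasteTelemetry(result, fieldKind, fieldName, now = new Date()) {
  return {
    event: "paste",
    at: now.toISOString(),
    field: fieldName,
    fieldKind,
    verdict: result.verdict,
    length: result.length,
    multiLine: result.multiLine,
    indicators: [
      ...(result.looksLikeCommand ? ["command-like"] : []),
      ...(result.looksLikeSecret ? ["secret-like"] : []),
    ],
  };
}

// Wire the guard to a form. `send` defaults to a beacon to /telemetry and is
// injectable so the logic can be exercised outside a browser.
function attachPasteGuard(form, send = (rec) => navigator.sendBeacon("/telemetry", JSON.stringify(rec))) {
  form.addEventListener("paste", (ev) => {
    const target = ev.target;
    if (!target || typeof target.getAttribute !== "function") return;
    const fieldKind = target.getAttribute("data-field-kind") || "text";
    const text = (ev.clipboardData && ev.clipboardData.getData("text/plain")) || "";
    const result = inspectPaste(text, fieldKind);
    send(pasteTelemetry(result, fieldKind, target.name || target.id || "?"));
    if (result.verdict === "block") ev.preventDefault(); // drop the paste entirely
  });
}

// In a real page: every form marked data-paste-guard gets the handler.
// Under Node there is no document, so this is skipped.
if (typeof document !== "undefined") {
  document.querySelectorAll("form[data-paste-guard]").forEach((f) => attachPasteGuard(f));
}
```

The point of the design is the asymmetry the paragraph describes: the browser cannot see what the host is doing, but it can see exactly which field a paste lands in and refuse content that has no business there, while the server-side record gives the detection team a signal (field, verdict, indicators, length) without turning the telemetry pipeline into a second place where secrets are stored.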
Practical controls usually include:
- per-app access policies instead of broad network trust
- short-lived sessions for sensitive business systems
- browser isolation or hardened browser modes for high-risk workflows
- explicit restrictions on download, upload, print, and paste actions
- identity signals and session risk scoring at request time
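As an added example (not code from the page or from NHIMG), the following JavaScript sketches the request-time decision that the paragraphs and list above describe: a per-app policy table instead of broad network trust, a session-risk band from the identity layer, step-up authentication for sensitive or unmanaged access, shorter session lifetimes where containment is weak, and the explicit download, upload, print and paste restrictions that the browser layer must then enforce. The application names, sensitivity tiers, risk thresholds and lifetimes are assumed values constructed for the example, not the page's.

```javascript
// Added example (not the page's or NHIMG's code): a per-app conditional
// access evaluator for browser sessions from managed and unmanaged devices.
// App tiers, risk thresholds and session lifetimes are constructed assumptions.

// Per-app policy instead of broad network trust.
const APP_POLICIES = {
  "wiki":         { sensitivity: "low",      maxSessionSeconds: 8 * 3600 },
  "crm":          { sensitivity: "medium",   maxSessionSeconds: 3600 },
  "payroll":      { sensitivity: "high",     maxSessionSeconds: 900 },
  "admin-portal": { sensitivity: "critical", maxSessionSeconds: 600 },
};

// Session risk bands on an assumed 0..100 score supplied by the identity layer.
const RISK_STEP_UP = 40; // at or above: require step-up authentication
const RISK_DENY = 75;    // at or above: refuse the request outright

function deny(reason) {
  return { decision: "deny", reason };
}

// Evaluate one request at request time.
// request: { app, deviceManaged, sessionRisk, mfaSatisfied, identityVerified }
function evaluateAccess(request) {
  const policy = APP_POLICIES[request.app];
  if (!policy) return deny("unknown application: no per-app policy");
  if (!request.identityVerified) return deny("no verified identity signal");
  if (request.sessionRisk >= RISK_DENY) return deny("session risk above deny threshold");

  const unmanaged = !request.deviceManaged;
  const sensitive = policy.sensitivity === "high" || policy.sensitivity === "critical";

  // Assumption for this policy: critical apps are never reachable from an
  // unmanaged device, because a stolen session there cannot be contained.
  if (unmanaged && policy.sensitivity === "critical") {
    return deny("critical app not reachable from unmanaged device");
  }

  // Step-up when the app is sensitive, the session is risky, or an
  // unmanaged device asks for anything above the low tier.
  const needsStepUp = sensitive || request.sessionRisk >= RISK_STEP_UP ||
    (unmanaged && policy.sensitivity !== "low");
  if (needsStepUp && !request.mfaSatisfied) {
    return { decision: "step_up", reason: "step-up authentication required" };
  }

  // Shorter session lifetimes where containment is weaker: halve the app's
  // lifetime on unmanaged devices and cap risky sessions at five minutes.
  let ttl = policy.maxSessionSeconds;
  if (unmanaged) ttl = Math.floor(ttl / 2);
  if (request.sessionRisk >= RISK_STEP_UP) ttl = Math.min(ttl, 300);

  // Explicit in-session restrictions the browser layer must enforce.
  const restrictions = {
    blockDownload: unmanaged && policy.sensitivity !== "low",
    blockUpload: unmanaged && sensitive,
    blockPrint: unmanaged && sensitive,
    blockPaste: unmanaged && sensitive,
    isolatedBrowser: sensitive,
  };
  return { decision: "allow", sessionTtlSeconds: ttl, restrictions, reason: "policy satisfied" };
}

// Usage: an unmanaged contractor laptop asking for payroll with MFA done.
console.log(evaluateAccess({
  app: "payroll", deviceManaged: false, sessionRisk: 10,
  mfaSatisfied: true, identityVerified: true,
}));
```

Two design choices matter more than the specific numbers. The decision is made per request, so a rising risk score can shorten or end a session that was fine a minute earlier, and the restrictions travel with the allow decision so that the browser-side controls and the access decision cannot drift apart: whatever enforces download, upload, print and paste limits reads them from the same policy result rather than from a separate configuration.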
NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs highlights the value of lifecycle discipline, and the same operational discipline helps here: access should be granted only for the minimum necessary time and should be revoked cleanly when the session ends. For identity governance context, the OWASP Non-Human Identity Top 10 is useful because unmanaged browser access often exposes secrets, tokens, and session material in ways that resemble NHI misuse paths. These controls tend to break down when legacy web apps require persistent sessions, unrestricted clipboard use, or unsupported browser behaviours because enforcement cannot be applied consistently across the full workflow.
Common Variations and Edge Cases
Tighter browser control often increases user friction, requiring organisations to balance access convenience against the risk of exposing sensitive applications through weak endpoints. There is no universal standard for this yet, so the right answer depends on how much monitoring and containment the organisation can realistically apply on unmanaged devices.
For low-risk SaaS, a lighter policy may be acceptable if the app contains no sensitive data and the session can be quickly terminated. For regulated workflows, finance, or admin portals, best practice is evolving toward stronger browser isolation, restricted clipboard behaviour, and explicit session monitoring. Some organisations also allow unmanaged access only from devices that meet minimum web security checks, but this should not be confused with full endpoint assurance.
A useful test is whether the organisation can reliably answer three questions: what the user can do in the browser, what the browser can observe, and what happens when suspicious behaviour is detected. If those answers are unclear, unmanaged access should be limited to lower-risk applications until the control stack is stronger. NHIMG’s 52 NHI Breaches Analysis and Top 10 NHI Issues both reinforce the same operational lesson: when visibility is incomplete, organisations should narrow the blast radius rather than assume detection will save them.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA | Addresses access decisions when device trust and visibility are inconsistent. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Browser sessions can expose secrets and tokens like other NHI credential paths. |
| NIST AI RMF | | Supports governance for runtime risk decisions and incomplete monitoring contexts. |
Define accountable policies for unmanaged access using runtime risk evaluation and documented oversight.
Related resources from NHI Mgmt Group
- Should organisations build their own authorization control plane or use managed tooling?
- What breaks when teams use the same JIT model for all access?
- When should organisations prioritise Zero Standing Privilege for non-human identities?
- How should security teams decide whether JIT access is safe for non-human identities?