TL;DR: Browser governance is becoming identity governance for autonomous workflows, not just a safer interface. Prisma Browser now adds agentic AI controls for discovering AI activity, enforcing content-aware boundaries, blocking prompt injection, and distinguishing human from automated tasks across the browser, where users spend 85% of their workday, according to Palo Alto Networks.
At a glance
What this is: A product announcement about browser-based controls for agentic AI workflows, with the key finding that identity, data protection, and attack containment are now being pushed into the browser layer.
Why it matters: IAM, PAM, and NHI teams will increasingly need to govern autonomous activity where work actually happens, while separating human intent from non-human execution and limiting prompt-injection and shadow AI risk.
By the numbers:
- Users now spend 85% of their workday in the browser.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Context
The browser is no longer just a user interface. In agentic AI environments, it becomes an execution layer where human users, AI agents, and corporate data collide, which means control points that once belonged to endpoint or network security now affect identity governance directly.
The governance gap is that traditional browser security assumes a person is acting through the session. Once an agent can browse, decide, and trigger actions on behalf of a user, IAM teams have to separate intent, scope, and accountability across both human and non-human activity.
Key questions
Q: How should security teams govern AI agents that act through the browser?
A: Security teams should treat browser-based agent sessions as governed non-human activity, with explicit policy, logging, and scope boundaries. The key is to separate human initiation from machine execution, then enforce content-aware controls so untrusted web content cannot redirect the agent into unauthorized actions.
Q: Why do AI agents increase browser security risk for IAM teams?
A: AI agents increase risk because the browser becomes both the interface and the execution layer for autonomous work. That collapses older assumptions that a browser session equals a human user session, making intent, accountability, and approved scope much harder to verify.
Q: What breaks when prompt injection is not controlled in agentic workflows?
A: When prompt injection is not controlled, the agent can follow malicious instructions hidden in web content and perform actions the user never intended. That creates a direct path from ordinary page content to unauthorized execution, which bypasses normal access-control thinking.
Q: How do organisations distinguish human actions from automated AI tasks?
A: Organisations need telemetry that records which actions were initiated by a person and which were executed by an AI agent. Without that separation, audit trails become ambiguous, policy enforcement weakens, and accountability for sensitive actions is difficult to prove.
How it works in practice
Browser-based agentic AI control points
A browser can become the policy enforcement point for AI-driven work because it sits between the user, the model, and the data source. In this model, the browser observes prompts, website content, downloads, and tool-like actions, then applies content-aware boundaries before data leaves the session. That matters for shadow AI and agent hijacking because the attack surface is no longer just the model endpoint. The browser becomes the place where access, data movement, and instruction processing intersect.
Practical implication: classify browser-mediated AI workflows as governed execution paths, not ordinary web sessions.
Prompt injection and agent hijacking in the browser
Prompt injection is a manipulation technique where malicious instructions are embedded in content the agent reads, such as a web page or document. Agent hijacking occurs when those instructions cause the agent to deviate from the user’s intended task and perform unauthorized actions. In browser-mediated agentic work, the attacker does not need direct model access if they can influence the content the agent consumes. This is why instruction isolation and scope enforcement matter more than simple content filtering.
Practical implication: evaluate whether the browser can separate untrusted page content from agent instructions before deployment.
Human actions versus non-human identity activity
Agentic browser controls depend on being able to tell whether a session action came from a person or an automated workflow. That distinction is an identity problem, not just an audit problem, because it determines which policy applies, which logs are authoritative, and where accountability sits. If the system cannot reliably distinguish human input from agent execution, governance becomes ambiguous and response decisions slow down. The same session may contain both human direction and machine execution, but they are not the same identity event.
Practical implication: require audit telemetry that tags human initiation and agent execution separately.
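The telemetry requirement above, sketched as an added example (not Prisma Browser's log format or code; the event schema, field names and sample events are constructed assumptions): each agent action is attributed to the human task that initiated it and checked against that task's execution scope.

```python
import json

# Constructed sample telemetry (hypothetical schema): one JSON event per line.
SAMPLE_LOG = """\
{"ts":1,"session":"s1","actor":"human","user":"alice","event":"task_start","task":"t1","scope":{"origins":["https://crm.example"],"actions":["read","fill_form"]}}
{"ts":2,"session":"s1","actor":"agent","agent_id":"agent-7","task":"t1","action":"read","origin":"https://crm.example"}
{"ts":3,"session":"s1","actor":"agent","agent_id":"agent-7","task":"t1","action":"download","origin":"https://crm.example"}
{"ts":4,"session":"s1","actor":"agent","agent_id":"agent-7","task":"t1","action":"fill_form","origin":"https://pay.example"}
{"ts":5,"session":"s1","actor":"agent","agent_id":"agent-7","task":"t9","action":"read","origin":"https://crm.example"}
{"ts":6,"session":"s1","actor":"human","user":"alice","event":"click","origin":"https://pay.example"}
"""

def audit(log_text):
    """Return (attributed, findings): agent actions tied to a human initiator, and violations."""
    tasks = {}  # (session, task) -> the human task_start event that authorised it
    attributed, findings = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        key = (ev["session"], ev.get("task"))
        if ev["actor"] == "human":
            if ev.get("event") == "task_start":
                tasks[key] = ev
            continue  # human events are a separate identity event, not agent execution
        start = tasks.get(key)
        if start is None:
            # Agent acted with no recorded human initiation for this task.
            findings.append((ev["ts"], "agent_action_without_human_initiation"))
            continue
        scope = start["scope"]
        reasons = []
        if ev["action"] not in scope["actions"]:
            reasons.append("action_out_of_scope")
        if ev["origin"] not in scope["origins"]:
            reasons.append("origin_out_of_scope")
        if reasons:
            findings.extend((ev["ts"], r) for r in reasons)
        else:
            attributed.append({"ts": ev["ts"], "agent": ev["agent_id"],
                               "on_behalf_of": start["user"], "action": ev["action"]})
    return attributed, findings

if __name__ == "__main__":
    ok, bad = audit(SAMPLE_LOG)
    print("attributed:", ok)
    print("findings:", bad)
```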
NHI Mgmt Group analysis
Browser security is becoming identity governance for agentic work. Once autonomous workflows execute through the browser, the policy boundary shifts from network access to session behaviour. That means the browser is no longer a passive container for identity; it is part of the control plane for non-human action. IAM and NHI teams should treat browser-mediated agent sessions as governed identities with explicit scope and accountability.
Content-aware boundaries are a response to a specific failure mode: instruction contamination. Agentic systems fail when untrusted content can influence execution, because the model cannot always distinguish the task from the surrounding page. This is not a traditional access-control problem. It is a trust-boundary problem where the input stream becomes the attack surface, and practitioners need to understand that before they can define policy.
Real-time distinction between human and automated tasks is a named governance requirement, not a convenience feature. The article points to compliance and accountability needs that span human IAM, NHI governance, and autonomous execution. When the same browser session can include both user direction and agent action, the identity record must preserve that difference or auditing collapses into ambiguity. Practitioners should reframe browser telemetry as identity evidence.
Shadow AI exposure extends the NHI problem into the user workspace. AI activity that bypasses managed channels creates an unmanaged identity path, even when the user believes they are acting safely. The failure is not only secret leakage, but also the absence of policy, visibility, and lifecycle control over the AI interaction itself. That is a governance problem, not just a data protection one.
Agentic AI browsers validate the move toward runtime governance over static trust. The field is moving away from assuming that a permitted session is a safe session. Browser-level controls that inspect intent, data movement, and execution context reflect the broader shift from one-time authorisation to continuous contextual enforcement. Practitioners should expect identity controls to follow work into the browser, not stay behind in the IAM stack.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- For the broader lifecycle view, 52 NHI Breaches Analysis shows how visibility gaps become incident patterns across service accounts and keys.
What this signals
Browser-native agentic controls are likely to become a control-plane question for IAM and NHI teams, not just a security product feature. As autonomous work moves into the browser, organisations will need policy, telemetry, and audit models that can distinguish user intent from machine execution in the same session.
Identity boundary drift: this is the operational risk that appears when the browser, the model, and the user session all begin sharing control of the same action path. Teams that do not model this drift will struggle to explain who authorised what, when, and on whose behalf. For policy design, that means browser logs need to be treated as identity evidence, not merely web telemetry.
Palo Alto Networks frames the browser as a secure workspace for agentic AI, but the deeper signal is that governance is moving toward runtime enforcement at the point of interaction. Teams that already struggle with unmanaged service accounts and secrets sprawl should expect the same visibility problem to reappear in browser-mediated AI activity, just with faster execution and weaker human oversight.
For practitioners
- Define browser-mediated AI sessions as governed identities. Map every workflow where an employee uses an AI tool through the browser and assign explicit policy ownership for the session, the data involved, and the acceptable actions. Treat those sessions as separate from ordinary browsing and from standard SaaS access.
- Separate human intent from agent execution in logs. Require telemetry that records when a human initiated the task, when an AI agent acted, and which action was machine-executed. This gives IAM, SOC, and audit teams a defensible chain of accountability when browser-based automation is involved.
- Review prompt-injection exposure in web workflows. Test whether web pages, documents, and pasted content can influence an AI agent’s decisions inside the browser. Prioritise controls that isolate untrusted content from agent instructions and block unauthorized downstream actions.
- Extend shadow AI discovery to browser activity. Add browser telemetry to your AI discovery process so unmanaged models, extensions, and agentic work patterns are visible before they leak sensitive data. Use the browser as a detection point for unsanctioned AI behaviour, not just as a delivery channel.
Key takeaways
- Browser-based agentic AI controls are really identity controls because they decide what an autonomous workflow may see, read, and do inside the session.
- Prompt injection and agent hijacking show that untrusted content can redirect machine behaviour, so session trust must be enforced at runtime rather than assumed upfront.
- IAM and NHI programmes need separate evidence for human initiation and AI execution if they want auditability, accountability, and usable policy enforcement.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A3 | Prompt injection and agent hijacking are core agentic AI abuse paths. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Agent-browser sessions behave like non-human identities that need scoped governance. |
| NIST CSF 2.0 | PR.AC-4 | Session-level identity distinction supports least-privilege enforcement and accountability. |
Map browser-mediated AI sessions to agentic threat scenarios and block untrusted instruction channels.
Key terms
- Agentic Browser Session: A browser session in which an AI agent performs actions, reads content, or triggers workflow steps on behalf of a user. The session behaves like a governed non-human identity because it can move, decide, and interact inside policy boundaries that should be explicit, logged, and reviewable.
- Prompt Injection: A manipulation technique where instructions hidden in content are designed to influence an AI system’s behaviour. In browser-mediated workflows, the browser may expose the agent to untrusted text, so prompt injection becomes a policy and identity problem as much as a model security problem.
- Shadow AI: Unmanaged or undiscovered AI activity inside an organisation, including agents, extensions, or model use that bypasses approved controls. The governance issue is not only loss of visibility. It is the absence of lifecycle ownership, policy enforcement, and audit evidence for the interaction path.
- Execution Scope: The set of actions, data sources, and side effects an AI agent is allowed to reach during a session. For autonomous work, scope must be defined in ways that the system can enforce at runtime, because post-hoc review alone cannot reconstruct intent or prevent misuse.
This post draws on content published by Palo Alto Networks: Introducing Idira and Prisma Browser for the agentic AI era. Read the original.
Published by the NHIMG editorial team on 2026-03-23.