TL;DR: AI-powered browsers can summarize, autofill, and execute multi-step workflows through natural language, but Lasso Security says that same capability can let prompts propagate across authenticated SaaS sessions and trigger unintended actions. The governance problem is no longer browser convenience, but whether existing identity, session, and policy controls can constrain an AI agent that inherits user privileges mid-session.
At a glance
What this is: AI browsers are turning browsing into an active orchestration layer, with the key finding that shared session context can let a prompt in one app drive actions in another.
Why it matters: This matters because IAM teams now have to govern browser-mediated access paths, session inheritance, and cross-app privilege use for both human users and AI-driven agents.
Context
AI browsers are no longer passive interfaces. They can read page context, retain memory, navigate across domains, and carry out actions across authenticated sessions, which means the browser is starting to behave like an identity-bearing execution layer rather than a simple client.
That changes the control problem for IAM and NHI programmes. Traditional browser security assumes deterministic inputs and clear user intent, but AI-driven browsing can combine user credentials, cached tokens, and multi-step reasoning in ways that blur session boundaries and make action authorisation harder to define.
Lasso Security’s article frames this as a browser-native attack surface, with the highest risk coming from prompt manipulation, cross-platform trust overlap, and the difficulty of distinguishing legitimate user activity from agent-driven execution. For many enterprises, that is an emerging rather than a mature control domain.
Key questions
Q: How should security teams govern AI browsers that can act across authenticated sessions?
A: Treat the browser agent as an identity-bearing runtime, not just a client. Limit session inheritance, constrain which applications it can reach, and require policy checks before cross-domain actions complete. The key is to control delegated authority at execution time, because once cookies and tokens are shared, the browser can carry privileged context beyond the original user intent.
Q: Why do AI browsers complicate least privilege?
A: They complicate least privilege because the agent often inherits the user’s authenticated reach inside the browser and can reuse that authority across multiple applications. Least privilege was designed for stable, clearly scoped identities. AI browsers blur those boundaries by combining session state, natural language instructions, and automated action selection in one execution path.
Q: What breaks when prompt injection reaches an AI browser agent?
A: What breaks is the assumption that only trusted inputs can drive trusted actions. Prompt injection can steer the agent through natural language, while the browser still appears to be performing ordinary user activity. That makes provenance and intent harder to verify, especially when the agent can submit forms or trigger API calls without obvious malicious code.
Q: Who is accountable when an AI browser agent makes an unauthorized action?
A: Accountability sits with the programme that allowed the agent to inherit user authority without sufficient action constraints and auditability. If the browser can execute multi-step workflows across authenticated systems, teams need clear ownership for policy, logging, and incident response. Without that, the action is treated as user behaviour even when the decision came from the agent.
Technical breakdown
Prompt injection in AI browsers
Prompt injection happens when web content or connected data sources contain instructions that steer an LLM-based browser agent away from the user’s intent. In an AI browser, the model may treat untrusted page text as operational input, then use its memory state and tool access to take actions. Indirect prompt injection is harder to spot because the malicious instruction can arrive through metadata, documents, or another SaaS application rather than visible page text. This is a control-plane problem, not a content-filter problem: the agent is interpreting text and then acting on it inside the same session boundary.
Practical implication: require explicit policy checks before any cross-domain action, not just after prompt filtering.
Identity mesh and shared session context
Identity mesh describes the trust overlap created when an AI agent operates across multiple authenticated systems in one browser session. The browser’s cookies, tokens, and cached context can give the agent the same effective reach as the logged-in user, even when the action originates from a different page or domain. That creates lateral movement opportunities inside the browser itself, because the agent can carry state from one application into another without re-authentication. The underlying issue is not malware execution. It is that session continuity becomes a privilege bridge between systems that were supposed to stay isolated.
Practical implication: separate agent credentials from user credentials and limit which authenticated sessions an agent can inherit.
Why traditional detection misses browser-native abuse
Traditional detection tools look for suspicious processes, known payloads, or network patterns that deviate from baseline. AI browser abuse often has none of those markers. The agent stays inside the browser process, the input looks like natural language, and the resulting HTTP requests can appear user-originated. That makes the attack path resemble legitimate work, especially when the browser is operating in a highly automated mode. The real failure mode is observability: security tools see valid web activity, but they do not see the decision provenance that produced it.
Practical implication: log prompt lineage, tool invocation, and cross-origin action history alongside standard browser telemetry.
Threat narrative
Attacker objective: The attacker wants the browser agent to carry trusted session authority from one application into another and complete unauthorized actions without triggering ordinary detection.
- Entry occurs when malicious content is injected into one SaaS platform that the AI browser is already reading within a logged-in session.
- Credential access follows because persistent cookies and tokens let the agent act with the user’s authenticated privileges across additional applications.
- Impact lands when the agent executes a legitimate-looking multi-step workflow in another platform, making the malicious action hard to distinguish from normal user behaviour.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
NHI Mgmt Group analysis
Identity mesh is the governance gap AI browsers expose. The browser is no longer just a rendering layer, because the agent can carry authenticated state across multiple applications in one session. That means the practical control boundary is no longer the tab or the app, but the trust relationship between prompt input, session context, and action execution. Practitioners should treat browser session continuity as an identity problem, not only an endpoint problem.
Shared session context is becoming a privilege bridge. Cookies, cached tokens, and authenticated page state let a browser agent operate with effective user authority even when the action was triggered elsewhere. This is why prompt injection becomes more dangerous in AI browsers than in static automation: the instruction can travel, but the privilege already exists. Security programmes need to re-evaluate where human intent ends and delegated action begins.
Runtime policy enforcement is now part of identity governance for browser agents. Traditional review and approval models assume action can be inspected before it lands. AI browser workflows can complete in milliseconds, which means governance has to move closer to execution time and focus on action constraints, not just access grants. The implication is that browser-mediated identity must be governed as a live control plane, not a static login event.
Least privilege stops at the browser if agent scope is undefined. The browser agent inherits the user’s authenticated reach unless the programme explicitly limits cross-domain access, session reuse, and tool invocation. That changes the meaning of privilege review for NHI and agentic workflows because the risky unit is no longer the account alone. Practitioners should rethink privilege as a session-scoped behaviour problem.
Prompt lineage is a named control concept practitioners should adopt. When an AI browser can take actions based on multiple upstream inputs, the important governance question is not only what it did, but where the instruction originated and how it traversed the session. Prompt lineage ties decision provenance to action history, which is the only way to make browser-native agent behaviour auditable enough for identity governance.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
- That confidence gap is why AI browser governance should be treated as an identity control problem, with further guidance in Ultimate Guide to NHIs, 2025 Outlook and Predictions.
What this signals
Identity mesh: this is the point where browser state, delegated prompts, and authenticated sessions overlap into a single governance problem. For programme owners, the practical signal is that browser-based AI use cases cannot be monitored only at the endpoint layer; they need identity-aware policy, logging, and cross-domain control points that track what the agent is allowed to do, not just what the user is allowed to open.
With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, per The State of Non-Human Identity Security, the broader pattern is already familiar: delegated access expands faster than governance can observe it. AI browsers extend that pattern into the browsing layer, where session inheritance can turn a convenience feature into a privilege bridge.
The next control boundary will be decided by whether teams can make browser agents auditable as identities. That means aligning session isolation, runtime policy, and action lineage with existing identity programmes before the use case spreads from pilot into day-to-day enterprise work.
For practitioners
- Separate agent and user session authority: Do not allow AI browser agents to inherit every authenticated session by default. Restrict which cookies, tokens, and page contexts the agent can reuse across domains, and require distinct identity boundaries for high-risk applications.
- Add runtime policy checks for cross-domain actions: Block or challenge agent-driven form submission, API calls, and navigation when the target application differs from the source context. Policy should evaluate action type, destination domain, and trust level before execution completes.
- Log prompt lineage with browser telemetry: Capture the input source, intermediate transformations, and tool invocation path for every agent action. Without prompt lineage, security teams can see the HTTP request but not the decision chain that produced it.
- Map AI browser use cases to NHI governance controls: Classify browser agents as non-human identities where they operate independently across authenticated systems, then align access review, session control, and delegated privilege rules to that classification.
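One way to combine the runtime policy check and the prompt-lineage record from the list above, as an added example (not code from Lasso Security or NHI Mgmt Group). The origins, source labels, decision names and function names are assumptions made for illustration.

```javascript
// Added example; every name, origin and source label here is hypothetical.
// Origins the agent may act on without the user taking over.
const AGENT_ALLOWED_ORIGINS = new Set(
  ["https://wiki.example.com", "https://tickets.example.com"]
);
// Actions that change state, as opposed to navigation.
const STATE_CHANGING = new Set(["form_submit", "api_call"]);
// Instruction sources treated as trusted: only the user's own prompt.
const TRUSTED_SOURCES = new Set(["user_prompt"]);

function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// action: {type, sourceUrl, targetUrl}; lineage: ordered inputs that led to it.
// Returns the decision together with the lineage record to be logged.
function evaluateAction(action, lineage) {
  const src = originOf(action.sourceUrl);
  const dst = originOf(action.targetUrl);
  const crossOrigin = src !== dst;
  const changesState = STATE_CHANGING.has(action.type);
  // Any untrusted input in the chain taints the action; an action with no
  // recorded lineage is treated as untrusted.
  const trusted = lineage.length > 0 &&
    lineage.every((l) => TRUSTED_SOURCES.has(l.source));
  let decision = "allow";
  let reason = "within agent scope";
  if (dst === null || !AGENT_ALLOWED_ORIGINS.has(dst)) {
    decision = "block";
    reason = "destination outside agent allowlist";
  } else if (!trusted && (changesState || crossOrigin)) {
    decision = changesState && crossOrigin ? "block" : "challenge";
    reason = "action derived from untrusted content";
  } else if (changesState && crossOrigin) {
    decision = "challenge";
    reason = "cross-origin state change needs user confirmation";
  }
  return { time: new Date().toISOString(), type: action.type, src, dst,
           crossOrigin, trusted, lineage, decision, reason };
}

// Constructed sample: text read on a wiki page drives a ticket submission.
const sample = evaluateAction(
  { type: "form_submit", sourceUrl: "https://wiki.example.com/p/1",
    targetUrl: "https://tickets.example.com/new" },
  [{ source: "user_prompt", ref: "summarise this page" },
   { source: "page_content", ref: "https://wiki.example.com/p/1" }]
);
console.log(JSON.stringify(sample, null, 2));
```

The returned record is what would be written next to ordinary browser telemetry, so a reviewer can see both the request and the input chain behind it.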
Key takeaways
- AI browsers turn session inheritance into a governance issue, because the agent can act with user authority across multiple authenticated applications.
- The evidence points to a visibility gap rather than a simple malware problem, since prompt-driven actions can look like normal user activity in standard telemetry.
- Teams need browser-specific identity controls now, including separate agent authority, cross-domain policy enforcement, and prompt lineage logging.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | | AI browser agents can be driven by prompt injection and cross-domain tool use. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Browser agents inherit and reuse session authority like other non-human identities. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Cross-app session reuse conflicts with continuous least-privilege enforcement. |
Verify each browser action against current context instead of trusting inherited session state.
Key terms
- Identity Mesh: Identity mesh is the overlap of trust, session state, and delegated action that forms when an AI browser operates across multiple authenticated systems. It matters because the browser can carry effective authority from one application into another, making isolation, provenance, and accountability much harder to enforce.
- Prompt Injection: Prompt injection is the practice of embedding malicious instructions in content that an LLM-based system will read and act on. In AI browsers, it can steer agent decisions through web pages, documents, or metadata, turning ordinary text into an execution trigger inside a trusted session.
- Prompt Lineage: Prompt lineage is the trace of where an instruction came from, how it changed, and which action it caused. For AI browsers, it is the audit trail that connects input provenance to session activity, which is essential when a browser agent can act across domains in the background.
- Session Inheritance: Session inheritance is the reuse of authenticated browser context by an AI agent or automated workflow. It becomes risky when the inherited session carries broader authority than the task requires, because the agent can move across applications with privileges that were never explicitly granted for each step.
This post draws on content published by Lasso Security: The Rise of AI Browsers, Smarter, Faster, and Far More Dangerous. Read the original.
Published by the NHIMG editorial team on 2026-01-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org