TL;DR: Omdia’s survey of 400 IT and security professionals found 49% of organisations suffered a successful browser-based attack in the last 12 months, while 88% rank browser security as a top-five priority and 85% expect spend to rise, showing the browser has become a board-level control point. The real issue is that security programmes still assume visibility outside the session is enough, when the attack, the identity action, and the data loss now happen inside the browser.
At a glance
What this is: Omdia’s research shows the browser has become the enterprise attack surface where most modern identity and data attacks now land.
Why it matters: IAM teams need to treat browser sessions as governance territory because phishing, credential theft, AI tool misuse, and session hijacking now overlap there across human, NHI, and emerging autonomous workflows.
By the numbers:
- 49% of organizations suffered a successful browser-based attack in the last 12 months.
- 88% of respondents rank browser security as at least a top-five security priority.
- 85% of respondents expect to increase browser security spend over the next 12-24 months.
- 58% rely on secure web gateways to secure GenAI usage.
👉 Read Push Security's analysis of Omdia's browser security market research
Context
The browser has moved from a simple access layer to the place where identity, applications, and data all meet. That matters for browser-based attacks because the security event often happens inside the live session, not at the perimeter or after the fact.
For identity programmes, the real gap is governance at session level. Human users, service accounts operating through web interfaces, and agentic workflows that initiate browser actions all create decisions that traditional network, endpoint, and IAM controls only partially see.
The article’s central point is straightforward: security teams are funding browser controls because attack methods have migrated into the browser session itself, and that makes browser-layer telemetry a governance issue rather than just a product category question.
Key questions
Q: How should security teams handle browser-based attacks that happen inside the session?
A: They should move detection closer to the interaction layer and treat the browser session as a control point. That means correlating page activity, credential entry, token exchange, and data movement with identity logs. Without that, phishing, AiTM, cookie theft, and malicious extensions remain hard to distinguish from ordinary browsing or legitimate SaaS use.
Q: Why do traditional network and endpoint controls miss so many browser attacks?
A: Because they observe traffic and device state, not the user’s actual actions inside the rendered page. A network stack can see that traffic went to a site, but it cannot tell whether a user pasted credentials, copied source code into GenAI, or completed an AiTM-assisted login. Session-level visibility is the missing layer.
Q: When should organisations prioritise secure browser controls over broader web controls?
A: When the main risk is what happens after a user has already reached a trusted site or SaaS app. If phishing, credential theft, extension abuse, or AI prompt leakage are your dominant concerns, the browser is the enforcement point. That is where the decision to allow, block, or investigate should be made.
Q: What is the difference between browser security and secure web gateway controls?
A: Secure web gateways primarily inspect and filter traffic, while browser security can observe and govern what happens inside the session itself. That difference matters for GenAI, credential theft, and session hijacking because the relevant action often occurs after the page loads. Browser-layer controls provide the contextual evidence SWGs cannot.
Technical breakdown
Why browser session attacks evade perimeter controls
Browser-based attacks succeed because the decisive events happen after a user reaches a legitimate-looking page or session. Credential entry, token exchange, cookie theft, malicious extension behavior, and data paste into unsanctioned apps all occur inside the rendered browser context. Network inspection sees traffic, endpoint tools see device state, and email security may catch the lure, but none of them fully observe the in-session action that turns access into compromise. That is why attacks such as AiTM phishing and session hijacking remain difficult to reconstruct without browser-layer telemetry.
Practical implication: teams need controls that observe browser sessions directly, not just perimeter traffic and endpoint state.
Browser controls for GenAI access and data loss
GenAI use creates a distinct browser governance problem because policy enforcement depends on seeing what users actually do inside the session. A secure web gateway can tell you that a user visited an AI app, but not whether they pasted source code, customer data, or regulated content into a prompt. Browser-layer controls close that gap by monitoring the interaction itself, which makes policy enforcement, data loss prevention, and audit evidence materially stronger. This is as much an identity problem as a data problem because the user session is the control point.
Practical implication: align GenAI policy with session visibility so sanctioned use can be enforced and unsanctioned data sharing can be detected.
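The gap described above is easiest to see side by side. The example below is added for this post and is not Push Security's, Omdia's, or any vendor's code: it compares what a destination-only gateway can decide about a paste into an AI app with what a browser-layer control can decide once it sees the pasted content. The hostnames, the policy outcomes, and the four sample paste events are all constructed assumptions.

```python
"""
In-session GenAI paste policy versus a destination-only gateway policy.

Added example for this post; not Push Security's, Omdia's, or any vendor's
code. Hostnames, policy outcomes, and the sample pastes are constructed.
"""
import re

# Assumed corporate AI tenant (sanctioned); anything else is unsanctioned.
SANCTIONED_AI_APPS = {"ai.corp.example.test"}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
CODE_MARKERS = ("import ", "def ", "return ", "function ", "#include", "=> ", ";\n")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so arbitrary digit runs are not flagged as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Content labels a browser-layer control can derive from the pasted text.
    A gateway never sees this text because the paste happens inside the page."""
    labels = set()
    for m in CARD_RE.findall(text):
        if luhn_ok(re.sub(r"\D", "", m)):
            labels.add("payment_card")
    if len(EMAIL_RE.findall(text)) >= 3:
        labels.add("customer_records")
    if sum(text.count(marker) for marker in CODE_MARKERS) >= 2:
        labels.add("source_code")
    return labels


def gateway_decision(domain: str) -> str:
    """All a destination-based web gateway can decide: where, not what."""
    return "allow" if domain in SANCTIONED_AI_APPS else "block"


def session_decision(domain: str, text: str) -> str:
    """Browser-layer policy that acts on destination and content together."""
    labels = classify(text)
    sanctioned = domain in SANCTIONED_AI_APPS
    if "payment_card" in labels:
        return "block"                      # regulated data never enters a prompt
    if sanctioned:
        return "allow_and_log" if labels else "allow"
    return "block" if labels else "allow_and_log"   # shadow AI: visible, data-gated


def evaluate(paste: dict) -> dict:
    """Both verdicts for one paste event, for comparison."""
    return {"gateway": gateway_decision(paste["domain"]),
            "session": session_decision(paste["domain"], paste["text"])}


# Constructed paste events as a browser-telemetry feed might report them.
SAMPLE_PASTES = [
    {"domain": "ai.corp.example.test",
     "text": "import os\ndef main():\n    return os.getcwd()\n"},
    {"domain": "chat.public-ai.test",
     "text": "Customer list: alice@corp.test, bob@corp.test, carol@corp.test"},
    {"domain": "ai.corp.example.test",
     "text": "Refund card 4111 1111 1111 1111 for order 10042"},
    {"domain": "chat.public-ai.test",
     "text": "Summarise the attached quarterly roadmap"},
]

if __name__ == "__main__":
    for paste in SAMPLE_PASTES:
        print(paste["domain"], sorted(classify(paste["text"])), evaluate(paste))
```

The third sample is the one that matters for the argument: the destination is sanctioned, so the gateway allows it, but the session-level control sees a Luhn-valid card number in the prompt and blocks. The fourth shows the opposite failure, a benign question to a public app that the gateway blocks outright while the session control can allow it and keep an audit record. The classifiers are deliberately simple heuristics; a production control would use the organisation's own DLP detectors.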
Secure enterprise browser deployment without browser migration
The market signal in the report is that organizations want security in their existing browser estate, not a forced migration. That is technically important because adoption speed, user friction, and telemetry coverage all depend on whether the control plane can sit on top of current browsers. In practice, browser security is being treated as an integration layer that connects identity, SaaS, DLP, and threat detection rather than as a replacement browser strategy. The architecture chosen will determine whether controls become widely deployed or remain a niche addition.
Practical implication: favour deployments that instrument the current browser estate and integrate with existing security tooling.
Threat narrative
Attacker objective: The attacker aims to turn a trusted browser session into authenticated access, data exposure, or downstream account compromise without triggering traditional perimeter detection.
- Entry begins in the browser session when a user opens a phishing page, uses an unsanctioned AI app, or installs a malicious extension.
- Credential access or abuse occurs through credential theft, cookie theft, AiTM interception, or session token misuse inside the live tab.
- Impact follows when the attacker reuses the session to access applications, leak data, or move laterally through authenticated SaaS access.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Browser-layer visibility is now an identity governance requirement, not a convenience feature. The report shows that the decisive security event increasingly occurs inside the session where authentication, data handling, and application use converge. That breaks the old assumption that network logs, endpoint data, and IAM logs together provide enough context to understand abuse. Practitioners should treat browser telemetry as part of the identity control plane.
Session-level attack paths expose a browser visibility gap that existing controls were not designed to close. Phishing, cookie theft, AiTM, malicious extensions, and AI prompt leakage all operate in the same interaction layer, but many security stacks still split those signals across separate tools. The result is delayed detection and weak forensic reconstruction. Security architecture needs to be evaluated by whether it can explain what happened inside the browser, not just whether it blocked traffic.
Browser security is becoming the control plane where human IAM, NHI access, and autonomous workflow risk meet. The browser now mediates SaaS login, GenAI usage, admin portals, and embedded automation. That means identity governance can no longer stop at provisioning and authentication events. If the browser session is where access is consumed, then it is also where abuse, leakage, and misuse must be governed.
GenAI usage control is the named concept emerging from this market shift. The browser has become the enforcement layer for sanctioned and unsanctioned AI use because policy alone does not reveal what users enter into prompts or what data they move through web apps. Without session visibility, organisations can claim policy coverage while remaining unable to prove enforcement. Practitioners should measure whether their AI governance can see the action, not just the destination.
Dedicated browser instrumentation is validating a broader shift toward in-session security enforcement. The market preference for protection inside existing browsers shows that organizations are moving away from controls that rely on migration or indirect telemetry. That validates a governance approach built around observing the live interaction surface. The practical implication is that identity and data controls will increasingly be judged by whether they can operate where the work actually happens.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
- Browser-layer governance matters because the same blind-spot pattern shows up across identity programmes, as explored in Ultimate Guide to NHIs, Key Challenges and Risks.
What this signals
Browser security is becoming a governance layer for identity-heavy workflows, especially where users interact with GenAI, SaaS, and privileged portals in the same session. The organisations that will struggle most are those still separating identity, data, and web controls into silos that do not share session context. Browser-level instrumentation is likely to become a prerequisite for proving policy enforcement, not just detecting attacks.
With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, per The State of Non-Human Identity Security, the browser visibility gap is part of a wider identity blind spot. The practical signal is that session telemetry, OAuth governance, and SaaS access review are converging into one operating problem. Teams should prepare for browser controls to feed both security operations and identity governance workflows.
Enterprises that can correlate browser activity with identity events will have a faster path to detection, investigation, and containment than teams relying on perimeter-only telemetry. That is especially true where AI usage, delegated access, and authenticated web sessions overlap.
For practitioners
- Instrument browser sessions directly: Prioritise controls that can observe credential entry, token creation, page interactions, and data movement inside the browser session rather than relying only on perimeter logs.
- Align GenAI policy with enforcement: Make sure sanctioned and unsanctioned AI use is enforceable at the session layer, especially where employees can paste source code, customer records, or regulated data into web prompts.
- Review extension risk as an identity issue: Treat malicious and vulnerable browser extensions as in-session supply chain risk because they can read page content, alter requests, and harvest sessions without traditional network alerts.
- Map browser telemetry to identity workflows: Correlate browser activity with login, SaaS, and privileged access events so analysts can distinguish normal user behaviour from credential theft, AiTM, or session reuse.
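The correlation asked for in the last item, and in the first key question above (distinguishing AiTM and session reuse from ordinary browsing by joining browser telemetry with identity logs), can be sketched in a few dozen lines. This example is added for this post and is not Push Security's, Omdia's, or any vendor's detection logic. The record layouts, the field names (`origin`, `client_ip`, `source_ip`, `session_id`), the trusted login origins, and every event in the two feeds are constructed assumptions about what a browser-telemetry feed and an IdP audit log might export.

```python
"""
Correlate browser-session telemetry with identity-provider (IdP) audit events.

Added example for this post; not Push Security's, Omdia's, or any vendor's
code. Record layouts, field names and all events below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed: hostnames where entering credentials is legitimate.
TRUSTED_LOGIN_ORIGINS = {"login.example-idp.test", "sso.example.test"}


@dataclass(frozen=True)
class BrowserEvent:
    ts: datetime
    user: str
    kind: str                      # "credential_entry" | "session_issued"
    origin: str                    # hostname of the rendered page
    client_ip: str                 # endpoint the browser is running on
    session_id: Optional[str] = None


@dataclass(frozen=True)
class IdpEvent:
    ts: datetime
    user: str
    kind: str                      # "login_success" | "session_use"
    source_ip: str                 # IP the IdP/SaaS saw the request from
    session_id: str


def detect_aitm(browser: List[BrowserEvent], idp: List[IdpEvent],
                window: timedelta = timedelta(minutes=5)) -> list:
    """Credential entry on an untrusted origin, followed by an IdP login for the
    same user from an IP that is not the user's endpoint: the login was relayed
    through a third party, which is the AiTM pattern."""
    findings = []
    for b in browser:
        if b.kind != "credential_entry" or b.origin in TRUSTED_LOGIN_ORIGINS:
            continue
        for i in idp:
            if (i.kind == "login_success" and i.user == b.user
                    and b.ts <= i.ts <= b.ts + window
                    and i.source_ip != b.client_ip):
                findings.append({"rule": "aitm_relay", "user": b.user,
                                 "phish_origin": b.origin,
                                 "login_ip": i.source_ip})
    return findings


def detect_session_reuse(browser: List[BrowserEvent], idp: List[IdpEvent]) -> list:
    """A session the browser saw issued to endpoint A is later used from B:
    consistent with cookie theft or session token replay."""
    issued = {b.session_id: b for b in browser if b.kind == "session_issued"}
    findings = []
    for i in idp:
        b = issued.get(i.session_id) if i.kind == "session_use" else None
        if b is not None and i.source_ip != b.client_ip:
            findings.append({"rule": "session_reuse", "user": i.user,
                             "session_id": i.session_id,
                             "issued_to": b.client_ip,
                             "used_from": i.source_ip})
    return findings


# Constructed sample feeds. Alice logs in normally; her session is later used
# from another address. Bob enters credentials on a look-alike page and the IdP
# then sees his login arrive from an IP that is not his endpoint.
T0 = datetime(2026, 5, 13, 9, 0, 0)
BROWSER_EVENTS = [
    BrowserEvent(T0, "alice", "credential_entry", "login.example-idp.test", "10.0.0.5"),
    BrowserEvent(T0 + timedelta(minutes=1), "alice", "session_issued",
                 "sso.example.test", "10.0.0.5", "s-alice-1"),
    BrowserEvent(T0 + timedelta(minutes=10), "bob", "credential_entry",
                 "examp1e-idp-login.test", "10.0.0.7"),
]
IDP_EVENTS = [
    IdpEvent(T0 + timedelta(seconds=30), "alice", "login_success", "10.0.0.5", "s-alice-1"),
    IdpEvent(T0 + timedelta(minutes=11), "bob", "login_success", "203.0.113.9", "s-bob-1"),
    IdpEvent(T0 + timedelta(minutes=20), "alice", "session_use", "10.0.0.5", "s-alice-1"),
    IdpEvent(T0 + timedelta(minutes=40), "alice", "session_use", "198.51.100.4", "s-alice-1"),
]


def run_correlation(browser=BROWSER_EVENTS, idp=IDP_EVENTS) -> list:
    """All findings from both rules over the two feeds."""
    return detect_aitm(browser, idp) + detect_session_reuse(browser, idp)


if __name__ == "__main__":
    for finding in run_correlation():
        print(finding)
```

Neither rule is expressible from one feed alone: the IdP log shows two successful logins that look ordinary, and the browser feed shows a credential entry with no way to know where the resulting authentication landed. Only the join over user, time window, and endpoint address separates Bob's relayed login and the reuse of Alice's session from normal activity.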
Key takeaways
- Browser-based attacks now land inside the session, which makes browser-layer visibility a core identity and security control.
- Omdia’s survey shows the market has already moved, with most organisations increasing investment and many treating browser security as a top-five priority.
- Practitioners should govern the browser as the place where identity, GenAI, and data handling intersect, because perimeter controls alone cannot explain what happens there.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Browser sessions now mediate identity use and access decisions. |
| NIST Zero Trust (SP 800-207) | SC-7 | In-session visibility supports continuous verification beyond perimeter trust. |
| OWASP Non-Human Identity Top 10 | NHI-04 | Browser-based SaaS access and delegated tokens create non-human identity risk. |
Map browser telemetry to access decisions and verify that session controls support least privilege.
Key terms
- Browser Session Telemetry: Browser session telemetry is the set of signals captured from what a user or workflow actually does inside the browser, including page actions, credential entry, token use, and data movement. It is more useful than traffic-only visibility when attacks or misuse happen after a page loads.
- Secure Enterprise Browser: A secure enterprise browser is a browser control model that applies security policy, monitoring, and enforcement inside the browser experience. It aims to observe and govern session behaviour directly, which makes it relevant for phishing resistance, data loss prevention, and AI use oversight.
- AiTM Phishing: AiTM phishing is an adversary-in-the-middle technique that intercepts a user’s authentication flow and session material in real time. The attacker sits between the user and the target service, which can let them steal cookies or tokens even when the login appears legitimate.
- GenAI Usage Control: GenAI usage control is the governance of how employees use public or corporate AI applications, including what data they can enter and what actions they can perform. In practice, it requires session-level visibility because policy alone does not show what was pasted, prompted, or exfiltrated.
Deepen your knowledge
Browser-based attack detection and session visibility are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your identity programme already has to account for browser-mediated access, it is worth exploring.
This post draws on content published by Push Security: analysis of Omdia's browser management and security research. Read the original.
Published by the NHIMG editorial team on 2026-05-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org