Browser telemetry is changing how teams quantify identity risk

At a glance

What this is: This analysis argues that browser telemetry makes identity risk materially more measurable by exposing credential abuse, shadow AI, OAuth sprawl, and login weakness in real time.

Why it matters: It matters because IAM and security teams cannot model or reduce identity risk accurately if they only measure IdP controls and ignore browser-level attack paths across NHI, autonomous, and human identity surfaces.

By the numbers:

• 1 in 3 phishing payloads intercepted by Push are delivered outside of email.
• 4 in 5 ClickFix payloads intercepted by Push arrive via search engines, not email.
• 17 unique AI app integrations per organization in Microsoft and Google alone.
• 46.76% have the permission combinations required for account takeover without user interaction.

👉 Read Push Security's analysis of browser telemetry and identity risk quantification

Context

Identity risk is increasingly a browser problem, not just an IdP problem. Credential phishing, device code phishing, OAuth consent abuse, session hijacking, and malicious extensions all leave observable traces in the browser, which is why traditional risk models built only on network, endpoint, or cloud telemetry miss part of the attack surface.

The central issue is measurement. Security teams can estimate account compromise risk with FAIR or a risk matrix, but those models are only as good as the inputs they receive, and the article argues that browser telemetry supplies higher-fidelity data for threat event frequency and control failure rates.

For IAM and NHI programmes, that changes the governance conversation. Controls such as MFA, SSO, secrets handling, OAuth app approval, and extension monitoring need to be evaluated against what actually happens in the browser, because many modern identity attacks bypass the assumptions those controls were built around.

Key questions

Q: How should security teams use browser telemetry in identity risk modelling?

A: Use browser telemetry to measure real attacker exposure instead of relying only on inherited benchmarks. Login behaviour, OAuth grants, extension activity, and session traces reveal threat event frequency and control failure patterns that central IdPs often miss. That makes the model more defensible to leadership and more useful for prioritising identity controls.

Q: Why do MFA and SSO not fully cover browser-based identity attacks?

A: MFA and SSO reduce risk at authentication, but many attacks succeed after authentication has already occurred. OAuth consent abuse, device code phishing, session hijacking, and malicious extensions can all bypass login-centric assumptions. Teams need to measure in-session and delegated-access behaviour, not just login compliance.

Q: How do organisations know if shadow AI is becoming a governance problem?

A: Shadow AI becomes a governance problem when users self-provision AI SaaS apps that retain tokenised access to company data without approval or review. A rising count of unapproved integrations, unknown owners, or broad OAuth scopes is the clearest signal that delegated access has escaped control.

Q: What should teams do when browser telemetry shows frequent non-email phishing?

A: They should expand threat models beyond email and align detection with the channels attackers actually use. Search ads, messaging apps, social platforms, and clipboard-based lures can all drive identity compromise, so email-only controls understate exposure and misdirect investment.

Technical breakdown

Browser telemetry as an identity risk signal

Browser telemetry is the collection of login events, OAuth activity, extension behaviour, and in-session identity interactions as they happen. That makes it materially different from endpoint logs or IdP reports, because many identity attacks are decided and executed in the browser before central controls see them. For quantitative risk work, this matters because threat event frequency and control failure rates can be derived from observed behaviour rather than industry averages. The result is not perfect certainty, but a much more defensible baseline for account takeover and credential abuse modelling.

Practical implication: teams should treat browser telemetry as a primary input to identity risk models, not as a nice-to-have detection layer.

Shadow AI and OAuth sprawl

Shadow AI in this context means unmanaged AI SaaS connections that users self-provision, often through OAuth. Once a user authorises a third-party app, the security boundary shifts from authentication to delegated access, where stored tokens can outlive user intent and bypass IdP controls. The article’s point is that these app connections often sit outside conventional governance because they are not visible in standard access reviews or risk matrices. That makes OAuth sprawl a governance problem as much as an access problem, especially when browser telemetry shows how many integrations actually exist.

Practical implication: organisations need a discovered inventory of OAuth-connected apps before they can claim meaningful control over delegated identity risk.

Why identity attacks escape traditional control assumptions

Many modern identity attacks succeed after the login flow, which means password strength, MFA coverage, and SSO adoption do not address every failure mode. Device code phishing, consent abuse, and session theft operate inside authorised browser sessions or on the edges of them, where the real issue is not authentication failure but misuse of authorised access. That changes the shape of risk modelling. The control question becomes whether the organisation can observe, score, and constrain browser-mediated identity behaviour, not merely whether the initial login was compliant.

Practical implication: identity governance should expand beyond authentication posture to include in-session behaviour and delegated access pathways.

Threat narrative

Attacker objective: The attacker’s objective is to convert browser-mediated identity trust into durable access that reaches downstream applications, secrets, and data.

1. Entry begins in the browser through non-email channels such as search, social media, malvertising, or clipboard-based ClickFix lures that deliver the user to a malicious page.
2. Credential access or abuse occurs when the victim authorises a malicious OAuth app, enters credentials into a phishing flow, or completes a device code prompt that hands control to the attacker.
3. Escalation follows when the attacker reuses the session, token, or delegated access to reach downstream SaaS dashboards, API keys, source code, or internal applications.
4. Impact is achieved when identity-controlled browser access becomes a bridge into broader enterprise systems, allowing account takeover, data access, or operational compromise.

Breaches seen in the wild

• Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
• 230M AWS environment compromise — 230M AWS environments compromised via exposed .env files with cloud credentials.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

Browser telemetry creates a different category of risk evidence: Identity risk has usually been measured with inferred probabilities, not directly observed attacker behaviour. When the browser becomes the execution environment, frequency, control weakness, and user interaction are all visible in-session. That makes browser telemetry one of the few places where quantitative security teams can replace broad assumption with environment-specific evidence.

Shadow AI is now an identity governance issue, not just an application inventory issue: The article’s 17 AI app integrations per organisation show how quickly delegated access can accumulate outside approval workflows. Those connections create a governance blind spot because OAuth grants are often treated as a convenience layer instead of as standing identity relationships. Practitioners should read that as evidence that discovered app sprawl is itself a control signal.

Identity risk matrices fail when they model only the controls they can already see: The article exposes a named concept we should call browser-visible identity exposure, meaning the measurable gap between actual browser-mediated attack paths and the narrower set of risks captured in IdP-centric assessments. That gap is why many programmes undercount credential phishing delivered outside email, extension abuse, and post-login token misuse.

Authentication hygiene is only one dimension of vulnerability: The article shows that MFA, SSO, and password quality can all be bypassed by attacks that operate after authentication has succeeded. That means risk programmes built around login compliance alone are structurally incomplete. The implication is not that those controls are irrelevant, but that they do not describe the full loss event frequency for identity attacks.

Quantitative IAM will increasingly depend on browser-layer observation: The most defensible models will use observed identity behaviour to estimate threat event frequency and vulnerability instead of imported benchmarks. That aligns browser telemetry with NIST CSF and Zero Trust thinking, but the deeper point is that the measurement problem is now an identity instrumentation problem. Practitioners should expect boards to ask for actual exposure data, not just control attestations.

From our research:

• 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
• 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
• Browser-level visibility changes the governance question from whether an identity exists to whether its access can be observed, constrained, and revoked before misuse spreads.

What this signals

Browser telemetry will increasingly become the evidence layer for identity governance because it captures the behaviour that IdP-only reporting misses. With 92% of organisations exposing NHIs to third parties, the governance boundary is already wider than most access reviews assume.

Browser-visible identity exposure: this is the gap between what security teams think they control at the identity layer and what users can actually authorize in the browser. As organisations add AI apps, extensions, and delegated SaaS connections, that exposure becomes a measurable programme risk rather than a theoretical blind spot.

Teams that still model identity risk from email phishing alone will undercount real exposure. The article’s broader signal is that browser-derived telemetry should feed quantitative models, access policy, and review scope at the same time, especially where delegated access can persist beyond the original login event.

For practitioners

• Instrument browser-layer identity telemetry Collect login, OAuth, extension, and session events so identity risk models are based on observed behaviour rather than boardroom estimates.
• Inventory shadow AI and delegated apps Build a discovered list of unapproved AI SaaS connections, with token scope, owner, and business justification, then compare it to approved app policy.
• Measure post-login control gaps Track the share of logins that are password-only, lack MFA, or occur outside central IdP visibility to understand where authentication assumptions break down.
• Watch for browser-based delivery channels Include search, social, messaging, and clipboard-triggered lures in threat event frequency calculations instead of relying on email-only phishing metrics.

Key takeaways

• Browser telemetry gives security teams a stronger basis for quantifying identity risk because it captures attacks that happen after or around the login flow.
• Identity programmes that ignore shadow AI, OAuth sprawl, and browser-based delivery channels will systematically understate their actual exposure.
• The practical shift is from measuring only authentication posture to measuring in-session behaviour, delegated access, and browser-mediated control failure.

Key terms

• Browser-visible identity exposure: The gap between identity access that exists in practice and the subset security teams can actually see in traditional IAM reports. It includes OAuth grants, in-browser session behaviour, extension activity, and delegated app access that may never appear in a central access review.
• Shadow AI: Unapproved AI applications or integrations that users connect to enterprise data without formal security oversight. In practice, it often appears as OAuth-authorised SaaS access that can persist beyond the original user action and create hidden identity, data, and governance risk.
• Ghost login: A login or account session that occurs outside the visibility of the central identity provider, often in downstream applications or federated services. These sessions can be difficult to govern because they are real access events, but they may not show up in the primary IAM control plane.

Deepen your knowledge

Browser telemetry for identity risk quantification is covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a governance model that needs better evidence than estimates, it is worth exploring.

This post draws on content published by Push Security: Browser telemetry is changing how teams quantify identity risk. Read the original.