TL;DR: AI regulations in the US, EU, and UK are converging on obligations that many organisations cannot meet without browser visibility into AI tool use, according to Push Security. The hard part is not the regulation itself, but the fact that existing controls often miss what happens inside the browser.
At a glance
What this is: This is a Push Security editorial on why browser visibility is becoming a control point for AI governance and compliance.
Why it matters: It matters because IAM, NHI, and human access teams need visibility into where AI tools are actually used before they can govern data, sessions, and authorisation consistently.
👉 Read Push Security's analysis of AI regulation, browser visibility, and compliance
Context
Browser activity is where many AI tool interactions now happen, but most governance programmes still treat the browser as a blind spot rather than an identity and control boundary. That gap matters because compliance obligations increasingly depend on proving what users and tools did in-session, not just who signed in.
For IAM and NHI teams, the issue is not only authentication. It is the control gap between identity proof, browser-based action, and downstream data access, especially when employees use AI tools through unmanaged web sessions. That makes browser visibility a governance problem as much as a security one.
Key questions
Q: How should security teams govern AI tool use in the browser?
A: Security teams should govern AI tool use at the browser layer by tying session activity to identity, policy, and audit evidence. That means monitoring what happens after sign-in, identifying data exposure paths, and enforcing rules where the user actually interacts with AI services. IAM remains necessary, but it is no longer sufficient on its own.
Q: Why do traditional IAM controls miss browser-based AI risk?
A: Traditional IAM controls miss browser-based AI risk because they are strongest at authentication and access grant, not at observing in-session behaviour. A user can log in legitimately and still expose data, use an unsanctioned AI service, or create compliance exposure inside the browser without generating a meaningful IAM violation.
Q: What breaks when AI governance stops at sign-in?
A: When AI governance stops at sign-in, organisations lose visibility into the actions that actually create risk. That breaks auditability, weakens policy enforcement, and makes it hard to prove whether sensitive data was handled appropriately. The result is a control gap between identity proof and behavioural control.
Q: How can teams tell whether browser visibility is actually working?
A: Teams can tell browser visibility is working if it produces usable evidence about AI sessions, data handling, and policy enforcement decisions. The signal is not volume of telemetry, but whether security and compliance teams can reconstruct what happened in the browser and link it back to a responsible identity.
Background and context
Why browser visibility matters for AI tool use
The browser has become the execution layer for many SaaS and AI interactions, which means the security boundary is no longer limited to login events. Authentication tells you who entered, but it does not explain what happened inside the session, which page was loaded, what data was copied, or which AI service received the input. Browser visibility closes part of that gap by observing in-session behaviour, including web apps and AI tool usage that traditional endpoint or network controls may miss.
Practical implication: teams should treat browser telemetry as part of identity governance, not just security monitoring.
Compliance obligations now depend on session-level evidence
When AI regulation and internal policy require accountability, teams need evidence of how AI tools are used, not only whether access was granted. That shifts the problem from coarse authentication to detailed session observation, policy enforcement, and auditability. In practice, browser control can help establish whether sensitive data was exposed to an AI application, whether a user action bypassed policy, and whether the activity can be tied back to an accountable identity.
Practical implication: compliance teams should define what browser-level evidence is needed before auditors ask for it.
Browser controls expose the gap between identity and application risk
Identity systems often assume control ends at successful sign-in, but modern AI use cases break that assumption. Users can authenticate legitimately and still create risk by pasting sensitive material into unsanctioned tools, chaining browser sessions across applications, or using AI features that are invisible to central policy engines. Browser-based controls do not replace IAM, but they reveal where IAM stops and application behaviour begins.
Practical implication: security architects should map which AI use cases require browser enforcement because IAM alone will not cover them.
NHI Mgmt Group analysis
Browser visibility is becoming the missing control plane for AI governance. Authentication and SaaS policy were designed for access decisions, not for observing what users and tools do after the session begins. That gap becomes more obvious as AI use moves into the browser, where sensitive data can be entered, transformed, and exfiltrated without ever creating a clean identity event. Practitioners should treat browser telemetry as a governance signal, not an optional extra.
Compliance pressure is forcing security teams to prove behaviour, not just permission. The article reflects a broader shift in control design: regulators and auditors increasingly care about observable usage, data handling, and accountability inside the session. That changes the burden on IAM, because sign-in alone no longer demonstrates controlled use of AI services. Practitioners should expect browser evidence to become part of identity assurance.
Identity programmes that stop at the login boundary will misread AI risk. Many organisations still equate access control with the authentication checkpoint, but browser-mediated AI use shows how quickly sanctioned access can become unsafe behaviour. That is true across human identity, NHI-assisted workflows, and emerging agentic use cases where the browser becomes the place where decisions are executed. Practitioners should align controls to the point of action, not just the point of entry.
Browser visibility creates a useful named concept: session-bound AI control. The practical problem is that AI policy must follow the session, because the risk is created by what happens after authentication and before data leaves the browser. This is not only an endpoint issue or a DLP issue. Practitioners should design controls around session-bound AI control when the browser is the real execution environment.
From our research:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
- The governance shift is wider than browser controls alone, so practitioners should also review Top 10 NHI Issues to map where visibility gaps intersect with identity sprawl.
What this signals
Session-bound AI control: browser visibility will matter most where governance depends on proving what happened after authentication, not just whether access was granted. That makes browser telemetry a bridge between IAM, compliance, and data protection when AI use is embedded in everyday work.
With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, per The State of Non-Human Identity Security, the same visibility problem is now appearing in AI-adjacent browser workflows.
Practitioners should expect policy questions to move closer to the point of use. The organisations that can correlate identity, browser behaviour, and data handling will have a clearer path to control than those relying on sign-in records alone.
For practitioners
- Map AI use cases to the browser boundary Inventory where employees actually interact with AI tools, including unsanctioned browser sessions, and document which workflows never pass through existing IAM checkpoints.
- Define session evidence requirements for audits Specify what must be logged at the browser layer, including data entry, page context, and AI tool usage, so compliance teams can answer regulator questions with evidence rather than inference.
- Align policy enforcement to in-session behaviour Apply controls where the risky action occurs, not only at authentication, and route sensitive browser activity into review workflows when policy cannot be enforced automatically.
- Separate sanctioned AI access from uncontrolled web use Distinguish approved AI services from general-purpose browser access, then decide which identities need browser enforcement because IAM, by itself, cannot observe downstream data handling.
Key takeaways
- Browser-based AI use changes the control boundary, because the most important security events now happen after authentication.
- The scale of the visibility problem is already material, and governance teams need evidence they can defend in audits and investigations.
- Browser telemetry will increasingly sit alongside IAM and NHI controls as practitioners try to prove accountability for AI-driven workflows.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Session-level access control is central to browser-based AI governance. |
| NIST AI RMF | AI governance needs accountability for how tools are used in practice. | |
| NIST Zero Trust (SP 800-207) | Zero Trust requires continuous verification beyond initial authentication. |
Extend access control beyond sign-in and capture in-session browser activity for sensitive AI use.
Key terms
- Browser visibility: Browser visibility is the ability to observe and govern what happens inside the web session, not just who authenticated. It includes page context, data entry, service usage, and policy-relevant actions that traditional IAM checkpoints often miss.
- Session-bound AI control: Session-bound AI control is governance that follows the user or tool through the active browser session. It matters when the risk is created by in-session behaviour, such as pasting sensitive data into an AI service or using an unsanctioned web app.
- Identity control boundary: The identity control boundary is the point at which identity evidence stops being enough to explain risk. In modern browser-based workflows, that boundary often sits after authentication, where application behaviour, data handling, and downstream sharing become the real security concerns.
Deepen your knowledge
Browser visibility, session evidence, and identity-linked AI governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is trying to govern AI use where it actually happens, the course is a practical place to start.
This post draws on content published by Push Security: AI regulation is here: how browser visibility and control can achieve compliance. Read the original.
Published by the NHIMG editorial team on 2026-06-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
