Browser visibility is becoming central to AI regulation compliance

At a glance

What this is: This is a Push Security commentary on AI regulation, browser visibility, and why current control layers miss critical AI tool activity.

Why it matters: It matters because IAM, NHI, and security teams need controls that can observe and govern browser-mediated access before compliance claims become theoretical.

👉 Read Push Security's analysis of browser visibility and AI regulation compliance

Context

AI regulation is increasingly about proving how AI tools are used, not just stating that governance exists. In practice, that means the browser has become an enforcement point because many AI interactions, approvals, and data exchanges happen there before they ever reach traditional IAM or EDR visibility.

For identity teams, the question is whether existing governance models can account for browser-based AI usage across human sessions, delegated access, and emerging non-human workflows. If the control plane cannot see the interaction point, it cannot reliably evidence compliance, reduce shadow AI risk, or enforce least privilege where the work actually occurs.

Key questions

Q: How should security teams govern AI use that happens in the browser?

A: Security teams should treat browser-based AI use as a governed session, not a side channel. That means tying browser telemetry to identity, access policy, and data controls so they can see who used which tool, what data moved, and whether the activity was sanctioned. Without that linkage, compliance evidence remains incomplete.

Q: Why do EDR and IAM leave gaps in AI compliance coverage?

A: EDR and IAM solve different problems, and neither fully describes what happens inside a browser session. EDR sees endpoint behaviour, while IAM sees authentication and authorisation, but browser-mediated AI use can sit between them. The result is a blind spot where policy may exist, yet the evidence needed to prove enforcement is missing.

Q: What do organisations get wrong about shadow AI risk?

A: They often treat shadow AI as a discovery problem when it is also an access governance problem. Most unsanctioned AI use begins with ordinary users, ordinary credentials, and ordinary browser sessions. If those sessions are not inventoried and controlled, the organisation will discover the problem only after data has already moved.

Q: What should organisations do before auditing AI regulation readiness?

A: They should establish where AI usage is actually observable and which browser events can serve as evidence. If access happens in the browser, then audit readiness depends on retaining the right session data, linking it to identity records, and proving policy enforcement at the point of use.

Background and context

Browser visibility as an identity control plane

Browser visibility shifts enforcement closer to the session where prompts, data access, and SaaS interactions occur. This matters because many AI workflows are not separate applications with neat authentication boundaries. They are embedded in the browser, where users paste data into AI tools, approve extensions, or move between business apps and model interfaces. Traditional EDR can see endpoints, but it often misses the identity context of what is being accessed, by whom, and under what policy. That creates a control gap between authentication and actual use.

Practical implication: map browser activity into your identity and access controls so AI usage can be governed as a session-level access event.

Why EDR and IAM leave a visibility gap

EDR is designed to detect suspicious endpoint behaviour, while IAM is designed to authenticate and authorise identities. Neither is built to fully interpret the browser as the place where AI access, data exposure, and policy breaches often happen. That gap becomes material when users interact with AI tools through SaaS tabs, browser extensions, or copied session tokens. The result is a partial picture: identity exists, endpoint exists, but the actual AI interaction remains under-observed. Compliance becomes hard to evidence when the core activity lives between those layers.

Practical implication: treat browser activity telemetry as a missing input to both identity governance and compliance reporting.

Browser-based AI control and shadow AI risk

Browser-based AI control is increasingly about finding unmanaged usage that never enters a sanctioned workflow. Shadow AI often appears as employees using public AI tools, browser plugins, or unapproved copilots with corporate data. Because these interactions are low-friction and session-based, they can expand faster than review cycles or software inventories. The governance problem is not only usage detection, but proving which identities, data sets, and tools were involved at the moment of access. That is where policy enforcement and telemetry have to converge.

Practical implication: inventory browser-level AI access paths before you try to certify compliance or retire shadow AI.

NHI Mgmt Group analysis

Browser visibility is becoming an identity requirement, not just a security enhancement. Once AI use moves into the browser, the organisation loses the clean separation between access, action, and evidence that classic IAM assumes. The control question is no longer whether users are authenticated, but whether the organisation can observe the identity action at the point of use. Practitioners should treat browser telemetry as part of the identity evidence chain.

AI regulation exposes a compliance gap that endpoint tooling alone cannot close. Regulatory language increasingly expects organisations to show how AI is used, governed, and monitored in practice. If that usage is mediated through browsers and SaaS sessions, endpoint-centric controls will not provide enough context to prove policy enforcement or data handling. Practitioners need to re-evaluate where evidence is collected and whether that evidence is usable in an audit.

Shadow AI is an access governance problem before it is a model governance problem. Unapproved AI usage usually starts with ordinary identities, ordinary sessions, and ordinary browser interactions. The issue is the absence of visibility and control over those interactions, not the sophistication of the AI system itself. That means governance teams should classify browser-mediated AI use as access sprawl first, and only then as a model-risk concern.

Browser-based control validates the convergence of IAM, NHI, and human session governance. Human users, delegated credentials, and non-human workflows now meet in the browser layer, which makes it a shared governance surface rather than a separate tooling domain. That convergence is the practical signal: identity programmes that still separate human and machine controls too sharply will miss the interaction layer where AI policy failures occur. Practitioners should design for one session view across all three identity types.

From our research:

• 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
• Partial visibility is the norm too, with 47% of organisations reporting only partial visibility into those connected vendors, according to the same research.
• For a broader view of how identity blind spots create governance debt, see Ultimate Guide to NHIs , Key Challenges and Risks.

What this signals

Browser control will increasingly sit alongside identity governance as a mandatory evidence source. When AI activity is mediated through the browser, governance teams need telemetry that can be tied back to identities, policies, and data handling. That makes browser visibility a compliance input, not a niche technical feature.

The practical signal for practitioners is that shadow AI discovery and browser telemetry should be planned together. If you cannot see the session where AI use occurs, you cannot reliably classify the identity, the data exposure, or the policy outcome.

With 1 in 4 organisations already investing in dedicated NHI security capabilities, according to The State of Non-Human Identity Security, the next wave of programme maturity will be about connecting those controls to browser-level evidence and audit workflows.

For practitioners

• Map AI usage at the browser layer Identify which approved and unapproved AI tools are reached through browsers, extensions, and embedded SaaS sessions. Capture session context, identity context, and data movement together so you can evidence who accessed what and when.
• Extend governance to browser-mediated sessions Treat browser events as governance signals, not just endpoint telemetry. Link them to access policy, acceptable use rules, and compliance evidence so reviews can show how AI interactions were controlled in practice.
• Close the shadow AI inventory gap Build an inventory of AI access paths that includes consumer tools, browser plugins, and browser-based copilots. Reconcile it against sanctioned applications and identity records so unsanctioned use can be identified before it becomes normalised.
• Align identity evidence with compliance requirements Define which browser events satisfy audit, legal, or regulatory evidence for AI usage. If the browser is where policy decisions are executed, your identity programme should be able to retain and report those events on demand.

Key takeaways

• AI regulation is pushing security teams toward browser-level evidence because that is where many AI interactions now occur.
• Endpoint and IAM tooling each see part of the picture, but neither fully captures the control path for browser-mediated AI use.
• Identity programmes need to treat browser sessions as part of governance if they want to detect shadow AI and prove compliance.

Key terms

• Browser-mediated AI use: AI activity that happens through a web browser rather than a dedicated, centrally governed application. It matters because the browser often becomes the place where data, identity, and policy intersect, leaving security teams needing session evidence as well as endpoint or IAM records.
• Shadow AI: AI tools or agents used without formal approval, inventory, or oversight. In practice, shadow AI is often invisible because it appears as ordinary browser activity or SaaS use, which makes discovery and governance part of the same problem.
• Identity evidence chain: The set of records that proves who accessed a system, what they did, and under what policy. For browser-based AI use, the evidence chain must include session context, access decisions, and data movement so compliance can be demonstrated later.

Deepen your knowledge

Browser visibility and AI session governance are covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is trying to connect access control, compliance evidence, and browser-based AI use, it is a strong place to start.

This post draws on content published by Push Security: AI regulation is here: how browser visibility and control can achieve compliance. Read the original.