TL;DR: Browser-based work now concentrates SaaS access, internal apps, AI tools, and sensitive data in one session, while browser phishing rose 140% year-over-year to 752,000 incidents in 2025, according to Surf Security. The control question is no longer whether browsers need protection, but whether identity, data, and session governance can move into the browser itself.
At a glance
What this is: This is an analysis of why the browser is becoming an enterprise control point, with the key finding that browser-native security is needed to govern sessions, data movement, and risky user actions.
Why it matters: It matters because IAM, PAM, and NHI programmes increasingly fail at the browser layer where people, contractors, and AI tools authenticate, interact with data, and trigger exfiltration.
By the numbers:
- In 2025, browser-based phishing attacks surged by 140% year-over-year, with 752,000 incidents identified.
- According to Gartner, by 2028, 25% of organizations will augment existing secure remote access and endpoint security tools by deploying at least one secure enterprise browser technology to address specific gaps.
👉 Read Surf Security's analysis of why secure browsers matter for enterprise security in 2026
Context
The browser has become the de facto access layer for enterprise work, which makes browser security a governance problem as much as a technical one. When SaaS, internal apps, partner portals, developer tools, and generative AI platforms all live in the same session, identity policy has to follow the session rather than stop at the network edge.
Traditional controls such as VPNs, proxies, VDI, and endpoint tools can still be useful, but they do not reliably govern what users do inside the browser. That leaves a gap for IAM, PAM, and NHI programmes, because the highest-risk actions now happen where credentials are entered, data is copied, and external tools are invoked.
For organisations with BYOD, hybrid work, contractors, and shadow AI, the browser is increasingly the only place where policy can be enforced consistently without over-controlling the device. That makes browser-level governance a practical extension of zero trust rather than a niche access product category.
Key questions
Q: How should security teams govern browser sessions in a zero-trust model?
A: Security teams should treat the browser session as the control point for identity, data handling, and risky actions. That means enforcing policy on access, downloads, uploads, copy and paste, extension use, and sharing activity inside the session, rather than relying only on network controls or endpoint posture.
Q: Why do browser controls matter for SaaS and AI usage?
A: Because most sensitive SaaS and AI interactions now happen inside the browser, where users paste data, upload files, and establish trusted sessions. If governance stops at login, organisations miss the highest-risk actions that occur after authentication and before data leaves the session.
Q: What breaks when organisations rely only on VPNs and endpoint tools for browser risk?
A: They lose direct visibility into session behaviour, so policy cannot reliably stop copy, paste, print, upload, or extension-driven abuse in real time. That creates a gap between access approval and actual data handling, which attackers and careless users can exploit.
Q: Who should own secure browser governance in an enterprise?
A: Ownership should sit across IAM, security architecture, endpoint, and compliance, with IAM leading the policy model because the browser is now an identity enforcement layer. The key is to assign clear accountability for session controls, extension governance, and data movement rules.
Technical breakdown
Why the browser has become the new policy enforcement point
A secure browser moves control into the web session itself. Instead of depending on perimeter tools to observe traffic after the fact, it can enforce policy at the moment a user opens an app, downloads a file, copies content, or launches a web-based AI tool. That matters because browser activity is now where identity, data handling, and application access converge. The architectural shift is from indirect inspection to direct session governance, which is much closer to zero trust in practice.
Practical implication: Treat the browser session as an enforcement layer, not just an access channel.
How data loss prevention changes when it sits inside the browser
Browser-native data protection is different from classic DLP because it can act on user behaviour inside the session. That includes blocking uploads, limiting copy and paste, controlling print actions, watermarking sessions, and constraining screen capture or sharing. The value is not only stopping malware or exfiltration, but controlling normal user actions that become security incidents when sensitive data crosses from a managed app into an unsanctioned destination.
Practical implication: Align browser DLP rules to the actual data handling paths users take, not only to file transfer events.
Why extension governance is an identity risk, not just a browser hygiene issue
Browser extensions can read page content, capture credentials, and interfere with session context, which makes them a governance issue for identity teams as well as endpoint teams. In an enterprise setting, an overprivileged or unsanctioned extension can effectively become a delegated actor inside the browser session. That is why extension discovery, allowlisting, risk scoring, and continuous monitoring matter: the browser is not just where identity is presented, it is where identity can be silently extended.
Practical implication: Classify browser extensions as part of your access surface and govern them with the same discipline as other delegated tooling.
NHI Mgmt Group analysis
Secure browser governance is now part of identity governance, not a separate security niche. The browser is where authentication, authorisation, and data handling increasingly converge for people, contractors, and AI-assisted workflows. That means IAM teams cannot stop at SSO or endpoint posture, because the decisive controls now sit inside the session. Practitioners should treat browser policy as an identity enforcement problem with direct governance impact.
Browser-based phishing is a session problem, not just a user-training problem. The article’s threat picture shows that attackers are exploiting the exact place where trust is established and maintained, which is the browser session. That shifts the defensive question from how to harden logins alone to how to constrain session behaviour after login. Security teams should therefore measure whether browser controls reduce the attacker’s usable session, not just whether they block initial sign-in.
Shadow AI makes the browser a data governance choke point. Users can paste sensitive information into external AI tools, upload regulated files, or move data between sanctioned and unsanctioned apps without ever touching a network perimeter control. The new governance concept here is session-level data movement control: the organisation must decide what data can be handled inside a browser session at all. Practitioners need to recognise that the browser is now where AI usage becomes an identity and data exposure issue.
Secure browser adoption will pressure legacy remote access architecture. If a browser can enforce app-level access, DLP, extension governance, and session logging, then parts of VPN, VDI, and proxy-based control stacks become harder to justify for many workflows. That does not mean immediate replacement, but it does mean architecture reviews should be based on user workflow and control gaps rather than inherited tool boundaries. Teams should re-evaluate which access scenarios still require heavier infrastructure.
Third-party access is where browser-centric control delivers the clearest governance value. Contractors and partners often need access to a narrow set of apps without receiving broad network exposure or unmanaged device trust. Browser-based controls support that narrower trust model better than legacy remote access patterns. For identity leaders, the practical conclusion is that browser governance should be part of the contractor access strategy, not an afterthought in endpoint policy.
From our research:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Browser-centric policy should be read alongside The 52 NHI breaches Report, which shows how quickly exposed credentials and delegated access can turn into real compromise pathways.
What this signals
Session-level control is becoming the practical boundary for modern identity programmes. When work, AI tools, and third-party access all converge in the browser, identity teams need a policy model that can decide what users may do after authentication, not only whether they can log in. The organisations that standardise browser controls now will have a cleaner path to govern contractors, BYOD, and web-based AI without expanding perimeter complexity.
The browser also changes how security leaders should think about risk measurement. If browser-based phishing, extension abuse, and unmanaged data movement are the main exposure paths, then success should be measured by whether the organisation can narrow session blast radius, not by the number of login events blocked. That is a materially different governance outcome and one that aligns with zero trust in a way legacy access tooling often does not.
The strategic implication is that browser control will increasingly sit alongside IAM, PAM, and endpoint policy as a core part of access governance. Programmes that ignore the browser will keep finding the same problem in different forms, especially in SaaS-heavy environments where the session is the environment.
For practitioners
- Map browser session controls to identity policy Inventory which login, upload, download, copy, paste, print, and sharing actions are currently governed outside the browser. Then decide which of those controls should be enforced at the session layer for SaaS, internal apps, and generative AI tools.
- Govern browser extensions as delegated access Create an allowlist and review process for browser extensions that can access page content, credentials, or session state. Tie approval to risk scoring, business need, and ongoing monitoring so extensions do not become unmanaged identity amplifiers.
- Redesign contractor access around browser-native trust Replace broad remote access patterns with controlled browser access for partners, vendors, and developers wherever possible. Limit the session to required apps and data paths, and avoid exposing the broader environment when a narrower browser workflow will do.
- Measure data handling inside SaaS and AI sessions Track where sensitive data is copied, uploaded, printed, or shared in the browser, especially in unsanctioned AI tools. Use those signals to prioritise policies that reduce data movement rather than only reducing login risk.
Key takeaways
- The browser is no longer just a workspace, it is the primary enforcement point where identity, data, and application access intersect.
- Browser-based phishing, extension misuse, and shadow AI make session governance a control requirement, not an optional enhancement.
- Identity teams should decide now which browser actions must be policy-controlled, because legacy perimeter tools cannot reliably manage them.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207), NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-07 | Browser sessions now govern delegated access and data handling for non-human and human identities. |
| NIST CSF 2.0 | PR.AC-4 | Browser policy enforces least-privilege access and session-level authorisation. |
| NIST Zero Trust (SP 800-207) | The article frames browser-centric zero trust as the enforcement point for continuous verification. | |
| NIST SP 800-53 Rev 5 | AC-6 | Browser policy limits what users can do after access is granted, which is least privilege in practice. |
| CIS Controls v8 | CIS-6 , Access Control Management | Browser governance is a direct extension of access control management across web sessions. |
Extend access control management to browser sessions and standardise controls for unmanaged devices and third-party access.
Key terms
- Secure Browser: A secure browser is an enterprise-controlled browser or browser layer that enforces policy directly in the web session. It governs access, data movement, extension use, and logging at the point where work happens, rather than depending only on perimeter or endpoint controls.
- Session-Level Data Movement Control: Session-level data movement control is the practice of constraining how information can be copied, uploaded, printed, shared, or exported during an active browser session. It matters because many breaches begin with ordinary user actions, not malware or exploit chains.
- Browser Extension Governance: Browser extension governance is the process of discovering, approving, restricting, and monitoring extensions that can influence page content and user sessions. In practice, it treats extensions as delegated access inside the browser, with risk controls similar to other identity-linked tooling.
- Browser-Centric Zero Trust: Browser-centric zero trust applies continuous verification and least-privilege enforcement inside the browser session instead of assuming trust at the network or device boundary. For modern work, it is a practical way to govern SaaS, contractor access, and AI-assisted workflows.
What's in the full article
Surf Security's full blog post covers the operational detail this post intentionally leaves for the source:
- A feature-by-feature breakdown of secure browser capabilities for SaaS, BYOD, and contractor access scenarios.
- Implementation examples for extension auditing, session logging, and data loss prevention inside the browser.
- Practical guidance on evaluating browser-based zero-trust controls against VDI, VPN, and proxy-heavy access stacks.
- The article's own positioning on where secure browsers fit into a broader enterprise security architecture.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-05-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org