TL;DR: VDI is increasingly described as an expensive workaround for hybrid work because it adds server, license, and image-management overhead while still leaving shadow IT, browser-based AI tools, and unmanaged devices in play, according to Surf Security. The governance shift is toward session-level browser controls that can enforce policy on unmanaged endpoints without pretending the desktop boundary still works.
At a glance
What this is: This article argues that VDI no longer fits browser-centric work and that session-level secure browsers are the newer control model being positioned against it.
Why it matters: It matters because identity, access, and data controls now need to follow the browser session across managed and unmanaged devices, including contractor access and shadow AI use.
By the numbers:
- Up to 70% cost reduction by eliminating backend compute and license overhead
- 90% of work happens in the browser from CRM to cloud IDEs
👉 Read Surf Security's analysis of why VDI is giving way to secure browsers
Context
VDI was built for a desktop-centric access model, but modern work now happens through browsers, SaaS applications, and cloud IDEs. That shift creates a governance gap: controlling the remote desktop no longer guarantees control over the session, the data path, or the identity context behind the session.
For identity and access teams, the practical question is no longer whether a user can reach a virtual desktop, but whether policy follows the person, device, and session everywhere the browser is used. That is where browser-based controls intersect with IAM, PAM, NHI oversight, and data protection for unmanaged endpoints.
Key questions
Q: When is VDI the wrong control model for remote work?
A: VDI becomes the wrong control model when most work already happens in the browser through SaaS, cloud IDEs, and web apps. In that case, the desktop layer adds cost and complexity without fully controlling the real session where data is accessed, copied, or uploaded. Teams should prefer controls that govern the browser session directly when the browser is the true work surface.
Q: Why does browser-based work create new identity governance issues?
A: Browser-based work shifts control away from the desktop and toward the identity context behind each session. That matters because access, data handling, contractor use, and AI tool adoption can all occur from unmanaged devices. Identity teams need policy that follows the session, not just login, or they will miss where actual risk is introduced.
Q: How should security teams govern shadow AI in browser environments?
A: Security teams should treat shadow AI as an access and data governance issue, not just a monitoring problem. That means identifying which browser-based AI tools are in use, what data they can reach, and which identities are allowed to use them. The control objective is to make AI usage visible and policy-bound before it becomes unapproved workflow behaviour.
Q: What should organisations do before replacing VDI with a secure browser model?
A: Organisations should first classify which workflows truly need desktop virtualization and which can be governed at the browser session. Then they should test whether data protection, conditional access, and monitoring can be enforced consistently across managed and unmanaged endpoints. If not, the browser model needs more design work before VDI is retired.
Technical breakdown
Why VDI becomes a weak control plane for browser work
VDI centralises a desktop image, but it does not inherently centralise the browser behaviours that now dominate enterprise work. Users still interact with SaaS apps, browser extensions, local downloads, and AI tools that sit outside the virtual desktop boundary. That makes VDI expensive to run and only partially effective for controlling the actual workflow. The problem is architectural: the security boundary is placed around the desktop instead of the session where data is accessed, copied, pasted, uploaded, or shared.
Practical implication: assess whether your control boundary matches where sensitive work actually occurs, not where legacy infrastructure is easiest to manage.
How zero-trust browser controls change session governance
A secure browser model shifts enforcement to the session itself. In practice, that means applying access policies, data loss controls, phishing protections, and monitoring directly where the user executes the work, rather than relying on a streamed desktop. This is closer to zero-trust thinking because the device can be managed or unmanaged, but the session still receives policy based on identity, context, and risk. It also creates a clearer place to inspect browser-mediated interactions, including AI tools that may otherwise bypass traditional controls.
Practical implication: evaluate whether session-level policy can reduce the need for full desktop virtualization in BYOD and contractor scenarios.
Why shadow AI makes browser governance an identity problem
The article’s mention of shadow AI is the key identity signal. Browser-based AI tools are often adopted outside formal procurement or identity governance, which means access, data exposure, and usage patterns can drift beyond approved controls. If the browser is the work surface, then unmanaged AI use becomes an access governance issue as much as a security monitoring issue. The same applies to service access delivered through browser sessions, where identity assurance and policy enforcement need to persist throughout the interaction, not just at login.
Practical implication: bring browser AI usage, unmanaged sessions, and access policy into the same governance review cycle.
NHI Mgmt Group analysis
VDI is being displaced not just by cost pressure, but by a control mismatch. When work moves into SaaS and browser-native workflows, desktop virtualization can no longer guarantee that policy is applied where the data is actually handled. The broader lesson for IAM and security teams is that access governance must follow the session, not the workstation. That is a structural change in control design, not a tooling preference.
Session-bound policy enforcement is becoming the more relevant governance concept for browser-first enterprises. The article points to a model where access, data protection, and monitoring are enforced in the browser rather than in a virtual desktop layer. That aligns more naturally with least privilege, context-aware access, and remote work realities. For practitioners, the question is whether their current access model can enforce controls at the moment of use.
Shadow AI turns browser management into an identity and data governance problem. If employees can reach AI tools from unmanaged browsers or BYOD devices, then security teams need visibility into who is using what, with which data, and under which policy. That creates overlap between IAM, data security, and emerging NHI-style governance for software-mediated work patterns. Practitioners should treat browser AI usage as a governed access surface, not an informal productivity choice.
The move away from VDI signals a broader shift from infrastructure control to policy control. Enterprises are being pushed toward controls that are lighter to operate but more precise at enforcement time. That does not eliminate identity governance, it raises the bar for it because access decisions now need to be context-sensitive and session-aware. Teams that keep using infrastructure scale as their proxy for security maturity will miss where modern access risk has actually moved.
For identity programmes, browser-native work is becoming the new perimeter for governance decisions. The meaningful control point is no longer the remote desktop, but the identity-bound session that reaches SaaS, AI tools, and cloud apps. Practitioners should align browser governance, conditional access, and data handling policy around that reality.
What this signals
Session governance is becoming the practical middle layer between identity and browser security. For programmes that support BYOD, contractors, and SaaS-heavy workflows, the next control discussion is not whether a user can log in, but whether policy can persist throughout the browser session. That makes session context, device trust, and data handling enforcement the programme variables that matter most.
Shadow AI accelerates the need for browser-visible access policy. Once AI tools are used inside the browser, identity teams lose the comfort of clean application boundaries and gain a new obligation to understand where data and prompts are flowing. Programmes that already struggle with unmanaged access should expect the same pattern to reappear in browser-mediated AI usage.
Identity programmes that still equate control with infrastructure depth will overinvest in the wrong layer. The useful question now is whether the access model can enforce policy at the point of use across managed and unmanaged devices. That is where browser governance, conditional access, and data policy converge.
For practitioners
- Map your current control boundary to the actual work surface Inventory where users handle sensitive data, including SaaS apps, cloud IDEs, and browser-based AI tools, then compare that to where your existing VDI, endpoint, and access controls terminate. If the control boundary stops at the desktop but the work happens in the browser, you have a governance gap.
- Evaluate session-level enforcement for unmanaged devices Test whether access policy, DLP, phishing protection, and monitoring can be enforced in the browser for BYOD and contractor use without requiring a virtual desktop. Focus on whether the session can be governed consistently across managed and unmanaged endpoints.
- Bring shadow AI into access governance reviews Add browser-based AI usage to your access review and data handling process so informal adoption is visible before it becomes a policy exception. Treat AI tool access as part of the broader session governance model, not as a separate productivity issue.
- Reassess VDI as a default control for remote access Identify the workloads where VDI still adds value, then separate them from browser-native use cases where the infrastructure overhead is disproportionate to the control gained. That helps you reserve VDI for the narrow cases that truly require it.
Key takeaways
- VDI is losing relevance because it controls a desktop layer that no longer matches how most work is done.
- Browser-native work turns session governance, shadow AI visibility, and unmanaged-device policy into core identity concerns.
- Practitioners should test whether their controls can follow the session before committing to a broader move away from VDI.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | The article is about access policy enforcement across sessions and devices. |
| NIST SP 800-53 Rev 5 | AC-6 | Least-privilege access is central to session-level browser governance. |
| NIST Zero Trust (SP 800-207) | The piece argues for continuous policy enforcement over trusted desktop assumptions. | |
| ISO/IEC 27001:2022 | A.5.15 | Access control policy is directly relevant to browser-based session governance. |
Map browser-session access decisions to PR.AC-4 and verify policy still applies on unmanaged endpoints.
Key terms
- Session-level enforcement: Session-level enforcement is the application of security policy at the point where a user actively interacts with data and applications. Instead of relying only on device or network trust, the control follows the live browser session, which is increasingly where modern work and risk both happen.
- Shadow AI: Shadow AI refers to AI tools and services used inside an organisation without formal approval, visibility, or governance. In browser-first environments, it often appears as unsanctioned web-based AI usage that can expose data, create compliance issues, and bypass normal access review processes.
- Virtual Desktop Infrastructure: Virtual Desktop Infrastructure is a centralised desktop delivery model that streams or hosts user desktops from a server environment. It can simplify some management tasks, but it often adds cost and complexity when the real work takes place in browser-based applications rather than in the desktop itself.
- Zero-trust secure browser: A zero-trust secure browser is a browser control model that applies access and data policies directly within the browsing session. It is designed to govern work on managed and unmanaged devices without assuming the endpoint itself is fully trustworthy.
What's in the full article
Surf Security's full article covers the operational detail this post intentionally leaves for the source:
- A closer look at how the secure browser model is deployed across managed and unmanaged devices.
- The vendor's before-and-after comparison of VDI overhead versus browser-based access operation.
- More detail on built-in DLP, phishing protection, and Shadow AI monitoring in the browser.
- The cost and performance claims behind the replacement case, including rollout and onboarding claims.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, and secrets management. It helps practitioners build the identity discipline needed for modern access governance across human and non-human systems.
Published by the NHIMG editorial team on 2025-10-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org