Notifications
Clear all
Topic starter
04/06/2026 3:00 pm
TL;DR: Employees are already using hundreds of AI tools in browser sessions, and Cyera argues that the real risk comes from unsanctioned apps, mixed personal and corporate accounts, and even approved tools used without oversight, where sensitive data can leak into public models or be misused. Browser-level visibility is now a governance control, not a convenience feature.
NHIMG editorial — based on content published by Cyera: 4 Risky Ways Your Employees Use AI in their Browser
Questions worth separating out
Q: How should security teams control AI use in browsers without blocking productivity?
A: Security teams should focus on identity context, account separation, and data-sensitive enforcement rather than blanket blocking.
Q: Why do approved AI tools still create data leakage risk?
A: Approved tools still create risk when users rely on personal accounts, bypass governance with unmanaged sign-ins, or process data that should never enter an LLM.
Q: What breaks when employees use personal and corporate AI accounts interchangeably?
A: Interchangeable account use breaks attribution, policy enforcement, and data handling assumptions.
Practitioner guidance
- Separate personal and corporate AI usage at the identity layer Block work-data prompts from personal accounts and require clear attribution for sanctioned tools so users cannot blend identities inside the browser session.
- Enforce contextual browser policies for sensitive data Use browser controls that distinguish public summarisation from uploads containing confidential material, customer records, or M&A data.
- Review approved AI tools as data-handling environments Check whether enterprise contracts, account controls, and logging actually cover the way employees use the tool in practice, not just the procurement decision.
What's in the full article
Cyera's full article covers the operational detail this post intentionally leaves for the source:
- How Cyera Browser Shield distinguishes personal from enterprise accounts inside live browser sessions
- What real-time enforcement looks like when a prompt contains confidential material
- How contextual intelligence is used to separate benign summarisation from risky uploads
- Why the vendor's examples map to insider misuse, trading abuse, and shadow HR scenarios
👉 Read Cyera's analysis of four risky ways employees use AI in the browser →
AI in the browser: what this means for identity and data control?
Explore further
04/06/2026 3:13 pm
Browser-based AI use has turned the user session into an identity-governance boundary. The article shows that employees are not waiting for sanctioned AI rollout, which means governance now begins at the browser rather than at procurement. That shifts the control question from whether AI is approved to whether the enterprise can attribute usage, separate account types, and stop sensitive data from leaving trusted identity boundaries. Practitioners should treat browser sessions as governed identity events, not just endpoint activity.
A few things that frame the scale:
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to the same research.
A question worth separating out:
Q: Who is accountable when sensitive data is sent to an AI model from the browser?
A: Accountability sits with the organisation that allowed the identity, session, and data flow to remain uncontrolled. IAM teams own attribution, security teams own policy enforcement, and business leaders own acceptable use boundaries. If the browser session is invisible, accountability becomes fragmented and hard to prove.
👉 Read our full editorial: Employees using AI in the browser are creating hidden data leaks
