
Browser-layer controls: what IAM and security teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: According to LayerX Security, browser-based attacks now account for 95% of incidents reported by organisations, 85% of the modern workday happens in the browser, and 65% of organisations say they have no control over what data is fed into GenAI tools. The browser has become the control gap where identity, data, and user actions converge, and existing security stacks stop short of the point where exposure actually starts.

NHIMG editorial — based on content published by LayerX Security: Francis Odum on the one layer your security stack still misses

By the numbers:

Questions worth separating out

Q: How should security teams control browser-based data leakage?

A: Security teams should control browser-based data leakage by enforcing policy at the point of action inside the browser (a paste, an upload, a prompt submission, an extension install), not only at the network or endpoint layer, where the action is already complete or invisible.

Q: Why do traditional DLP and CASB tools miss browser risk?

A: Traditional DLP and CASB tools miss browser risk because they observe content in transit and sanctioned cloud activity around the browser, not the actions taken inside the browser itself.

Q: When should organisations treat the browser as a security control plane?

A: Organisations should treat the browser as a security control plane when sensitive work, GenAI usage, contractor access, or unmanaged devices are common in daily operations.

Practitioner guidance

  • Map browser blind spots across your current stack: identify which browser actions your EDR, CASB, DLP, and SWG cannot see, including extension installs, copy and paste, file uploads, and prompt text sent to GenAI tools.
  • Classify high-risk browser actions by identity and destination: set policies for personal email, unmanaged SaaS, GenAI tools, and unknown extensions based on session identity, device posture, and data sensitivity.
  • Build browser telemetry into identity governance workflows: feed browser activity into SIEM, IAM, and incident response so that risky sessions can be correlated with user identity, device state, and data movement.

What's in the full article

LayerX Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • The maturity-stage checklist for visibility, control, and integration in browser-layer security programmes
  • Specific examples of browser-native enforcement such as extension control, copy and paste interception, and identity-aware session rules
  • Rollout considerations for balancing user experience with browser policy enforcement across corporate and unmanaged devices

👉 Read LayerX Security's analysis of browser-layer security maturity and GenAI risk →
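
To make the practitioner guidance above concrete, here is an added example (NHIMG illustration, not LayerX code and not a description of their product) of a minimal browser-layer policy engine: it classifies a paste, upload or prompt by destination category, session identity, device posture and the sensitivity of the data being moved, decides allow/warn/block at the point of action, and emits a SIEM-ready event. The destination list, the detector patterns, the rule set and the sample session are all assumptions constructed for the example.

```javascript
// Added example, not code from LayerX Security. Hypothetical destination
// classification; a real deployment would pull this from the SaaS inventory.
const DESTINATIONS = {
  "chat.openai.example": "genai",
  "mail.personal.example": "personal_email",
  "drive.corp.example": "sanctioned_saas",
};

function classifyDestination(url) {
  const host = new URL(url).hostname;
  return DESTINATIONS[host] || "unmanaged";
}

// Cheap regex detectors for secrets and PII in the text being moved.
// Ordered from most to least severe so the first hit sets the level.
const DETECTORS = [
  { level: "secret", name: "aws_access_key", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { level: "secret", name: "private_key", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
  { level: "pii", name: "ssn", re: /\b\d{3}-\d{2}-\d{4}\b/ },
  { level: "pii", name: "email", re: /\b[\w.+-]+@[\w-]+\.[\w.]+\b/ },
];

function classifyData(text) {
  const hits = DETECTORS.filter((d) => d.re.test(text)).map((d) => d.name);
  const first = DETECTORS.find((d) => hits.includes(d.name));
  return { level: first ? first.level : "none", hits };
}

// Illustrative rules, evaluated in order; the first match wins. Each rule sees
// the action (type, destination class, sensitivity) and the session
// (identity, device posture), which is what "identity-aware" means here.
const RULES = [
  { decision: "block", reason: "secret_to_external",
    when: (a) => a.sensitivity === "secret" && a.destination !== "sanctioned_saas" },
  { decision: "block", reason: "unmanaged_device_upload",
    when: (a, s) => a.type === "upload" && s.devicePosture !== "managed"
      && a.destination !== "sanctioned_saas" },
  { decision: "block", reason: "pii_to_personal_email",
    when: (a) => a.sensitivity === "pii" && a.destination === "personal_email" },
  { decision: "warn", reason: "pii_to_genai",
    when: (a) => a.sensitivity === "pii" && a.destination === "genai" },
  { decision: "warn", reason: "contractor_to_genai",
    when: (a, s) => s.identity.role === "contractor" && a.destination === "genai" },
  { decision: "allow", reason: "default", when: () => true },
];

function evaluateAction(action, session) {
  const destination = classifyDestination(action.url);
  const { level: sensitivity, hits } = classifyData(action.text || "");
  const a = { type: action.type, destination, sensitivity };
  const rule = RULES.find((r) => r.when(a, session));
  // Telemetry event: ties the browser action to identity and device state so a
  // SIEM can correlate it with IAM and endpoint data.
  const event = {
    ts: action.ts,
    user: session.identity.user,
    role: session.identity.role,
    device_posture: session.devicePosture,
    action: action.type,
    destination_host: new URL(action.url).hostname,
    destination_class: destination,
    sensitivity,
    detectors: hits,
    decision: rule.decision,
    reason: rule.reason,
  };
  return { decision: rule.decision, reason: rule.reason, event };
}

// Constructed sample session and actions (not real data): a contractor on an
// unmanaged device. The access key is AWS's published example key.
const SESSION = {
  identity: { user: "c.lee@corp.example", role: "contractor" },
  devicePosture: "unmanaged",
};
const SAMPLE_ACTIONS = [
  { ts: "2024-05-01T09:00:00Z", type: "paste", url: "https://chat.openai.example/",
    text: "here is my config: AKIAIOSFODNN7EXAMPLE" },
  { ts: "2024-05-01T09:01:00Z", type: "upload", url: "https://mail.personal.example/compose",
    text: "customer list" },
  { ts: "2024-05-01T09:02:00Z", type: "prompt", url: "https://chat.openai.example/",
    text: "summarise this ticket from jane@corp.example" },
  { ts: "2024-05-01T09:03:00Z", type: "upload", url: "https://drive.corp.example/",
    text: "quarterly deck" },
];

function runSamples(actions = SAMPLE_ACTIONS, session = SESSION) {
  return actions.map((act) => evaluateAction(act, session));
}

// In an extension content script, hook paste events so the policy runs before
// the data reaches the site; guarded so the module also loads in Node.
function attachToPage(doc, session, sink) {
  doc.addEventListener("paste", (e) => {
    const text = e.clipboardData ? e.clipboardData.getData("text") : "";
    const result = evaluateAction(
      { ts: new Date().toISOString(), type: "paste", url: doc.location.href, text },
      session);
    sink(result.event);
    if (result.decision === "block") e.preventDefault();
  }, true);
}
if (typeof document !== "undefined") {
  attachToPage(document, SESSION, (ev) => console.log(JSON.stringify(ev)));
} else {
  runSamples().forEach((r) => console.log(JSON.stringify(r.event)));
}
```

Run with `node` to see the four events; the first paste is blocked because a secret is heading to a GenAI destination, the personal-email upload is blocked by device posture alone, the prompt containing an e-mail address only warns, and the upload to sanctioned storage is allowed. The point of the structure is that the rule sees identity, posture, destination and content together at the moment of the action, which is exactly the combination a network-layer DLP or CASB never gets to evaluate.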
