TL;DR: Browser-based work now concentrates SaaS access, internal apps, AI tools, and sensitive data in one session, while browser phishing rose 140% year-over-year to 752,000 incidents in 2025, according to Surf Security. The control question is no longer whether browsers need protection, but whether identity, data, and session governance can move into the browser itself.
NHIMG editorial — based on content published by Surf Security: Secure Browser: Why Enterprises Need It in 2026
By the numbers:
- In 2025, browser-based phishing attacks surged by 140% year-over-year, with 752,000 incidents identified.
- According to Gartner, by 2028, 25% of organizations will augment existing secure remote access and endpoint security tools by deploying at least one secure enterprise browser technology to address specific gaps.
Questions worth separating out
Q: How should security teams govern browser sessions in a zero-trust model?
A: Security teams should treat the browser session as the control point for identity, data handling, and risky actions.
Q: Why do browser controls matter for SaaS and AI usage?
A: Because most sensitive SaaS and AI interactions now happen inside the browser, where users paste data, upload files, and establish trusted sessions.
Q: What breaks when organisations rely only on VPNs and endpoint tools for browser risk?
A: They lose direct visibility into session behaviour, so policy cannot reliably stop copy, paste, print, upload, or extension-driven abuse in real time.
Practitioner guidance
- Map browser session controls to identity policy Inventory which login, upload, download, copy, paste, print, and sharing actions are currently governed outside the browser.
- Govern browser extensions as delegated access Create an allowlist and review process for browser extensions that can access page content, credentials, or session state.
- Redesign contractor access around browser-native trust Replace broad remote access patterns with controlled browser access for partners, vendors, and developers wherever possible.
What's in the full article
Surf Security's full blog post covers the operational detail this post intentionally leaves for the source:
- A feature-by-feature breakdown of secure browser capabilities for SaaS, BYOD, and contractor access scenarios.
- Implementation examples for extension auditing, session logging, and data loss prevention inside the browser.
- Practical guidance on evaluating browser-based zero-trust controls against VDI, VPN, and proxy-heavy access stacks.
- The article's own positioning on where secure browsers fit into a broader enterprise security architecture.
👉 Read Surf Security's analysis of why secure browsers matter for enterprise security in 2026 →
Secure browsers in 2026: are your identity controls keeping up?
Explore further
Secure browser governance is now part of identity governance, not a separate security niche. The browser is where authentication, authorisation, and data handling increasingly converge for people, contractors, and AI-assisted workflows. That means IAM teams cannot stop at SSO or endpoint posture, because the decisive controls now sit inside the session. Practitioners should treat browser policy as an identity enforcement problem with direct governance impact.
A few things that frame the scale:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
A question worth separating out:
Q: Who should own secure browser governance in an enterprise?
A: Ownership should sit across IAM, security architecture, endpoint, and compliance, with IAM leading the policy model because the browser is now an identity enforcement layer. The key is to assign clear accountability for session controls, extension governance, and data movement rules.
👉 Read our full editorial: Secure browser governance in 2026 is becoming an identity control