AI regulation and browser visibility: are controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter  

TL;DR: AI regulation in the US, EU, and UK is converging on obligations that most organisations cannot meet without browser-level visibility into AI tool use, according to Push Security. The real issue is not just detection coverage but whether identity, access, and control models can see what happens where users and AI systems actually operate.

NHIMG editorial — here’s why we think this discussion matters

Questions worth separating out

Q: How should security teams govern AI use that happens in the browser?

A: Security teams should treat browser-based AI use as a governed session, not a side channel.

Q: Why do EDR and IAM leave gaps in AI compliance coverage?

A: EDR and IAM solve different problems, and neither fully describes what happens inside a browser session.

Practitioner guidance

  • Map AI usage at the browser layer: Identify which approved and unapproved AI tools are reached through browsers, extensions, and embedded SaaS sessions.
  • Extend governance to browser-mediated sessions: Treat browser events as governance signals, not just endpoint telemetry.
  • Close the shadow AI inventory gap: Build an inventory of AI access paths that includes consumer tools, browser plugins, and browser-based copilots.

What to expect at the briefing

Push Security's full article covers the operational detail this post intentionally leaves for the source:

  • How the browser visibility model maps to real AI usage paths across SaaS, extensions, and embedded tools
  • The compliance framing behind AI regulation in the US, EU, and UK and how the article interprets it
  • Why the vendor argues separate AI visibility and control purchases may be unnecessary in some environments
  • The specific reasoning behind treating browser security as the enforcement point for AI governance

👉 Read Push Security's analysis of browser visibility and AI regulation compliance →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 2127
 

Browser visibility is becoming an identity requirement, not just a security enhancement. Once AI use moves into the browser, the organisation loses the clean separation between access, action, and evidence that classic IAM assumes. The control question is no longer whether users are authenticated, but whether the organisation can observe the identity action at the point of use. Practitioners should treat browser telemetry as part of the identity evidence chain.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Partial visibility is the norm too, with 47% of organisations reporting only partial visibility into those connected vendors, according to the same research.

A question worth separating out:

Q: What should organisations do before auditing AI regulation readiness?

A: They should establish where AI usage is actually observable and which browser events can serve as evidence. If access happens in the browser, then audit readiness depends on retaining the right session data, linking it to identity records, and proving policy enforcement at the point of use.

👉 Read our full editorial: Browser visibility is becoming central to AI regulation compliance



   