TL;DR: AI regulations across the US, EU, and UK are converging on browser-level visibility into AI tool use, but most organisations still lack the control plane to prove it, according to Push Security. Browser mediation is becoming a governance issue for identity teams, not just a security telemetry problem.
NHIMG editorial — here’s why we think this discussion matters
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should security teams govern AI use in the browser?
A: Security teams should govern browser-based AI use by tying session visibility to identity policy.
Q: Why do existing IAM controls struggle with browser-mediated AI activity?
A: Existing IAM controls struggle because they usually govern application access and authentication events, not the user actions that happen after login inside the browser.
Practitioner guidance
- Map AI use cases to browser-controlled access paths: Identify which approved and shadow AI tools are reachable only through browser sessions and which of those paths bypass existing application or network controls.
- Separate EDR telemetry from browser-session evidence: Document where host telemetry ends and browser interaction evidence begins.
- Define AI acceptable-use controls at the session layer: Write controls that express where prompts, uploads, copy operations, and tool handoffs are allowed inside browser-mediated AI workflows.
What to expect at the briefing
Push Security's full post covers the operational detail this post intentionally leaves for the source:
- Concrete examples of browser-visible AI activity that EDR may not capture in time for enforcement
- Guidance on how browser control can support compliance obligations across US, EU, and UK AI regulation
- Operational distinctions between visibility, policy enforcement, and investigation evidence in browser sessions
- Decision points for teams choosing where browser security fits alongside IAM and endpoint tooling