Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI regulation and browser visibility: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: AI regulations across the US, EU, and UK are converging on browser-level visibility into AI tool use, but most organisations still lack the control plane to prove it, according to Push Security. Browser mediation is becoming a governance issue for identity teams, not just a security telemetry problem.

NHIMG editorial — here’s why we think this discussion matters

By the numbers:

  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.

Questions worth separating out

Q: How should security teams govern AI use in the browser?

A: Security teams should govern browser-based AI use by tying session visibility to identity policy.

Q: Why do existing IAM controls struggle with browser-mediated AI activity?

A: Existing IAM controls struggle because they usually govern application access and authentication events, not the user actions that happen after login inside the browser.

Practitioner guidance

  • Map AI use cases to browser-controlled access paths Identify which approved and shadow AI tools are reachable only through browser sessions and which of those paths bypass existing application or network controls.
  • Separate EDR telemetry from browser-session evidence Document where host telemetry ends and browser interaction evidence begins.
  • Define AI acceptable-use controls at the session layer Write controls that express where prompts, uploads, copy operations, and tool handoffs are allowed inside browser-mediated AI workflows.

What to expect at the briefing

Push Security's full post covers the operational detail this post intentionally leaves for the source:

  • Concrete examples of browser-visible AI activity that EDR may not capture in time for enforcement
  • Guidance on how browser control can support compliance obligations across US, EU, and UK AI regulation
  • Operational distinctions between visibility, policy enforcement, and investigation evidence in browser sessions
  • Decision points for teams choosing where browser security fits alongside IAM and endpoint tooling

👉 Read Push Security's analysis of AI regulation, browser visibility, and compliance →

AI regulation and browser visibility: what IAM teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Browser visibility is becoming an identity control point, not a niche security add-on. Once AI tool use happens inside the browser, the control problem moves closer to the session than to the application. That shifts ownership toward identity and access teams, because attribution, policy enforcement, and auditability now depend on whether the browser activity can be tied to a governed identity. Practitioners should treat browser-mediated AI use as part of access governance, not as an adjacent tooling issue.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and a further 47% only partial visibility, according to The State of Non-Human Identity Security.
  • That visibility gap helps explain why only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: Who is accountable when AI tool use happens through unmanaged browser sessions?

A: Accountability sits with the organisation that allowed the session path to exist without control, because the browser becomes the place where policy, identity, and data handling intersect. If no team owns that layer, neither IAM nor security can demonstrate who approved the interaction or who is responsible for the exposure.

👉 Read our full editorial: AI regulation and browser visibility: the compliance gap in IAM



   
ReplyQuote
Share: