Browser visibility for AI tool use: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter  

TL;DR: AI regulations in the US, EU, and UK are converging on obligations that many organisations cannot meet without browser visibility into AI tool use, according to Push Security. The hard part is not the regulation itself, but the fact that existing controls often miss what happens inside the browser.

NHIMG editorial — here’s why we think this discussion matters

Questions worth separating out

Q: How should security teams govern AI tool use in the browser?

A: Security teams should govern AI tool use at the browser layer by tying session activity to identity, policy, and audit evidence.

Q: Why do traditional IAM controls miss browser-based AI risk?

A: Traditional IAM controls miss browser-based AI risk because they are strongest at authentication and access grant, not at observing in-session behaviour.

Practitioner guidance

  • Map AI use cases to the browser boundary: Inventory where employees actually interact with AI tools, including unsanctioned browser sessions, and document which workflows never pass through existing IAM checkpoints.
  • Define session evidence requirements for audits: Specify what must be logged at the browser layer, including data entry, page context, and AI tool usage, so compliance teams can answer regulator questions with evidence rather than inference.
  • Align policy enforcement to in-session behaviour: Apply controls where the risky action occurs, not only at authentication, and route sensitive browser activity into review workflows when policy cannot be enforced automatically.

What to expect at the briefing

Push Security's full article covers the operational detail this post intentionally leaves for the source:

  • Browser visibility mechanics for detecting AI tool use across everyday workflows
  • Why EDR and standard endpoint controls can miss what happens inside the browser
  • How compliance obligations map to browser-level evidence and control decisions
  • Decision criteria for deciding when a separate AI visibility purchase is unnecessary

👉 Read Push Security's analysis of AI regulation, browser visibility, and compliance →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 2127
 

Browser visibility is becoming the missing control plane for AI governance. Authentication and SaaS policy were designed for access decisions, not for observing what users and tools do after the session begins. That gap becomes more obvious as AI use moves into the browser, where sensitive data can be entered, transformed, and exfiltrated without ever creating a clean identity event. Practitioners should treat browser telemetry as a governance signal, not an optional extra.

A few things that frame the scale:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: How can teams tell whether browser visibility is actually working?

A: Teams can tell browser visibility is working if it produces usable evidence about AI sessions, data handling, and policy enforcement decisions. The signal is not volume of telemetry, but whether security and compliance teams can reconstruct what happened in the browser and link it back to a responsible identity.

👉 Read our full editorial: Browser visibility is becoming central to AI governance and compliance



   