AI browser extensions and enterprise IAM: what teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter  

TL;DR: Browser extensions are installed on 99% of enterprise users, nearly 75% request high or critical permissions, and AI extensions are 60% more likely to carry known vulnerabilities, 3x more likely to access cookies, and nearly 6x more likely to expand permissions after installation, according to LayerX Security. That makes browser-based identity exposure a governance problem, not just an endpoint hygiene issue.

NHIMG editorial — based on content published by LayerX Security: The AI Tool in Your Browser Is Probably the Biggest Security Risk You’re Not Thinking About

By the numbers:

Questions worth separating out

Q: What breaks when browser extensions are not governed in enterprise environments?

A: The main failure is that the browser becomes an unmanaged privilege zone.

Q: Why do AI browser extensions create more governance risk than ordinary extensions?

A: AI extensions often request broader browser permissions to summarize, rewrite, or automate work, so they are more likely to touch cookies, scripts, and tab state.

Q: How can security teams detect browser extension privilege drift?

A: Teams should baseline extension permissions at approval time and then compare those permissions after each update.

Practitioner guidance

  • Build a browser extension inventory: Discover all extensions across managed browsers, map them to users and devices, and classify each by permission scope, update cadence, and data access.
  • Create a higher-risk review tier for AI extensions: Place AI assistants, summarizers, and auto-complete tools into a separate approval path because they are more likely to access cookies and page content.
  • Monitor permission drift after installation: Compare current extension permissions against the original approval baseline and trigger review when an update adds browser-history, scripting, or session-related access.

What's in the full article

LayerX Security's full report covers the operational detail this post intentionally leaves for the source:

  • Permission breakdowns by extension category, including the specific rights most often requested by AI tools
  • Organisation-size comparisons showing how extension sprawl changes across enterprise environments
  • Detailed recommendations for building a browser inventory and policy baseline across managed devices
  • Full data set on permission changes after installation, useful for operational risk review

👉 Read LayerX Security's full report on enterprise browser extension risk →
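The permission-drift check described in the practitioner guidance above, as an added worked example that is not part of the original post and not LayerX Security's code. It assumes Chromium-style manifest.json files (MV3 `permissions`, `optional_permissions`, `host_permissions`, `optional_host_permissions`); the two manifests are constructed sample data, and the grouping of permissions into session, history, scripting and broad-host risk classes is this example's own choice, not a published taxonomy.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Permission groups used to decide whether an update triggers re-review.
# The grouping is an assumption of this example, chosen to match the
# guidance above (session, browsing-history and scripting access).
SESSION_ACCESS = {"cookies", "webRequest", "webRequestAuthProvider", "identity"}
HISTORY_ACCESS = {"history", "tabs", "topSites", "sessions"}
SCRIPTING_ACCESS = {"scripting", "declarativeNetRequest", "debugger", "userScripts"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Keys in manifest.json that grant access. Optional permissions are included
# because the extension can request them at runtime without a store review.
PERMISSION_KEYS = ("permissions", "optional_permissions",
                   "host_permissions", "optional_host_permissions")


def permission_set(manifest: dict) -> Set[str]:
    """Flatten every permission-bearing manifest key into one set."""
    perms: Set[str] = set()
    for key in PERMISSION_KEYS:
        perms.update(manifest.get(key, []))
    return perms


def classify(perm: str) -> Optional[str]:
    """Map a permission to a risk class, or None if it is not in a watched class."""
    if perm in SESSION_ACCESS:
        return "session"
    if perm in HISTORY_ACCESS:
        return "history"
    if perm in SCRIPTING_ACCESS:
        return "scripting"
    if perm in BROAD_HOSTS:
        return "broad-host"
    return None


@dataclass
class DriftReport:
    extension_id: str
    baseline_version: str
    current_version: str
    added: List[str] = field(default_factory=list)
    removed: List[str] = field(default_factory=list)
    flagged: Dict[str, str] = field(default_factory=dict)  # permission -> risk class

    @property
    def requires_review(self) -> bool:
        # Any newly added permission in a watched class sends the extension
        # back through the approval path.
        return bool(self.flagged)


def detect_drift(extension_id: str, baseline: dict, current: dict) -> DriftReport:
    """Compare the manifest approved at review time against the installed one."""
    base_perms = permission_set(baseline)
    cur_perms = permission_set(current)
    report = DriftReport(extension_id,
                         baseline.get("version", "?"),
                         current.get("version", "?"))
    report.added = sorted(cur_perms - base_perms)
    report.removed = sorted(base_perms - cur_perms)
    for perm in report.added:
        risk = classify(perm)
        if risk:
            report.flagged[perm] = risk
    return report


# Constructed sample manifests (hypothetical extension, not a real one).
BASELINE_MANIFEST = {
    "manifest_version": 3, "version": "1.2.0",
    "permissions": ["activeTab", "storage"],
    "host_permissions": ["https://app.example.com/*"],
}
UPDATED_MANIFEST = {
    "manifest_version": 3, "version": "1.3.0",
    "permissions": ["activeTab", "storage", "cookies", "scripting", "history"],
    "host_permissions": ["<all_urls>"],
}


if __name__ == "__main__":
    rep = detect_drift("ext-constructed-0001", BASELINE_MANIFEST, UPDATED_MANIFEST)
    print(f"{rep.extension_id}: {rep.baseline_version} -> {rep.current_version}")
    print("added:  ", rep.added)
    print("removed:", rep.removed)
    print("flagged:", rep.flagged)
    print("requires review:", rep.requires_review)
```

In practice the baseline manifest is stored at approval time (from the store listing or the unpacked CRX) and the current one is read from the managed browser's extension directory or from an enterprise reporting API; the comparison logic is the same either way. Note that the narrowing from `https://app.example.com/*` to `<all_urls>` shows up as one removal and one flagged addition, which is the pattern the guidance above asks teams to catch.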

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498
 

Browser extensions have become a shadow identity layer inside enterprise sessions. They operate with delegated access to the same browser state that users rely on for authentication and application activity. That means traditional IAM visibility ends at the browser boundary, while meaningful privilege continues inside it. Security teams should treat extensions as governed access subjects, not just convenience add-ons.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured.

A question worth separating out:

Q: Should organisations treat browser extensions as part of identity governance?

A: Yes. Extensions operate with delegated access to browser sessions, which makes them a form of shadow identity inside the user environment. If they can reach authentication state or manipulate web content, they belong in the same governance conversation as privileged access and non-human identity controls.

👉 Read our full editorial: AI browser extensions create a hidden identity risk in enterprises
