
AI browser extensions and enterprise IAM: what teams are missing


(@nhi-mgmt-group)

TL;DR: Browser extensions are installed on 99% of enterprise users, nearly 75% request high or critical permissions, and AI extensions are 60% more likely to carry known vulnerabilities, 3x more likely to access cookies, and nearly 6x more likely to expand permissions after installation, according to LayerX Security. That makes browser-based identity exposure a governance problem, not just an endpoint hygiene issue.

NHIMG editorial — based on content published by LayerX Security: The AI Tool in Your Browser Is Probably the Biggest Security Risk You’re Not Thinking About

By the numbers:

Questions worth separating out

Q: What breaks when browser extensions are not governed in enterprise environments?

A: The main failure is that the browser becomes an unmanaged privilege zone.

Q: Why do AI browser extensions create more governance risk than ordinary extensions?

A: AI extensions often request broader browser permissions to summarize, rewrite, or automate work, so they are more likely to touch cookies, scripts, and tab state.

Q: How can security teams detect browser extension privilege drift?

A: Teams should baseline extension permissions at approval time and then compare those permissions after each update.

Practitioner guidance

  • Build a browser extension inventory: discover all extensions across managed browsers, map them to users and devices, and classify each by permission scope, update cadence, and data access.
  • Create a higher-risk review tier for AI extensions: place AI assistants, summarizers, and auto-complete tools into a separate approval path because they are more likely to access cookies and page content.
  • Monitor permission drift after installation: compare current extension permissions against the original approval baseline and trigger review when an update adds browser-history, scripting, or session-related access.
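The drift check from the Q&A above and the three guidance items (inventory, AI review tier, post-install monitoring) fit together in one small audit routine. The example below is added here and is not code from LayerX Security or the NHIMG post. It assumes extensions are described by manifest-style records (the permission names are the Chrome/Chromium manifest vocabulary); the grouping of those names into "high risk" and "session-related" buckets, the tier labels, and the sample extensions are this example's own constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Chrome/Chromium manifest permission names. The grouping into high-risk and
# session-related sets is this example's assumption, not a LayerX classification.
HIGH_RISK = {"cookies", "history", "scripting", "tabs", "webRequest",
             "webNavigation", "debugger", "<all_urls>"}
SESSION_RELATED = {"cookies", "webRequest", "webNavigation"}


def permission_set(manifest: dict) -> set[str]:
    """Flatten API permissions and host permissions into one comparable set."""
    return set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))


def risk_tier(manifest: dict, is_ai_tool: bool) -> str:
    """Inventory classification: AI tools and anything with session or
    all-host access go to the separate 'high' review tier."""
    perms = permission_set(manifest)
    if is_ai_tool or perms & SESSION_RELATED or "<all_urls>" in perms:
        return "high"
    if perms & HIGH_RISK:
        return "elevated"
    return "standard"


@dataclass
class DriftReport:
    extension_id: str
    baseline_version: str
    current_version: str
    added: set[str]
    removed: set[str]
    flagged: set[str]  # added permissions that fall in HIGH_RISK

    @property
    def review_required(self) -> bool:
        # Any high-risk right added after approval re-opens the review.
        return bool(self.flagged)


def detect_drift(baseline: dict, current: dict) -> DriftReport:
    """Compare the approved manifest with the currently installed one."""
    before, after = permission_set(baseline), permission_set(current)
    added = after - before
    return DriftReport(current["id"], baseline["version"], current["version"],
                       added, before - after, added & HIGH_RISK)


def audit(approved: dict[str, dict], installed: list[dict]) -> list[dict]:
    """Build the per-user/device inventory and mark unapproved or drifted extensions."""
    rows = []
    for rec in installed:
        m = rec["manifest"]
        base = approved.get(m["id"])
        status = "unapproved"
        if base is not None:
            status = "drift" if detect_drift(base, m).review_required else "ok"
        rows.append({"id": m["id"], "name": m["name"], "user": rec["user"],
                     "device": rec["device"], "tier": risk_tier(m, rec["ai_tool"]),
                     "status": status})
    return rows


# Constructed sample data: the approval baseline and what is currently installed.
APPROVED = {
    "acme-summarizer": {"id": "acme-summarizer", "name": "Acme Summarizer", "version": "1.2.0",
                        "permissions": ["activeTab", "storage"],
                        "host_permissions": ["https://*.acme.example/*"]},
    "grammar-helper": {"id": "grammar-helper", "name": "Grammar Helper", "version": "2.0.0",
                       "permissions": ["storage"], "host_permissions": []},
}
INSTALLED = [
    # Same extension after an update: cookies, scripting and all hosts were added.
    {"user": "alice", "device": "lt-0142", "ai_tool": True,
     "manifest": {"id": "acme-summarizer", "name": "Acme Summarizer", "version": "1.3.0",
                  "permissions": ["activeTab", "storage", "cookies", "scripting"],
                  "host_permissions": ["<all_urls>"]}},
    {"user": "bob", "device": "lt-0201", "ai_tool": False,
     "manifest": APPROVED["grammar-helper"]},
    # Never approved, so it shows up as unapproved regardless of permissions.
    {"user": "carol", "device": "lt-0310", "ai_tool": True,
     "manifest": {"id": "tab-autofill", "name": "Tab Autofill AI", "version": "0.9.0",
                  "permissions": ["tabs", "history"], "host_permissions": []}},
]

if __name__ == "__main__":
    for row in audit(APPROVED, INSTALLED):
        print(row)
    print(detect_drift(APPROVED["acme-summarizer"], INSTALLED[0]["manifest"]))
```

The baseline is what was approved, not the current store listing, so a silent update that broadens permissions is caught on the next audit run; the removed set is worth keeping in the report too, since a narrow host pattern being swapped for `<all_urls>` shows up as one removal plus one high-risk addition.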

What's in the full article

LayerX Security's full report covers the operational detail this post intentionally leaves for the source:

  • Permission breakdowns by extension category, including the specific rights most often requested by AI tools
  • Organisation-size comparisons showing how extension sprawl changes across enterprise environments
  • Detailed recommendations for building a browser inventory and policy baseline across managed devices
  • Full data set on permission changes after installation, useful for operational risk review

👉 Read LayerX Security's full report on enterprise browser extension risk →
