Browser identity risk and exfiltration gaps: are controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5324
Topic starter  

TL;DR: Nearly half of employees now use generative AI tools, 77% paste data into prompts, and GenAI accounts for 32% of corporate-to-personal data movement, making the browser the dominant exfiltration channel in modern work, according to LayerX Security’s Browser Security Report 2025. The governance gap is that identity, data, and session controls still stop at the IdP while risk now accumulates inside the browser.

NHIMG editorial — based on content published by LayerX Security: Why The Browser Has Become the Enterprise’s Most Overlooked Endpoint

By the numbers:

Questions worth separating out

Q: How should security teams govern browser sessions that outlive authentication?

A: Security teams should treat the authenticated session as the control point, not the login event.

Q: Why do browser extensions create identity and data risk for enterprises?

A: Browser extensions can read pages, inspect cookies, and interact with SaaS content, so they often operate with more effective privilege than teams expect.

Q: What breaks when GenAI prompts become the main exfiltration channel?

A: File-centric DLP loses coverage when users move data through prompts, copy/paste, and browser-based AI tools instead of attachments or uploads.

Practitioner guidance

  • Treat the browser as a primary control plane: extend visibility into copy/paste, prompts, uploads, tab context, and account type so security teams can see what happens after login.
  • Apply session-level identity controls: continuously validate active browser sessions, detect token replay, and flag account crossover between corporate and personal identities.
  • Govern extensions as software supply chain assets: score publisher reputation, update cadence, sideload sources, and permission changes, then remove extensions with broad access to cookies or SaaS tabs.

What's in the full article

LayerX Security's full blog covers the operational detail this post intentionally leaves for the source:

  • Telemetry breakdowns showing which browser behaviours most often drive corporate-to-personal data movement
  • Incident examples and attack paths tied to browser extensions, AI browsers, and session abuse
  • Practical guidance on browser-native visibility and how the report maps risk across DLP, EDR, SSE, and CASB

👉 Read LayerX Security's analysis of browser-based identity and data risk →
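The session-level controls in the practitioner guidance above, as an added example that is not part of the original post or of LayerX's tooling: a small detection pass over constructed browser-session telemetry that flags a session token reused from a different device within a short window (token replay) and a device where a corporate and a personal account are both active (account crossover). The event fields, the corporate domain and the 15-minute window are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed browser-session telemetry (assumed schema, not from the report):
# (session token id, ISO timestamp, source IP, device fingerprint, account identity)
EVENTS = [
    ("tok-A", "2025-01-10T09:00:00", "10.0.0.5", "fp-laptop1", "alice@corp.example"),
    ("tok-A", "2025-01-10T09:05:00", "10.0.0.5", "fp-laptop1", "alice@corp.example"),
    ("tok-A", "2025-01-10T09:07:00", "203.0.113.9", "fp-unknown", "alice@corp.example"),  # same token, new device
    ("tok-B", "2025-01-10T10:00:00", "10.0.0.7", "fp-laptop2", "bob@corp.example"),
    ("tok-C", "2025-01-10T10:02:00", "10.0.0.7", "fp-laptop2", "bob@gmail.example"),  # personal account, same device
    ("tok-D", "2025-01-10T11:00:00", "10.0.0.9", "fp-laptop3", "carol@corp.example"),
]

CORP_DOMAIN = "corp.example"          # assumed corporate identity domain
REPLAY_WINDOW = timedelta(minutes=15)  # assumed window for "too fast to be a device change"


def detect_token_replay(events, window=REPLAY_WINDOW):
    """Flag a session token seen from a different device fingerprint within `window` of its prior use."""
    last_seen = {}  # token -> (timestamp, fingerprint)
    alerts = []
    for tok, ts, ip, fp, _acct in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        if tok in last_seen:
            prev_t, prev_fp = last_seen[tok]
            if fp != prev_fp and t - prev_t <= window:
                alerts.append({"type": "token_replay", "token": tok,
                               "from": prev_fp, "to": fp, "ip": ip})
        last_seen[tok] = (t, fp)
    return alerts


def detect_account_crossover(events, corp_domain=CORP_DOMAIN):
    """Flag device fingerprints where a corporate and a non-corporate account are both active."""
    by_device = defaultdict(set)
    for _tok, _ts, _ip, fp, acct in events:
        by_device[fp].add(acct)
    alerts = []
    for fp, accts in by_device.items():
        corp = {a for a in accts if a.endswith("@" + corp_domain)}
        personal = accts - corp
        if corp and personal:
            alerts.append({"type": "account_crossover", "device": fp,
                           "corporate": sorted(corp), "personal": sorted(personal)})
    return alerts


if __name__ == "__main__":
    for alert in detect_token_replay(EVENTS) + detect_account_crossover(EVENTS):
        print(alert)
```

In production the device fingerprint and account identity would come from browser-native telemetry rather than an inline list, and the replay check should also compare IP geography and user agent before raising a high-severity alert.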

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 4554
 

Browser governance is now identity governance. The browser has become the operating environment where sessions, prompts, extensions, and SaaS accounts intersect, so treating it as a display layer leaves the real control surface ungoverned. Identity teams that stop at the IdP are missing the point at which access becomes behaviour. Practitioners should reframe browser oversight as part of IAM, not adjacent to it.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to the 2024 ESG Report: Managing Non-Human Identities.
  • The same research found that 46% confirmed a breach and 26% suspected one, which shows how often machine identity risk is already present before teams recognise it.

A question worth separating out:

Q: Who is accountable when browser-based identity risk causes a data leak?

A: Accountability typically sits with the teams that own identity, endpoint, and data controls together, because the browser collapses those boundaries. IAM, DLP, and security architecture can no longer be managed as separate silos if sessions, extensions, and prompts are the real leak points. Frameworks such as the NHI Lifecycle Management Guide can help align ownership across access and runtime control.

👉 Read our full editorial: Browser security is now the hidden control plane for identity risk
