TL;DR: A zero-trust enterprise browser is being positioned as a way to centralise contractor access, BYOD controls, M&A onboarding, and compliance enforcement across SaaS and on-premises applications, with identity-first authentication and device checks used to reduce VDI dependency and shadow IT, according to Surf Security. The governance issue is not browser performance, but whether identity, device trust, and policy enforcement can be made consistent across external users and acquired environments without creating new blind spots.
NHIMG editorial — based on content published by Surf Security: Identity-driven Protection and zero-trust browser controls for contractors, BYOD, M&A, and compliance
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
Questions worth separating out
Q: How should security teams govern contractor access delivered through a browser?
A: Security teams should govern browser-delivered contractor access with the same lifecycle discipline used for other external identities.
Q: Why do BYOD and contractor programmes create identity governance friction?
A: BYOD and contractor programmes create friction because access is needed quickly, but trust signals are less stable than in managed employee environments.
Q: What do teams get wrong about compliance in zero-trust browser models?
A: Teams often assume that centralising enforcement automatically centralises assurance.
Practitioner guidance
- Define the browser as a control extension Map browser-enforced rules to existing IAM, PAM, and device posture controls so the session layer does not become a separate policy island.
- Apply joiner-mover-leaver controls to contractors Create explicit onboarding, review, and revocation workflows for external users whose access is delivered through the browser.
- Test M&A entitlement cleanup before broad rollout Use post-merger access reviews to identify inherited accounts, duplicated access paths, and policy exceptions before standardising browser access across acquired entities.
What's in the full article
Surf Security's full article covers the operational detail this post intentionally leaves for the source:
- Browser-level workflow examples for contractors, BYOD, and M&A onboarding
- Session control details for malware scanning, DLP, and authentication enforcement
- The vendor's positioning on replacing VDI and consolidating access delivery
- Compliance-oriented messaging for GDPR, PCI-DSS, SOC2, and ISO scenarios
👉 Read Surf Security's analysis of identity-driven browser controls for contractors and M&A →
Contractor access in a zero-trust browser: what changes for IAM teams?
Explore further
Browser-based identity control is really a governance consolidation problem. The appeal is not the browser itself, but the attempt to place access enforcement, device posture, and policy control into one session boundary. That can reduce friction, yet it also concentrates policy errors if identity, endpoint, and application governance are not aligned. The implication is that teams must decide whether the browser is an access surface or a control plane.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: How should organisations approach browser controls during mergers and acquisitions?
A: Organisations should use browser controls to standardise initial access while separately cleaning up inherited identities, duplicate entitlements, and policy exceptions. The merger creates urgency, but speed without entitlement rationalisation simply preserves old access patterns in a new shell. Browser enforcement should follow identity cleanup, not replace it.
👉 Read our full editorial: Identity-driven browser controls are shifting contractor access governance