Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Enterprise browser security: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10158
Topic starter  

TL;DR: Browser-based work now concentrates SaaS access, admin activity, contractor sessions, and GenAI usage in one control point, while phishing, malicious extensions, session hijacking, and unsafe data movement increasingly target that layer, according to Surf Security. The browser is now where identity, policy, and data protection have to converge, or governance becomes fragmented and easy to bypass.

NHIMG editorial — based on content published by Surf Security: Enterprise Browser Security Guide for Modern Teams

By the numbers:

Questions worth separating out

Q: How should security teams govern browser-based SaaS access on unmanaged devices?

A: Security teams should govern browser-based SaaS access by combining identity-aware policy, action-level controls, and session logging.

Q: Why do browser-layer controls matter more as work shifts into SaaS and GenAI apps?

A: Browser-layer controls matter because the browser is now the place where authentication, data entry, content transfer, and AI interaction all happen in one session.

Q: What do organisations get wrong about browser security and zero trust?

A: Many organisations still think zero trust is only about verifying access before entry.

Practitioner guidance

  • Map browser-controlled actions to high-risk data flows Inventory where copy, paste, upload, download, print, screenshot, and clipboard actions occur in SaaS, admin, contractor, and GenAI workflows.
  • Use the browser as the enforcement point for third-party access Apply identity-aware policy for contractors and vendors who work from unmanaged devices, with restrictions tied to application sensitivity and data classification rather than only network location.
  • Separate GenAI policy from general web policy Create browser rules for public AI tools, browser-based copilots, and agent-assisted workflows so sensitive prompts and outputs are governed explicitly, not left to user judgment.

What's in the full article

Surf Security's full article covers the operational detail this post intentionally leaves for the source:

  • Browser security capability breakdowns across identity-aware access, DLP, extension control, and session enforcement.
  • Implementation discussion for SaaS-heavy, BYOD, contractor, and regulated environments.
  • Coverage of GenAI and browser-based AI workflow controls that this post only summarises at a strategic level.
  • The vendor's comparative framing of browser security against VPN, VDI, RBI, proxy, and SWG models.

👉 Read Surf Security's guide to enterprise browser security for modern teams →

Enterprise browser security: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9713
 

Browser security is becoming an identity control plane, not a niche endpoint feature. The article is right to frame the browser as the place where modern work actually happens, because that is also where identity, session, and data controls collide. From an NHI and IAM perspective, the browser now hosts human sessions, service interactions, and AI-assisted workflows in a way that legacy perimeter tools cannot model cleanly. Practitioners should stop treating browser security as a bolt-on and start treating it as part of access governance.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.

A question worth separating out:

Q: Who should be accountable for browser session governance in regulated environments?

A: Accountability should sit across IAM, security architecture, compliance, and endpoint governance, with clear ownership for browser policy design and audit evidence. Regulated environments need session records, data handling rules, and access policy that line up with internal controls and external obligations such as privacy and industry requirements.

👉 Read our full editorial: Enterprise browser security is becoming the control plane for work



   
ReplyQuote
Share: