Subscribe to the Non-Human & AI Identity Journal
Home FAQ Why does browser-based work create new identity governance…

Why does browser-based work create new identity governance issues?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 9, 2026

Browser-based work shifts control away from the desktop and toward the identity context behind each session. That matters because access, data handling, contractor use, and AI tool adoption can all occur from unmanaged devices. Identity teams need policy that follows the session, not just login, or they will miss where actual risk is introduced.

Why This Matters for Security Teams

Browser-based work changes the governance boundary from managed endpoint control to session-level identity control. That matters because the browser now carries SaaS access, contractor collaboration, embedded AI tools, and data movement, often from devices the organisation does not own. Current guidance from NIST Cybersecurity Framework 2.0 and NHIMG research on Ultimate Guide to NHIs both point to the same problem: identity controls must persist after login.

The governance gap is usually not authentication itself. It is what happens after the session starts: unmanaged extensions, shadow SaaS, copied secrets, and AI assistants consuming privileged context. NHIMG’s Top 10 NHI Issues highlights how easily machine and human identities converge in the browser, especially when service credentials, tokens, and automation tools are handled in the same workflow. In practice, many security teams encounter browser risk only after data has already left the approved boundary, rather than through intentional session governance.

How It Works in Practice

Browser-based work creates a chain of identity decisions that extends well beyond SSO. The browser becomes the enforcement point for device posture, session duration, data access, copy and paste behaviour, download controls, and sometimes even AI prompt governance. That means identity teams, security operations, and GRC functions need to coordinate policy at the session layer, not treat access as a one-time event.

Practically, mature programmes usually combine conditional access, single sign-on, just-in-time privilege, and session controls with logging that can be correlated in SIEM. The goal is to reduce standing access, limit exposure when a browser session is hijacked, and ensure sensitive actions are attributable. This lines up with NIST Cybersecurity Framework 2.0 and the lifecycle guidance in Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs.

  • Bind access to user, device, and session context rather than to the login event alone.
  • Separate human sessions from NHI sessions where browser automation or API delegation is involved.
  • Restrict high-risk actions such as token creation, secrets export, and admin changes in unmanaged browser sessions.
  • Log browser-originated activity in a form that can be investigated later by security and audit teams.

This becomes especially important when browser work overlaps with AI assistants or third-party extensions, because those controls may receive access to content without the same governance applied to the original user. Browser-based governance also needs strong review of OAuth grants and delegated access, since a session can be legitimate while the downstream authorisation is excessive. These controls tend to break down when contractors and employees use personal devices with no consistent posture telemetry, because the session becomes visible but the endpoint trust signal does not.

Common Variations and Edge Cases

Tighter browser governance often increases user friction and administrative overhead, so organisations must balance risk reduction against workflow continuity. That tradeoff is real, especially in hybrid work, regulated environments, and fast-moving engineering teams where browser isolation or strict session limits can slow delivery.

There is no universal standard for this yet. Current guidance suggests different patterns for different risk levels: short-lived sessions and re-authentication for sensitive systems, stronger controls for contractor access, and tighter review when browser-based workflows can create or expose NHIs. The operational issue is not only identity verification, but also how browser activity intersects with secrets, automation, and delegated access. NHIMG’s research on 52 NHI Breaches Analysis is useful here because browser-originated compromise often ends up affecting machine credentials downstream, not just the human session itself.

Edge cases commonly include shared workstations, bring-your-own-device access, browser extensions with excessive permissions, and AI tools embedded directly in collaboration platforms. These scenarios require separate policy decisions, because the browser may be the control plane for both human productivity and machine identity abuse. The practical test is simple: if a browser can mint, copy, or delegate access, it must be governed like an identity endpoint, not treated as a neutral application shell.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Browser-based work shifts access enforcement into session context and identity governance.
OWASP Non-Human Identity Top 10NHI-03Browser workflows often expose tokens and secrets that should be rotated and tightly scoped.
OWASP Agentic AI Top 10Browser AI assistants can act with delegated authority and create identity governance risk.

Apply identity-aware access controls that verify users, devices, and session conditions continuously.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 9, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org