According to the new Browser Security Report 2025, security leaders are discovering that most identity, SaaS, and AI-related risks converge in a single place, the user’s browser. Yet traditional controls like DLP, EDR, and SSE still operate one layer too low.
What’s emerging isn’t just a blindspot. It’s a parallel threat surface: unmanaged extensions acting like supply chain implants, GenAI tools accessed through personal accounts, sensitive data copy/pasted directly into prompt fields, and sessions that bypass SSO altogether.
This article unpacks the key findings from the report and what they reveal about the shifting locus of control in enterprise security.
GenAI Is Now the Top Data Exfiltration Channel
The rise of GenAI in enterprise workflows has created a massive governance gap. Nearly half of employees use GenAI tools, but most do so through unmanaged accounts, outside of IT visibility.
Key stats from the report:
- 77% of employees paste data into GenAI prompts
- 82% of those pastes come from personal accounts
- 40% of uploaded files contain PII or PCI
- GenAI accounts for 32% of all corporate-to-personal data movement
Legacy DLP tools weren’t designed for this. The browser has become the dominant channel for copy/paste exfiltration, unmonitored and policy-free.
AI Browsers Are An Emerging Threat Surface
Another emerging browser-based threat surface is ‘agentic’ AI browsers, which blend the traditional security risks of browsers with the new concerns over AI usage.
AI browsers like OpenAI’s Atlas, Arc Search, and Perplexity Browser are redefining how users interact with the web, merging search, chat, and browsing into a single intelligent experience. These browsers integrate large language models directly into the browsing layer, enabling them to read, summarize, and reason over any page or tab in real time. For users, this means seamless productivity and contextual assistance. But for enterprises, it represents a new and largely unmonitored attack surface: an “always-on co-pilot” that quietly sees and processes everything an employee can, without policy enforcement or visibility into what’s being shared with the cloud.
The risks are significant and multifaceted: session memory leakage exposes sensitive data through AI-powered personalization; invisible “auto-prompting” sends page content to third-party models; and shared cookies blur identity boundaries, enabling potential hijacks. With no enterprise-grade guardrails, these AI browsers effectively bypass traditional DLP, SSE, and browser security tools, creating a file-less, invisible path for data exfiltration. As organizations embrace GenAI and SaaS-driven workflows, understanding and addressing this emerging blind spot is critical to preventing the next generation of data leaks and identity compromises.
Browser Extensions: The Most Widespread and Least Governed Supply Chain
99% of enterprise users have at least one extension installed. Over half grant high or critical permissions….
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
