If you want total security, go to prison. There you’re fed, clothed, given medical care and so on. The only thing lacking… is freedom.
-Dwight D. Eisenhower
Browsers are a classic example of "can't live with, can't live without." While users can't live without browsers like Edge, Safari, and Firefox, they are something SecOps personnel could happily live without. Traditional browsers mostly lack features like built-in mechanisms for granular policy enforcement, data isolation, or compliance logging. The same browser used for personal browsing is used to access sensitive SaaS apps, internal tools, and third-party services, creating unavoidable shadow IT and data leakage risks. There are strategies like Remote Browser Isolation (RBI), but RBI may be a case of the cure being worse than the disease, as it can degrade the user experience through lag, rendering issues, and slower performance. Even as enterprises push security "left" (applications) and "outward" (network, cloud edges), browsers remain a concern, but enforcing controls like RBI may turn the whole experience into the proverbial prison described by General Eisenhower. The fault, however, is not solely with the browsers.
You see, as technology advanced and trends like remote work, BYOD, and contractors took hold, the perimeter dissolved, the network became abstracted, and identity emerged as the dominant control plane. These changes mean that modern enterprises are no longer secured by where users connect from or which network they use. They are secured by what users do after access is granted. That distinction matters because most security controls today are designed to decide whether access should occur, not to govern the behavior that follows. Considering that the browser is where a great many critical activities happen, including rendering cloud applications, and where sessions persist, where tokens are stored, and where data is copied, downloaded, shared, and exfiltrated, it makes an extremely lucrative target for attackers. And why?
Well, in modern architectures trust is not exercised once at login. It is exercised continuously. Yet most security architectures still treat the browser as a passive display layer, assuming meaningful control lives below it in the network or beside it on the endpoint, and attackers keep exploiting this mismatch. If they can inherit a legitimate browser session, they have no need to defeat MFA or bypass hardened networks. Threats like token theft, session replay, browser-based phishing, and HTML smuggling all exploit the same assumption: that behavior is trusted once access is granted. Existing tools fail here because they are optimized for a world where sessions were short-lived and tightly coupled to devices and networks. In today's environment, sessions persist, roam across devices, and outlive the security context that created them. Even architectures like ZTNA suffer from the same flaw. ZTNA allows access only after certain conditions are fulfilled and continuously scans for anomalous behavior. While it does monitor sessions, it cannot "see" actions like screenshotting and copy-pasting. Attackers simply sidestep ZTNA controls by operating entirely within already authorized sessions; token theft, session replay, browser-based phishing, and related techniques never have to defeat those controls at all.
Secure enterprise browsers do help solve this issue. Instead of concentrating security decisions at authentication and relying on detection afterward, they shift enforcement to the moment the risky action occurs, not later when logs are analyzed. A user can view sensitive data but not export it. A contractor can access an application but not copy information out of it. A privileged session can continue while specific risky actions are suppressed. This does not lock users down; it delinks access from unrestricted capability. Of course, stronger browser control should not mean broader restrictions; blanket restrictions only frustrate users and push them toward workarounds. Prohibition is clearly a bad strategy, so what is the alternative? The alternative is to reason about risk. The question to ask is: which actions actually represent material risk? Most enterprise data exposure does not occur because users can view information. It occurs because they can move it. This can be addressed with a simple step: instead of blocking access to entire applications, restrict the exfiltration paths such as downloads, copy-paste, printing, or uploads to unsanctioned destinations.
CISOs and CIOs should push for browser enforcement that adapts dynamically based on factors such as authentication strength, device posture, geolocation anomalies, or behavioral signals. This sounds very similar to risk-based authentication, but the difference is that risk keeps being evaluated after authentication. When risk increases, the browser can narrow what the user can do without forcing a logout or a step-up challenge. The session remains intact, but its permissions contract dynamically. So, again, what should be done?
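As an added illustration (not code from the article or from any vendor's product), the following Python sketch models the two ideas above: enforcement at the moment of the action rather than at login, with the allowed actions contracting as risk signals change while the session itself stays alive. The signal names, weights and thresholds are assumptions chosen for the example.

```python
# Added example: action-level, risk-adaptive enforcement for a browser session.
# Signal names, weights and thresholds below are assumptions for illustration.
from dataclasses import dataclass, field

ALL_ACTIONS = {"view", "copy", "download", "print", "upload"}
# Actions that move data out of the application: the exfiltration paths.
EXFIL_ACTIONS = {"copy", "download", "print", "upload"}

@dataclass
class Signals:
    mfa: bool = True             # authentication strength
    device_managed: bool = True  # device posture
    geo_anomaly: bool = False    # unusual location / impossible travel
    behavior_anomaly: bool = False

def risk_score(s: Signals) -> int:
    """Combine weighted signals into a 0-100 risk score (weights assumed)."""
    score = 0
    score += 0 if s.mfa else 30
    score += 0 if s.device_managed else 30
    score += 25 if s.geo_anomaly else 0
    score += 25 if s.behavior_anomaly else 0
    return min(score, 100)

def allowed_actions(s: Signals) -> set:
    """Map risk to permitted actions. The session is never terminated;
    only its capabilities shrink as risk rises."""
    r = risk_score(s)
    if r < 30:
        return set(ALL_ACTIONS)
    if r < 60:
        # Medium risk: cut the bulk-transfer paths, keep copy and print.
        return ALL_ACTIONS - {"upload", "download"}
    # High risk: read-only. Viewing is low risk; moving data is not.
    return ALL_ACTIONS - EXFIL_ACTIONS

@dataclass
class Session:
    user: str
    signals: Signals
    audit: list = field(default_factory=list)

    def attempt(self, action: str) -> bool:
        """Enforce at the moment of the action and record the decision."""
        ok = action in allowed_actions(self.signals)
        self.audit.append((action, risk_score(self.signals), "allow" if ok else "deny"))
        return ok
```

Re-evaluating `allowed_actions` on every attempt is what lets permissions contract mid-session without a logout or step-up prompt.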
Sofia Ali, Associate Director & Principal Analyst, QKS Group, has this advice: "In modern enterprises, security is no longer about controlling access, it's about controlling actions. The browser is where trust is exercised every second, and securing it as a policy choke point allows organizations to reduce real risk without taking away user freedom."
