- What: The browser as a control layer for managing shadow AI
- Impact: Offers a new approach to mitigating AI-related data-loss risks
Handling shadow AI at the source: Why the browser is the new control layer

April 23, 2026
By Paul Wagenseil

Shadow AI is one of the most immediate and complex risks modern enterprises face today. Yet while it's a major security risk, you can't blame employees, who often have the best of intentions, for turning to public AI tools, authorized or not, to boost productivity.

Is there a way to let employees use their shadow AI tools while minimizing the risks of data loss or exposure? Yes: by controlling the interface through which shadow AI is reached.

Interactions with online applications and services happen almost entirely through a web browser, which has become the primary gateway for innovation, and for risk. But most browsers weren't designed to mitigate risk. A secure enterprise browser turns what had been a "dumb" portal into an active control layer that can provide visibility, enforce company policy, restrict dangerous prompts, and stop sensitive data from leaking out.

"[The browser] is where the action is happening, and where the action is happening, that is where you want to have the controls," said Arunesh Chandra, Head of Product, Microsoft Edge for Business, in a recent CRA interview.

Why employees use shadow AI

It's obvious why employees would want to use generative AI. It creates faster workflows, increases output many times over, and, ultimately, confers competitive advantage both inside and outside the organization.

"The enthusiasm that employees have is legitimate," said Chandra. "AI is providing value and productivity improvement. And they want to use that to be seen better by their managers and their leaders, that they are doing great work."

According to Microsoft's 2024 Work Trend Index annual report, some 78% of employees who use AI at work, across all industries, bring their own AI tools rather than using ones approved by their organization.
And when an employee reaches shadow AI through an unmanaged web browser, the organization usually can't see or control it. The problem isn't malicious intent, but a lack of awareness. Employees often don't realize that when they paste sensitive data, upload internal documents, or ask questions about intellectual property in a public AI system, that information may be retained by the provider, used to train or tune its models, and, depending on the service's data-handling terms, surface later in responses to other users. Many organizations can't even see whether users are sharing data with unauthorized AI tools. Without that oversight, security teams can't spot misuse, enforce company policies, or respond to emerging threats involving shadow AI.

"These non-approved AI tools, you do not know about their data-handling practices," said Chandra. "What are they doing with the data that is received from your enterprise? Are your employees pasting in sensitive content into that LLM that they brought in your browser?"

Yet employees will continue to use shadow AI if no authorized alternative is offered. The result is a growing disconnect between how AI-assisted work is done and how it is secured.

How secure enterprise browsers unmask and control shadow AI

A secure enterprise browser can close this disconnect by putting security controls directly into the platform on which AI-assisted work happens. Enterprise browsers let security teams see user activity, let IT teams enforce policies, and can be integrated into broader security frameworks. For example, Microsoft Edge for Business works natively with identity, data protection, and endpoint security systems such as Microsoft Entra Conditional Access, Microsoft Purview, and Microsoft Defender. This integration lets organizations apply zero-trust principles, including real-time identity verification, device health checks, and conditional access policies, in the browser itself.

Enterprise browsers also allow discovery and monitoring of AI usage, authorized or otherwise.
Security teams can see which AI tools employees use and what kind of data is being entered into them. Built-in data loss prevention (DLP) capabilities let administrators track and block actions such as copying, pasting, uploading, or printing sensitive information to or from the browser. With a secure enterprise browser, the previously passive browser interface becomes a centralized enforcement point. Organizations no longer need to piece together data from fragmented tools or after-the-fact alerts. Instead, they gain continuous, real-time oversight of user behavior at the point of interaction. One caveat: these controls only see what passes through the managed browser; desktop AI clients, mobile apps, or an unmanaged browser on the same device are out of scope unless other controls, such as conditional access requiring the managed browser, route that traffic through it.

How granular browser controls permit shadow AI while preventing data loss

Security managers may hate to hear it, but blocking unauthorized AI tools outright rarely works. It dampens productivity, angers employees, and drives shadow-AI usage further underground. Ideally, each organization would have its own in-house AI system, or at least a private instance of a cloud-based AI model. Until then, the practical approach is to strike a balance by permitting shadow AI usage while managing it.

Secure enterprise browsers make this possible with granular, context-aware controls. Administrators can set policies that allow access to shadow AI tools but restrict sensitive actions.

"The wholesale blocking continues to be an option for you if that's what you want to do," explained Chandra. "But we are also offering in the browser some nuanced control where you can still tolerate the browser, the AI for general-purpose use and the employee still gets to feel great."

DLP policies can block or warn users when they attempt to paste or upload confidential data to a public AI model. A protected clipboard, image watermarking, and prompt monitoring also help keep sensitive information within approved boundaries. Identity-driven access controls ensure that only verified users on authorized devices can reach enterprise resources. These controls don't need to be fixed in stone.
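As an added example, not code from Microsoft Edge for Business or any product mentioned on this page, the JavaScript below sketches the decision such a paste-or-upload policy has to make: it classifies the content (a Luhn check keeps random digit runs from being mistaken for card numbers), looks up the destination against a tiered list of AI tools, checks the identity and device-health signals the text names as context, and returns allow, warn or block together with whether to audit the event. The detectors, hostnames, tiers and sample events are all constructed for illustration; a real enterprise browser applies its vendor's own classifiers and policy schema.

```javascript
// Added example (not Microsoft Edge code): a context-aware DLP decision for a
// paste or upload into a web page. Detectors, hostnames, policy tiers and
// sample events are constructed for illustration.

// Luhn checksum: separates payment-card numbers from arbitrary digit runs.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Sensitive-content detectors; each fires with a label and a severity.
const DETECTORS = [
  {
    label: 'payment_card',
    severity: 'high',
    test: (text) => {
      // 13-19 digits with optional space/dash separators, then Luhn-validated.
      const runs = text.match(/\b\d(?:[ -]?\d){12,18}\b/g) || [];
      return runs.some((run) => luhnValid(run.replace(/[ -]/g, '')));
    },
  },
  {
    label: 'secret_token',
    severity: 'high',
    // Shapes resembling common API-key prefixes (assumed patterns, not a full list).
    test: (text) => /\b(?:AKIA[A-Z0-9]{16}|sk-[A-Za-z0-9]{20,})\b/.test(text),
  },
  {
    label: 'classification_marker',
    severity: 'medium',
    test: (text) => /\b(?:CONFIDENTIAL|INTERNAL ONLY)\b/i.test(text),
  },
];

// Hypothetical tiers per AI destination; unlisted hosts are treated as unapproved.
const AI_DESTINATIONS = {
  'assistant.corp.example': 'approved',   // private instance: full access, audited
  'chat.public-ai.example': 'tolerated',  // public tool: allowed unless content is sensitive
};

function classify(text) {
  const hits = DETECTORS.filter((d) => d.test(text));
  const severity = hits.some((h) => h.severity === 'high') ? 'high'
    : hits.length ? 'medium' : 'none';
  return { severity, labels: hits.map((h) => h.label) };
}

// event:   { action: 'paste' | 'upload', host, content }
// context: { userVerified, deviceCompliant }   (identity and device-health signals)
// Returns { decision: 'allow' | 'warn' | 'block', audit, reason }.
function evaluate(event, context) {
  // Zero-trust preconditions come first, regardless of content.
  if (!context.userVerified || !context.deviceCompliant) {
    return { decision: 'block', audit: true, reason: 'identity_or_device_not_verified' };
  }
  const tier = AI_DESTINATIONS[event.host] || 'unapproved';
  const { severity, labels } = classify(event.content);
  const reason = `${tier}:${severity}:${labels.join(',') || '-'}`;

  if (tier === 'approved') {
    // Approved tools may receive sensitive data; log it so the transfer is visible.
    return { decision: 'allow', audit: severity !== 'none', reason };
  }
  if (severity === 'high') return { decision: 'block', audit: true, reason };
  if (severity === 'medium') return { decision: 'warn', audit: true, reason };
  // Non-sensitive, general-purpose use: tolerated tools pass, unknown tools get a
  // warning; both are logged so the AI tools actually in use become visible.
  return { decision: tier === 'tolerated' ? 'allow' : 'warn', audit: true, reason };
}

// Constructed sample traffic.
const SAMPLE_CONTEXT = { userVerified: true, deviceCompliant: true };
const SAMPLE_EVENTS = [
  { action: 'paste',  host: 'chat.public-ai.example', content: 'Summarise this meeting agenda.' },
  { action: 'paste',  host: 'chat.public-ai.example', content: 'Refund card 4111 1111 1111 1111 please' },
  { action: 'paste',  host: 'chat.public-ai.example', content: 'Ticket 4111 1111 1111 1112 is delayed' },
  { action: 'upload', host: 'notes.unknown-ai.example', content: 'INTERNAL ONLY roadmap Q3' },
  { action: 'paste',  host: 'assistant.corp.example', content: 'rotate key AKIAABCDEFGHIJKLMNOP' },
];

for (const ev of SAMPLE_EVENTS) {
  console.log(`${ev.action} -> ${ev.host}:`, evaluate(ev, SAMPLE_CONTEXT));
}
```

The ordering matters: identity and device checks run before any content inspection, the approved tier is the only place sensitive data is allowed through, and every AI-bound event is audited even when allowed, which is what gives security teams the discovery view of which tools are actually in use. The third sample event shows why the Luhn check is there: a 16-digit ticket number that fails the checksum is not treated as a card number, so general-purpose use is not blocked on a false positive.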
The controls can adapt dynamically based on context. Factors such as user identity, device status, and data sensitivity can determine which actions are allowed, blocked, or audited, so that every interaction is evaluated in real time.

Shadow AI represents a structural shift in how work gets done. A secure enterprise browser provides the visibility, governance, and flexibility needed to manage it. By turning the browser into a control layer, organizations can monitor shadow AI usage, prevent data loss, and enforce identity-based policies without disrupting productivity.

"You can allow the unauthorized AI to still exist in your workplace but only block when sensitive content is being used in that," said Chandra. "The granularity and the flexibility of the controls that the browsers are able to provide, that's going to be the winning formula here."

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom's Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.