Work Moved Into the Browser. Security Didn't. AI Is Exposing the Gap

The shift of enterprise work into web browsers over the past decade created an unprecedented security blind spot — and artificial intelligence is now making that gap dangerously visible, according to a new report from cybersecurity researchers at CrowdStrike and corroborated by data from multiple enterprise security vendors.

The core problem is architectural. When employees accessed corporate systems through desktop applications, security teams could control the endpoint, the network, and the application layer. But as work migrated to browsers — email in Gmail, documents in Google Docs, communication in Slack, CRM in Salesforce — the security perimeter dissolved. The browser became both the workspace and the attack surface.

AI is exacerbating this shift in two ways. First, generative AI tools like ChatGPT, Claude, and Copilot are themselves browser-based, creating new vectors for data exfiltration. Employees paste sensitive code, financial data, and strategic documents into AI chatbots that may retain, log, or train on that information. Second, AI-powered phishing and social engineering attacks have become dramatically more convincing, generating emails and messages that are virtually indistinguishable from legitimate corporate communications.

The numbers are striking. CrowdStrike's report shows that 79% of cyberattacks in 2025 involved browser-based vectors, up from 42% in 2020. The average time from initial browser compromise to data exfiltration dropped from 14 days to 6 hours — a reduction driven largely by AI-assisted attack automation.

Enterprise browser security tools have emerged to fill the gap, with companies like Island, Talon (acquired by Palo Alto Networks), and Sphere offering purpose-built browsers with zero-trust architecture, data loss prevention, and session isolation. Adoption is growing rapidly but remains under 15% of enterprise endpoints globally.

What This Means For You: If you use a browser for work — and you almost certainly do — you are operating in a security environment that was designed for reading websites, not handling corporate secrets. Three immediate steps: First, never paste sensitive data (code, financials, strategy documents) into public AI chatbots. Use enterprise-grade tools with data retention policies. Second, enable hardware security keys (YubiKey or similar) for all accounts that support them — they eliminate 99% of phishing attacks. Third, if your IT department offers a secure enterprise browser, use it. The convenience cost is minimal; the security benefit is enormous. If you're a business owner or IT manager, browser security is no longer optional — it's where your perimeter actually lives.