The way organizations access and use enterprise data has fundamentally changed. Knowledge workers now operate in browser-based environments, relying heavily on SaaS applications and increasingly experimenting with AI-powered tools to boost productivity.

In the Security Strategist podcast, Chris Steffen, Vice President of Research at Enterprise Management Associates (EMA), spoke with Michael Leland, Field Chief Technology Officer at Island, about the growing cybersecurity challenges associated with browsers, SaaS platforms and AI tools, and how organizations can adapt their enterprise security strategies.

While this shift has accelerated innovation, it has also introduced new cybersecurity risks. Sensitive information now flows through consumer browsers, AI assistants, browser extensions and cloud platforms, often outside the visibility of traditional security controls. As a result, enterprise security teams must rethink how they approach data protection, governance and access control in a browser-driven workplace.

Why Browser-Based Workflows Are Creating New Enterprise Security Risks

Enterprise security models were historically built around network perimeters, firewalls and on-premises infrastructure. Today, however, most work happens inside web browsers, where employees interact with SaaS platforms, cloud storage systems and AI tools.

According to Leland, this shift has significantly expanded the attack surface.

“The majority of knowledge workers are accessing business applications primarily via the web, whether it’s a SaaS application or a web front end to a legacy application. But they’ve been doing so in a consumer browser,” he explains. 

Consumer-grade browsers were designed for convenience and personal use, not enterprise security. As a result, they often introduce vulnerabilities that can expose sensitive corporate data.

Traditional enterprise controls such as VPNs, secure web gateways and zero trust architectures attempt to mitigate these risks. However, these tools frequently operate outside the browser itself, leaving gaps in visibility and control.

The challenge becomes even more complex when browser extensions are added to the mix. Many extensions request extensive permissions and can access sensitive information inside SaaS applications.

“In the last 18 months, almost 40 per cent of browser extensions published have something to do with AI. Some offer real productivity gains, but the provenance of many of these tools is questionable,” Leland notes. 

This growing ecosystem of extensions and cloud tools has created a new security frontier where enterprise data protection must operate directly at the user interaction layer.

How AI Sprawl Is Complicating Data Governance

Alongside browser-driven workflows, organizations are also dealing with a rapid surge in AI adoption. From tools like ChatGPT and Copilot to embedded AI features inside SaaS platforms, AI is becoming a standard part of the modern workplace.

However, this rapid adoption is also creating a phenomenon known as AI sprawl. Knowledge workers increasingly select their own AI tools based on preference or convenience, leading to a patchwork of unsanctioned platforms operating across the enterprise.

“Each knowledge worker may have their own AI tool of choice. So the whole BYO AI—bring your own AI—trend is becoming very real,” says Leland. 

While these tools can deliver productivity gains, they also create serious data governance risks. Many AI platforms process prompts and inputs in external cloud environments, meaning that sensitive information could be inadvertently shared or stored outside company-controlled systems. Even seemingly harmless productivity tools may capture user data.

Why Visibility and Data Boundaries Are Critical for Protecting Enterprise Data

With browser usage and AI adoption accelerating, many cybersecurity teams are shifting their focus toward controlling data at the point of interaction rather than relying solely on network-based controls.

One emerging concept is the use of data boundaries—defined environments where organizations can control how sensitive information moves between applications.

A data boundary acts as a secure enclave that determines which applications are trusted and what data can flow between them.

“If you trust application A and application B, you might allow data to move freely between them,” Leland explains. “But you still enforce guardrails that prevent data from leaving that boundary.”

This approach allows organizations to balance security and productivity, an increasingly important consideration as knowledge workers rely on multiple SaaS platforms and AI assistants to complete daily tasks.

Another critical component of modern enterprise security is visibility. Security leaders cannot govern AI tools or protect sensitive data if they do not understand how employees are using them. As enterprises continue to embrace cloud applications and AI tools, protecting sensitive data will require a shift in cybersecurity thinking.

If you would like to find out more, visit island.io.

Takeaways:

  • Establish a secure data boundary to control data flow between trusted applications.
  • Utilize AI to automate data protection and enhance real-time monitoring.
  • Foster a culture of security awareness among employees to strengthen your organization’s security posture.