For about fifteen years, the security industry told a clean story about where work happens: it happens on the endpoint, and you protect the endpoint with an agent. Then work moved to SaaS, the perimeter dissolved, and we spent a decade talking about identity and zero trust as the new control plane. RSAC 2026, held March 23-26 at Moscone Center under the theme "Power of Community," quietly rewrote that story again. Every major vendor was selling the same thing: the browser is where work actually happens now, and with agentic AI in the mix, the browser is the new endpoint.
That is not marketing fluff. It is a reasonable read of where the risk has migrated. But "reasonable read" and "solved problem" are very different claims, and the gap between them is where security teams are going to get hurt over the next year.
Why the Browser Suddenly Matters Again
The browser was always the most-used application on the endpoint. What changed is what runs inside it. Two trends collided.
First, real work moved fully into the tab. The average knowledge worker spends their day in SaaS apps, internal web tools, and document editors that never touch a local install. The browser is the runtime.
Second, AI agents moved into that same tab. Browsers now ship with agentic modes that can read across tabs, fill forms, click buttons, move data between apps, and take multi-step actions on a user's behalf. At RSAC 2026, Microsoft positioned Edge for Business as a secure enterprise AI browser with an Agent Mode and multi-tab reasoning, and said existing data-loss-prevention policies would extend to those agentic experiences. Palo Alto Networks pitched Prisma Browser as a workspace built specifically to govern autonomous workflows, including pausing an agent and demanding step-up MFA before a sensitive data move. Whatever you think of the marketing, the underlying observation is correct: an agent operating inside a browser session inherits the user's authenticated access to everything in that session.
That last point is the whole game. An agent in the browser is not a sandboxed assistant. It is acting with your logged-in identity, your cookies, your OAuth tokens, and your SaaS permissions. The blast radius of a misbehaving or hijacked agent is the union of everything you can reach in a tab.
Shadow AI Is the Browser's Shadow IT
The browser is also where shadow AI lives, and shadow AI is the more honest framing of the actual exposure. Employees paste source code, customer records, and unreleased strategy into consumer AI tools because those tools are one tab away and genuinely useful. The data leaves through a text box, not a malware payload.
The numbers vendors are citing are large enough to take seriously even if you discount them. CrowdStrike, which used RSAC 2026 to declare the endpoint "the epicenter for AI security," said its sensors detect more than 1,800 distinct AI applications running on enterprise devices across its customer base. Google's Chrome Enterprise leaned into the same problem with shadow-AI reporting to flag employee use of unsanctioned web-based AI, plus extension threat detection aimed at malicious or over-permissioned browser extensions.
That extension angle deserves more attention than it got on the show floor. A browser extension with broad permissions can read page content, intercept form fields, and exfiltrate data, and an "AI" extension is a perfectly normal cover story for exactly that behavior. The browser has quietly become a software supply chain of its own — every installed extension is a third-party dependency running with access to your authenticated sessions. Most organizations have no inventory of what is installed, let alone any provenance for it.
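A starting point for the missing inventory, as an added example rather than any vendor's tooling: this sketch reads Chromium-style extension manifests and flags the combination described above, broad host access together with APIs that touch session data. The permission lists are a deliberately small selection, the risk tiers are an assumption of this example, and the two sample manifests are constructed.

```python
import json
from pathlib import Path

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Chrome API permissions that expose session data or page content.
SENSITIVE_APIS = {"cookies", "webRequest", "scripting", "tabs", "history",
                  "clipboardRead", "debugger", "nativeMessaging"}

def audit_manifest(manifest: dict) -> dict:
    """Return the risky grants declared by one extension manifest."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    # MV3 lists hosts separately; MV2 mixes them into "permissions".
    hosts = set(manifest.get("host_permissions", [])) | perms
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    broad = sorted(hosts & BROAD_HOSTS)
    apis = sorted(perms & SENSITIVE_APIS)
    # Broad host access plus a session-touching API is the combination that
    # lets an extension read authenticated pages and move the data out.
    risk = "high" if broad and apis else "review" if broad or apis else "low"
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "broad_hosts": broad, "sensitive_apis": apis, "risk": risk}

def inventory(extensions_dir: Path) -> list[dict]:
    """Audit every <id>/<version>/manifest.json under a profile's Extensions dir."""
    results = []
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable manifest: skip rather than abort the sweep
        results.append({"id": path.parts[-3], **audit_manifest(manifest)})
    return results

# Constructed sample manifests (not real extensions).
SAMPLE_AI_HELPER = {"manifest_version": 3, "name": "AI Writing Helper", "version": "1.2.0",
                    "permissions": ["scripting", "cookies", "storage"],
                    "host_permissions": ["<all_urls>"]}
SAMPLE_NOTES = {"manifest_version": 3, "name": "Team Notes", "version": "0.9",
                "permissions": ["storage"],
                "host_permissions": ["https://notes.example.com/*"]}
```

Point `inventory()` at a browser profile's `Extensions` directory to get one record per installed version; anything rated "high" is a candidate for a provenance check before it stays installed.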
What Actually Shipped Versus What Was Promised
Here is where a little skepticism is healthy. The browser-as-endpoint pitch broadly splits into three approaches, and they are not equally mature.
Secure enterprise browsers and managed forks. A purpose-built or managed browser gives you policy enforcement at the rendering layer: DLP on copy-paste and uploads, controls over which sites agents may act on, and logging of in-browser activity. This is the strongest of the three because the control sits where the action happens. The catch is adoption. A secure browser only protects the sessions that run inside it, and getting an entire workforce to switch browsers — or to do sensitive work only in the managed one — is an organizational problem, not a technical one.
Browser isolation. Remote and local isolation render risky content away from the endpoint. It is mature technology and genuinely useful against drive-by web threats, but it was designed for a world where the danger was malicious content rendering. It does much less about a sanctioned agent doing the wrong thing with legitimate access, which is the new failure mode.
Endpoint and SASE platforms reaching up into the browser. CrowdStrike's route was acquiring Seraphic to extend runtime protection into the browser, and several SASE vendors are routing browser traffic through their inspection layer. This gives you reach across browsers you do not control, but inspection at the network layer struggles with encrypted, in-app agent actions that never look like a classic exfiltration event.
None of these is wrong. The honest takeaway is that no single one of them covers the agentic case cleanly today. The visibility into in-browser agent activity that everyone is advertising is real but early, and a lot of it amounts to discovery and logging rather than enforcement. Knowing an agent touched a record is not the same as having stopped it from doing so.
The Real Problem Is Verification, Not Visibility
Strip away the product names and the browser-as-endpoint trend is really a verification problem. An agent in a browser takes an action. Before that action commits, someone or something has to decide: is this action consistent with policy, with this user's intent, with what this agent is supposed to do? Step-up MFA on a sensitive move, as Prisma Browser does, is one crude form of that check. It does not scale to thousands of agent actions a day, and it pushes the judgment onto a user who will click "approve" reflexively.
The deeper issue is that prompt injection and tool poisoning make the agent itself an untrusted input source. A page the agent reads can contain instructions that redirect it. An MCP tool or extension the agent calls can be poisoned. So the controls cannot live only inside the agent or the model — a compromised agent will happily report that everything is fine. They have to live in an independent layer that can evaluate what the agent is about to do and block it before it commits, with a record of why.
That is the same architectural lesson the rest of AI security keeps relearning: reliability lives in the verification and orchestration layer above the model, not in the model itself.
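The independent check described in this section, sketched as an added example (not code from any product named on this page): a gate that sits outside the agent, decides on each proposed action before it commits, and records why. The `Action` fields, the policy sets, the example.com origins and the three decision values are all assumptions of this sketch.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed policy for the example; origins and labels are constructed.
SANCTIONED = {"crm.example.com", "docs.example.com", "mail.example.com"}
SENSITIVE_LABELS = {"customer_record", "source_code"}

@dataclass
class Action:
    verb: str                 # "read", "fill_form", "upload", ...
    source_url: str           # where the data comes from
    dest_url: str             # where the agent wants to act
    labels: set = field(default_factory=set)   # DLP labels on the data
    agent_says_safe: bool = True                # self-report; never trusted

def host(url: str) -> str:
    """Lower-cased hostname, or '' for anything that does not parse."""
    return (urlsplit(url).hostname or "").lower()

def evaluate(action: Action, task_scope: set, audit_log: list) -> str:
    """Decide before commit; return 'allow', 'step_up' or 'deny' and log why."""
    src, dst = host(action.source_url), host(action.dest_url)
    if dst not in SANCTIONED:
        decision, why = "deny", f"destination {dst!r} is not sanctioned"
    elif dst not in task_scope:
        # A page that redirects the agent shows up as an out-of-scope target.
        decision, why = "deny", f"{dst!r} is outside the user's task scope"
    elif action.verb != "read" and src != dst and action.labels & SENSITIVE_LABELS:
        decision, why = "step_up", "sensitive data crossing origins"
    else:
        decision, why = "allow", "within policy"
    # The self-report is logged for later comparison but plays no part above.
    audit_log.append({"verb": action.verb, "src": src, "dst": dst,
                      "decision": decision, "why": why,
                      "agent_says_safe": action.agent_says_safe})
    return decision
```

The gate fails closed: a destination that does not parse to a hostname is treated as unsanctioned, and the step-up path is reserved for the narrow case of labelled data leaving its origin rather than every agent action.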
How Safeguard Helps
Safeguard treats in-browser agents, extensions, and AI tools as what they are — third-party components in your software supply chain that need provenance, policy, and continuous verification. Our Multi-Agent TAOR Deep Think AI Engine and Griffin AI evaluate agent and tool activity against policy gates and a vendor policy registry, so an agent action or a newly installed AI extension is checked against your rules rather than trusted by default, with multi-agent verification to cut the false positives that bury security teams. We are model-agnostic by design: bring your own model, and the judgment stays in the orchestration layer above it. If the browser is becoming your new endpoint, we can help you inventory what is running there and gate what it is allowed to do — reach out and we will walk your environment with you.