By Sarang Warudkar - Senior Technical Project Manager
May 19, 2026 4 Minute Read
Generative AI adoption changed enterprise security in ways many organizations have yet to address. The risk did not come from sophisticated attacks. It came from a browser tab.
Employees spend much of their day in browsers, accessing CRM records, financial dashboards, shared documents, and AI tools such as ChatGPT, Microsoft 365 Copilot, and Gemini. The productivity gains are clear. So is the exposure.
AI applications introduced prompt fields that allow data to move directly from an employee’s clipboard to an external model. Messaging platforms such as Microsoft Teams Web and WhatsApp Web rely on persistent WebSocket connections that traditional network security tools cannot inspect. Modern SaaS applications also encrypt content before it reaches the proxy.
The result is a growing category of in-session activity that existing network security controls cannot see or govern. Since this activity occurs inside the browser, protection must exist there as well.
Traditional network inspection relies on HTTP and HTTPS traffic flowing through a proxy. That model worked well for years, but two changes have added complexity.
First, modern SaaS applications increasingly use WebSocket connections. Applications such as Microsoft Teams, WhatsApp, and Microsoft 365 Copilot create persistent browser sessions, which allows them to bypass traditional proxy inspection and leaves security teams without visibility into the activity in those sessions.
Second, applications that use end-to-end encryption encrypt content before the traffic reaches the proxy. Network security tools can detect the connection, but they cannot inspect the content of the data being sent.
This leaves browser activity that lies outside the reach of existing security oversight.
Most data exposure incidents do not come from advanced attackers; they come from routine employee actions inside the browser, such as copy-paste, screenshots, uploads, and AI prompts, that occur after access is granted.
The most common in-session data exposure events share a pattern. They are routine actions that employees take during normal work, and they are difficult to detect or govern with tools that operate at the network edge.
Examples include:
These actions occur during normal work activity and are difficult for conventional controls to detect.
Generative AI amplified this problem by creating browser prompt fields that accept any pasted content. Employees can submit source code, customer PII, financial data, legal documents, or M&A plans into external AI systems within seconds. According to Keep Aware’s 2026 State of Browser Security Report, 41% of employees regularly interact with AI web tools that have no governance controls over what they paste or upload. For most organizations, no technical control exists between an employee’s clipboard and an external AI model.
For many organizations, no technical control is in place between an employee's clipboard and an external AI prompt field.
Existing regulations already require technical safeguards for sensitive data.
Article 32 of the General Data Protection Regulation (GDPR) requires protection for the processing of personal data. The Health Insurance Portability and Accountability Act (HIPAA) requires safeguards for health data. India's Digital Personal Data Protection Act requires technical safeguards for personal data. The Payment Card Industry Data Security Standard (PCI DSS) requires controls over cardholder data.
Auditors increasingly ask what prevents employees from copying sensitive data into external AI tools. Many organizations have no clear technical answer.
The market has developed several approaches to in-session browser security. Secure enterprise browsers deliver deep in-session controls by replacing the browser employees use with a managed corporate alternative. That model works for tightly controlled environments but introduces significant adoption friction, deployment timelines of three to six months, and structural coverage gaps for BYOD and contractor devices.
Agentless secure browser controls take a different approach. They enforce data protection policies inside active browser sessions through existing SSE infrastructure, without replacing the browser, without installing endpoint agents, and without requiring employees to change how they work. Coverage extends to Chrome, Edge, Firefox, and Safari on managed devices, BYOD endpoints, and contractor devices equally. Activation takes minutes, not months.
The result is enterprise browser security benefits without the adoption and cost trade-offs of browser replacement. The browser stays. The governance arrives.
If the in-session activity described above sounds familiar in your environment, the fastest next step is learning how agentless secure browser controls address it.
Visit the Skyhigh Secure Browser Controls product page to see how the capability works, how it deploys through your existing SSE platform, and what coverage looks like across managed devices, BYOD, and contractor endpoints.
You can also request a personalized demo of Skyhigh’s Secure Browser Controls.
About the Author

Sarang Warudkar is an experienced Product Marketing Manager with more than 10 years in cybersecurity, skilled at aligning technical innovation with market needs. He has deep expertise in solutions such as CASB, DLP, and AI-based threat detection, driving high-impact go-to-market strategies and customer engagement. Sarang holds an MBA from IIM Bangalore and an engineering degree from Pune University, combining technical and strategic insight.