The browser became the endpoint, and no one is governing it
The perimeter is hardened, the laptops run EDR, the email is filtered. Meanwhile the application where employees now spend the entire day, the browser, sits in the blind spot between all of it, largely ungoverned.
Ask a security team to draw their controls and you get a familiar picture. A hardened perimeter. Endpoint detection on every laptop. Email filtered and phishing-tested. A SIEM correlating it all. It is a serious stack, built over years, and it is mostly pointed at where the work used to be.
The work moved. An employee today spends most of the day inside a browser: the CRM, the cloud console, the internal dashboards, the document suite, the support tool, the bank portal. The browser is no longer an accessory to enterprise software. It is the front door to it, and increasingly the software itself. The endpoint that matters most is now a tab.
What the stack misses
Each layer of the traditional stack stops at the edge of the browser.
The perimeter firewall sees encrypted traffic to sanctioned services and waves it through, because that is its job. Endpoint detection watches the operating system for malicious processes, but a sensitive document pasted into a personal webmail tab is not a malicious process. It is an ordinary one doing an ordinary thing. The SIEM gets logs from the infrastructure, not from inside the rendered page. Email filtering never sees the link a user pastes from a chat app. The browser sits in the blind spot between all of these, handling the most sensitive work of the day with the least governance.
Why the browser is where data leaves
Almost every path data takes out of an organization now runs through the browser. A download. An upload to an unsanctioned service. A copy-paste into a chat or a personal email. A screenshot. A file dragged into a generative-AI tool. None of these are exotic attacks. They are the normal motions of a normal workday, and they are exactly the motions that move regulated data past the boundary, with no enforcement at the point where it happens and no trustworthy record that it did.
It is also where compromise arrives. A malicious page, a poisoned extension, a session token lifted from browser storage. The browser is both the primary channel data leaves through and a primary path intrusion comes in through, and it is the one surface the rest of the stack was not built to govern.
The Indian enterprise angle
For an Indian organization this gap is no longer only an operational risk. The DPDP Act places obligations on how personal data is handled and expects you to be able to show your work. "We have a firewall and EDR" says nothing about the surface where most personal data is actually touched, which is the browser, on an endpoint, often outside the office network. A regulator asking how you control and account for access to personal data is asking about exactly the layer the traditional stack skips.
What governing it actually takes
The instinct is to add another watcher: a browser extension, an agent, a managed Chromium that inspects what happens inside the page. It is software inside the browser's trust domain. It can govern the ordinary motions, the paste and the upload, and for the common case it works. But it shares the browser's fate: a compromise that takes the browser takes the watcher with it. It holds precisely until the moment you most need it to.
Governing the browser properly means treating it as what it has become: an untrusted execution environment handling trusted data. So you contain it. Run the session inside a hardware-isolated boundary, force its egress through a single inspecting chokepoint where policy is enforced, and record what crossed in a tamper-evident, value-free audit. The controls live at the boundary, not inside the browser, so they hold even when the browser does not, and they apply whether the payload is your standard browser, a different one, or something that is not a browser at all.
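The boundary-side pattern sketched above, as an added illustration rather than code from the article or from any product: a single egress chokepoint that applies policy to every outbound action, and an audit log that is value-free (it records a hash, a size and classification labels, never the data itself) and tamper-evident (each record is chained to the hash of the one before it, so editing or deleting an earlier record breaks verification). The sanctioned-destination list, the two regex detectors and the sample events are all constructed for the example; a real deployment would plug in its own classifier and policy.

```python
"""Egress chokepoint sketch: policy enforcement plus a value-free,
tamper-evident audit chain. Illustrative code, not any vendor's product;
destinations, detectors, policy and sample events are constructed."""
import hashlib
import json
import re
from dataclasses import dataclass, field

# Constructed policy: sanctioned destinations and the actions allowed there.
SANCTIONED = {
    "crm.example.internal": {"upload", "paste", "download"},
    "docs.example.internal": {"upload", "paste", "download"},
}

# Constructed detectors for regulated data. Only the label is ever stored.
DETECTORS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "card_like": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

GENESIS = "0" * 64  # first link of the chain


@dataclass
class Event:
    action: str     # "upload", "paste" or "download"
    dest: str       # hostname the data is crossing to
    payload: bytes  # the data itself; never written to the log


@dataclass
class AuditLog:
    records: list = field(default_factory=list)
    prev_hash: str = GENESIS

    def append(self, record: dict) -> dict:
        """Link the record to its predecessor, then seal it with its own hash."""
        record = dict(record, prev=self.prev_hash)
        body = json.dumps(record, sort_keys=True).encode()
        record["hash"] = hashlib.sha256(body).hexdigest()
        self.records.append(record)
        self.prev_hash = record["hash"]
        return record


def verify_chain(log: AuditLog) -> bool:
    """Recompute every hash and every back-link; any edit or deletion breaks it."""
    prev = GENESIS
    for rec in log.records:
        if rec.get("prev") != prev:
            return False
        body = {k: v for k, v in rec.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if digest != rec.get("hash"):
            return False
        prev = rec["hash"]
    return True


def classify(payload: bytes) -> list:
    """Return the sorted labels of regulated-data detectors that fire."""
    text = payload.decode("utf-8", errors="replace")
    return sorted(name for name, rx in DETECTORS.items() if rx.search(text))


def enforce(event: Event, log: AuditLog) -> str:
    """Apply the constructed policy at the chokepoint and record the crossing.

    Sanctioned destinations are allowed; unsanctioned ones are blocked only
    when the payload carries a regulated-data label. The record holds a
    digest and size of the payload, not its contents."""
    labels = classify(event.payload)
    sanctioned = event.action in SANCTIONED.get(event.dest, set())
    decision = "allow" if sanctioned or not labels else "block"
    log.append({
        "action": event.action,
        "dest": event.dest,
        "labels": labels,
        "size": len(event.payload),
        "sha256": hashlib.sha256(event.payload).hexdigest(),
        "decision": decision,
    })
    return decision


def run_demo():
    """Drive a few constructed events through the chokepoint."""
    log = AuditLog()
    events = [
        Event("paste", "crm.example.internal", b"Contact: a@b.com"),
        Event("upload", "mail.personal.example", b"Card 4111 1111 1111 1111"),
        Event("download", "crm.example.internal", b"quarterly.pdf bytes"),
        Event("paste", "chat.unsanctioned.example", b"lunch at noon?"),
    ]
    decisions = [enforce(e, log) for e in events]
    return decisions, log


if __name__ == "__main__":
    decisions, log = run_demo()
    print(decisions, verify_chain(log))
```

The point of the design is what the record does not contain: the audit survives a later dispute about what crossed (hash and size can be matched against a file found elsewhere) without itself becoming a second copy of the regulated data, and because the records are chained, a compromised browser cannot quietly rewrite the history of what it sent.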
The perimeter, the endpoint agent, and the mail filter were the right answers to where the work used to be. The browser is where it is now, and the desktop around it. It deserves the same seriousness, and a stronger assurance than watching can give.