Bleeping Computer

What 2026 DBIR Confirms: Attacks Are Living in the Browser


Every year, the Verizon Data Breach Investigations Report serves as a ground-truth benchmark for the industry. Its value comes not just from the headline numbers but from the convergence signals: when multiple independent data sources point to the same structural shift in how attackers operate, that convergence is worth paying attention to.

This year, as a contributor to the Verizon 2026 DBIR, the Keep Aware team had early visibility into that convergence.

This post breaks down the specific areas where the 2026 DBIR data and Keep Aware’s own browser telemetry align — and where browser-layer data reveals what network and endpoint tools miss entirely.

Shadow AI Has Become a Mainstream Enterprise Risk

Shadow AI was identified in the Verizon DBIR as the third most common non-malicious insider action observed in Data Loss Prevention (DLP) datasets, representing a fourfold increase from the previous year.

Employees are not typically trying to exfiltrate data; rather, they are using the fastest available tool for a task, which increasingly means pasting internal documents or source code into a personal ChatGPT session before their organization has had time to approve and provision a governed alternative.

The scale of unauthorized AI usage in enterprise environments is one of the report’s most significant findings: 67% of users are accessing AI services on corporate devices through personal, non-corporate accounts, and 45% of employees are now considered regular AI users.

Keep Aware’s browser telemetry provides further insight into how these AI services are being used. Over half of AI prompt inputs are sent to personal accounts, and 23% of sensitive prompt uploads involve data transiting through personal or unverified accounts (i.e., outside the reach of any corporate DLP policy or logging infrastructure), which conveys the real risks of AI usage.

Figure 9 from the Verizon 2026 Data Breach Investigations Report


Credential Abuse and the Browser’s Detection Gap

The 2026 DBIR found that 39% of breaches involved credential abuse. Keep Aware’s attack data from 2025 puts browser-based credential theft as the number one browser-based attack, accounting for approximately 41% of observed threat activity, implying that credential theft in the browser goes on to contribute to later breaches.

Compounding this attack vector is the fact that the vast majority of these attacks are invisible to traditional tooling, as our data illustrates.

In Keep Aware’s analysis, 63% of Microsoft-themed phishing sites were not flagged by any VirusTotal vendor at the time of employee exposure, showing a glaring detection gap in intelligence feeds and endpoint tools.

More pointedly, 100% of the credential theft attempts Keep Aware observed passed through existing non-browser security controls unblocked — network proxies, DNS filters, and endpoint agents alike.

None of them caught it. The only reliable detection point is inside the browser itself, where the page is rendered and the user interaction actually occurs.

Browser Extensions: Privileged, Ungoverned, and Expanding

Add-ons can read, modify, and interact with any page’s content, and can exfiltrate data from within the browser context. Extensions therefore operate with a level of browser privilege that should dictate regular scrutiny, yet the data tells a different story.

The 2026 DBIR flagged that the average enterprise had more than 15% of users with unauthorized AI extensions installed. However, the extension problem is broader than AI tooling alone.

Keep Aware’s extension telemetry additionally shows that 13% of unique browser extensions observed across our customer base were classified as high or critical risk.

The more operationally significant finding: 93% of poor-reputation extensions were labeled as “productivity” tools by browser marketplaces — the exact category most allowlisting policies treat as safe. For this threat class, that makes category-based allowlisting functionally useless.
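An added example, not taken from the Keep Aware or Verizon reports: one way to rank extensions by the access their manifest requests instead of by marketplace category. The permission names are real Chrome manifest keys; the weights, tier thresholds, extension names and sample manifests are constructed assumptions.

```javascript
// Added example: score an extension by the access its manifest requests,
// ignoring the marketplace category. Weights and tiers are assumptions.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const API_WEIGHTS = {            // real Chrome permission names, assumed weights
  cookies: 3, webRequest: 3, debugger: 4, scripting: 2,
  clipboardRead: 2, history: 2, tabs: 1, nativeMessaging: 3,
};

function isBroad(pattern) {
  return BROAD_HOSTS.has(pattern);
}

function scoreManifest(manifest) {
  const reasons = [];
  let score = 0;
  // MV2 mixes host patterns into "permissions"; MV3 uses "host_permissions".
  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  const hosts = [...(manifest.host_permissions || []),
    ...perms.filter((p) => p.includes("://") || p === "<all_urls>")];
  if (hosts.some(isBroad)) { score += 4; reasons.push("host access to all sites"); }
  const scripts = manifest.content_scripts || [];
  if (scripts.some((cs) => (cs.matches || []).some(isBroad))) {
    score += 3; reasons.push("content script injected on all sites");
  }
  for (const p of perms) {
    if (API_WEIGHTS[p]) { score += API_WEIGHTS[p]; reasons.push(`API: ${p}`); }
  }
  const tier = score >= 8 ? "critical" : score >= 5 ? "high" : score >= 2 ? "medium" : "low";
  return { score, tier, reasons };
}

function auditExtensions(inventory) {
  return inventory
    .map(({ name, category, manifest }) => ({ name, category, ...scoreManifest(manifest) }))
    .sort((a, b) => b.score - a.score);
}

// Constructed sample inventory: both entries carry the same marketplace category.
const SAMPLE = [
  { name: "Tab Tidy", category: "productivity",
    manifest: { manifest_version: 3, permissions: ["storage", "tabs"] } },
  { name: "PDF Helper Pro", category: "productivity",
    manifest: { manifest_version: 3, permissions: ["cookies", "scripting", "clipboardRead"],
      host_permissions: ["<all_urls>"],
      content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }] } },
];

console.log(auditExtensions(SAMPLE));
```

Both sample extensions share the "productivity" label, but only the requested access separates the low-risk one from the one that can read every page and its cookies.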

ClickFix and Browser-Native Social Engineering

Both the 2026 DBIR and Keep Aware’s State of Browser Security Report call out ClickFix as an emerging technique worth tracking.

The Verizon DBIR found ClickFix accounted for 2.7% of browser-detected attacks—a small share that nonetheless signals an evolution in browser-based social engineering.

Figure 57 from the Verizon 2026 Data Breach Investigations Report

ClickFix is a deceptive social engineering tactic used to get a user to unknowingly execute malicious code from the browser and on the host machine.

This threat begins in the browser—often by encountering compromised websites and sometimes through LLM chat responses—but quickly continues on the endpoint, compromising the machine with info stealers and giving attackers remote access.

The endpoint bears the impact, but the browser is the social engineering medium—and the first line of defense.

The Human Element Continues to be a (Browser) Problem

The 2026 DBIR found that 62% of breaches involved the human element, with phishing initiating 16% of incidents. Keep Aware’s browser-layer data shows phishing and social engineering accounted for 46% of browser attacks observed across 2025.

The human element finding is often framed as a training and awareness problem. But attackers are constantly evolving browser-based social engineering tactics—phishing links to benign intermediary sites, redirect chains, pages that render differently for automated scanners, hosting content on legitimate websites, and silent clipboard injections.

Browser-level visibility does not solve the human element problem, but it shifts the detection point to where the human interaction is actually occurring, rather than looking for downstream artifacts after the interaction has already been exploited.

What This Means for Security Teams

Shadow AI, credential theft, malicious extensions, and browser-native social engineering techniques like ClickFix share a common characteristic: they all execute inside the browser, and they all produce artifacts that are most visible, if not only visible, at the browser layer.

Security programs that rely exclusively on network, endpoint, and identity telemetry will continue to have blind spots in exactly the places attackers have learned to operate.

The browser is no longer just an application. For most enterprise users, it is the work environment. Securing it is no longer optional.

If your security stack lacks visibility into what’s happening inside browser sessions, that gap is worth understanding before attackers exploit it. Request a demo of Keep Aware to see what your current tools are missing.

Keep Aware contributed data to the Verizon 2026 Data Breach Investigations Report. Keep Aware’s 2026 State of Browser Security Report is available here.

Sponsored and written by Keep Aware.


