Analyst
Gartner: 25% of Organisations Will Deploy a Secure Enterprise Browser by 2028
Gartner predicts that by 2028, 25% of organisations will augment existing secure remote access and endpoint security tools by deploying at least one secure enterprise browser to close specific gaps. The category is now formally tracked in Gartner research.
Key Finding
Once Gartner publicly numbers an adoption curve, the procurement clock starts. Identity teams that do not have a position on where the secure enterprise browser sits in their architecture will get the position assigned to them by someone else.
On 29 April 2025, Gartner issued a public prediction that by 2028, 25% of organisations will augment their secure remote access and endpoint security stacks by deploying at least one secure enterprise browser (SEB). The prediction is the headline output of Gartner's "Innovation Insight: Secure Enterprise Browsers" research. The consumer browser is the most-used enterprise application and the one with the weakest enterprise controls.
The traditional response to that gap is a stack: a secure web gateway in front of the browser, a CASB watching SaaS traffic, a DLP engine inspecting payload, a VDI tier for high-risk roles, a ZTNA broker for remote access, plus endpoint agents to recover what the network tools miss. Each layer has its own management plane, its own policy model, and its own integration cost.
Gartner positions the SEB as a control that augments — not replaces — those stacks, targeted at specific gaps the existing stack does not cover well: contractor and unmanaged-device access, last-mile DLP on SaaS the gateway never sees, identity-aware policy enforcement inside the workflow rather than at the network edge. The 25% adoption number reflects an augmentation pattern, not a wholesale rip-and-replace.
For identity architects the interesting implication is that the browser becomes part of the identity control plane rather than a separate layer the IdP federates into. Identity assurance, conditional access, and posture flow into a runtime that already knows the application, the data, and the user — without breaking SSL, without backhauling traffic, and without depending on the device being managed.
Two architectural decisions to make early when adopting:
- Where does the browser sit in your identity decision flow? It should consume identity assurance, not duplicate it. The IdP is the source of authority; the browser is a downstream PEP with rich context. - What is the relationship between the browser policy and your existing CASB / DLP / SWG investments? Some of those can retire over time. Some need to keep running for non-browser traffic. The decision needs an architecture document, not a vendor demo.
Gartner's prediction is useful as a buying signal. The architectural work behind it is where the value lands.
Need help with your identity architecture?
Every incident on this page was preventable with the right architecture. Let's talk about yours.
Book a Conversation