Sr. Content Developer at Microsoft, working remotely in PA, TechBash conference organizer, former Microsoft MVP, Husband, Dad and Geek.

The US has a new roadmap for fusion energy, without the funds to back it up

Guests await the beginning of a news conference at the Department of Energy headquarters to announce a breakthrough in fusion research on December 13, 2022 in Washington, DC. The officials announced that experiments at the National Ignition Facility at the LLNL achieved ‘ignition.’ | Photo: Getty Images

The Department of Energy (DOE) released a new roadmap for the US to realize the decades-long dream of harnessing fusion energy.

It’s a commitment to support research and development efforts and pursue public-private partnerships to finally build the first generation of fusion power plants. And of course, the plan hypes up AI as both a tool that can lead to new breakthroughs and as the motivation to create a new energy source that can satiate data centers’ growing electricity demands.

The DOE is eyeing an extremely ambitious timeline, although the details on how to accomplish that are vague considering success still relies on achieving scientific breakthroughs that have evaded scientists for the better part of a century. Moreover, the burgeoning ecosystem of startups and researchers committed to this task is clamoring for more cash — funds the DOE admits it doesn’t yet have to give. 

A press release from the DOE yesterday boasts that its new strategy aims to deploy commercial-scale fusion power to electricity grids by the mid-2030s. The actual roadmap, however, paints a fuzzier picture. The document says in bold that its goal “is to deliver the public infrastructure that supports the fusion private sector scale up in the 2030s.” Regardless, there are still a lot of hurdles and uncertainties to face, which could realistically make powering our homes and businesses with fusion energy decades away, if ever. 

Why is this such a large task? Today’s nuclear fission plants split atoms apart to release energy. Nuclear fusion plants, in contrast, would fuse atoms together to generate energy in a controlled way. (You get a hydrogen bomb when this is done in an uncontrolled way.) The upside to achieving fusion would be that it doesn’t produce the same radioactive waste as fission, nor does the process rely on polluting fossil fuels. 

Fusion essentially mimics the way stars produce their own light and heat. While this could be an abundant carbon-free energy source, it also takes a tremendous amount of heat and pressure to fuse atoms together. As a result, it’s been extraordinarily difficult to achieve a fusion reaction that results in a net energy gain (something called “ignition” in industry-speak). Scientists accomplished this for the first time in 2022 using lasers. Researchers developing fusion technologies are working to re-create that feat and figure out how to sustain the reaction longer. 

There have been some other significant changes in recent years that have fed into all the current buzz around fusion. The generative AI boom has left big tech companies scrambling to get enough electricity to power more data centers. Sam Altman, Bill Gates, and Jeff Bezos have all backed fusion startups developing their own plant designs. Both Google and Microsoft have announced plans to purchase electricity from forthcoming fusion power plants that are supposed to be online by the late 2020s or 2030s. More than $9 billion in private investments have flowed into fusion demonstrations and prototype reactors, the DOE says.

There are other big gaps to fill, which is where the DOE says it can step in. The roadmap emphasizes bringing together the public and private sectors to build out the “critical infrastructure” needed to make fusion commercially viable, such as producing and recycling fusion fuels (typically hydrogen isotopes called tritium and deuterium). Another “core challenge area” the document highlights is the need to develop structural materials strong enough to withstand the extreme conditions at a fusion plant. (Remember, you’re sort of replicating the environment within a star.)  

It also mentions the development of regional hubs for fusion innovation, where DOE laboratories might work with universities, local and state governments, and private companies to build up a workforce for these new technologies. One hub would be a collaboration between Nvidia, IBM, and the Princeton Plasma Physics Laboratory, and the DOE to “establish an AI-optimized fusion-centric supercomputing cluster” called Stellar-AI.

The DOE dedicates an entire section of the roadmap to AI, which it calls a “transformative tool for fusion energy.” Researchers can use AI models to construct “digital twins” to more quickly study how experimental facilities would perform, the roadmap says as an example. 

The document also comes with a big disclaimer. Written at the top, above the executive summary, it says: “This Roadmap is not committing the Department of Energy to specific funding levels, and future funding will be subject to Congressional appropriations.” In other words, the DOE isn’t ready to throw any money at this plan just yet. 

And while the Trump administration has folded fossil fuels, nuclear fission, and fusion into its ambitions for so-called “energy dominance,” the president has clawed back funding for solar and wind energy projects that are already much faster and typically cheaper to deploy to meet America’s growing electricity demand. 


Securing the Browser Era - From Cloud to AI: A blog series on protecting the modern workspace

The browser has quietly become the universal workspace. What started as a simple tool for accessing the internet has transformed into the central hub for enterprise productivity, collaboration, and now—AI-powered workflows. From cloud applications and SaaS platforms to GenAI copilots running inside browser tabs, the browser is where work is increasingly happening. 

As the browser’s role has expanded, so has its exposure to risk. Attackers target browsers as the path of least resistance into critical systems, while many organizations continue to treat browser security as an afterthought. The browser often remains a blind spot, exposed to phishing, malicious extensions, data leakage, and sophisticated AI-driven attacks.

This three-part series, Securing the Browser Era: From Cloud to AI, explores the evolution of the browser in enterprise environments, the security risks it introduces, and the strategies organizations need to adopt to stay ahead: 

• Part 1 - The Browser Boom: From Cloud to AI examines the rise of the browser as a mission-critical workspace driven by cloud, SaaS, and AI adoption, and as an attractive target for attackers.

• Part 2 - From Neglected to Necessary: Building Defense in Depth for Browsers provides a security playbook, exploring risks and how defense in depth and Zero Trust can address them. 

• Part 3 - Securing AI-Driven Browsers: Balancing Innovation with Risk dives into emerging AI-enabled browsers: their productivity gains, the new risks, and the defenses.

Part 1 - The Browser Boom: From Cloud to AI

Browsers have evolved significantly since their inception in the 1990s. What started as a simple window for navigating static webpages changed over the next two decades as JavaScript, richer APIs, tabbed browsing, and extensions enabled web apps. The transformation accelerated with cloud computing, which made applications and data accessible from anywhere and made the browser the client interface. The proliferation of Software-as-a-Service (SaaS) applications, with an average company using 106 SaaS applications and every single one accessed through the browser, is evidence of the shift to browser-based work. With cloud and SaaS, the modern workspace has become increasingly borderless and device-agnostic, and browsers have become the control plane for identity, access, and data.

The latest catalyst for the browser boom is Artificial Intelligence. AI is no longer a futuristic concept; it's integrated into countless web applications and into browser-integrated agents that embed automation and conversational agents directly into web workflows. With universal accessibility, zero installation friction, built-in collaboration integrated into the browser experience, and AI as an invisible layer, it is not surprising that users spend an average of 6 hours and 37 minutes per day, primarily within a browser.

As browsers evolved in capability and became widely adopted, the attack surface has expanded and shifted from the network perimeter to the user's browser runtime. Over the years, browsers have adopted web standards and developed robust security architectures to counter threats: sandboxing to stop memory corruption and process exploits, site isolation for cross-origin script attacks, certificate validation to deal with network impersonation, anti-phishing filters for known malicious domains, and extension permissions to limit API access.

Attackers have shifted to using browsers not necessarily to exploit them directly, but as vectors for identity/session compromise, stealthy payload delivery, supply-chain and extension attacks, highly evasive phishing, abuse of new API surfaces, and AI-specific attacks. Here are some of the browser-native threats and other attack vectors that organizations must protect against:

  • Phishing & Social Engineering 2.0 - Phishing remains the dominant initial access vector for cyberattacks. Attackers evade detection with convincing websites or browser pop-ups that mimic legitimate sites, highly evasive links, image-based phishing, social engineering and MFA bypass, QR codes, generative AI CAPTCHAs and deepfakes, and zero-day phishing kits that trick users directly inside the browser.
  • Malicious OAuth and Consent Phishing - Malicious OAuth apps are one of the most underestimated browser-native threats as they exploit legitimate authentication flows and bypass endpoint security. Attackers abuse the OAuth authorization framework to trick users into granting permissions to attacker-controlled apps that appear legitimate.
  • Session Hijacking, Token Theft - Attackers impersonate users without needing credentials by exploiting weaker links - reused passwords, weak MFA, ignoring warnings, weak cookies/session token management, session hijacking, and social engineering.
  • Zero-day, Sandbox Escape, Engine Bugs - Modern browsers heavily sandbox web content to contain browser engine exploits. However, a sandbox escape vulnerability could let an attacker break out of the browser’s confinement and compromise the system.
  • Malicious Extensions, Plugins, and Add-ons - A malicious or compromised extension can bypass many protections because it already has elevated privileges inside the browser. The browser sandbox generally isolates webpages, but extensions often have broader access - cookies, tabs, network requests, file-system access via API, permissions. Extensions and add-ons can modify browser behavior or access data on pages, so a malicious or compromised extension can leak data or execute privileged actions.
  • Evasion, Smuggling, Last-mile Reassembly - The difference between what network-level controls, traffic inspection, and URL filtering see and what the browser sees remains a gap. Attackers exploit encoding fragmentation, chunking, content-decoding differences, obfuscation, ephemeral domains, interpretation mismatches and other mechanisms which let malicious payloads slip by filters and be executed by the browser.
  • Persistent Client-side Compromises, “Man-in-the-Browser” - An attacker may use keyloggers, credential stealers, session hijackers, cookie theft, and form-grabbers that bypass protections if the device/browser profile is compromised. Emerging malware or injected scripts intercept browser actions, often via extensions.
  • Clickjacking and UI Redress Attacks - Hidden frames or overlays trick users into clicking harmful buttons or hidden or overlaid elements, e.g., a disguised “Allow” button that authorizes a malicious action.
  • Supply-chain, Trusted-component Compromise - Dependencies such as compromised third-party libraries, web pages, browser extension stores, and certificate authorities / mis-issued certs running inside the browser can leak sensitive information. Certificate validation helps if you trust the CA ecosystem, but mis-issuance, rogue CAs, or a compromised device/trust store still matter. In addition, attackers may insert themselves into encrypted traffic via a malicious root certificate or browser profile tampering.
  • New and Expanded API Surfaces & User Data - Modern browsers offer APIs for more powerful features: hardware access, WebUSB/WebBluetooth, File System Access API, service workers, web workers, WebAssembly threads, and others that add to the attack surface.
  • AI Integrated Browsers - While AI-integrated browsers bring productivity gains, they also enlarge the attack surface in unprecedented ways. The threat surface of AI-powered browsers spans both cybersecurity and AI safety, with new threats such as prompt injection attacks, context leakage and data exposure.
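
The extension risk in the list above (broad access to cookies, tabs and network requests) can be checked from the defender's side by reading an extension's manifest. The following is an added example, not code from the original series: it flags sensitive API permissions and all-site host patterns. The `auditManifest` name, the severity labels, the risk notes and the sample manifests are assumptions made for illustration.

```javascript
// Added example: triage of a browser extension manifest (MV2 or MV3).
// The notes below are this example's own wording, not a vendor risk list.
const RISKY_API = {
  cookies: "reads and writes cookies, including session tokens",
  webRequest: "observes network requests",
  tabs: "sees the URL and title of every tab",
  scripting: "injects script into pages",
  debugger: "attaches the debugger protocol to tabs",
  nativeMessaging: "talks to a native program outside the sandbox",
  management: "enables or disables other extensions",
};

// "<all_urls>", "*://*/*", "https://*/*": patterns that cover every site.
const isBroadHost = (p) => p === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(p);
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

function auditManifest(m) {
  const declared = [...(m.permissions || []), ...(m.optional_permissions || [])];
  const hosts = [
    ...declared.filter(isHostPattern), // MV2 keeps hosts in "permissions"
    ...(m.host_permissions || []),     // MV3
    ...(m.optional_host_permissions || []),
    ...(m.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  const apis = declared.filter((p) => Object.hasOwn(RISKY_API, p));
  const broadHosts = [...new Set(hosts.filter(isBroadHost))];
  const findings = [
    ...apis.map((p) => `${p}: ${RISKY_API[p]}`),
    ...broadHosts.map((h) => `host ${h}: applies to every site`),
  ];
  // A sensitive API plus all-site reach is the combination to review first.
  const severity = apis.length && broadHosts.length ? "high"
    : findings.length ? "medium" : "low";
  return { name: m.name, severity, apis, broadHosts, findings };
}

// Constructed sample manifests, not taken from any real extension.
const SAMPLES = [
  { name: "Tab Helper (constructed)", manifest_version: 3,
    permissions: ["cookies", "storage", "scripting"],
    host_permissions: ["<all_urls>"],
    content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }] },
  { name: "Notes (constructed)", manifest_version: 3,
    permissions: ["storage"],
    host_permissions: ["https://notes.example.com/*"] },
];

for (const r of SAMPLES.map(auditManifest)) {
  console.log(`${r.name}: ${r.severity}`);
  r.findings.forEach((f) => console.log(`  - ${f}`));
}
```

Run over the manifests of installed or requested extensions, this gives a review queue ordered by reach; it inspects declared permissions only and says nothing about what the extension's code does with them.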

The future is browser-native, and even though browser usage has increased significantly, browsers often lack the layered security controls implemented for networks, endpoints, or applications. Ignoring browser security leaves a gaping hole in an organization’s defenses, especially when the browser is the gateway to all Cloud, SaaS and AI.

In Part 2 (Stay tuned!), we’ll dive into how defense in depth and Zero Trust principles can transform the browser from a weak link into a resilient first line of defense.


Upcoming October 2025 Microsoft 365 Champion Community Call

Join our next community call on October 24, 2025, to learn more about how to collaborate within Microsoft Teams channels using Loop Pages.

Our community calls are in the Teams webinar format, which means you must register to ensure you will be able to join the call when it starts. An on-demand recording will still be available on our Driving Adoption > Events pages, as well as on our Microsoft Community Learning YouTube channel.

The calls will still start at 5 minutes past the hour for both sessions (at 8:05 AM and 5:05 PM PT), and it will still end at the top of the hour (9:00 AM and 6:00 PM PT, respectively).

The registration links for both sessions are below. Once you register, you will receive an email confirmation and calendar invite with the webinar join link.

Since our calls are open to everyone, you must be a member of the Microsoft 365 Champion Program in order to access the presentation materials - the access link is in the initial welcome email and the monthly newsletter emails sent the week before the community calls.

If you have not yet joined our Champion community, sign up here to get access to the monthly newsletters, calendar invites, and program assets (e.g., the presentations).


Share Copilot Prompts and Instructions Across Teams Using Rider and VS Code

Instructions and prompts It is no secret that I am using GitHub Copilot as my personal coding assistant. To optimize the quality of Copilot’s answers (and code), I recently started to use custom instructions and reusable prompts. What are instructions? Instructions are a set of customization commands we can give Copilot to specify our preferences. There are two main kinds of instructions: Rep...

UserControl Editing in Hot Design

