MFA’s limited scope post-login
Multi-factor authentication (MFA) is widely treated as the last line of defense. It isn’t. It verifies identity at a single moment, login, and then goes blind. Once users authenticate, session tokens grant uninterrupted access until they expire. Attackers know this. They don’t need to bypass MFA; they wait until it succeeds, then steal the valid tokens it produced and use them to move laterally between systems unnoticed.
The core problem sits in how trust is managed. A token is an unmonitored pass that carries the same authority as the user who earned it. The authentication event that produced it may have been entirely legitimate, but once the token is stolen it becomes an unchecked path for an attacker to expand their control. The result is a system performing exactly as designed while failing to protect what matters most: the infrastructure beyond login.
For C-suite leaders, this reveals a key truth: identity verification isn’t a task completed at the door. It is an ongoing process that must persist through the entire session lifecycle. Continuous validation, meaning watching what happens after access is granted, is now critical. Organizations must evolve from protecting entry points to protecting the pathways that follow.
According to CrowdStrike’s 2026 Global Threat Report, the average e-crime breakout time dropped to 29 minutes in 2025, with the fastest attack executed in just 27 seconds. That speed leaves no room for reactive defense. Leaders should think in terms of continuous authentication: systems that reassess trust dynamically instead of assuming it remains valid. Security today is not only about keeping attackers out; it is about seeing what happens once they get in.
Architectural flaw in session token management
A growing number of enterprises, even those with strong MFA, share the same weakness: session tokens that can’t be revoked instantly. Alex Philips, CIO at NOV, found this gap during system testing. He discovered that resetting a password doesn’t stop an attacker who already holds a valid token, because the token stays valid until it expires regardless of what happens to the password. The architecture itself wasn’t broken; it was incomplete. It allowed trust, once established, to persist until the token expired rather than until it was withdrawn.
Philips’s team redefined their approach. They shortened token lifetimes, enforced conditional access policies, and built rapid revocation mechanisms into their identity stack. Every privileged session could now be terminated within minutes, cutting off lateral movement before attackers could escalate privileges. This wasn’t a luxury; it was a necessity driven by threats that evolve faster than traditional security cycles.
Executives should take note. Token management is not only an IT concern; it’s a business continuity issue. A single compromised session can halt operations, expose proprietary data, and damage brand reputation. The ability to revoke trust quickly is now as important as granting it safely. Fast, automated response should be treated as a core function of identity governance, not a feature.
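The two points made above, that MFA stops looking after login so a stolen token keeps working, and that a password reset does nothing until sessions are actually revoked, can be shown concretely. The following Go program is an added example, not NOV’s code or any vendor’s: it mints an HMAC-signed, JWT-shaped session token with a short expiry, a session id (`sid`) and an `auth_time` claim, and its `Verify` function rejects the token once its session is on a kill list, once every session issued to the user before a cutoff has been invalidated (the step a password reset must trigger), or when a privileged action is attempted with an MFA event older than the allowed age. The token layout, claim names, signing key and timestamps are assumptions for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the token body (assumed layout, not any vendor's). exp only bounds
// total lifetime; sid, sub and auth_time are what post-login control keys on.
type Claims struct {
	Sub      string `json:"sub"`
	Sid      string `json:"sid"`
	AuthTime int64  `json:"auth_time"` // when the user last satisfied MFA
	Iat      int64  `json:"iat"`
	Exp      int64  `json:"exp"`
}

// Revocations is the server-side kill list consulted on every request.
type Revocations struct {
	deadSids   map[string]bool      // sessions killed individually by SecOps
	userCutoff map[string]time.Time // sub -> tokens issued before this are dead
}

func NewRevocations() *Revocations {
	return &Revocations{deadSids: map[string]bool{}, userCutoff: map[string]time.Time{}}
}

func (r *Revocations) RevokeSession(sid string) { r.deadSids[sid] = true }

// RevokeUserBefore is the step a password reset must trigger: the reset by
// itself changes nothing that Verify looks at.
func (r *Revocations) RevokeUserBefore(sub string, t time.Time) { r.userCutoff[sub] = t }

func (r *Revocations) isRevoked(c Claims) bool {
	if r.deadSids[c.Sid] {
		return true
	}
	cut, ok := r.userCutoff[c.Sub]
	return ok && time.Unix(c.Iat, 0).Before(cut)
}

func sign(key []byte, payload string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Issue mints "<base64url(claims)>.<base64url(hmac)>" with the exp the caller sets.
func Issue(key []byte, c Claims) string {
	body, _ := json.Marshal(c)
	payload := base64.RawURLEncoding.EncodeToString(body)
	return payload + "." + sign(key, payload)
}

var (
	ErrBadSig    = errors.New("bad signature or malformed token")
	ErrExpired   = errors.New("token expired")
	ErrRevoked   = errors.New("session revoked")
	ErrStaleAuth = errors.New("step-up required: last MFA too old for this action")
)

// Verify checks signature, lifetime, revocation and, when maxAuthAge > 0 (a
// privileged action), MFA recency. now is injected so checks are deterministic.
func Verify(key []byte, tok string, rev *Revocations, now time.Time, maxAuthAge time.Duration) (Claims, error) {
	var c Claims
	parts := strings.Split(tok, ".")
	if len(parts) != 2 || !hmac.Equal([]byte(parts[1]), []byte(sign(key, parts[0]))) {
		return c, ErrBadSig
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(body, &c) != nil {
		return c, ErrBadSig
	}
	switch {
	case !now.Before(time.Unix(c.Exp, 0)):
		return c, ErrExpired
	case rev.isRevoked(c):
		return c, ErrRevoked
	case maxAuthAge > 0 && now.Sub(time.Unix(c.AuthTime, 0)) > maxAuthAge:
		return c, ErrStaleAuth
	}
	return c, nil
}

func main() {
	key, rev := []byte("demo-signing-key"), NewRevocations() // assumption: demo key
	t0 := time.Date(2025, 1, 1, 9, 0, 0, 0, time.UTC)
	tok := Issue(key, Claims{Sub: "alice", Sid: "s-1", AuthTime: t0.Unix(), Iat: t0.Unix(), Exp: t0.Add(time.Hour).Unix()})
	_, err := Verify(key, tok, rev, t0.Add(30*time.Minute), 15*time.Minute)
	fmt.Println("privileged action at +30m:", err) // step-up required
	// Resetting alice's password here would not change the next result; cutting
	// off every session issued before the reset is what ends the intrusion.
	rev.RevokeUserBefore("alice", t0.Add(31*time.Minute))
	_, err = Verify(key, tok, rev, t0.Add(32*time.Minute), 0)
	fmt.Println("after cutting off pre-reset sessions:", err) // session revoked
}
```

The design point is that `exp` is the only control a stateless token check gives you; `sid` and a per-user issuance cutoff give the identity stack something to revoke against, and `auth_time` lets a privileged action demand a fresh MFA event rather than trusting one from hours ago.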
Alex Philips put it simply: “Resetting a password isn’t enough anymore. You have to revoke session tokens instantly to stop lateral movement.” He’s right. In modern enterprises, trust cannot be permanent; it must be dynamic, managed in real time, and backed by systems capable of adapting at machine speed. Business leaders who internalize this will be the ones whose companies stay ahead of the next wave of invisible intrusions.
A project in mind?
Schedule a 30-minute meeting with us.
Senior experts helping you move faster across product, engineering, cloud & AI.
Preference for credential theft over malware deployment
Attackers have adapted faster than most security systems. They no longer need malware when stolen credentials achieve the same goal without detection. Modern endpoint protection is strong, expensive to bypass, and alerts defenders the moment malware appears. Credential theft, by comparison, is quiet and cheap: an attacker operates with the same permissions as a trusted employee, and every action looks like normal use.
Adam Meyers, Senior Vice President of Counter Adversary Operations at CrowdStrike, pointed out that adversaries realized the simplest path into a network is through legitimate access. Stolen passwords and session tokens inherit every permission the true user holds and raise no immediate alarms. This tactic changed the threat landscape: security systems that once looked for malicious code now face attackers who play by the system’s own rules.
Executives should recognize that this shift makes the human and identity layers the highest-value targets. Traditional firewalls and antivirus tools no longer stop the majority of intrusions. Effective defenses focus on detecting abnormal user behavior and continuously validating session integrity. It’s not about stopping files; it’s about verifying actions that look legitimate but occur in the wrong context: a session token used from a device or network it was never issued to, or an account suddenly reaching systems it has never touched.
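Detection logic of the kind this section calls for, as an added example that is not from the original article: a Go program that replays a constructed session log (key=value lines, not real telemetry) and flags sessions whose client no longer matches the one that satisfied MFA at login, sessions that fan out to several hosts within a short window (the lateral-movement signature), and tokens seen with no observed login. The log format, field names, thresholds and rule names are assumptions; in practice the same logic runs over the identity provider’s sign-in and audit events.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one post-login action parsed from a key=value log line. The
// format is constructed for this example, not a real product's export.
type Event struct {
	At                time.Time
	Sid, User, IP, UA string
	Action, Host      string // action: login | read | admin; host: target system
}

func parseLine(line string) (Event, error) {
	kv := map[string]string{}
	for _, f := range strings.Fields(line) {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			return Event{}, fmt.Errorf("malformed field %q", f)
		}
		kv[k] = v
	}
	at, err := time.Parse(time.RFC3339, kv["ts"])
	if err != nil {
		return Event{}, err
	}
	return Event{At: at, Sid: kv["sid"], User: kv["user"], IP: kv["ip"], UA: kv["ua"], Action: kv["action"], Host: kv["host"]}, nil
}

// Finding names a session that should be revoked and why.
type Finding struct{ Sid, Rule, Detail string }

// Analyze replays events in time order and flags: a session used from a client
// other than the one that passed MFA (client-drift), a session touching
// fanoutHosts or more distinct hosts inside fanoutWindow (host-fanout), and a
// token with no observed login (orphan-session). Each rule fires once per session.
func Analyze(lines []string, fanoutWindow time.Duration, fanoutHosts int) ([]Finding, error) {
	var evs []Event
	for _, l := range lines {
		e, err := parseLine(l)
		if err != nil {
			return nil, err
		}
		evs = append(evs, e)
	}
	sort.SliceStable(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })

	type client struct{ ip, ua string }
	origin := map[string]client{}   // sid -> client seen at login
	touches := map[string][]Event{} // sid -> post-login events
	seen := map[string]bool{}       // sid+rule already reported
	var out []Finding
	flag := func(sid, rule, detail string) {
		if !seen[sid+rule] {
			seen[sid+rule] = true
			out = append(out, Finding{Sid: sid, Rule: rule, Detail: detail})
		}
	}
	for _, e := range evs {
		if e.Action == "login" {
			origin[e.Sid] = client{e.IP, e.UA}
			continue
		}
		if o, ok := origin[e.Sid]; !ok {
			flag(e.Sid, "orphan-session", "token used with no observed login")
		} else if o.ip != e.IP || o.ua != e.UA {
			flag(e.Sid, "client-drift", fmt.Sprintf("login from %s/%s, now %s/%s", o.ip, o.ua, e.IP, e.UA))
		}
		touches[e.Sid] = append(touches[e.Sid], e)
		hosts := map[string]bool{}
		for _, p := range touches[e.Sid] {
			if e.At.Sub(p.At) <= fanoutWindow {
				hosts[p.Host] = true
			}
		}
		if len(hosts) >= fanoutHosts {
			flag(e.Sid, "host-fanout", fmt.Sprintf("%d hosts within %s", len(hosts), fanoutWindow))
		}
	}
	return out, nil
}

// SampleLog is constructed for this example; it is not real telemetry.
var SampleLog = []string{
	"ts=2025-01-01T09:00:00Z sid=s-1 user=alice ip=203.0.113.7 ua=chrome action=login host=idp",
	"ts=2025-01-01T09:05:00Z sid=s-1 user=alice ip=203.0.113.7 ua=chrome action=read host=mail",
	"ts=2025-01-01T09:20:00Z sid=s-1 user=alice ip=198.51.100.9 ua=curl action=read host=mail",
	"ts=2025-01-01T09:21:00Z sid=s-1 user=alice ip=198.51.100.9 ua=curl action=read host=wiki",
	"ts=2025-01-01T09:22:00Z sid=s-1 user=alice ip=198.51.100.9 ua=curl action=admin host=vault",
	"ts=2025-01-01T09:00:00Z sid=s-2 user=bob ip=192.0.2.4 ua=edge action=login host=idp",
	"ts=2025-01-01T09:30:00Z sid=s-2 user=bob ip=192.0.2.4 ua=edge action=read host=mail",
	"ts=2025-01-01T10:00:00Z sid=s-9 user=carol ip=192.0.2.5 ua=edge action=read host=mail",
}

func main() {
	findings, err := Analyze(SampleLog, 5*time.Minute, 3)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("REVOKE %-4s rule=%-14s %s\n", f.Sid, f.Rule, f.Detail)
	}
}
```

On the sample, alice’s session `s-1` is flagged twice: first when the token reappears from a different address and user agent (the stolen-token case), then when it touches three hosts in two minutes and ends on an admin action. Bob’s session never trips a rule, and carol’s `s-9` is an orphan: a token in use that the identity provider never saw issued.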
Data tells a clear story. CrowdStrike’s 2025 Global Threat Report recorded a 442% increase in voice‑phishing (vishing) attacks in just six months of 2024. AI‑generated phishing emails achieved a 54% click‑through rate, matching expert‑crafted human messages and far surpassing the 12% rate for bulk phishing. Pindrop’s 2025 Voice Intelligence & Security Report found a 1,300% rise in deepfake fraud attempts in 2024 and a 704% jump in face‑swap attacks in 2023. These numbers signal industrial‑scale identity theft powered by cheap and accessible AI tools.
For C‑suite leaders, the takeaway is straightforward. Security must evolve beyond detecting malicious files. It must now understand and verify intent. That means tighter access controls, smarter analytics, and real‑time monitoring of how identities behave once inside the system. The threat has shifted toward the invisible, and so must the defense.
Erosion of trust in traditional identity verification
The tools enterprises once trusted to confirm identity (fingerprints, voice recognition, facial scans) are losing reliability. Generative AI has blurred the boundary between real and synthetic, producing synthetic voices and faces convincing enough to pass checks that rely on an observable trait alone and lack strong liveness detection. Companies that depend solely on these methods risk false confidence.
Deepfakes and AI‑replicated voices can impersonate executives, employees, or customers long enough to approve transactions or authorize access. As these technologies improve, the cost of creating convincing forgeries approaches zero. It becomes nearly impossible to identify authenticity without multi‑layer validation.
According to Gartner’s 2024 forecast, by 2026, 30% of enterprises will no longer consider face-based or other biometric identity verification reliable on its own. This projection reflects a critical shift across industries: reliance on any single method of authentication, no matter how sophisticated, is now high risk. The standard must move toward phishing-resistant methods such as FIDO2 and passkeys. These rely on public-key cryptography rather than on an observable trait that can be mimicked: the private key stays on the user’s device (hardware-bound, or synced only between the user’s own devices in the case of synced passkeys), and every signature covers the web origin that requested it, so a credential cannot be replayed to a look-alike site.
Executives should interpret this trend as a strategic warning. Identity trust must become conditional and continuously reassessed. Investing in systems that combine behavioral analysis, device reputation, and token-based authentication builds resilience against increasingly sophisticated AI-driven deception. The era of static trust is ending; dynamic verification is the only sustainable path forward.
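Why the FIDO2/passkey ceremony resists phishing comes down to the origin being inside the signed data. The following Go program is an added example, not from the article or from any WebAuthn library: it simulates the browser and authenticator signing over the authenticator data and the SHA-256 of the client data (which carries the origin and the server’s challenge), and shows the relying party rejecting an assertion relayed through a look-alike origin, an assertion for a stale challenge, and tampered authenticator data. The reduced authenticator-data layout, the origin names and challenge strings are simplifications and assumptions; attestation and signature-counter regression checks are omitted, and a real browser would refuse to invoke the credential at all for a mismatched RP ID.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors WebAuthn's CollectedClientData. The browser, not the
// page, fills in origin, and the authenticator signs over its hash.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party receives back from the get() ceremony.
type Assertion struct {
	ClientDataJSON []byte
	AuthData       []byte // reduced here to rpIdHash(32) || flags(1) || counter(4)
	Sig            []byte
}

// NewKey stands in for the credential key pair created at registration.
func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func authData(rpID string, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	ad := append([]byte{}, h[:]...)
	ad = append(ad, 0x01) // UP flag: user presence was confirmed
	return append(ad, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
}

// signedMessage is the WebAuthn signature input: authData || SHA-256(clientDataJSON).
func signedMessage(ad, cdJSON []byte) []byte {
	cdh := sha256.Sum256(cdJSON)
	m := sha256.Sum256(append(append([]byte{}, ad...), cdh[:]...))
	return m[:]
}

// Sign plays browser plus authenticator. Whatever page invoked the ceremony,
// origin is that page's real origin; a phishing site cannot lie about it.
func Sign(priv *ecdsa.PrivateKey, origin, challenge, rpID string, counter uint32) (Assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	ad := authData(rpID, counter)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(ad, cd))
	return Assertion{ClientDataJSON: cd, AuthData: ad, Sig: sig}, err
}

var (
	ErrOrigin    = errors.New("origin mismatch: assertion was made for another site")
	ErrChallenge = errors.New("challenge mismatch: replayed or unrelated assertion")
	ErrRPID      = errors.New("rpIdHash or user-presence flag wrong")
	ErrSig       = errors.New("signature invalid or client data malformed")
)

// VerifyAssertion is the relying-party side: challenge and origin are checked
// before any cryptography, then the signature over authData || SHA-256(clientDataJSON).
func VerifyAssertion(pub *ecdsa.PublicKey, a Assertion, expectedOrigin, expectedChallenge, rpID string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil || cd.Type != "webauthn.get" {
		return ErrSig
	}
	if cd.Challenge != expectedChallenge {
		return ErrChallenge
	}
	if cd.Origin != expectedOrigin {
		return ErrOrigin
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], want[:]) || a.AuthData[32]&0x01 == 0 {
		return ErrRPID
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Sig) {
		return ErrSig
	}
	return nil
}

func main() {
	priv := NewKey()
	const rp, origin, challenge = "bank.example", "https://bank.example", "c-123" // assumed names
	good, _ := Sign(priv, origin, challenge, rp, 1)
	fmt.Println("genuine site:", VerifyAssertion(&priv.PublicKey, good, origin, challenge, rp))
	// A proxying phishing page at a look-alike origin relays the real challenge;
	// the browser still records the look-alike origin in the signed client data.
	phished, _ := Sign(priv, "https://bank-example.com", challenge, rp, 2)
	fmt.Println("relayed via look-alike site:", VerifyAssertion(&priv.PublicKey, phished, origin, challenge, rp))
}
```

This is the property a passkey has that a password or a one-time code does not: there is nothing a user can type into the wrong site, because what the authenticator produces is only valid for the origin and the challenge it was produced for.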
Silos between IAM and SecOps create vulnerabilities
Identity and Access Management (IAM) teams and Security Operations (SecOps) teams often work apart, which fragments control of identity and session governance. This separation creates unseen gaps where attackers thrive: gaps between authentication, monitoring, and response. IAM ensures the right users sign in, while SecOps focuses on monitoring active threats. The problem sits in the middle, where active sessions live without full visibility from either side.
Kayne McGladrey, IEEE Senior Member, points out that organizations often misclassify this problem as purely a cybersecurity risk rather than a direct business risk. That misunderstanding leads to limited budgets and delayed remediation. In reality, weak session governance can directly translate into operational downtime, data exposure, and financial loss. Without aligning IAM and SecOps, no single team is responsible for revoking compromised sessions or correlating activity across identity, endpoints, and the cloud.
The data supports this widening gap. Ivanti’s 2026 State of Cybersecurity Report found that the preparedness gap between evolving threats and defenses grew by an average of 10 points in only a year across 1,200 surveyed professionals. Mike Riemer, Ivanti’s Field CISO, has observed the same disconnect over his decades in the industry: each shift in technology adds complexity, but ownership of identity-layer security remains scattered.
For executives, this translates into an organizational issue rather than a technical one. Closing this gap requires shared accountability and unified telemetry. IAM and SecOps must work from an integrated platform capable of viewing, assessing, and terminating risky sessions instantly. Treating identity governance as a joint responsibility ensures that detection and response extend across every system where a user’s identity is active.
Necessity of continuous, AI-powered post-authentication oversight
Authentication without ongoing trust evaluation is no longer sufficient. Attackers exploit valid credentials precisely because systems assume trust remains constant once verified. To counter that, organizations need continuous oversight, real‑time analysis that monitors behavior, context, and anomalies throughout the session. Artificial intelligence now plays a critical role in making this feasible at enterprise scale.
Mike Riemer, Field CISO at Ivanti, explained this principle clearly: “Until I know who is on the other side of the keyboard, I’m not going to communicate.” That statement captures the essence of continuous validation. AI-driven analytics can scrutinize access patterns, device changes, location shifts, and privilege misuse, and trigger immediate reauthentication or session revocation when activity deviates from expected norms.
For senior leaders, this means viewing AI not as an optional enhancement but as a structural necessity. Continuous verification powered by AI dramatically reduces the time between compromise and containment. It also scales the response to the signal, so that a low-confidence anomaly prompts reauthentication while a high-confidence one kills the session, allowing the organization to act before attackers achieve lateral movement or data exfiltration.
AI oversight also introduces efficiency. Instead of overwhelming human teams with alerts, automated systems can prioritize the events that truly indicate risk. That reduces operational strain and ensures attention is directed where it matters most. In an environment where attackers can breach systems in under half an hour, automating trust management is no longer forward‑looking, it’s mandatory.
Enterprises that integrate AI into their identity lifecycle management gain more than security. They gain speed, precision, and confidence in how they control access. This approach turns authentication from a one‑time checkpoint into a continuous process of dynamic verification, ensuring that users remain who they claim to be for as long as their session exists.
NOV’s strategies as a blueprint for closing the post-MFA gap
NOV’s experience exposes a structural flaw common across large enterprises and demonstrates how disciplined execution can close it. After discovering that session tokens could not be revoked fast enough to stop lateral movement, Alex Philips, CIO at NOV, led a full redesign of their identity framework. His team implemented zero‑trust gateways that enforce conditional reauthentication for every significant action. Token lifetimes were shortened from days to hours. Conditional access now considers multiple data points, including device, location, and privilege level, before granting or maintaining access.
NOV also integrated AI into its Security Information and Event Management (SIEM) system to analyze identity events in near real time. This allowed early detection of anomalous behavior within active sessions. Their security architecture was built to kill any live session within minutes once a threat was detected. Philips’s team established separation of duties so that no single user or service account could reset credentials, override policies, or bypass multi‑factor checks. Changes of this scope required strong internal alignment but resulted in a structure where attackers have far less time and opportunity.
Alex Philips emphasized the importance of enforced governance: “Resetting a password isn’t enough anymore. You have to revoke session tokens instantly to stop lateral movement.” He also identified a growing threat in the way organizations confirm incidents. When verification relies on phone calls, texts, or voice messages, AI‑generated deepfake media can exploit human trust. His team introduced preshared‑secret protocols, questions or keys known only between internal teams, to verify authenticity without voice or image cues.
For executives, NOV’s outcome provides a clear roadmap. Protecting post‑login activity requires technological enforcement and cultural change. Authentication should not end with MFA success; it must extend through the entire identity lifecycle. A structured combination of conditional access, rapid token revocation, and human validation protocols gives enterprises measurable resilience against credential and session‑based attacks.
Concrete action steps to mitigate identity exploitation risks
Enterprises facing the same post-authentication challenges can take immediate, measurable steps. First, pull the session-token lifetime report for every user account, especially privileged and service accounts, and shorten validity periods to hours instead of days. Second, run live session-revocation drills: the goal is to kill an active compromised session in under five minutes, and if that cannot be achieved the organization remains exposed.
Next, unify visibility across identity, endpoint, and cloud platforms so analysts can trace user actions from login to execution without switching tools or relying on manual data correlation. Extend conditional access checks beyond initial authentication; revalidate identity for every sensitive privilege escalation or cross-region login. Replace push- or SMS-based MFA with phishing-resistant FIDO2 or passkey authentication, where the credential is bound to the legitimate site’s origin and the private key never leaves the user’s device, so it cannot be phished or replayed.
Philips’s team also audited separation of duties. They ensured no individual or automated process could both initiate and approve a credential reset. That eliminated single points of failure and reduced insider-misuse risk. Adding an out-of-band verification protocol based on preshared secrets further hardened incident response against deepfake impersonation attempts.
Finally, allocate a dedicated budget for identity-layer governance. This ensures continuous investment in token lifecycle control and in standards such as the OpenID Shared Signals Framework and its Continuous Access Evaluation Profile (CAEP), which let an identity provider push session-revocation and risk events to the security stack and so link identity and security operations.
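One way to realize the preshared-secret verification described here and in the NOV section, as an added example that is not NOV’s protocol: a Go challenge-response scheme in which the verifier reads a random challenge over the phone and the caller replies with a short code derived by HMAC from a secret provisioned in person, the challenge, the action being approved, and a coarse time bucket. The secret is never spoken, a code is bound to one action and burned after use, so an overheard or deepfaked call cannot replay it. This goes beyond the static question-and-answer the article mentions, which can be replayed once overheard; the team names, window and purpose strings are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// Verifier holds secrets provisioned out of band (in person, per team pair).
// The secret itself is never spoken on a call; only a derived code is.
type Verifier struct {
	secrets map[string][]byte // team -> secret shared with the verifying team
	used    map[string]bool   // challenge -> consumed, so a code cannot be replayed
	window  time.Duration     // time bucket a code stays valid for
}

func NewVerifier(window time.Duration) *Verifier {
	return &Verifier{secrets: map[string][]byte{}, used: map[string]bool{}, window: window}
}

func (v *Verifier) Enroll(team string, secret []byte) { v.secrets[team] = secret }

// NewChallenge returns a random six-digit challenge the verifier reads aloud.
func NewChallenge() (string, error) {
	var b [4]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(b[:])%1000000), nil
}

// Response is what the caller computes on their own device: a six-digit code
// from HMAC(secret, challenge | purpose | time bucket). Binding the purpose
// means a code obtained for one approval is useless for another.
func Response(secret []byte, challenge, purpose string, at time.Time, window time.Duration) string {
	bucket := at.Unix() / int64(window.Seconds())
	mac := hmac.New(sha256.New, secret)
	fmt.Fprintf(mac, "%s|%s|%d", challenge, purpose, bucket)
	sum := mac.Sum(nil)
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(sum[:4])%1000000)
}

// Check validates the spoken reply in constant time, accepting the current and
// previous bucket for a slow phone exchange, and burns the challenge on success.
func (v *Verifier) Check(team, challenge, purpose, reply string, at time.Time) bool {
	secret, ok := v.secrets[team]
	if !ok || v.used[challenge] {
		return false
	}
	for _, t := range []time.Time{at, at.Add(-v.window)} {
		want := Response(secret, challenge, purpose, t, v.window)
		if subtle.ConstantTimeCompare([]byte(want), []byte(reply)) == 1 {
			v.used[challenge] = true
			return true
		}
	}
	return false
}

func main() {
	v := NewVerifier(5 * time.Minute)
	secret := []byte("provisioned-in-person-not-on-the-call") // assumption: demo value
	v.Enroll("finance", secret)

	ch, _ := NewChallenge()
	now := time.Now()
	// The finance on-call computes the reply on their device and reads it back.
	reply := Response(secret, ch, "approve-wire-4471", now, 5*time.Minute)
	fmt.Println("genuine caller:", v.Check("finance", ch, "approve-wire-4471", reply, now))
	fmt.Println("same code replayed:", v.Check("finance", ch, "approve-wire-4471", reply, now))
	ch2, _ := NewChallenge()
	fmt.Println("impersonator without the secret:", v.Check("finance", ch2, "approve-wire-4471", "123456", now))
}
```

A convincing deepfake of an executive’s voice gets the caller nothing here: the question is not who they sound like but whether they can produce the right six digits for this challenge and this action, which requires the secret that was only ever handed over in person.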
For senior leaders, these steps define where security and business performance intersect. They transform identity management from a static compliance measure into an adaptive defense capability. Done consistently, they build an environment where trust is measurable, reversible, and always under the company’s control.
Rethinking authentication as the start of continuous security
Most organizations still treat multi‑factor authentication (MFA) as the point where security responsibilities end. In reality, that moment should mark the beginning of continuous oversight. Authentication establishes identity once, but identity trust decays the longer a session remains unchecked. Modern attacks exploit this false sense of completion by operating entirely within authenticated sessions.
Alex Philips, CIO at NOV, has been clear on this: “Resetting a password isn’t enough anymore. You have to revoke session tokens instantly to stop lateral movement.” His team’s work proved that post‑authentication defense is both possible and necessary. By focusing on rapid session termination, conditional verification, and AI‑driven anomaly detection, NOV converted authentication into a live process that evolves as the session does. This transformation reduced the time attackers could remain undetected and made identity verification part of every operational decision.
Mike Riemer, Field CISO at Ivanti, reinforced the same principle from a broader industry view. He stated, “Until I know who is on the other side of the keyboard, I’m not going to communicate.” This mindset recognizes identity as fluid, something that must be continuously validated through context, behavior, and system state. It’s a modern discipline of ongoing trust assessment, not a static event.
Executives should view this shift as strategic, not procedural. Treating authentication as dynamic strengthens both security posture and business resilience. It requires uniting identity management, automation, and analytics under a shared mission: sustained verification. The companies that embrace this model minimize exposure windows, reduce operational risk, and preserve agility at scale.
The message for leadership is straightforward. Authentication is no longer a point‑in‑time event; it is an ongoing conversation between systems, users, and behaviors. Enterprises that adapt to this continuous verification model are building the foundation for durable, adaptive security, one that keeps pace with both technology and the adversaries who exploit it.
In conclusion
Identity is now the primary battlefield of cybersecurity. Attackers no longer need to write complex code; they only need to look legitimate. They exploit trust that was earned once and never questioned again. This is where enterprise security must evolve, from verifying access to continuously validating trust.
For decision-makers, the path forward is clear. Treat identity as a living signal, not a static credential. Build systems that reassess trust dynamically, use AI to monitor behavior in real time, and give teams the ability to kill compromised sessions instantly. These capabilities aren’t technical upgrades, they’re operational necessities.
Cybersecurity spending often focuses on threats you can see. The next era of defense is about the ones you can’t. When authentication becomes ongoing and context-aware, identity shifts from being your weakest link to your strongest proof of control. That shift defines the companies that will stay in command of their systems, their data, and their future.