
Passed every MFA check. Every login was valid. The compliance dashboard on each identity control was green. And the attacker was already inside, moving through Active Directory with a valid session token, escalating privileges on a trajectory toward the domain controller.
This scenario is playing out inside enterprises that have invested heavily in authentication and assumed the job was done. The credential was genuine. The multi-factor challenge was answered correctly. The system performed exactly as designed: it authenticated the user at the front door and then never looked again. The breach did not bypass MFA. It started after MFA succeeded.
Authentication proves identity at a single moment. Then it goes blind. Everything that happens next, the lateral movement, the privilege escalation, the quiet traversal of Active Directory, is outside what MFA was designed to look at.
A CIO found a gap in production
CIO Alex Phillips identified the gap through operational testing in November. "We found a gap in our ability to revoke valid identity session tokens at the resource level. Resetting the password is no longer enough. You must immediately revoke the session token to stop lateral activity," he told VentureBeat.
What Phillips found was not a misconfiguration. It was an architectural blind spot that exists in almost every enterprise identity stack. Once a user successfully authenticates, the resulting session token carries that trust forward without re-evaluation. The token becomes a bearer credential: whoever holds it, attacker or employee, gets every permission associated with the session. NOV’s investigation confirmed that identity session token theft was the vector behind the most advanced attacks they tracked, leading the team to tighten identity policies, enforce conditional access, and build faster token revocation from the ground up.
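The bearer-credential problem described above, shown as an added example that is not NOV's code or any vendor's product: a hypothetical resource-level validator that checks a signed token's lifetime and a per-user revocation watermark on every request. The token format, signing key, user names and timestamps are all constructed for the demonstration. It walks a stolen token through a password reset (the token keeps working) and then through an explicit session revocation (the token dies at the resource), which is the gap Phillips describes.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would use a managed signing secret.
SERVER_KEY = b"constructed-demo-signing-key"


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user, lifetime_s, now):
    """Mint an HMAC-signed bearer token (hypothetical format: payload.signature)."""
    payload = {"sub": user, "iat": now, "exp": now + lifetime_s}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


class IdentityStore:
    """Stand-in for the directory: passwords plus a per-user revocation watermark."""

    def __init__(self):
        self.passwords = {}
        self.sessions_invalid_before = {}   # user -> unix time watermark

    def reset_password(self, user, new_password):
        # Changes the credential only; tokens already issued are untouched.
        self.passwords[user] = new_password

    def revoke_sessions(self, user, now):
        # Any token issued before this instant is dead at every resource that checks.
        self.sessions_invalid_before[user] = now


def validate_at_resource(token, store, now):
    """Resource-level check: signature, lifetime, then the revocation watermark."""
    parts = token.split(".")
    if len(parts) != 2:
        return (False, "malformed")
    body, sig = parts
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return (False, "bad signature")
    payload = json.loads(_unb64(body))
    if now >= payload["exp"]:
        return (False, "expired")
    if payload["iat"] < store.sessions_invalid_before.get(payload["sub"], 0):
        return (False, "revoked")
    return (True, payload["sub"])


def stolen_token_scenario():
    """Walk a stolen token through a password reset and then an explicit revocation."""
    store = IdentityStore()
    store.passwords["alice"] = "old-password"
    t0 = 1_700_000_000          # constructed login time (unix seconds)
    stolen = issue_token("alice", lifetime_s=8 * 3600, now=t0)
    results = {}
    # The attacker holds the token: it is accepted like any legitimate session.
    results["after_login"] = validate_at_resource(stolen, store, t0 + 60)[0]
    # Helpdesk resets the password: the bearer token still works.
    store.reset_password("alice", "new-password")
    results["after_password_reset"] = validate_at_resource(stolen, store, t0 + 120)[0]
    # Explicit session revocation: the stolen token is now rejected at the resource.
    store.revoke_sessions("alice", now=t0 + 180)
    results["after_revocation"] = validate_at_resource(stolen, store, t0 + 240)[0]
    # A fresh login after the revocation watermark is valid again.
    fresh = issue_token("alice", lifetime_s=8 * 3600, now=t0 + 300)
    results["fresh_after_revocation"] = validate_at_resource(fresh, store, t0 + 301)[0]
    return results


if __name__ == "__main__":
    for step, accepted in stolen_token_scenario().items():
        print(f"{step:24s} accepted={accepted}")
```

The design point is that the watermark lives in the identity store and is consulted by the resource on every request, so revocation takes effect everywhere at once without tracking individual token ids; the cost is one lookup per request, which is why short lifetimes and fast revocation go together.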
The average eCrime breakout time dropped to 29 minutes in 2025, with the fastest recorded breakout clocking in at 27 seconds, according to CrowdStrike’s 2026 Global Threat Report. In 82% of investigations in 2025, no malware was deployed. When attackers have session tokens, they do not need an exploit.
Attackers stop writing malware because stolen identities work better
"Adversaries have discovered that the fastest way to gain access to the environment is to steal legitimate credentials or use social engineering," Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, told VentureBeat. The economics are clear: modern endpoint detection has increased the cost and risk of deploying malware. A stolen credential, in contrast, triggers no alerts, matches no signature, and inherits whatever access the original user had.
According to CrowdStrike’s 2025 Global Threat Report, vishing attacks increased by 442% between the first and second half of 2024, while deepfake fraud attempts increased by more than 1,300% in 2024, according to Pindrop’s 2025 Voice Intelligence & Security Report. According to data cited in the same report, face swap attacks increased by 704% in 2023. A 2024 study cited in CrowdStrike’s 2025 Global Threat Report found that AI-generated phishing emails matched expert-crafted human phishing at a 54% click-through rate, both significantly outperforming generic bulk phishing at 12%.
The danger is not that AI makes a single attacker more dangerous. The danger is that AI gives every attacker expert-level social engineering at almost zero marginal cost. The credential supply chain now operates on an industrial scale.
The difference between IAM and SecOps is where sessions expire
In 2026, 30% of enterprises will no longer consider facial-based identity verification and biometric authentication solutions reliable in isolation due to AI-generated deepfakes, Gartner predicted in a 2024 report. Reimer pointed to Ivanti’s own 2026 State of Cybersecurity report to measure the gap. The report, which surveyed more than 1,200 security professionals, found that the preparedness gap between threats and defenses has widened by an average of 10 points a year.
Kayne McGladrey, senior member of the IEEE, frames the organizational failure from a business perspective. "Anything that appears to be cyber security is usually put into the cyber security risk category, which is entirely a fiction. They should focus on business risks, because if it doesn’t impact the business like a financial loss, no one will pay attention to it, and they won’t properly budget for it, nor have adequate controls in place to prevent it," McGladrey told VentureBeat. This reasoning explains why session governance, token lifecycle management, and cross-domain identity correlation fall into the gap between IAM and SecOps. No one owns it because no one sees it as a business loss.
"You can see intrusion fragments only on the identity side, the cloud side, and the endpoint side. You need cross-domain visibility because in the best case you get about 29 minutes to stop these intrusions," Meyers told VentureBeat.
Ivanti’s Field CISO, Mike Reimer, has witnessed this disconnect over the course of two decades of changing paradigms. "I don’t know you until I verify you. Unless I know what it is and I don’t know who is on the other side of the keyboard, I will not communicate with it until they give me the ability to understand who it is," Reimer told VentureBeat.
This question applies directly to post-authentication sessions. If attackers use AI to create an identity that clears MFA, defenders need to monitor what that identity does next. Reimer’s broader point is that keeping the security perimeter at a single login event gives every attacker who clears that gate a free run.
NOV closed the gap. Most enterprises have not started.
"This gives us a forced security policy enforcement gateway. Users and attackers on a flat network can use stolen identity session tokens, but with a zero-trust gateway it forces conditional access and revalidation of trust," Phillips told VentureBeat.
NOV shortened token lifetimes, created conditional access policies requiring multiple conditions, and enforced separation of duties so that no single person or service could reset account passwords, bypass multi-factor authentication, or override conditional access. "We’ve significantly limited who can perform a password or multi-factor reset. No person should be able to bypass these controls," Phillips told VentureBeat. They deployed AI against SIEM logs to identify events in real time and brought in a startup specifically to build fast token revocation for their most critical resources.
Phillips also identified a trust chain vulnerability that most teams ignore. "Since with the advancement of AI you can’t rely on voice or video or even writing style, you must either have secrets already shared or be able to validate a query that only you and they would know," he told VentureBeat. If incident response relies on a phone call or Slack DM to confirm a compromised account, attackers using deepfake voice or text could exploit that confirmation channel as well.
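The pre-shared-secret verification Phillips describes, as an added example that is not NOV's protocol or code: a hypothetical HMAC challenge-response in which the incident responder sends a challenge bound to the requested action, and the person being verified answers from their own device using a secret that was exchanged in person and never travels over the voice or chat channel. Names, secrets, the nonce and the two-minute freshness window are all constructed assumptions. A deepfaked caller can imitate a voice or writing style but cannot produce the answer without the secret, and a replayed or re-purposed answer fails the binding checks.

```python
import hashlib
import hmac
import os

# Constructed: one secret per responder, exchanged in person at onboarding and
# never sent over the voice, chat or mail channel it is meant to protect.
SHARED_SECRETS = {
    "alice": b"constructed-secret-for-alice",
    "bob": b"constructed-secret-for-bob",
}

CHALLENGE_MAX_AGE_S = 120   # assumption: an answer older than two minutes is stale


def new_challenge(requester, responder, action, now, nonce=None):
    """Build a challenge bound to who is asking, who must answer, and what is being confirmed."""
    return {
        "from": requester,
        "to": responder,
        "action": action,
        "nonce": nonce if nonce is not None else os.urandom(16).hex(),
        "ts": now,
    }


def _message(ch):
    # Every field is part of the MAC, so changing the action or the nonce changes the answer.
    return "|".join([ch["from"], ch["to"], ch["action"], ch["nonce"], str(ch["ts"])]).encode()


def answer_challenge(ch, secret):
    """The genuine responder computes this on their own device from the shared secret."""
    return hmac.new(secret, _message(ch), hashlib.sha256).hexdigest()


def verify_answer(ch, answer, now):
    """Requester-side check: right secret, right challenge, still fresh."""
    secret = SHARED_SECRETS.get(ch["to"])
    if secret is None:
        return False
    if not 0 <= now - ch["ts"] <= CHALLENGE_MAX_AGE_S:
        return False
    return hmac.compare_digest(answer_challenge(ch, secret), answer)


def confirmation_scenario():
    """Incident responder 'alice' asks 'bob' to confirm a session revocation request."""
    t0 = 1_700_000_000   # constructed timestamp (unix seconds)
    ch = new_challenge("alice", "bob", "revoke-sessions:svc-backup", now=t0, nonce="constructed-nonce")
    results = {}
    # The real Bob answers from his own device with his secret.
    results["genuine"] = verify_answer(ch, answer_challenge(ch, SHARED_SECRETS["bob"]), now=t0 + 30)
    # A deepfaked caller sounds like Bob but has no secret; any guess fails.
    results["impostor_guess"] = verify_answer(ch, "a" * 64, now=t0 + 30)
    # Replaying Bob's genuine answer later falls outside the freshness window.
    results["replay_later"] = verify_answer(ch, answer_challenge(ch, SHARED_SECRETS["bob"]), now=t0 + 600)
    # An answer Bob gave for a different action does not transfer to this one.
    other = new_challenge("alice", "bob", "reset-password:svc-backup", now=t0, nonce="constructed-nonce")
    results["wrong_action"] = verify_answer(ch, answer_challenge(other, SHARED_SECRETS["bob"]), now=t0 + 30)
    return results


if __name__ == "__main__":
    for case, ok in confirmation_scenario().items():
        print(f"{case:16s} verified={ok}")
```

In practice the answer is a short string read out over the existing channel or pasted into the ticket; what matters is that it is computed from the secret plus the exact action being confirmed, so a confirmation for one request cannot be reused for another.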
Eight things to do this week
NOV proved that these gaps could be closed. Here’s what to prioritize first.
- Pull token lifetime reports for every privileged account, service account, and API key. Shorten interactive session tokens to hours instead of days. Keep service account credentials on a scheduled rotation. API keys with no expiration date are open invitations that never close.
- Run a session revocation drill under fire. Do not reset the password; kill the session, and time it. If your team cannot terminate a live compromised session in under five minutes, an attacker breaking out in 27 seconds will exploit the gap first. Even NOV could not do this at first; they brought in dedicated resources and built the capability from scratch.
- Map your cross-domain telemetry end to end. A single analyst should be able to correlate an identity anomaly in your directory service with an endpoint behavior flag and a cloud control-plane login without switching consoles. If that workflow requires four dashboards and a Slack thread, a 29-minute breakout will beat you every time.
- Extend conditional access enforcement beyond the front door. Every privilege escalation and every sensitive resource request should trigger revalidation. An identity that authenticates from Houston and reappears in Bucharest 20 minutes later should trigger automatic step-up authentication or session termination.
- Wherever possible, replace SMS and push-based MFA with phishing-resistant FIDO2 and passkey-based authentication. Every push notification that an attacker can fatigue-bomb is a session they can steal. This is the cheapest upgrade that closes the widest gap.
- Audit separation of duties on identity workflows. If one individual or service account can reset credentials, grant privileged access, and bypass MFA, that is a single point of failure attackers will find. NOV removed that configuration.
- Establish an out-of-band verification protocol for incidents, built on pre-shared secrets. If your team still confirms compromised accounts over a phone call or Slack message, deepfake voice and text can compromise that channel as well. Create the protocol before you need it.
- Create a dedicated budget line for identity-layer governance. Session governance, token lifecycle management, continuous identity verification, and standards like CAEP and the Shared Signals Framework require a single owner with a single budget. If that owner doesn’t exist, the attackers already have access.
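The post-authentication revalidation in the list above (conditional access beyond the front door, with the Houston-to-Bucharest case), as an added example that is not NOV's policy engine or any vendor's code: a hypothetical evaluator that runs over a stream of session events, flags impossible travel from the great-circle distance and elapsed time, and demands step-up authentication for privilege escalation and sensitive-resource access. The events, coordinates, action names and the 900 km/h plausibility threshold are constructed assumptions.

```python
import math
from dataclasses import dataclass


@dataclass
class Event:
    user: str
    ts: int        # unix seconds
    lat: float
    lon: float
    action: str    # e.g. "read", "escalate_privilege", "access_sensitive"


# Assumptions: these actions always force revalidation, and travel faster than a
# commercial flight between two consecutive events is treated as impossible.
STEP_UP_ACTIONS = {"escalate_privilege", "access_sensitive"}
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def evaluate(prev, cur):
    """Decide for one event given the user's previous event: (decision, reason)."""
    if prev is not None and prev.user == cur.user:
        dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        elapsed = max(cur.ts - prev.ts, 1)          # avoid division by zero
        speed = dist / (elapsed / 3600)
        if speed > MAX_PLAUSIBLE_KMH:
            return ("terminate", f"impossible travel: {dist:.0f} km in {elapsed}s ({speed:.0f} km/h)")
    if cur.action in STEP_UP_ACTIONS:
        return ("step_up", f"sensitive action {cur.action} requires revalidation")
    return ("allow", "within policy")


def run_policy(events):
    """Evaluate events in time order, tracking each user's last seen location."""
    last = {}
    decisions = []
    for e in sorted(events, key=lambda ev: ev.ts):
        decision, reason = evaluate(last.get(e.user), e)
        decisions.append((e.user, e.ts, decision, reason))
        last[e.user] = e
    return decisions


# Constructed sample: alice "travels" Houston -> Bucharest in 20 minutes,
# bob stays in Houston but escalates privilege mid-session.
SAMPLE_EVENTS = [
    Event("alice", 0, 29.76, -95.37, "read"),            # Houston
    Event("alice", 1200, 44.43, 26.10, "read"),          # Bucharest, 20 minutes later
    Event("bob", 0, 29.76, -95.37, "read"),
    Event("bob", 600, 29.76, -95.37, "escalate_privilege"),
    Event("bob", 900, 29.77, -95.36, "read"),
]


if __name__ == "__main__":
    for user, ts, decision, reason in run_policy(SAMPLE_EVENTS):
        print(f"t={ts:5d} {user:6s} {decision:9s} {reason}")
```

The termination decision is only useful if the resource layer honours it immediately, which is why this check belongs next to a working revocation path rather than in a report that an analyst reads later.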
Phillips’ team stood up rapid token revocation under real attack conditions after discovering that they could not terminate a compromised session. They shortened token lifetimes, eliminated single-person credential resets, deployed AI-powered log analysis, and built a dedicated revocation capability for their most critical resources. That change took months, not years.
The gap NOV closed exists inside almost every enterprise that treats authentication as a finish line rather than a starting gun. Phillips put it clearly: "Resetting the password is no longer enough. You must immediately revoke the session token to prevent lateral movement." His team built the answer. The question for every other CISO is whether they find that gap on their own terms, or whether an attacker moving at the speed of 27 seconds finds it first.