© 2024 americanfocus.online – All Rights Reserved.
Tech and Science

MFA verifies who logged in. It has no idea what they do next.

Last updated: May 22, 2026 2:50 am

Contents
  • A CIO Identifies a Security Gap
  • Shift from Malware to Stolen Identities
  • The Overlooked Gap Between IAM and SecOps
  • NOV Closes the Security Gap
  • Eight Priorities for Immediate Action

All multi-factor authentication (MFA) checks were successful, and every login was legitimate, with the compliance dashboard showing no issues across all identity controls. However, an attacker had already infiltrated the system, using a valid session token to move laterally within Active Directory, escalating privileges on their way to the domain controller.

This scenario is unfolding in enterprises that have invested heavily in authentication, treating it as the end of the security process. The credentials were genuine, the multi-factor verification completed correctly, and the system worked as designed: it verified the user at the point of entry and then stopped watching. The breach happened after MFA had already succeeded.

Authentication confirms identity at a single moment, then becomes inactive. It does not track the subsequent lateral movements, privilege escalations, or subtle data extractions through Active Directory, which are beyond its intended scope.

A CIO Identifies a Security Gap

Alex Philips, CIO at NOV, discovered a significant security gap during operational testing. “We found a gap in our ability to revoke legitimate identity session tokens at the resource level. Resetting a password isn’t enough anymore. You have to revoke session tokens instantly to stop lateral movement,” he stated to VentureBeat.

Philips determined this was not a misconfiguration but an inherent blind spot in the architecture of nearly every enterprise identity stack. Once authenticated, a session token carries trust without further checks, acting as a bearer credential. Whoever possesses it, whether an attacker or an employee, gains all associated permissions. NOV’s investigation revealed that session token theft is the primary vector in the most advanced attacks they monitor, prompting the team to enhance identity policies, enforce conditional access, and establish rapid token revocation capabilities.

According to CrowdStrike’s 2026 Global Threat Report, the average time for e-crime breakout fell to 29 minutes in 2025, with the quickest breakout recorded at 27 seconds. In 82% of 2025 detections, no malware was used, with attackers exploiting session tokens instead.

Shift from Malware to Stolen Identities

“Adversaries have figured out that one of the fastest ways to gain access to an environment is to steal legitimate credentials or to use social engineering,” Adam Meyers, Senior Vice President of Counter Adversary Operations at CrowdStrike, told VentureBeat. Modern endpoint detection has increased the cost and risk associated with deploying malware. In contrast, using a stolen credential raises no alarm, matches no signature, and provides the same access as the legitimate user.

Vishing attacks surged by 442% between the first and second halves of 2024, as reported by CrowdStrike’s 2025 Global Threat Report. Deepfake fraud attempts increased by over 1,300% in 2024, according to Pindrop’s 2025 Voice Intelligence & Security Report. Face swap attacks rose 704% in 2023. A 2024 study in CrowdStrike’s 2025 report found that AI-generated phishing emails had a 54% click-through rate, outperforming generic bulk phishing’s 12%.

The real threat is not that AI enhances a single attacker’s capabilities but that it equips all attackers with advanced social engineering tools at minimal cost, resulting in an industrial-scale credential supply chain.

The Overlooked Gap Between IAM and SecOps

In a 2024 report, Gartner predicted that by 2026, 30% of enterprises would no longer consider face-based identity verification and biometric authentication solutions trustworthy on their own because of AI-generated deepfakes. Ivanti’s 2026 State of Cybersecurity Report highlighted the same gap, noting a 10-point average increase over one year in the preparedness gap between threats and defenses.

Kayne McGladrey, an IEEE Senior Member, emphasized that cybersecurity issues are often misclassified, focusing on business risks rather than cybersecurity risks. This misclassification leads to gaps in session governance, token lifecycle management, and cross-domain identity correlation, with no clear ownership or framing as a business loss.

“You may only see pieces of the intrusion on the identity side, on the cloud side, and on the endpoint side. You need cross-domain visibility because the best case scenario gives you about 29 minutes to stop these intrusions,” Meyers told VentureBeat.

Mike Riemer, Ivanti’s Field CISO, observed this disconnect over two decades. “I don’t know you until I validate you. Until I know what it is and I know who is on the other side of the keyboard, I’m not going to communicate with it until they give me the ability to understand who it is,” Riemer told VentureBeat.

This issue is crucial for post-authentication sessions. If attackers use AI to create identities that pass MFA, defenders need AI to monitor post-authentication activities. Riemer argues that relying on a single login as the security perimeter allows attackers who pass the initial check to access the entire system.

NOV Closes the Security Gap

“It gives us a forced security policy enforcement gateway. Users and attackers on a flat network can use stolen identity session tokens, but with zero-trust gateways it forces conditional access and revalidation of trust,” Philips explained to VentureBeat.

NOV reduced token lifetimes, implemented conditional access with multiple requirements, and enforced separation of duties, ensuring no single person or service account can reset a password, bypass multi-factor access, or override conditional access. “We drastically reduced who can perform password or multi-factor resets. No one person should be able to bypass these controls,” Philips told VentureBeat. They utilized AI for real-time analysis of SIEM logs and partnered with a startup to develop rapid token revocation for critical resources.

Philips also identified a vulnerability in the trust chain that teams often ignore. “Since with AI advances you can’t trust voice or video or even writing styles, you must have either preshared secrets or be able to validate a question only you and them would know,” he told VentureBeat. If incident response depends on a phone call or a Slack message to confirm a compromised account, attackers using deepfake voice or text can exploit these channels.
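The out-of-band check Philips describes can be made replay-resistant with a challenge-response over the preshared secret instead of reading the secret itself aloud. The following is an added Python example, not NOV’s procedure or code; the secret value, the action string and the 12-character answer length are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical preshared secret, handed over in person when the on-call responder is
# onboarded. The value below is constructed for this example; a real one is random and
# is never sent over chat, email or voice.
PRESHARED_SECRET = b"example-only-preshared-secret-do-not-reuse"


def issue_challenge(action: str) -> dict:
    """Verifier side: a one-time challenge bound to the specific action being requested."""
    return {"nonce": secrets.token_hex(16), "action": action, "ts": int(time.time())}


def answer_challenge(secret: bytes, challenge: dict) -> str:
    """Requester side: prove possession of the secret without speaking it aloud.
    The MAC covers nonce, action and timestamp, so a recorded answer cannot be replayed
    for a different request. Truncated to 12 hex digits so it can be read over a call
    (a usability trade-off: shorter answers leave less margin than the full digest)."""
    msg = f"{challenge['nonce']}|{challenge['action']}|{challenge['ts']}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:12]


def verify_answer(secret: bytes, challenge: dict, answer: str,
                  max_age_s: int = 120, now=None) -> bool:
    """Verifier side: accept only a fresh answer to this exact challenge."""
    now = time.time() if now is None else now
    if now - challenge["ts"] > max_age_s:
        return False                                  # stale challenge: issue a new one
    expected = answer_challenge(secret, challenge)
    return hmac.compare_digest(expected, answer)      # constant-time comparison
```

The responder reads the nonce to the caller, the caller reads back the answer, and a deepfaked voice that replays an earlier answer fails because the nonce, action and timestamp differ.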

Eight Priorities for Immediate Action

NOV demonstrated that these security gaps can be addressed. Here are the top priorities:

  1. Review token lifespans for all privileged accounts, service accounts, and API keys. Reduce interactive session tokens to hours, not days, and establish a rotation schedule for service account credentials. API keys without expiration are perpetual vulnerabilities.

  2. Conduct a session revocation drill under pressure, timing the process. If your team cannot revoke a live compromised session within five minutes, attackers will exploit that window, as NOV found. NOV built the capability from scratch with dedicated resources.

  3. Ensure comprehensive cross-domain telemetry mapping. An analyst should be able to link an identity anomaly in your directory service with a cloud control plane login and an endpoint behavioral flag without switching consoles. If the process involves multiple dashboards and a Slack thread, a 29-minute breakout will outpace your defenses.

  4. Extend conditional access enforcement beyond the initial login. Every privilege escalation and sensitive resource request should prompt revalidation. An identity that logs in from Houston and later appears in Bucharest within 20 minutes should trigger automatic step-up authentication or session termination.

  5. Upgrade to phishing-resistant FIDO2 and passkey-based authentication, replacing SMS and push-based MFA. Push-based approvals are susceptible to fatigue attacks. This is the most cost-effective upgrade for closing a significant security gap.

  6. Conduct a thorough audit of duty separations in identity workflows. If one person or service account can reset credentials, approve privileged access, and bypass MFA, it presents a single point of failure that attackers will exploit. NOV addressed this configuration.

  7. Develop an out-of-band incident verification protocol with preshared secrets. If compromised accounts are confirmed over phone or Slack, deepfake voice and text vulnerabilities can be exploited. Establish the protocol before it’s needed.

  8. Allocate a specific budget for identity-layer governance. Session governance, token lifecycle management, continuous identity verification, and standards like CAEP and the Shared Signals Framework require a dedicated owner and budget. Without this, attackers will exploit the gap.
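Priorities 1, 2 and 4 above, together with the bearer-token point from the NOV section, come down to decisions a resource makes on every request after login rather than only at login. The Python below is an added example, not NOV’s or any vendor’s code: it assumes a resource-level revocation list, constructed lifetime and speed thresholds, and the Houston-to-Bucharest coordinates from priority 4 as sample input.

```python
import math
from dataclasses import dataclass

MAX_SESSION_AGE_S = 4 * 3600         # assumed lifetime: hours, not days (priority 1)
STEP_UP_FRESHNESS_S = 10 * 60        # assumed: privileged actions need MFA within 10 minutes (priority 4)
MAX_PLAUSIBLE_SPEED_KMH = 1000.0     # assumed: faster than this between two requests is impossible travel
PRIVILEGED_ACTIONS = {"reset_password", "add_role_member", "read_secret"}
REVOKED_TOKENS = set()               # checked on every request, so revocation takes effect instantly


@dataclass
class Session:
    token: str
    user: str
    issued_at: float
    last_mfa_at: float
    last_seen: tuple                 # (lat, lon, timestamp) of the previous request
    revoked: bool = False


def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    la1, lo1, la2, lo2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = math.sin((la2 - la1) / 2) ** 2 + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def revoke(session):
    """Resource-level revocation: the bearer token stops working now, with no password reset needed."""
    session.revoked = True
    REVOKED_TOKENS.add(session.token)


def authorize(session, action, lat, lon, now):
    """Decision for one post-authentication request: 'allow', 'step_up' or 'deny'."""
    if session.revoked or session.token in REVOKED_TOKENS:
        return "deny"                                # a stolen token is worthless once revoked
    if now - session.issued_at > MAX_SESSION_AGE_S:
        revoke(session)
        return "deny"                                # short lifetime bounds how long theft pays off
    p_lat, p_lon, p_ts = session.last_seen
    hours = max(now - p_ts, 1.0) / 3600
    if km_between((p_lat, p_lon), (lat, lon)) / hours > MAX_PLAUSIBLE_SPEED_KMH:
        revoke(session)
        return "deny"                                # impossible travel: terminate the session
    session.last_seen = (lat, lon, now)
    if action in PRIVILEGED_ACTIONS and now - session.last_mfa_at > STEP_UP_FRESHNESS_S:
        return "step_up"                             # revalidate before the sensitive action, not only at login
    return "allow"
```

The same check can be driven by an external signal (for example a CAEP session-revoked event) simply by adding the token to REVOKED_TOKENS.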

Philips’s team transformed from being unable to terminate a compromised session to implementing rapid token revocation under real attack conditions. They reduced token lifetimes, eliminated single-person credential resets, used AI-driven log analysis, and built a dedicated revocation capability for critical resources. This transformation took months, not years.

The gap NOV addressed is prevalent in enterprises that view authentication as the endpoint rather than the beginning of security measures. Philips emphasized the need for immediate revocation of session tokens to prevent lateral movement, stating, “Resetting a password isn’t enough anymore. You have to revoke session tokens instantly to stop lateral movement.” His team provided a solution, and the challenge for other CISOs is whether they will identify this gap independently or wait for an attacker to exploit it first.
