Every MFA check passed. Every login was legitimate. The compliance dashboard was green across every identity control. And the attacker was already inside, moving laterally through Active Directory with a valid session token, escalating privileges on a trajectory toward the domain controller.
This is the scenario playing out inside enterprises that invested heavily in authentication and assumed the job was done. The credential was real. The multi-factor challenge was answered correctly. The system performed exactly as designed. It authenticated the user at the front door and never looked again. The breach didn’t bypass MFA. It started after MFA succeeded.
Authentication proves identity at a single point in time. Then it goes blind. Everything that follows, the lateral movement, the privilege escalation, the quiet exfiltration through Active Directory, falls outside what MFA was ever designed to see.
A CIO found the gap in production
Alex Philips, CIO at NOV, identified the gap through operational testing. “We found a gap in our ability to revoke legitimate identity session tokens at the resource level. Resetting a password isn’t enough anymore. You have to revoke session tokens instantly to stop lateral movement,” he told VentureBeat.
What Philips found wasn’t a misconfiguration. It was an architectural blind spot that exists in nearly every enterprise identity stack. Once a user authenticates successfully, the resulting session token carries that trust forward without reassessment. The token becomes a bearer credential. Whoever holds it, attacker or employee, inherits every permission associated with the session. NOV’s investigation confirmed that identity session token theft is the vector behind the most advanced attacks they track, driving the team to tighten identity policies, enforce conditional access, and build rapid token revocation from the ground up.
Average e-crime breakout time dropped to 29 minutes in 2025, with the fastest recorded breakout clocked at 27 seconds, according to CrowdStrike’s 2026 Global Threat Report. In 82% of detections across 2025, no malware was deployed at all. Attackers don’t need exploits when they have session tokens.
Attackers stopped writing malware because stolen identities work better
“Adversaries have figured out that one of the fastest ways to gain access to an environment is to steal legitimate credentials or to use social engineering,” Adam Meyers, Senior Vice President of Counter Adversary Operations at CrowdStrike, told VentureBeat. The economics are stark: modern endpoint detection has raised the cost and risk of deploying malware. A stolen credential, by contrast, triggers no alert, matches no signature, and inherits whatever access the real user had.
Vishing attacks exploded by 442% between the first and second halves of 2024, according to CrowdStrike’s 2025 Global Threat Report, while deepfake fraud attempts rose more than 1,300% in 2024, according to Pindrop’s 2025 Voice Intelligence & Security Report. Face swap attacks grew 704% in 2023, according to data cited in the same Pindrop report. A 2024 study cited in CrowdStrike’s 2025 Global Threat Report found AI-generated phishing emails matched expert-crafted human phishing at a 54% click-through rate, with both vastly outperforming generic bulk phishing at 12%.
The threat is not that AI makes one attacker more dangerous. The threat is that AI gives every attacker expert-level social engineering at near-zero marginal cost. The credential supply chain now operates at industrial scale.
The gap between IAM and SecOps is where sessions go to die
Gartner predicted in a 2024 report that by 2026, 30% of enterprises will no longer consider face-based identity verification and biometric authentication reliable in isolation because of AI-generated deepfakes. Mike Riemer, Ivanti’s Field CISO, pointed to Ivanti’s own 2026 State of Cybersecurity Report to quantify the preparedness gap. The report, which surveyed more than 1,200 security professionals, found that the gap between threats and defenses widened by an average of 10 points in a single year.
Kayne McGladrey, IEEE Senior Member, framed the organizational failure in business terms. “Anything that seems to have a cybersecurity flavor is generally put into the cybersecurity risk category, which is a complete fiction. They should be focused on business risks, because if it doesn’t affect the business, like a financial loss, then nobody’s going to pay attention to it, and they will not budget it appropriately, nor will they adequately put in controls to prevent it,” McGladrey told VentureBeat. That logic explains why session governance, token lifecycle management, and cross-domain identity correlation fall into a gap between IAM and SecOps. Nobody owns it because nobody has framed it as a business loss.
“You may only see pieces of the intrusion on the identity side, on the cloud side, and on the endpoint side. You need cross-domain visibility because the best case scenario gives you about 29 minutes to stop these intrusions,” Meyers told VentureBeat.
Mike Riemer, Ivanti’s Field CISO, has watched this disconnect play out across two decades of shifting paradigms. “I don’t know you until I validate you. Until I know what it is and I know who is on the other side of the keyboard, I’m not going to communicate with it until they give me the ability to understand who it is,” Riemer told VentureBeat.
That demand for validation applies directly to post-authentication sessions. If attackers use AI to fabricate the identity that clears MFA, defenders need AI watching what that identity does afterward. Riemer’s broader point is that placing the security perimeter at a single login event gives every attacker who clears that gate the run of the house.
NOV closed the gap. Most enterprises haven’t started.
“It gives us a forced security policy enforcement gateway. Users and attackers on a flat network can use stolen identity session tokens, but with zero-trust gateways it forces conditional access and revalidation of trust,” Philips told VentureBeat.
NOV shortened token lifetimes, built conditional access requiring multiple conditions, and enforced separation of duties so no single person or service account can reset a password, bypass multi-factor access, or override conditional access. “We drastically reduced who can perform password or multi-factor resets. No one person should be able to bypass these controls,” Philips told VentureBeat. They deployed AI against SIEM logs to identify incidents in near real-time and brought in a startup specifically to build rapid token revocation for their most critical resources.
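The blind spot described earlier (a signed, unexpired bearer token is accepted by any resource that can verify it, whatever has happened to the account since) and the controls NOV describes here (short lifetimes, revalidation at a gateway, revocation at the resource level) can be shown side by side. The following is an added example, not NOV’s code or any vendor’s product: the HMAC-signed token format, the in-memory revocation store, the one-hour cap and the per-user revoke-all cutoff are all assumptions chosen for illustration.

```python
"""Bearer session tokens: validate-once versus revalidate-at-the-resource.

Added example, not NOV's or any vendor's code. Tokens are HMAC-signed JSON
claims; the revocation store is an in-memory set (assumption: a production
gateway would back it with a shared store fed by the identity provider).
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

SIGNING_KEY = b"constructed-example-key-not-for-reuse"  # constructed for the demo


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, session_id: str, ttl_seconds: int, now: int) -> str:
    """Mint a bearer token: base64(claims).base64(HMAC-SHA256 over the claims)."""
    claims = {"sub": user, "sid": session_id, "iat": now, "exp": now + ttl_seconds}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def _signed_claims(token: str, now: int) -> Optional[dict]:
    """Signature and expiry check only. Returns the claims or None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
        return None if claims["exp"] <= now else claims
    except (ValueError, KeyError, TypeError):
        return None


def accept_validate_once(token: str, now: int) -> bool:
    """The blind spot: whoever holds a signed, unexpired token is in.

    Nothing here can tell a stolen token from the employee's own, and a
    password reset changes nothing the token carries.
    """
    return _signed_claims(token, now) is not None


class SessionGateway:
    """Resource-level revalidation placed in front of a sensitive resource."""

    MAX_TTL = 60 * 60  # assumption: interactive sessions capped at one hour

    def __init__(self):
        self.revoked_sids = set()   # individual sessions killed
        self.not_before = {}        # user -> cutoff; older tokens are dead

    def revoke_session(self, session_id: str) -> None:
        """Kill one live session without touching the user's other sessions."""
        self.revoked_sids.add(session_id)

    def revoke_all_for_user(self, user: str, now: int) -> None:
        """Everything issued to this user before `now` is dead from here on."""
        self.not_before[user] = now

    def accept(self, token: str, now: int) -> bool:
        claims = _signed_claims(token, now)
        if claims is None:
            return False
        if claims["exp"] - claims["iat"] > self.MAX_TTL:
            return False  # refuse long-lived tokens even when validly signed
        if claims["sid"] in self.revoked_sids:
            return False  # revoked at the resource, not only at the IdP
        if claims["iat"] < self.not_before.get(claims["sub"], 0):
            return False  # issued before a revoke-all (incident response)
        return True


if __name__ == "__main__":
    t0 = 1_700_000_000
    stolen = issue_token("alice", "sid-1", 3600, t0)
    gw = SessionGateway()
    gw.revoke_session("sid-1")
    print("validate-once still accepts the revoked token:",
          accept_validate_once(stolen, t0 + 60))
    print("gateway rejects it:", not gw.accept(stolen, t0 + 60))
```

The point of the split is that `accept_validate_once` is what a resource does when it only checks the signature and expiry the identity provider put in the token; the gateway adds the state the token itself cannot carry, which is why a revocation has to reach the resource level, as Philips describes, rather than stop at a password reset.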
Philips also flagged a trust chain vulnerability that most teams overlook. “Since with AI advances you can’t trust voice or video or even writing styles, you must have either preshared secrets or be able to validate a question only you and them would know,” he told VentureBeat. If incident response relies on a phone call or a Slack DM to confirm a compromised account, attackers using deepfake voice or text can exploit that confirmation channel, too.
Eight things to get done this week
NOV proved these gaps are closable. Here is what to prioritize first.
Pull the token lifetime report for every privileged account, service account, and API key. Shorten interactive session tokens to hours, not days. Put service account credentials on a defined rotation schedule. API keys with no expiration date are open invitations that never close.
Run a session revocation drill under fire. Not a password reset. A session kill. Time it. If your team cannot revoke a live compromised session in under five minutes, that is the gap an attacker sprinting at 27 seconds will exploit first. NOV could not do it either. They brought in dedicated resources and built the capability from scratch.
Map your cross-domain telemetry end to end. A single analyst should be able to correlate an identity anomaly in your directory service with a cloud control plane login and an endpoint behavioral flag without switching consoles. If that workflow requires four dashboards and a Slack thread, a 29-minute breakout will beat you every time.
Extend conditional access enforcement past the front door. Every privilege escalation and every sensitive resource request should trigger revalidation. An identity that authenticates from Houston and surfaces from Bucharest 20 minutes later should fire automatic step-up authentication or session termination.
Replace SMS and push-based MFA with phishing-resistant FIDO2 and passkey-based authentication everywhere feasible. Every push notification an attacker can fatigue-bomb is a session they can obtain. This remains the cheapest upgrade that closes the widest gap at the front door; it does nothing for a token that has already been issued, which is what the revocation and revalidation items above are for.
Audit separation of duties on identity workflows. If one person or one service account can reset credentials, approve privileged access, and bypass MFA, that is a single point of failure that attackers will find. NOV eliminated that configuration.
Establish an out-of-band incident verification protocol with preshared secrets. If your team still confirms compromised accounts over a phone call or Slack message, deepfake voice and text can compromise that channel too. Build the protocol before you need it.
Create a dedicated budget line for identity-layer governance. Session governance, token lifecycle management, continuous identity verification, and standards like the Continuous Access Evaluation Profile (CAEP) and the OpenID Shared Signals Framework it belongs to need a single owner with a single budget. If that owner does not exist, attackers already own the gap.
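The cross-domain correlation in the third item and the impossible-travel revalidation in the fourth, as an added example that is not part of the original article and not NOV’s or CrowdStrike’s detection content. The log lines are constructed; the field names, the 29-minute window (taken from the breakout figure cited above) and the 1,000 km/h plausibility ceiling are assumptions.

```python
"""Cross-domain identity correlation with an impossible-travel rule.

Added example, not NOV's or CrowdStrike's code. The events are constructed
JSON lines; field names, the 29-minute window and the speed ceiling are
assumptions made for the demonstration.
"""
import json
import math
from collections import defaultdict

BREAKOUT_WINDOW = 29 * 60     # seconds; the average breakout time cited above
MAX_PLAUSIBLE_KMH = 1000      # assumption: above any commercial flight
HIGH_RISK_EVENTS = {"lsass_access", "role_assume", "privilege_escalation"}

# Constructed sample telemetry from three domains: directory, endpoint, cloud.
SAMPLE_LOGS = """\
{"source":"directory","user":"j.doe","ts":1700000000,"event":"login","city":"Houston","lat":29.76,"lon":-95.37}
{"source":"endpoint","user":"j.doe","ts":1700000300,"event":"lsass_access","host":"WS-114"}
{"source":"cloud","user":"j.doe","ts":1700001200,"event":"login","city":"Bucharest","lat":44.43,"lon":26.10}
{"source":"cloud","user":"j.doe","ts":1700001260,"event":"role_assume","role":"GlobalAdmin"}
{"source":"directory","user":"s.kim","ts":1700000000,"event":"login","city":"Houston","lat":29.76,"lon":-95.37}
{"source":"cloud","user":"s.kim","ts":1700000900,"event":"role_assume","role":"SubscriptionOwner"}
{"source":"directory","user":"m.lee","ts":1700000000,"event":"login","city":"Houston","lat":29.76,"lon":-95.37}
{"source":"cloud","user":"m.lee","ts":1700003000,"event":"login","city":"Dallas","lat":32.78,"lon":-96.80}
"""


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def parse_events(text):
    """Parse JSON lines from any source into one timeline ordered per user."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: (e["user"], e["ts"]))


def impossible_travel(logins):
    """First consecutive login pair whose implied speed is not plausible."""
    for prev, cur in zip(logins, logins[1:]):
        km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
        hours = (cur["ts"] - prev["ts"]) / 3600
        if hours <= 0:
            speed = float("inf") if km > 0 else 0.0  # same second, different place
        else:
            speed = km / hours
        if speed > MAX_PLAUSIBLE_KMH:
            return prev["city"], cur["city"], round(speed, 1)
    return None


def cross_domain_chain(events):
    """A high-risk event preceded, inside the breakout window, by activity
    from a different telemetry domain for the same identity."""
    for i, ev in enumerate(events):
        if ev["event"] not in HIGH_RISK_EVENTS:
            continue
        recent = [e for e in events[:i] if ev["ts"] - e["ts"] <= BREAKOUT_WINDOW]
        sources = {e["source"] for e in recent} | {ev["source"]}
        if len(sources) >= 2:
            return sorted(sources), ev["event"]
    return None


def assess(text):
    """Per-identity verdict: terminate the session, step up, or allow."""
    by_user = defaultdict(list)
    for ev in parse_events(text):
        by_user[ev["user"]].append(ev)
    verdicts = {}
    for user, evs in by_user.items():
        logins = [e for e in evs if e["event"] == "login" and "lat" in e]
        travel = impossible_travel(logins)
        chain = cross_domain_chain(evs)
        if travel:
            action = "terminate_session"   # the identity cannot be where it claims
        elif chain:
            action = "step_up_auth"        # revalidate before the escalation stands
        else:
            action = "allow"
        verdicts[user] = {"action": action, "travel": travel, "chain": chain}
    return verdicts


if __name__ == "__main__":
    for user, verdict in assess(SAMPLE_LOGS).items():
        print(user, verdict)
```

In the constructed data, j.doe authenticates in Houston and reappears in Bucharest 20 minutes later while touching LSASS on an endpoint and assuming a cloud role, so the session is terminated; s.kim’s directory login followed by a cloud role assumption inside the window triggers step-up only; m.lee’s Houston-to-Dallas logins are plausible and nothing else happened, so the identity is allowed. The value of the single timeline is that no one of the three sources, read alone, would have produced the first two verdicts.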
Philips’s team went from discovering they couldn’t kill a compromised session to standing up rapid token revocation under real attack conditions. They shortened token lifetimes, eliminated single-person credential resets, deployed AI-driven log analysis, and built a dedicated revocation capability for their most critical resources. That transformation took months, not years.
The gap NOV closed exists inside nearly every enterprise that treats authentication as the finish line instead of the starting gun. Philips put it plainly: “Resetting a password isn’t enough anymore. You have to revoke session tokens instantly to stop lateral movement.” His team built the answer. The question for every other CISO is whether they find that gap on their own terms, or whether an attacker moving at 27 seconds finds it for them.