8 min read, from VentureBeat

MFA verifies who logged in. It has no idea what they do next.

Our take

In today’s enterprise landscape, a successful multi-factor authentication (MFA) check only verifies who logged in, leaving a critical blind spot: post-authentication actions. Even with every login deemed legitimate, attackers can exploit valid session tokens to move laterally through systems, escalating privileges undetected. Alex Philips, CIO at NOV, highlights this architectural gap, emphasizing the need for immediate session token revocation to prevent lateral movement. As identity theft tactics evolve, enterprises must re-evaluate their security strategies.

The recent article highlights a critical oversight in enterprise security: while multi-factor authentication (MFA) successfully verifies user identities at the point of login, it does not monitor what those identities do afterwards inside the network. This scenario has become increasingly common as attackers adapt their methods to exploit valid session tokens, sidestepping the very safeguards organizations have put in place. As the article notes, even the most robust authentication measures become ineffective once an attacker holds a legitimate session, and the result can be a catastrophic breach. The implications are vast, especially as enterprises invest heavily in securing their front doors without addressing the weaknesses that lie within their internal networks. This is particularly concerning given the rise of sophisticated attacks, such as those discussed in "Americans can’t spot a deepfake, and that’s a business crisis, not just a consumer problem", and the growing use of AI-powered tools to scale malicious activity.

The insights from Alex Philips, CIO at NOV, underline a fundamental truth in cybersecurity: authentication is merely the first step in a comprehensive security strategy. Once a user has authenticated, the system often grants them trust without ongoing scrutiny. This "set it and forget it" mentality can lead to severe vulnerabilities, where attackers use stolen session tokens to navigate and exploit internal resources without detection. The stark reality is that a user’s validated identity does not guarantee their actions are benign. As the article illustrates, organizations must evolve their security frameworks to include continuous monitoring of user actions post-authentication, particularly as attackers become increasingly adept at using legitimate credentials to bypass defenses.

Moreover, the alarming statistics on e-crime breakout times reveal a pressing need for organizations to rethink their security measures. With an average breakout time of just 29 minutes, enterprises must act swiftly to mitigate the risks of identity theft and lateral movement within their networks. The call for tighter identity policies and rapid token revocation is not just a recommendation; it is a necessity in today’s threat landscape. Organizations must prioritize proactive measures that extend beyond initial authentication, so that they can respond quickly to any anomaly that arises after login.

As we look to the future, it is crucial for organizations to recognize that security is an ongoing process rather than a one-time achievement. The conversation must shift from merely achieving compliance through MFA to fostering a culture of continuous vigilance and active incident response. Businesses cannot afford to view identity and access management as isolated components but should integrate them into a holistic security strategy that encompasses real-time monitoring, threat detection, and rapid incident response. The question that remains is whether organizations will proactively address these gaps in their security frameworks or wait for an attack to reveal their vulnerabilities. As the landscape evolves, those who embrace a proactive approach will be better positioned to safeguard their assets and maintain trust in an increasingly complex digital environment.

Every MFA check passed. Every login was legitimate. The compliance dashboard was green across every identity control. And the attacker was already inside, moving laterally through Active Directory with a valid session token, escalating privileges on a trajectory toward the domain controller.

This is the scenario playing out inside enterprises that invested heavily in authentication and assumed the job was done. The credential was real. The multi-factor challenge was answered correctly. The system performed exactly as designed. It authenticated the user at the front door and never looked again. The breach didn't bypass MFA. It started after MFA succeeded.

Authentication proves identity at a single point in time. Then it goes blind. Everything that follows, the lateral movement, the privilege escalation, the quiet exfiltration through Active Directory, falls outside what MFA was ever designed to see.

A CIO found the gap in production

Alex Philips, CIO at NOV, identified the gap through operational testing. "We found a gap in our ability to revoke legitimate identity session tokens at the resource level. Resetting a password isn't enough anymore. You have to revoke session tokens instantly to stop lateral movement," he told VentureBeat.

What Philips found wasn't a misconfiguration. It was an architectural blind spot that exists in nearly every enterprise identity stack. Once a user authenticates successfully, the resulting session token carries that trust forward without reassessment. The token becomes a bearer credential. Whoever holds it, attacker or employee, inherits every permission associated with the session. NOV's investigation confirmed that identity session token theft is the vector behind the most advanced attacks they track, driving the team to tighten identity policies, enforce conditional access, and build rapid token revocation from the ground up.

Average e-crime breakout time dropped to 29 minutes in 2025, with the fastest recorded breakout clocked at 27 seconds, according to CrowdStrike's 2026 Global Threat Report. In 82% of detections across 2025, no malware was deployed at all. Attackers don't need exploits when they have session tokens.

Attackers stopped writing malware because stolen identities work better

"Adversaries have figured out that one of the fastest ways to gain access to an environment is to steal legitimate credentials or to use social engineering," Adam Meyers, Senior Vice President of Counter Adversary Operations at CrowdStrike, told VentureBeat. The economics are stark: modern endpoint detection has raised the cost and risk of deploying malware. A stolen credential, by contrast, triggers no alert, matches no signature, and inherits whatever access the real user had.

Vishing attacks exploded by 442% between the first and second halves of 2024, according to CrowdStrike's 2025 Global Threat Report, while deepfake fraud attempts rose more than 1,300% in 2024, according to Pindrop's 2025 Voice Intelligence & Security Report. Face swap attacks grew 704% in 2023, according to data cited in the same report. A 2024 study cited in CrowdStrike's 2025 Global Threat Report found AI-generated phishing emails matched expert-crafted human phishing at a 54% click-through rate, both vastly outperforming generic bulk phishing at 12%.

The threat is not that AI makes one attacker more dangerous. The threat is that AI gives every attacker expert-level social engineering at near-zero marginal cost. The credential supply chain now operates at industrial scale.

The gap between IAM and SecOps is where sessions go to die

By 2026, 30% of enterprises would no longer consider face-based identity verification and biometric authentication solutions reliable in isolation due to AI-generated deepfakes, Gartner predicted in a 2024 report. Mike Riemer, Ivanti's Field CISO, pointed to Ivanti's own 2026 State of Cybersecurity Report to quantify the gap. The report, surveying over 1,200 security professionals, found the preparedness gap between threats and defenses widened by an average of 10 points in a single year.

Kayne McGladrey, IEEE Senior Member, framed the organizational failure in business terms. "Anything that seems to have a cybersecurity flavor is generally put into the cybersecurity risk category, which is a complete fiction. They should be focused on business risks, because if it doesn't affect the business, like a financial loss, then nobody's going to pay attention to it, and they will not budget it appropriately, nor will they adequately put in controls to prevent it," McGladrey told VentureBeat. That logic explains why session governance, token lifecycle management, and cross-domain identity correlation fall into a gap between IAM and SecOps. Nobody owns it because nobody has framed it as a business loss.

"You may only see pieces of the intrusion on the identity side, on the cloud side, and on the endpoint side. You need cross-domain visibility because the best case scenario gives you about 29 minutes to stop these intrusions," Meyers told VentureBeat.

Mike Riemer, Ivanti's Field CISO, has watched this disconnect play out across two decades of shifting paradigms. "I don't know you until I validate you. Until I know what it is and I know who is on the other side of the keyboard, I'm not going to communicate with it until they give me the ability to understand who it is," Riemer told VentureBeat.

That question applies directly to post-authentication sessions. If attackers use AI to fabricate the identity that clears MFA, defenders need AI watching what that identity does after. Riemer's broader point is that placing the security perimeter at a single login event invites every attacker who clears that gate to have the run of the house.

NOV closed the gap. Most enterprises haven't started.

"It gives us a forced security policy enforcement gateway. Users and attackers on a flat network can use stolen identity session tokens, but with zero-trust gateways it forces conditional access and revalidation of trust," Philips told VentureBeat.

NOV shortened token lifetimes, built conditional access requiring multiple conditions, and enforced separation of duties so no single person or service account can reset a password, bypass multi-factor access, or override conditional access. "We drastically reduced who can perform password or multi-factor resets. No one person should be able to bypass these controls," Philips told VentureBeat. They deployed AI against SIEM logs to identify incidents in near real-time and brought in a startup specifically to build rapid token revocation for their most critical resources.
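The passage above describes the mechanics of a resource-level enforcement gateway: shortened token lifetimes, conditional access that is re-evaluated rather than inherited from the login event, and revocation that takes effect at the resource immediately. The sketch below is an added example, not NOV's gateway or any vendor's code. It uses an opaque bearer token that is only a key into server-side session state, which is what makes instant revocation possible (a self-contained JWT, once issued, cannot be withdrawn without a denylist at every resource). The policy values, resource names, user names and country codes are constructed for the example.

```python
"""Resource-level policy enforcement gateway (added example, constructed values)."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed policy values; assumptions for this example, not NOV's settings.
SESSION_TTL_SECONDS = 4 * 3600        # interactive sessions live hours, not days
STEP_UP_MAX_AGE_SECONDS = 15 * 60     # privileged actions need a fresh authentication
SENSITIVE_RESOURCES = {"ad:domain-admin", "payroll:export"}  # constructed names


@dataclass
class Session:
    token_id: str            # opaque bearer token handed to the client
    user: str
    issued_at: float         # epoch seconds of the MFA-verified login
    expires_at: float
    login_country: str       # where the login was observed (constructed value)
    device_compliant: bool   # endpoint posture at login time
    revoked_reason: Optional[str] = None


class SessionStore:
    """Server-side session state shared by every protected resource.

    Because the bearer token is only a lookup key, marking a row revoked takes
    effect on the very next request at every resource that consults the store.
    That is the "revoke at the resource level" capability the article describes.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def issue(self, user: str, login_country: str, device_compliant: bool, now: float) -> Session:
        token_id = secrets.token_urlsafe(32)   # unguessable, not derived from the user
        session = Session(token_id, user, now, now + SESSION_TTL_SECONDS,
                          login_country, device_compliant)
        self._sessions[token_id] = session
        return session

    def revoke(self, token_id: str, reason: str) -> bool:
        session = self._sessions.get(token_id)
        if session is None or session.revoked_reason:
            return False
        session.revoked_reason = reason
        return True

    def revoke_user(self, user: str, reason: str) -> int:
        """Respond to a confirmed compromise by killing every live session, not just one."""
        return sum(self.revoke(tid, reason)
                   for tid, s in self._sessions.items() if s.user == user)

    def get(self, token_id: str) -> Optional[Session]:
        return self._sessions.get(token_id)


def authorize(store: SessionStore, token_id: str, resource: str,
              request_country: str, now: float) -> Tuple[bool, str]:
    """Re-evaluate trust on every request instead of inheriting it from the login.

    Returns (allowed, reason). Some failures revoke the session outright; others
    only demand step-up authentication before the sensitive action proceeds.
    """
    session = store.get(token_id)
    if session is None:
        return False, "unknown_token"
    if session.revoked_reason:
        return False, "revoked:" + session.revoked_reason
    if now >= session.expires_at:
        return False, "expired"
    if request_country != session.login_country:
        # The token is being presented from a country other than the one it was
        # issued in: treat it as stolen and revoke, rather than merely deny once.
        store.revoke(token_id, "country_mismatch")
        return False, "revoked:country_mismatch"
    if resource in SENSITIVE_RESOURCES:
        if not session.device_compliant:
            return False, "step_up_required:noncompliant_device"
        if now - session.issued_at > STEP_UP_MAX_AGE_SECONDS:
            return False, "step_up_required:stale_authentication"
    return True, "ok"


if __name__ == "__main__":
    store = SessionStore()
    s = store.issue("alice", "US", True, now=1000.0)
    print(authorize(store, s.token_id, "wiki:read", "US", 1000.0))
    print(authorize(store, s.token_id, "ad:domain-admin", "US", 1000.0 + 16 * 60))
    print(authorize(store, s.token_id, "wiki:read", "RO", 1200.0))
    print(authorize(store, s.token_id, "wiki:read", "US", 1300.0))  # stays revoked
```

The design choice worth noting is where the state lives: a resource that validates a signed token locally and never consults shared session state cannot honour a revocation, no matter how fast the identity team issues it. Every resource behind the gateway must ask the store (or receive a revocation signal) on each request.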

Philips also flagged a trust chain vulnerability that most teams overlook. "Since with AI advances you can't trust voice or video or even writing styles, you must have either preshared secrets or be able to validate a question only you and them would know," he told VentureBeat. If incident response relies on a phone call or a Slack DM to confirm a compromised account, attackers using deepfake voice or text can exploit that confirmation channel, too.

Eight things to get done this week

NOV proved these gaps are closable. Here is what to prioritize first.

  1. Pull the token lifetime report for every privileged account, service account, and API key. Shorten interactive session tokens to hours, not days. Put service account credentials on a defined rotation schedule. API keys with no expiration date are open invitations that never close.

  2. Run a session revocation drill under fire. Not a password reset. A session kill. Time it. If your team cannot revoke a live compromised session in under five minutes, that is the gap an attacker sprinting at 27 seconds will exploit first. NOV could not do it either. They brought in dedicated resources and built the capability from scratch.

  3. Map your cross-domain telemetry end to end. A single analyst should be able to correlate an identity anomaly in your directory service with a cloud control plane login and an endpoint behavioral flag without switching consoles. If that workflow requires four dashboards and a Slack thread, a 29-minute breakout will beat you every time.

  4. Extend conditional access enforcement past the front door. Every privilege escalation and every sensitive resource request should trigger revalidation. An identity that authenticates from Houston and surfaces from Bucharest 20 minutes later should fire automatic step-up authentication or session termination.

  5. Replace SMS and push-based MFA with phishing-resistant FIDO2 and passkey-based authentication everywhere feasible. Every push notification an attacker can fatigue-bomb is a session they can steal. This remains the cheapest upgrade that closes the widest gap.

  6. Audit separation of duties on identity workflows. If one person or one service account can reset credentials, approve privileged access, and bypass MFA, that is a single point of failure that attackers will find. NOV eliminated that configuration.

  7. Establish an out-of-band incident verification protocol with preshared secrets. If your team still confirms compromised accounts over a phone call or Slack message, deepfake voice and text can compromise that channel too. Build the protocol before you need it.

  8. Create a dedicated budget line for identity-layer governance. Session governance, token lifecycle management, continuous identity verification, and standards like CAEP and the Shared Signals Framework need a single owner with a single budget. If that owner does not exist, attackers already own the gap.
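Steps 3 and 4 above describe a detection workflow in prose. The block below is an added example, not code from the article or from NOV, that shows the same workflow running over constructed telemetry: a few JSON-lines events from a directory service, a cloud control plane and an endpoint agent are grouped per identity, the Houston-to-Bucharest sign-in pair is flagged as impossible travel by great-circle speed, and a revocation decision is taken when identity, cloud and endpoint signals all land inside the 29-minute breakout window the article cites. The 900 km/h threshold, the event names and the sample records are assumptions made for the example.

```python
"""Cross-domain correlation and impossible-travel detection (added example)."""
import json
import math
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed thresholds for the example; the 29 minutes is the breakout time cited above.
MAX_PLAUSIBLE_KMH = 900.0
BREAKOUT_WINDOW = timedelta(minutes=29)
EARTH_RADIUS_KM = 6371.0

# Constructed sample telemetry (not real logs), one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2025-03-04T09:00:00Z","source":"directory","user":"jdoe","event":"signin","lat":29.76,"lon":-95.37,"city":"Houston"}
{"ts":"2025-03-04T09:20:00Z","source":"directory","user":"jdoe","event":"signin","lat":44.43,"lon":26.10,"city":"Bucharest"}
{"ts":"2025-03-04T09:25:00Z","source":"cloud","user":"jdoe","event":"console_login","role":"admin"}
{"ts":"2025-03-04T09:31:00Z","source":"endpoint","user":"jdoe","event":"behavioral_alert","host":"WS-0042"}
{"ts":"2025-03-04T10:00:00Z","source":"directory","user":"asmith","event":"signin","lat":29.76,"lon":-95.37,"city":"Houston"}
{"ts":"2025-03-04T11:30:00Z","source":"cloud","user":"asmith","event":"console_login","role":"reader"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines into event dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        # fromisoformat() accepts a "+00:00" offset on every supported Python version
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on the sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events: List[dict]) -> List[dict]:
    """Flag consecutive geolocated sign-ins whose implied speed exceeds the threshold."""
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        if e["source"] == "directory" and e.get("event") == "signin" and "lat" in e:
            by_user[e["user"]].append(e)
    findings = []
    for user, signins in by_user.items():
        for prev, cur in zip(signins, signins[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            # Two sign-ins in the same second from different places are also impossible.
            kmh = km / hours if hours > 0 else math.inf
            if kmh > MAX_PLAUSIBLE_KMH:
                findings.append({"user": user, "ts": cur["ts"], "from": prev["city"],
                                 "to": cur["city"], "km": round(km, 1),
                                 "minutes": round(hours * 60, 1), "kmh": round(kmh, 1)})
    return findings


def correlate(events: List[dict], findings: List[dict]) -> List[dict]:
    """Join each identity anomaly with cloud and endpoint signals inside the breakout window.

    All three domains agreeing is treated as an active intrusion and answered with
    session revocation; an identity anomaly alone gets step-up and a ticket.
    """
    decisions = []
    for f in findings:
        domains = {"identity"}
        for e in events:
            if e["user"] == f["user"] and f["ts"] <= e["ts"] <= f["ts"] + BREAKOUT_WINDOW:
                if e["source"] in ("cloud", "endpoint"):
                    domains.add(e["source"])
        action = "revoke_sessions" if len(domains) == 3 else "step_up_and_investigate"
        decisions.append({"user": f["user"], "action": action, "domains": sorted(domains)})
    return decisions


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for finding in impossible_travel(evs):
        print(finding)
    print(correlate(evs, impossible_travel(evs)))
```

The point of the example is the join, not the geometry: the directory, the cloud console and the endpoint agent each see only a fragment of the intrusion, and the 29-minute clock starts at the first anomaly, so the correlation has to run continuously on a shared identity key rather than waiting for an analyst to pivot between consoles.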

Philips's team went from discovering they couldn't kill a compromised session to standing up rapid token revocation under real attack conditions. They shortened token lifetimes, eliminated single-person credential resets, deployed AI-driven log analysis, and built a dedicated revocation capability for their most critical resources. That transformation took months, not years.

The gap NOV closed exists inside nearly every enterprise that treats authentication as the finish line instead of the starting gun. Philips put it plainly: "Resetting a password isn't enough anymore. You have to revoke session tokens instantly to stop lateral movement." His team built the answer. The question for every other CISO is whether they find that gap on their own terms, or whether an attacker moving at 27 seconds finds it for them.
