Every MFA check passed. Every login was legitimate. The compliance dashboard was green across every identity control. And the attacker was already inside, moving laterally through Active Directory with a valid session token, escalating privileges on a trajectory toward the domain controller.
This is the scenario playing out inside enterprises that invested heavily in authentication and assumed the job was done. The credential was real. The multi-factor challenge was answered correctly. The system performed exactly as designed. It authenticated the user at the front door and never looked again. The breach didn’t bypass MFA. It started after MFA succeeded.
Authentication proves identity at a single point in time. Then it goes blind. Everything that follows, the lateral movement, the privilege escalation, the quiet exfiltration through Active Directory, falls outside what MFA was ever designed to see.
Alex Philips, CIO at NOV, identified the gap through operational testing. “We found a gap in our ability to revoke legitimate identity session tokens at the resource level. Resetting a password isn’t enough anymore. You have to revoke session tokens instantly to stop lateral movement,” he told VentureBeat.
What Philips found wasn’t a misconfiguration. It was an architectural blind spot that exists in nearly every enterprise identity stack. Once a user authenticates successfully, the resulting session token carries that trust forward without reassessment. The token becomes a bearer credential. Whoever holds it, attacker or employee, inherits every permission associated with the session. NOV’s investigation confirmed that identity session token theft is the vector behind the most advanced attacks they track, driving the team to tighten identity policies, enforce conditional access, and build rapid token revocation from the ground up.
Average e-crime breakout time dropped to 29 minutes in 2025, with the fastest recorded breakout clocked at 27 seconds, according to CrowdStrike’s 2026 Global Threat Report. In 82% of detections across 2025, no malware was deployed at all. Attackers don’t need exploits when they have session tokens.
“Adversaries have figured out that one of the fastest ways to gain access to an environment is to steal legitimate credentials or to use social engineering,” Adam Meyers, Senior Vice President of Counter Adversary Operations at CrowdStrike, told VentureBeat. The economics are stark: modern endpoint detection has raised the cost and risk of deploying malware. A stolen credential, by contrast, triggers no alert, matches no signature, and inherits whatever access the real user had.
Vishing attacks exploded by 442% between the first and second halves of 2024, according to CrowdStrike’s 2025 Global Threat Report, while deepfake fraud attempts rose more than 1,300% in 2024, according to Pindrop’s 2025 Voice Intelligence & Security Report. Face swap attacks grew 704% in 2023, according to data cited in the same report. A 2024 study cited in CrowdStrike’s 2025 Global Threat Report found AI-generated phishing emails matched expert-crafted human phishing at a 54% click-through rate, both vastly outperforming generic bulk phishing at 12%.
The threat is not that AI makes one attacker more dangerous. The threat is that AI gives every attacker expert-level social engineering at near-zero marginal cost. The credential supply chain now operates at industrial scale.
By 2026, 30% of enterprises would no longer consider face-based identity verification and biometric authentication solutions reliable in isolation due to AI-generated deepfakes, Gartner predicted in a 2024 report. Riemer pointed to Ivanti’s own 2026 State of Cybersecurity Report to quantify the gap. The report, surveying over 1,200 security professionals, found the preparedness gap between threats and defenses widened by an average of 10 points in a single year.
Kayne McGladrey, IEEE Senior Member, framed the organizational failure in business terms. “Anything that seems to have a cybersecurity flavor is generally put into the cybersecurity risk category, which is a complete fiction. They should be focused on business risks, because if it doesn’t affect the business, like a financial loss, then nobody’s going to pay attention to it, and they will not budget it appropriately, nor will they adequately put in controls to prevent it,” McGladrey told VentureBeat. That logic explains why session governance, token lifecycle management, and cross-domain identity correlation fall into a gap between IAM and SecOps. Nobody owns it because nobody has framed it as a business loss.
“You may only see pieces of the intrusion on the identity side, on the cloud side, and on the endpoint side. You need cross-domain visibility because the best case scenario gives you about 29 minutes to stop these intrusions,” Meyers told VentureBeat.
Mike Riemer, Ivanti’s Field CISO, has watched this disconnect play out across two decades of shifting paradigms. “I don’t know you until I validate you. Until I know what it is and I know who is on the other side of the keyboard, I’m not going to communicate with it until they give me the ability to understand who it is,” Riemer told VentureBeat.
That question applies directly to post-authentication sessions. If attackers use AI to fabricate the identity that clears MFA, defenders need AI watching what that identity does after. Riemer’s broader point is that placing the security perimeter at a single login event invites every attacker who clears that gate to have the run of the house.
“It gives us a forced security policy enforcement gateway. Users and attackers on a flat network can use stolen identity session tokens, but with zero-trust gateways it forces conditional access and revalidation of trust,” Philips told VentureBeat.
NOV shortened token lifetimes, built conditional access requiring multiple conditions, and enforced separation of duties so no single person or service account can reset a password, bypass multi-factor access, or override conditional access. “We drastically reduced who can perform password or multi-factor resets. No one person should be able to bypass these controls,” Philips told VentureBeat. They deployed AI against SIEM logs to identify incidents in near real-time and brought in a startup specifically to build rapid token revocation for their most critical resources.
Philips also flagged a trust chain vulnerability that most teams overlook. “Since with AI advances you can’t trust voice or video or even writing styles, you must have either preshared secrets or be able to validate a question only you and them would know,” he told VentureBeat. If incident response relies on a phone call or a Slack DM to confirm a compromised account, attackers using deepfake voice or text can exploit that confirmation channel, too.
NOV proved these gaps are closable. Here is what to prioritize first.
Pull the token lifetime report for every privileged account, service account, and API key. Shorten interactive session tokens to hours, not days. Put service account credentials on a defined rotation schedule. API keys with no expiration date are open invitations that never close.
Run a session revocation drill under fire. Not a password reset. A session kill. Time it. If your team cannot revoke a live compromised session in under five minutes, that is the gap an attacker sprinting at 27 seconds will exploit first. NOV could not do it either. They brought in dedicated resources and built the capability from scratch.
Map your cross-domain telemetry end to end. A single analyst should be able to correlate an identity anomaly in your directory service with a cloud control plane login and an endpoint behavioral flag without switching consoles. If that workflow requires four dashboards and a Slack thread, a 29-minute breakout will beat you every time.
Extend conditional access enforcement past the front door. Every privilege escalation and every sensitive resource request should trigger revalidation. An identity that authenticates from Houston and surfaces from Bucharest 20 minutes later should fire automatic step-up authentication or session termination.
Replace SMS and push-based MFA with phishing-resistant FIDO2 and passkey-based authentication everywhere feasible. Every push notification an attacker can fatigue-bomb is a session they can steal. This remains the cheapest upgrade that closes the widest gap.
Audit separation of duties on identity workflows. If one person or one service account can reset credentials, approve privileged access, and bypass MFA, that is a single point of failure that attackers will find. NOV eliminated that configuration.
Establish an out-of-band incident verification protocol with preshared secrets. If your team still confirms compromised accounts over a phone call or Slack message, deepfake voice and text can compromise that channel too. Build the protocol before you need it.
Create a dedicated budget line for identity-layer governance. Session governance, token lifecycle management, continuous identity verification, and standards like CAEP and the Shared Signals Framework need a single owner with a single budget. If that owner does not exist, attackers already own the gap.
Philips’s team went from discovering they couldn’t kill a compromised session to standing up rapid token revocation under real attack conditions. They shortened token lifetimes, eliminated single-person credential resets, deployed AI-driven log analysis, and built a dedicated revocation capability for their most critical resources. That transformation took months, not years.
The gap NOV closed exists inside nearly every enterprise that treats authentication as the finish line instead of the starting gun. Philips put it plainly: “Resetting a password isn’t enough anymore. You have to revoke session tokens instantly to stop lateral movement.” His team built the answer. The question for every other CISO is whether they find that gap on their own terms, or whether an attacker moving at 27 seconds finds it for them.
Presented by Veriff
Americans can’t reliably distinguish real from AI-generated content, and that’s not just a media literacy problem; it’s a direct threat to how businesses verify identity online.
New research finds that while many people are aware of deepfakes, their ability to distinguish them from reality is barely better than a coin flip. A 2026 survey conducted by Veriff and Kantar among 3,000 respondents in the United States, the United Kingdom, and Brazil shows Americans scoring just 0.07 on a scale where 0 represents random guessing.
If people can’t distinguish authentic visual content, they can’t reliably distinguish authentic identities. In practice, that means the same users interacting with digital services are often unable to tell whether the person on the other side of a screen is real.
That ineffectiveness has direct consequences for every digital business that relies on image- and video-based identity verification to confirm who is on the other side of a screen. That includes everything from customer bank onboarding and account recovery to marketplace seller verification, high-value ecommerce transactions, social platform authentication, and enterprise access control.
In the U.S., those consequences are already material — synthetic identity fraud now accounts for billions in annual losses, and the tools to generate convincing fakes are now widely accessible.
The report also identifies a small but high-risk cohort: the roughly 7% of users who perform poorly at detecting deepfakes, yet remain confident in their ability and rarely verify what they see. While this is small as a percentage, at scale it represents millions of accounts that are highly exploitable targets for fraud.
If users can’t reliably distinguish real from synthetic identities, then any system that depends on visual verification is fundamentally exposed. Identity verification can no longer be treated as a compliance function; instead, it has to be built as core digital infrastructure.
“Now that AI-generated content is becoming indistinguishable from reality, the human eye alone is no longer a reliable line of defense,” says Ira Bondar-Mucci, fraud platform lead at Veriff. “Businesses and policymakers in the U.S. need to close this awareness gap urgently, while simultaneously investing in automated verification technologies that can catch what humans simply can’t.”
The United States might be the global epicenter of generative AI development, but American consumers demonstrate the lowest familiarity with deepfakes among the three surveyed markets. Only 63% of U.S. adults are familiar with the term, compared to 74% in the UK and 67% in Brazil.
“There’s a paradox at play,” Bondar-Mucci says. “The U.S. is the global epicenter of AI development, yet American consumers are the least familiar with one of its most dangerous byproducts. Historically, consumers have had higher baseline trust in digital content, with the conversation about fraud centered more on data privacy than on content authenticity. The problem is that low awareness doesn’t reduce risk, it amplifies it. If you don’t know what a deepfake is, you’re far less likely to pause and verify whether you’ve encountered one.”
In practice, the randomness that characterizes consumer’s ability to distinguish real from fake is evident across the ways people assess different types of content. Video content proved to be especially difficult to assess, with fake videos frequently identified as authentic and real videos often flagged as fake. Even in side-by-side comparisons, respondents split their judgments close to evenly, another indication that visual inspection alone is no longer a reliable method for verifying authenticity.
Roughly half of U.S. respondents say they are confident in their ability to identify deepfakes, but that confidence far exceeds actual performance, demonstrating that self-assessment is effectively meaningless.
Within that population, there’s that small but high-risk cohort: the approximately 7% of users who are inaccurate, yet overconfident in their ability and rarely verify suspicious content.
“This confidence-competence gap creates a false sense of security that fraudsters are primed to use,” says Bondar-Mucci. “When people believe they can’t be fooled, they stop looking for the signs. That’s precisely when they’re most vulnerable, whether to a synthetic identity used in financial fraud or a fabricated video designed to manipulate trust.”
For businesses, the implication is clear: any organization that still relies on manual review processes or customer self-attestation is inheriting this vulnerability directly. Human judgment is an increasingly unreliable safeguard, and verification needs to be built into systems by default. This means automated, technology-led, and not dependent on the end user’s self-assessment of their ability to tell real from fake.
Concern about deepfakes is high across the U.S., with 79% of respondents reporting they are rather or extremely concerned about personal fraud and impersonation.
The U.S. diverges from other markets in where that concern gets directed. Americans are more likely than UK or Brazilian respondents to trust social media platforms and digital services to identify and manage AI-generated content. That delegation of responsibility may be reducing individual vigilance at exactly the moment the threat is accelerating.
“We’re seeing synthetic identities used to open fraudulent accounts and authorize transactions, and deepfake videos deployed to bypass basic verification checks,” he explains. “What makes this particularly urgent is the combination of great concern with relatively high platform trust. That gap between perceived and actual protection is exactly where fraud thrives.”
The gap between what Americans believe they can detect and what they actually can is not a knowledge problem that awareness campaigns will resolve, but a design flaw in any system that places the burden of identity verification on unassisted human judgment.
The effective response is not to remove humans from the verification loop, but to stop assigning them tasks that human perception can no longer perform reliably. Organizations that persist in relying on manual review processes or customer self-attestation are absorbing this vulnerability into their operations.
The alternative is automated, AI-powered identity verification that operates at the point of interaction, detects synthetic media before a human decision is required, and does not depend on the end user’s ability to distinguish real from fake.
“Seeing is no longer believing,” says Bondar-Mucci. “The companies that build verification infrastructure around that reality, rather than around the assumption that it will be otherwise, are the ones best positioned to sustain customer trust as the synthetic media landscape continues to evolve.”
Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. For more information, contact sales@venturebeat.com.
More than a dozen Nvidia GPU flaws were fixed, including several high-severity ones.

When Microsoft announced it was acquiring GitHub in a $7.5 billion deal in 2018, developers were nervous. Some were concerned about Microsoft controlling GitHub, and others were taking a wait-and-see approach. Nearly eight years later, GitHub is now fighting for its survival, amid a surge of outages, security issues, and pressure from competitors. In the […]
Researchers found a new Elasticsearch instance containing plenty of sensitive data.
TeamPCP continues its attack on open source projects, now apparently asking for $50,000.
The loophole allows spammers and scammers to send emails from a legitimate Microsoft email address typically used for sending genuine account alerts.
GitHub is just the latest victim of TeamPCP, a gang that has carried out a spree of software supply chain attacks that has impacted hundreds of organizations.
France is already moving on from Zoom and Microsoft Teams in favor of homegrown alternatives. Other countries are quickly following suit.
MSHTA is being used for both simple and advanced threats, deploying loaders and infostealers.