MFA verifies who logged in. It has no idea what they do next.
Every MFA check passed. Every login was legitimate. The compliance dashboard was green across every identity control. And the attacker was already inside, moving laterally through Active Directory with a valid session token, escalating privileges on a trajectory toward the domain controller.

This is the scenario playing out inside enterprises that invested heavily in authentication and assumed the job was done. The credential was real. The multi-factor challenge was answered correctly. The system performed exactly as designed. It authenticated the user at the front door and never looked again. The breach didn't bypass MFA. It started after MFA succeeded.

Authentication proves identity at a single point in time. Then it goes blind. Everything that follows, the lateral movement, the privilege escalation, the quiet exfiltration through Active Directory, falls outside what MFA was ever designed to see.

A CIO found the gap in production

Alex Philips, CIO at NOV, identified the gap through operational testing. "We found a gap in our ability to revoke legitimate identity session tokens at the resource level. Resetting a password isn't enough anymore. You have to revoke session tokens instantly to stop lateral movement," he told VentureBeat.

What Philips found wasn't a misconfiguration. It was an architectural blind spot that exists in nearly every enterprise identity stack. Once a user authenticates successfully, the resulting session token carries that trust forward without reassessment. The token becomes a bearer credential. Whoever holds it, attacker or employee, inherits every permission associated with the session. NOV's investigation confirmed that identity session token theft is the vector behind the most advanced attacks they track, driving the team to tighten identity policies, enforce conditional access, and build rapid token revocation from the ground up.

Average e-crime breakout time dropped to 29 minutes in 2025, with the fastest recorded breakou
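The bearer-token gap described above, as an added illustration that is not code from the article or from NOV: a resource re-checks every presented token against a per-user session generation and a revoked-session set, so that a password reset on its own changes nothing for an already-minted token, while bumping the generation (or revoking one session ID) rejects it instantly. The token format, signing key and the `ResourceGuard` class are constructed for this example.

```python
import base64, hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-signing-key"  # constructed; keep the real one in a KMS/HSM
TOKEN_TTL = 3600  # seconds a token stays usable if nothing revokes it

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user: str, session_id: str, generation: int, issued_at: float) -> str:
    """Mint a signed bearer token once MFA has succeeded (constructed format, not a real IdP's)."""
    payload = json.dumps({"sub": user, "sid": session_id, "gen": generation, "iat": issued_at}).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"

class ResourceGuard:
    """Re-checks the bearer token on every resource access instead of trusting it until expiry."""

    def __init__(self):
        self.user_generation = {}   # user -> oldest token generation still accepted
        self.revoked_sessions = set()

    def current_generation(self, user: str) -> int:
        return self.user_generation.get(user, 0)

    def revoke_user_sessions(self, user: str) -> None:
        # A password reset alone leaves issued tokens valid; bumping the generation kills all of them.
        self.user_generation[user] = self.current_generation(user) + 1

    def revoke_session(self, session_id: str) -> None:
        self.revoked_sessions.add(session_id)  # targeted revocation of one suspect session

    def verify(self, token: str, now: float) -> tuple[bool, str]:
        try:
            payload, sig = (_unb64(part) for part in token.split("."))
        except ValueError:
            return False, "malformed"
        if not hmac.compare_digest(sig, hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()):
            return False, "bad signature"
        claims = json.loads(payload)
        if now > claims["iat"] + TOKEN_TTL:
            return False, "expired"
        if claims["sid"] in self.revoked_sessions:
            return False, "session revoked"
        if claims["gen"] < self.current_generation(claims["sub"]):
            return False, "all sessions for user revoked"
        return True, "ok"
```

The generation counter is the part a password-reset flow typically lacks: unless the reset also increments it (or the resource consults it), a stolen token keeps working until its TTL runs out.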