17 March 2026

Identity Security Gap: What Zero Trust Doesn’t Protect – And How to Close It


Zero Trust made a promise: Trust no one, verify everything, minimize the blast radius. But attackers have adapted. They don’t break in anymore – they log in. With stolen session tokens, AI-generated phishing emails, and deepfake voice calls, they bypass MFA and Zero Trust policies alike. This vulnerability has a name: the Identity Security Gap.

TL;DR

  • 🔒 87 percent of organizations experienced at least two identity-based breaches in the past 12 months (CyberArk 2025).
  • ⚠️ 84 percent of compromised accounts had MFA enabled. Session token theft completely bypasses the second factor (Obsidian Security).
  • 🛡️ Vishing attacks surged by 442 percent within six months, driven by AI voice synthesis (CrowdStrike GTR 2025).
  • 📊 17.3 billion stolen session cookies are circulating on the dark web. Each malware infection harvests an average of 1,861 cookies (SpyCloud 2025).
  • 🔧 ITDR (Identity Threat Detection and Response) closes the gap between granting access and detecting abuse.

The Illusion of Security

The numbers speak for themselves. According to the CyberArk Identity Security Landscape Report 2025, 87 percent of surveyed organizations reported at least two successful identity-based breaches in the past twelve months. Ninety-one percent experienced at least one incident. At the same time, 87 percent of large organizations already use multi-factor authentication.

This means most companies are being compromised despite having MFA. The issue isn’t whether MFA is enabled. The real question is: What happens after an attacker bypasses the second factor?

Obsidian Security quantified this precisely: 84 percent of the compromised accounts they observed had MFA activated. Attackers didn’t need to crack it – they simply bypassed it.

  • 87 %: had two or more identity breaches
  • 84 %: compromised despite MFA
  • +442 %: vishing increase in H2 2024

Sources: CyberArk 2025, Obsidian Security, CrowdStrike GTR 2025

How Attackers Bypass Zero Trust

Zero Trust rests on one core principle: Every access request is verified, regardless of location. This works well against network-based attacks. But it has a blind spot: When an attacker possesses a legitimate session token, the system sees them as an authenticated user. Zero Trust cannot tell whether the person behind the token is actually authorized.

Session token theft is the most efficient bypass method. Infostealer malware such as Lumma, Redline, and Vidar extracts session cookies directly from browser memory. No password needed, no MFA prompt. The attacker imports the cookie into their browser and gains immediate access. Microsoft explicitly warned in its Digital Defense Report 2025 about the theft of ESTSAUTHPERSISTENT cookies in Azure and Microsoft 365 environments.

The scale is massive: SpyCloud has documented 17.3 billion stolen session cookies on the dark web. On average, each malware infection harvests 1,861 cookies and 44 credentials. In 2024 alone, infostealers exfiltrated 548 million credentials.

AiTM phishing (Adversary-in-the-Middle) is the second major vector. Attackers position themselves as a transparent proxy between the user and the service. The user sees the real login page, enters their credentials, and completes MFA. But the proxy captures the session token. Microsoft observed over 10,000 AiTM attacks per month against Microsoft 365 users in 2024. Toolkits like Tycoon 2FA, EvilProxy, and Evilginx have industrialized the process. As of June 2025, 88 percent of all AiTM attacks are proxy-based.

“Credential compromise is the most common cause of data breaches. Yet, the importance of Identity and Access Management for achieving cybersecurity objectives is often underestimated.”
Gartner, cited in CyberArk CISO Guide 2026

The Human Factor: 442 Percent More Vishing

Beyond technical bypasses, one attack vector is growing that cannot be solved with technology alone. According to the CrowdStrike Global Threat Report 2025, voice phishing (vishing) increased by 442 percent between the first and second halves of 2024. This surge is fueled by AI voice synthesis: just three seconds of audio are enough to create a voice clone with 85 percent accuracy.

CrowdStrike also reports that AI-generated phishing emails achieve a click-through rate of 54 percent – compared to just 12 percent for human-crafted phishing. The industrialization of social engineering via generative AI is fundamentally reshaping the threat landscape.

For IT security teams, this means traditional phishing training is no longer sufficient when attack quality has quadrupled. Technical controls must now compensate for social engineering, not just complement it.

The Blind Spot: Machine Identities

Most identity security strategies focus on human users. Yet, the CyberArk Machine Identity Report 2025 reveals that machine identities (service accounts, API keys, certificates, workload identities) outnumber human identities by a factor of 82 to 1. Nearly half of these have sensitive or privileged access rights.

Meanwhile, 68 percent of organizations have not implemented identity security controls for AI systems. Forty-seven percent cannot secure shadow AI usage. In a world where AI agents increasingly access systems autonomously, every uncontrolled machine identity becomes a potential entry point.

  • 82 : 1: machine identities to human identities in enterprises (Source: CyberArk Machine Identity Report 2025)

ITDR: The Missing Layer

Identity Threat Detection and Response (ITDR) closes the gap that Zero Trust leaves open. While Zero Trust governs access, ITDR monitors behavior after authentication. Gartner coined the term once it became clear that traditional IAM hygiene – such as PAM and Identity Governance – is no longer enough.

ITDR correlates authentication logs, device signals, and user context in real time. If a user logs in from Munich and five minutes later a session activates from Bucharest, ITDR detects the inconsistency. If a service account suddenly accesses resources it has never touched before, ITDR raises the alarm.
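The two correlations described above (impossible travel between consecutive sign-ins, and a service account touching a resource outside its baseline) can be expressed as a small post-authentication detector. The code below is an added example, not code from the article or from any ITDR vendor; the event format, the 900 km/h plausibility ceiling, the 50 km "same place" tolerance and the service-account baseline are all constructed assumptions for the demonstration.

```python
"""ITDR-style post-authentication checks over constructed sign-in events.

Added example (not the article's or a vendor's code). Event tuple format,
thresholds and the service-account baseline are assumptions for the demo.
"""
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumed ceiling: roughly airliner ground speed
NEAR_ZERO_KM = 50.0         # assumed: movement below this is same-city noise

# Constructed sign-in events: (user, UTC timestamp, latitude, longitude, resource).
SAMPLE_EVENTS = [
    ("alice", "2026-03-17T08:00:00Z", 48.1351, 11.5820, "mail"),        # Munich
    ("alice", "2026-03-17T08:05:00Z", 44.4268, 26.1025, "mail"),        # Bucharest, 5 min later
    ("bob",   "2026-03-17T08:00:00Z", 48.1351, 11.5820, "sharepoint"),  # Munich
    ("bob",   "2026-03-17T10:30:00Z", 52.5200, 13.4050, "sharepoint"),  # Berlin, 2.5 h later
    ("svc-backup", "2026-03-17T02:00:00Z", 48.1351, 11.5820, "backup-share"),
    ("svc-backup", "2026-03-17T02:10:00Z", 48.1351, 11.5820, "hr-database"),  # never touched before
]

# Constructed baseline: which resources each monitored service account normally reads.
SERVICE_BASELINE = {"svc-backup": {"backup-share"}}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per pair of consecutive sign-ins of the same user whose
    implied ground speed exceeds max_kmh. Events may arrive out of order."""
    by_user = defaultdict(list)
    for user, ts, lat, lon, _resource in events:
        by_user[user].append((parse_ts(ts), lat, lon))
    alerts = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r[0])
        for (t1, la1, lo1), (t2, la2, lo2) in zip(rows, rows[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            if dist < NEAR_ZERO_KM:
                continue                       # same place: nothing to correlate
            hours = (t2 - t1).total_seconds() / 3600.0
            # Two distant sign-ins with identical timestamps: treat as infinite speed
            # rather than dividing by zero.
            speed = float("inf") if hours == 0 else dist / hours
            if speed > max_kmh:
                alerts.append({"user": user, "distance_km": round(dist, 1),
                               "minutes": round(hours * 60, 1), "speed_kmh": speed})
    return alerts


def detect_new_resource_access(events, baseline):
    """Flag a monitored account (present in baseline) accessing a resource
    that is not in its baseline set. Accounts without a baseline are ignored."""
    alerts = []
    for user, ts, _lat, _lon, resource in events:
        known = baseline.get(user)
        if known is not None and resource not in known:
            alerts.append({"user": user, "resource": resource, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(SAMPLE_EVENTS):
        print("impossible travel:", alert)
    for alert in detect_new_resource_access(SAMPLE_EVENTS, SERVICE_BASELINE):
        print("off-baseline access:", alert)
```

Run as-is, the Munich-to-Bucharest pair (about 1,190 km in five minutes) is flagged while the Munich-to-Berlin pair (about 500 km in 2.5 hours) is not, and the backup service account is flagged for its first read of the HR database. A production detector would add a response action on each alert (the session revocation the article describes in step 4) and would learn the baseline from history rather than hard-coding it.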

In July 2025, Microsoft unveiled its ITDR strategy, integrating it into Microsoft Entra. The approach combines token protection, conditional access evaluation, and continuous anomaly detection. For DACH-region companies already using Microsoft 365, this offers the fastest path into ITDR.

What IT Security Teams Should Do Now

1. Prioritize session token protection. Implement token binding and conditional access policies that tie tokens to specific devices. Use short token lifespans (maximum 8 hours for sensitive systems). Enable Continuous Access Evaluation (CAE) wherever available.

2. Roll out passkeys. Passkeys (FIDO2) are currently the only phishing-resistant authentication mechanism. According to the FIDO Alliance 2025, 47 percent of companies have already deployed enterprise passkeys. Crucially: eliminate all phishable fallback mechanisms (SMS, “forgot password”) – otherwise, the fallback undermines the security.

3. Inventory machine identities. Catalog service accounts, API keys, and certificates. Review privileged access rights. Implement rotation and lifecycle management. With 82 machine identities per human, this is where the greater risk lies.

4. Implement ITDR. Deploy behavior-based anomaly detection for Active Directory and cloud identities. Correlate authentication logs across all identity providers. Enable automatic session revocation upon suspicious activity.

5. Modernize social engineering defenses. With vishing attacks up 442 percent, standard training is no longer enough. Technical measures include out-of-band verification for sensitive requests, automated deepfake detection in video calls, and callback policies for all financial transactions above a threshold.
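Steps 1, 2 and 4 above describe checks a resource server can apply to every presented session token: is it bound to the device that presents it, is it younger than the 8-hour cap, was it issued by a phishing-resistant method rather than a phishable fallback, and has the session been revoked since issuance. The following is an added example, not code from the article or from Microsoft Entra; it works on already signature-verified claims, uses the standard `exp`, `iat`, `amr` and `cnf` claim names (RFC 7519, RFC 8176, RFC 7800), and treats the `device_id` field under `cnf`, the revocation set and the mapping of `amr` values to "phishing-resistant" as constructed policy assumptions.

```python
"""Per-request session token checks for token binding, maximum age,
phishing-resistant method and revocation.

Added example (not the article's or a vendor's code). Claim names exp/iat
(RFC 7519), amr (RFC 8176) and cnf (RFC 7800) are standard; the device_id
field under cnf, the amr policy sets and the revocation set are assumptions.
Signature verification of the token is assumed to have happened already.
"""
from datetime import datetime, timedelta, timezone

MAX_TOKEN_AGE = timedelta(hours=8)            # the article's cap for sensitive systems
PHISHING_RESISTANT_AMR = {"hwk", "swk"}       # assumed policy: key-based methods only
PHISHABLE_AMR = {"sms", "tel", "kba"}         # RFC 8176 values this policy refuses


def evaluate_session(claims, presenting_device, revoked_sids, now):
    """Return (allowed, reasons) for a decoded token presented by a device."""
    reasons = []
    exp = datetime.fromtimestamp(claims["exp"], tz=timezone.utc)
    iat = datetime.fromtimestamp(claims["iat"], tz=timezone.utc)
    if now >= exp:
        reasons.append("expired")
    if now - iat > MAX_TOKEN_AGE:
        reasons.append("older than 8h cap")      # enforced even if exp is generous
    bound = claims.get("cnf", {}).get("device_id")   # assumed binding field
    if bound is None:
        reasons.append("not device-bound")
    elif bound != presenting_device:
        reasons.append("device mismatch")        # token replayed from another machine
    amr = set(claims.get("amr", []))
    if amr & PHISHABLE_AMR or not amr & PHISHING_RESISTANT_AMR:
        reasons.append("not phishing-resistant")
    if claims.get("sid") in revoked_sids:
        reasons.append("session revoked")        # continuous evaluation hook
    return (not reasons, reasons)


def make_claims(issued, device, amr, sid, lifetime_hours=1):
    """Build a constructed claim set for the scenarios below."""
    return {
        "iat": int(issued.timestamp()),
        "exp": int((issued + timedelta(hours=lifetime_hours)).timestamp()),
        "cnf": {"device_id": device},
        "amr": amr,
        "sid": sid,
    }


NOW = datetime(2026, 3, 17, 12, 0, tzinfo=timezone.utc)   # constructed clock


def run_scenarios():
    """Evaluate five constructed tokens and return the decision per scenario."""
    revoked = {"sid-3"}
    fresh = make_claims(NOW - timedelta(minutes=10), "laptop-a", ["hwk", "mfa"], "sid-1")
    stale = make_claims(NOW - timedelta(hours=9), "laptop-a", ["hwk"], "sid-2", lifetime_hours=24)
    revoked_tok = make_claims(NOW - timedelta(minutes=5), "laptop-a", ["hwk"], "sid-3")
    sms_fallback = make_claims(NOW - timedelta(minutes=5), "laptop-a", ["pwd", "sms"], "sid-4")
    return {
        "fresh": evaluate_session(fresh, "laptop-a", revoked, NOW),
        "replayed": evaluate_session(fresh, "vm-b", revoked, NOW),   # same token, other device
        "stale": evaluate_session(stale, "laptop-a", revoked, NOW),
        "revoked": evaluate_session(revoked_tok, "laptop-a", revoked, NOW),
        "sms": evaluate_session(sms_fallback, "laptop-a", revoked, NOW),
    }


if __name__ == "__main__":
    for name, (allowed, reasons) in run_scenarios().items():
        print(f"{name:9s} allowed={allowed} reasons={reasons}")
```

The "replayed" scenario is the session-token-theft case from the article: the token itself is valid, and only the binding check rejects it. The "stale" scenario shows why the age cap is checked independently of `exp`: an issuer that hands out 24-hour tokens would otherwise leave a stolen cookie usable for a full day.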

Conclusion: Identity Is the New Perimeter

Zero Trust transformed network security. But it left a gap: identity itself. When 87 percent of organizations suffer identity-based breaches despite MFA and Zero Trust, identity security is no longer just one priority among many – it is the priority.

The technology exists. Token binding, passkeys, ITDR, and machine identity management are all available. What’s missing is the realization that securing identity deserves at least as much attention as securing the network. Anyone who still believes MFA is sufficient hasn’t understood the threat landscape of 2026.

Frequently Asked Questions

What is the Identity Security Gap?

The gap between what Zero Trust and MFA protect (network access) and what attackers actually exploit – stolen identities and session tokens. 84 percent of compromised accounts had MFA enabled. Attackers bypass it rather than break it.

Why is MFA no longer reliable?

Attackers use session token theft (infostealer malware), AiTM phishing (transparent proxies), and social engineering (AI-powered vishing). All three methods bypass MFA by capturing the token after successful authentication or tricking the user into revealing it.

What is ITDR?

Identity Threat Detection and Response. A Gartner-coined approach that performs behavioral analysis after authentication. ITDR detects when a legitimate session is being abused – for example, through impossible travel speeds, atypical access patterns, or sudden privilege escalation.

How dangerous are machine identities?

Machine identities (service accounts, API keys, certificates) outnumber human identities 82 to 1. Nearly half have privileged access rights. Sixty-eight percent of organizations have not implemented specific security controls for machine identities.

What should companies do first?

Enable session token protection (token binding, short lifespans, CAE). Deploy phishing-resistant authentication (passkeys/FIDO2) and eliminate all phishable fallbacks. Inventory machine identities. Then implement ITDR as a continuous monitoring layer.

Header Image Source: Pexels / Tima Miroshnichenko

About the author: Benedikt Langer

A magazine by Evernine Media GmbH