Identity saw a large push for MFA in 2024, but now that bad actors are stealing credentials, what’s next?
Posted by: Ben MartinMooney
Guest Author: Chad Cragle, CISO, Deepwatch
Threat actors are constantly evolving, just like the broader security landscape, and multifactor authentication (MFA) alone is no longer sufficient. There has been a push for MFA, not just in 2024, but for several years. However, those who haven’t adopted this fundamental security control are at risk of an attacker exploiting MFA fatigue, social engineering, and AI-driven credential theft to circumvent authentication controls.
The next evolution in identity security should be adaptive authentication, as traditional methods like passwords and static MFA are increasingly vulnerable to sophisticated attacks. Adaptive authentication enhances access control by dynamically evaluating multiple risk factors, including device fingerprinting, behavioral biometrics, and geo-velocity, to determine the legitimacy of a login attempt in real time. This enables organizations to strike a balance between user experience and enhanced security.
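To make the risk evaluation concrete, here is an added example (not from the article or from Deepwatch) that scores a login on two of the factors named above, geo-velocity and device fingerprint, and returns allow, step-up, or deny. The thresholds, weights, `Login` fields, and sample events are assumptions chosen for illustration; behavioral biometrics is left out.

```python
import math
from dataclasses import dataclass

# All thresholds and weights are illustrative assumptions, not from the article.
MAX_PLAUSIBLE_KMH = 900.0   # about airliner cruise speed
MIN_DISTANCE_KM = 100.0     # below this, treat movement as GeoIP noise
STEP_UP_SCORE, DENY_SCORE = 40, 80

@dataclass
class Login:
    ts: float        # epoch seconds
    lat: float
    lon: float
    device_id: str   # hypothetical stable device fingerprint

def haversine_km(a: Login, b: Login) -> float:
    """Great-circle distance between two login locations."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def geo_velocity_kmh(prev: Login, cur: Login) -> float:
    """Implied travel speed; small hops count as 0, zero/negative gaps as infinite."""
    dist = haversine_km(prev, cur)
    if dist < MIN_DISTANCE_KM:
        return 0.0
    hours = (cur.ts - prev.ts) / 3600.0
    return math.inf if hours <= 0 else dist / hours

def assess(prev, cur: Login, known_devices: set):
    """Return (decision, score, reasons) for a login attempt."""
    score, reasons = 0, []
    if prev is not None and geo_velocity_kmh(prev, cur) > MAX_PLAUSIBLE_KMH:
        score += 60
        reasons.append("impossible_travel")
    if cur.device_id not in known_devices:
        score += 40
        reasons.append("new_device")
    if score >= DENY_SCORE:
        return "deny", score, reasons
    if score >= STEP_UP_SCORE:
        return "step_up", score, reasons
    return "allow", score, reasons

# Constructed sample events: New York, then London one hour later.
NY = Login(0.0, 40.7128, -74.0060, "dev-a")
LONDON_1H = Login(3600.0, 51.5074, -0.1278, "dev-a")
```

With the constructed events, a known device that appears in London one hour after New York gets a step-up challenge, and the same jump from an unknown device is denied.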
Another advancement is going passwordless. This approach is gaining traction, with passkeys, FIDO2/WebAuthn, and biometrics reducing reliance on passwords. If credentials don’t exist, they can’t be stolen or phished. However, attackers will inevitably adapt, targeting session hijacking and biometric spoofing. Organizations implementing these advancements now will be stronger as identity attacks evolve. Transitioning to more advanced controls will aid in maturity, but organizations must continually adapt as the landscape changes.
How will the threat to human identities change over the coming year?
Identity will continue to be one of the primary attack vectors for cybercriminals. However, these methods are already evolving: AI-powered phishing, deepfake social engineering, and session hijacking will render identity-based attacks more convincing and scalable. Criminal marketplaces that sell compromised credentials and session tokens will enable attackers to bypass security controls entirely.
To counter this, organizations must adopt:
- Continuous authentication to verify users beyond initial login.
- Least privilege enforcement to minimize the blast radius of compromised accounts.
- Identity Threat Detection and Response (ITDR) to monitor, detect, and respond to anomalous identity behaviors in real time.
Traditional IAM is no longer adequate; security teams must actively monitor identity behaviors and automate response actions when anomalies are identified.
Will the implementation of Zero Trust change throughout 2025 and into 2026?
Zero Trust will evolve beyond policy statements into real-time, AI-driven enforcement. Many organizations have adopted Zero Trust principles, but static controls and manual approvals still create gaps. By 2025, Zero Trust should become more automated and adaptive.
Expect to see:
- AI-powered anomaly detection to identify and block suspicious access in real time.
- Dynamic access policies that continuously adjust based on contextual risk.
- Microsegmentation and identity-aware firewalls to minimize lateral movement during a breach.
Organizations that fail to automate enforcement will find themselves vulnerable as attackers adapt to bypass static security models.
Will Gen-AI increase this threat? Will Gen-AI reduce the threat?
AI serves as a weapon for both defenders and attackers. Threat actors are utilizing Gen-AI to automate phishing campaigns, create deepfake identities, and generate highly convincing social engineering attacks at scale. AI-powered identity fraud is no longer a theoretical concept. It is actively being employed to bypass traditional security controls.
On the defensive side, AI-driven security operations can identify anomalies, automate response actions, and enhance real-time risk analysis. Today, organizations that invest in AI-driven identity protection will be better equipped to defend against AI-powered attacks.
The key challenge lies in who innovates faster. Organizations will struggle to keep pace if attackers advance their AI capabilities more quickly than defenders. The future of identity security hinges on security teams leveraging AI not just to react to threats but to anticipate and prevent them before they occur.
Final Thoughts
Identity security is at a critical juncture. MFA alone is no longer sufficient, and adversaries are leveraging AI to erode traditional defenses—the attack surface is shifting from stolen credentials to session hijacking and AI-driven impersonation. Organizations must shift from static controls to adaptive, AI-driven security models.
Security teams should focus on:
- Proactive identity defense—AI-powered detection and continuous authentication.
- Passwordless adoption—Eliminating credentials to reduce phishing risk.
- Automated Zero Trust enforcement—Minimizing lateral movement and privilege escalation.
The winners in this evolving threat landscape will be those who embrace automation, continuous authentication, and real-time identity threat detection through advanced solutions like Managed Detection and Response (MDR). The time to act is now; if security teams don’t innovate faster than attackers, the consequences will be severe. Organizations should assess whether their current security operations can effectively detect and respond to identity-based threats.
To see how Deepwatch MDR can enhance your identity protection and overall security posture, visit our website.
Ben MartinMooney
Product Marketing Manager,
GuidePoint Security