Zero Trust vs. Adaptive Identity: What CISOs Are Getting Wrong

Zero Trust is hailed as the foundation of contemporary cybersecurity. Yet many organizations find that their Zero Trust programs underperform even after broad adoption. The missing piece is adaptive identity: instead of static, point-in-time checks, it continuously reassesses user trust against changing context and risk signals.
This article explains why static identity mechanisms are the primary cause of stalled Zero Trust deployments, draws on real-world examples from several industries, and lays out a strategic roadmap for integrating adaptive identity capabilities into stronger, more resilient defenses.
The Blind Spot for Identity in Zero Trust Implementations
Why a Lot of Zero Trust Projects Fail
Many deployments treat identity as a static checkpoint, despite Zero Trust’s mandate to “never trust, always verify.” The typical pattern: after passing MFA at login, users enjoy long session lifetimes without revalidation, while the threat picture keeps changing. Anomalous activity, compromised devices, and stolen tokens all go unnoticed for the rest of the session.
A $40 million Zero Trust rollout at a major U.S. healthcare network illustrates the problem. Its primary Electronic Health Record (EHR) system, essential for patient care, still relied on antiquated authentication that kept sessions alive indefinitely after login. Because the system never re-evaluated trust mid-session, an attacker who compromised a clinician’s laptop was able to read thousands of private patient records without being detected.
The Static Identity Snapshot
Conventional identity checks, such as requiring a username, password, and multi-factor authentication at login, examining device posture, and granting fixed role-based access, produce an "identity snapshot." Because these checks ignore risk that arises during the session, organizations remain exposed to insider threats and session hijacking.
- Determine whether your Zero Trust deployment continuously verifies identity or relies on static checkpoints.
- Identify which legacy applications cannot support adaptive authentication.
- Above all, invest in technologies that enable real-time risk assessment.
The Effects of Static Identity
Token theft and session takeover
In the 2023 MGM Resorts breach, attackers stole Okta session tokens and bypassed MFA entirely. The tokens remained valid for long periods without revalidation, which let the attackers move freely and reach sensitive systems for weeks without being caught.
Hardcoded secrets and cloud credential sprawl
The 2022 Uber breach showed how attackers can reach hardcoded AWS API keys stored in public repositories. Static identity mechanisms could not detect unusual use of these credentials, which gave the attackers more time to persist on the network.
The problem with identity snapshots
Static identity checks performed at login miss risks that emerge during a session. Attackers exploit this gap to escalate privileges, move laterally, and exfiltrate data before anyone notices.
- Shorten session token lifetimes to reduce exposure windows.
- Deploy risk-based authentication that triggers MFA challenges automatically when risk rises.
- Use User and Entity Behavior Analytics (UEBA) to detect anomalies.
Adaptive Identity: Continuous, Context-Aware Trust
What is adaptive identity?
Adaptive identity evaluates contextual signals, such as changes in device health, geolocation, or user behavior, and adjusts access permissions on the fly during active sessions.
- Behavioral Biometrics: Keystroke patterns, mouse movements, and touch dynamics build unique user profiles.
- Risk-Based MFA: Challenges are issued whenever risk spikes, not only at login.
- Identity Threat Detection and Response (ITDR): Real-time threat intelligence feeds identity risk models.
Microsoft Entra Identity Protection
Microsoft's adaptive identity service detects sign-in anomalies such as impossible travel to stop account takeovers. When it finds one, it requires reauthentication or terminates the session.
- Start adaptive identity pilots with sensitive data and critical applications.
- Use behavioral analytics to reduce user friction and false positives.
- Work with IAM providers that offer dynamic risk scoring and orchestration.
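As an added illustration (not code from the article or from any vendor's product), the Python sketch below shows the mid-session re-evaluation described in this section and the token-lifetime and risk-based MFA measures listed earlier: every request is scored against the session's last known context, and impossible travel, a degraded device posture, or an aged MFA proof yields a terminate, step-up, or allow decision. The thresholds, field names, and coordinates are constructed assumptions.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

# Constructed thresholds (assumptions); real deployments tune them from telemetry.
MAX_TOKEN_AGE_S = 3600      # demand fresh MFA once the last proof is older than this
MAX_PLAUSIBLE_KMH = 900     # faster than an airliner counts as impossible travel

@dataclass
class Session:
    user: str
    last_auth_ts: float      # time of the last successful MFA (login or step-up)
    last_ts: float           # time of the last accepted request
    last_lat: float
    last_lon: float
    device_compliant: bool   # device posture seen at the last accepted request

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km, used for the impossible-travel check."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def evaluate(session, event):
    """Score one in-session request against the session's last known context.
    event: {"ts", "lat", "lon", "device_compliant"}.
    Returns (decision, signals) with decision in {"allow", "step_up", "terminate"}."""
    signals = []
    hours = max((event["ts"] - session.last_ts) / 3600.0, 1e-6)
    km = haversine_km(session.last_lat, session.last_lon, event["lat"], event["lon"])
    if km / hours > MAX_PLAUSIBLE_KMH:
        signals.append("impossible_travel")
    if session.device_compliant and not event["device_compliant"]:
        signals.append("posture_degraded")
    if event["ts"] - session.last_auth_ts > MAX_TOKEN_AGE_S:
        signals.append("token_aged")
    if "impossible_travel" in signals:
        return "terminate", signals   # the token is probably being replayed elsewhere
    if signals:
        return "step_up", signals     # keep the session but require a fresh MFA proof
    # Accepted without a challenge: roll the session's context forward.
    session.last_ts = event["ts"]
    session.last_lat, session.last_lon = event["lat"], event["lon"]
    return "allow", signals

def record_step_up(session, event):
    """Call after a successful step-up challenge: fresh MFA resets the token age."""
    session.last_auth_ts = session.last_ts = event["ts"]
    session.last_lat, session.last_lon = event["lat"], event["lon"]
    session.device_compliant = event["device_compliant"]
```

A login that passed MFA once is only the starting point here; the session keeps earning or losing trust with each request, which is the behavior a static snapshot cannot provide.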
What each industry faces
Healthcare
Legacy EHR systems integrate poorly with modern authentication, which raises their risk. In 2023, a ransomware attack exploited static LDAP authentication in a hospital's EHR and caused major operational disruption.
Financial Services
Banks and other financial institutions face complex regulation and highly sophisticated phishing campaigns. Adaptive identity that includes behavioral biometrics has cut account takeover fraud by 40% at major banks.
Technology
Hardcoded secrets and sprawling DevOps tokens are common. Recent incidents at SaaS providers show that long-lived tokens whose identity is never re-evaluated expose businesses to undetected breaches.
- Tailor adaptive identity strategies to the risks and regulations specific to each industry.
- Prioritize legacy systems and high-risk applications for early adaptive identity integration.
Emerging Risks That Underscore the Need for Adaptive Identity
- Token Theft: Adversary-in-the-middle (AITM) phishing kits account for more than 30% of token-based account takeover incidents.
- AI-Assisted Attacks: Attackers use AI to map networks and rapidly plan lateral movement.
- Threat Intel Integration: Real-time feeds inform risk scoring and block malicious access quickly.
- M&A Complexity: Adaptive identity limits breach escalation by unifying risk monitoring across all infrastructures.
- Feed threat intelligence into identity decision systems to improve them.
- Design identity frameworks that account for differences across clouds and the complexity of mergers.
- Keep teams current on the latest AI-driven threats.
CISO Adaptive Identity Transition Roadmap
- Inventory the most critical legacy systems and static identity touchpoints, then rate them by risk.
- Pilot adaptive identity on high-risk applications first, such as cloud apps and VPN access.
- Use identity orchestration layers to connect older systems smoothly.
- Measure and Improve: Keep refining your models while tracking key performance indicators (KPIs) such as phishing losses, blocked high-risk access, and user friction.
- Secure leadership buy-in by stressing risk reduction and business continuity.
- Work with IAM providers to understand each platform's strengths and limitations.
- Invest in training and change management so users can adopt the new system smoothly.
Measuring Success and Continuous Improvement
Key performance indicators (KPIs) include:
- Number of high-risk access attempts blocked.
- Fewer account takeover and phishing incidents.
- Average session risk scores and frequency of anomaly detection.
- User experience metrics, such as help desk authentication support tickets.
Checklist
- Run regular red team exercises that simulate session hijacking and lateral movement.
- Conduct penetration testing focused on adaptive identity controls and orchestration points.
- Retrain AI and ML detection models to handle new attack patterns.
Adaptive Identity: The New Frontier
Static authentication leaves businesses exposed to sophisticated adversaries, complex hybrid clouds, and fast-changing threats. Adaptive identity provides the living, continuous trust fabric needed to implement Zero Trust fully.
CISOs who prioritize adaptive identity integration will not only close critical security gaps but also be able to lead digital transformation safely.
Review your identity environment today: find static gaps, pilot adaptive identity in key systems, and refine the design so that your Zero Trust architecture becomes truly dynamic, context-aware, and resilient. The future of enterprise security depends on it.
