Stolen credentials were the root cause of more than 30% of data breaches last year, according to Verizon’s 2025 Data Breach Investigations Report. Attackers compromised more than 23 million unmanaged and user-controlled devices—including personal laptops and home systems used in remote work settings—to extract login information, often using session cookies to bypass multi-factor authentication and other access controls.
“Credentials don’t just manifest—you’re either phishing them, brute forcing them, or stealing them via malware,” said Philippe Langlois, lead data scientist at Verizon and co-author of the 2025 DBIR, speaking at last month’s RSAC 2025.
Those numbers aren’t outliers—they’re symptoms of a deeper failure in enterprise cybersecurity. Identity systems, Langlois noted at RSAC 2025, are now routinely exploited as entry points, with attackers relying less on technical exploits—like finding and exploiting software vulnerabilities—and more on credential-based access, where they simply log in using stolen usernames, passwords, or hijacked sessions.
A recent breach at the U.K.'s Legal Aid Agency illustrates the risk of relying on identity systems that lack strong session controls, endpoint oversight, and multi-factor enforcement. In this incident, attackers used compromised credentials to access internal systems and exfiltrate millions of sensitive legal and financial records, disrupting services and prompting an emergency shutdown.
Similar identity-driven breaches have occurred, such as those impacting Marks and Spencer, Coinbase, Snowflake, and 23andMe, illustrating how widespread and persistent the problem has become.
“We see this over and over again—attackers use credentials to walk right in,” Langlois said. “The network didn’t fail. The login did.”
Despite more than a decade of investment in zero trust architecture—a model that assumes no one, not even someone inside your network, should be trusted by default—adversaries continue to gain footholds not through hacking, but by impersonating users with stolen credentials.
Zero trust is a cybersecurity approach based on one simple idea: never automatically trust anyone or anything inside or outside your network without verifying them first. It assumes that threats could already be inside the system, so every access request must be checked, every time.
Trust busters
Some believe the zero trust model is antiquated, not because of the core idea itself—but because of how the industry has implemented it. Andy Ellis, partner at YL Ventures and former CSO of Akamai, is among those who assert the zero trust model hasn’t kept up with how threats or users actually behave.
He believes it places too much trust in complex software running on endpoints, creates brittle systems that punish normal human behavior, and focuses on constant surveillance instead of resilient design. Rather than eliminating implicit trust, Ellis argues, many zero trust implementations have simply relocated trust to new and equally vulnerable places.
Experts at RSAC 2025 warned that the security industry is dangerously overconfident in how it handles identity. Strategies meant to reduce trust, such as limiting lateral movement, segmenting networks, and requiring continuous authentication, may actually concentrate risk in unintended places like software agents or vulnerable endpoints.
One example: infostealer malware often grabs session tokens from unmanaged devices, allowing attackers to bypass MFA entirely. Once inside, they exploit endpoint software with elevated privileges, turning tools meant for monitoring into weapons for lateral movement.
Meanwhile, cybersecurity leaders at RSAC—from YL Ventures, Verizon, CrowdStrike, Microsoft, and the FBI—said current identity defenses are too brittle, too trusting, and increasingly blind to how adversaries operate.
What makes them brittle? Overreliance on perimeter-based firewalls, weak session monitoring, and ineffective identity governance that leaves ghost accounts active long after employees leave.
Adam Meyers, senior vice president of Counter Adversary Operations at CrowdStrike, said identity continues to be the top target for attackers.
“Adversaries want to work less, easier and faster, and so we've seen them going after the softer targets. Identity has been a massive issue for organizations,” he said during an RSAC panel on North Korean IT worker threats.
That critique echoed Ellis’s broader concern that identity is now inseparable from the humans behind the keyboard, and security controls must reflect that complexity.
“Every major ransomware breach is enabled by software on the endpoint,” Ellis said. “We made the endpoint trust us, and that’s where we went wrong.”
Zero trust theater
During a keynote titled “Having Zero Trust to Give: What Should Have Been Next?”, Ellis argued the cybersecurity industry misunderstood zero trust from the start. “We should have removed trust from the endpoint,” he said. “Instead, we made the endpoint trust more software.”
Ellis pointed to a long line of high-profile breaches—SolarWinds, Kaseya, and others—where endpoint management tools themselves were abused to move laterally or exfiltrate data. He argued that the industry's response has been to increase surveillance, not reduce risk.
Zero trust principles such as “continuous monitoring” and “assume breach” have, in his view, evolved into mandates that are impractical and often harmful. “Continuous monitoring sounds great in theory,” he said. “But when that means installing agents with admin-level access on every device, you’re expanding the attack surface—not reducing it.”
Ellis also criticized organizations that treat employees as adversaries by default, which he argued erodes trust. Instead, systems should anticipate compromise without undermining collaboration or usability. Ellis believes this point is critical because overly rigid controls can backfire—driving users to bypass them and adopt shadow IT.
If zero trust makes systems harder to use, he argues, people will naturally route around security, creating more risk, not less.
The system is built to fail
Ellis’s concerns found support among other experts who said modern infrastructure too often rewards speed and scale over resilient design. Steve Kelly, chief trust officer at the Institute for Security and Technology, compared today's digital ecosystem to roadways engineered without safety in mind during his RSAC session.
“In civil engineering, we design for the inevitability of mistakes,” Kelly said. “But in cybersecurity, we design systems where a single misstep—like clicking a phishing link—can collapse an entire organization.”
Kemba Walden, president of the Paladin Global Institute and former acting U.S. National Cyber Director, echoed that sentiment. “Cybersecurity risk is still being borne by the least resourced,” Walden said. By “least resourced,” she meant small businesses, low-income individuals, and frontline workers without dedicated IT support.
Examples include gig workers using unmanaged devices, small clinics running outdated systems, or school districts without a budget for enterprise-grade MFA. These groups often lack the staffing or funding to maintain layered defenses, yet still manage sensitive data.
“We can’t separate people from their devices anymore,” Ellis said. “Most people are cyborgs—attached to two or three digital identities at any moment. And we’ve built systems that exploit, rather than protect, that relationship.”
Long live zero trust
While Ellis criticized zero trust, other RSAC speakers, including Steve Kelly, Walden, and Microsoft’s Kelly Bissell, defended its principles while urging serious reform.
“Zero trust is still necessary—it just needs to move upstream,” said Bissell, who leads Microsoft's security and fraud division. He pointed to recent cases in which phishing-resistant MFA and strict DNS filtering stopped targeted phishing campaigns before users could interact with malicious infrastructure.
Bissell also cited Microsoft’s experience requiring mandatory revalidation of employee access during sensitive operations, which helped identify and revoke compromised credentials during a red team exercise.
Examples included Microsoft’s deployment of passkeys across enterprise products, DNS filtering to block spoofed domains, and mandatory identity revalidation in high-risk workflows.
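The two failure modes the article describes, a session cookie replayed from a device it was never issued to, and a stale MFA proof reused for a sensitive operation, both reduce to a policy check at the moment of the request. The check below is an added illustration, not code from Microsoft or any speaker; the field names, the 15-minute MFA freshness window and the device inventory are assumptions, and the sample sessions are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed data: an inventory of active users and their managed devices.
# A user missing from this table is a "ghost account" whose cookie must not work.
ACTIVE_USERS = {"alice": {"device_id": "laptop-7f3a"}}
MAX_MFA_AGE_FOR_SENSITIVE = timedelta(minutes=15)  # assumed policy knob
SAMPLE_NOW = datetime(2025, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock

@dataclass
class Session:
    user: str
    bound_device_id: str        # device the session cookie was issued to
    mfa_verified_at: datetime   # last successful MFA for this session

@dataclass
class Request:
    session: Session
    presenting_device_id: str   # device presenting the cookie right now
    sensitive: bool             # e.g. payout approval, bulk record export

def evaluate(req: Request, now: datetime) -> tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'step_up' or 'deny'."""
    s = req.session
    # Ghost accounts: a still-valid cookie for a deprovisioned user is a breach path.
    if s.user not in ACTIVE_USERS:
        return "deny", "account not active"
    # Stolen-cookie replay: a token bound to one device is presented from another.
    if req.presenting_device_id != s.bound_device_id:
        return "deny", "device mismatch"
    if not req.sensitive:
        return "allow", "routine action"
    # Revalidation for sensitive operations: MFA must be fresh, not merely present.
    if now - s.mfa_verified_at > MAX_MFA_AGE_FOR_SENSITIVE:
        return "step_up", "mfa stale"
    return "allow", "fresh mfa on bound device"

def make_session(user: str, device_id: str, mfa_age_minutes: int) -> Session:
    """Build a constructed session whose MFA proof is mfa_age_minutes old."""
    return Session(user, device_id, SAMPLE_NOW - timedelta(minutes=mfa_age_minutes))

if __name__ == "__main__":
    fresh = make_session("alice", "laptop-7f3a", 5)
    stale = make_session("alice", "laptop-7f3a", 180)
    print(evaluate(Request(fresh, "laptop-7f3a", True), SAMPLE_NOW))
    print(evaluate(Request(stale, "laptop-7f3a", True), SAMPLE_NOW))
    print(evaluate(Request(fresh, "unknown-box", False), SAMPLE_NOW))
```

A real deployment would derive the device binding from a hardware-backed key or managed-device attestation rather than a self-reported identifier, and would log each deny and step_up decision for the detection team.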
Walden also emphasized that zero trust should focus more on systemic equity: “We need to stop pushing all the responsibility to individuals. The real fix has to come from how we design the infrastructure in the first place.”
Even Kelly, who echoed Ellis's metaphor about broken infrastructure, stopped short of calling zero trust a failure. Instead, he called for spreading out trust across different parts of the system—like domain name records, device health, financial transactions, and hiring processes—so that security doesn’t depend on just one layer working perfectly.
Together, these perspectives suggest the next generation of zero trust won’t be defined by perimeter controls, but by infrastructure-level resilience and shared responsibility.
Some of the examples offered included the use of phishing-resistant MFA across Microsoft’s ecosystem, increased abuse reporting and enforcement across registrars and cloud platforms (such as domain takedowns, revoking compromised API keys, disabling rogue app integrations, and suspending fake accounts before they can escalate), and early success with global DNS monitoring efforts like the Global Signal Exchange.
The Global Signal Exchange is a collaborative framework that allows providers to share threat intelligence and abuse data in real time, helping to flag malicious infrastructure before it can be widely used in attacks.
Walden also pointed to national digital ID frameworks in countries like Estonia and Belgium as models for embedding identity trust into infrastructure. The benefits? More reliable and user-friendly authentication. The drawbacks? Privacy concerns, vendor lock-in, and resistance from regions without centralized identity programs.
Where identity security goes next
Despite their differences, speakers across sessions agreed on one thing: identity will remain at the heart of both attack and defense. Whether through reimagined infrastructure, refined zero trust strategies, or smarter access controls, the next wave of progress will come from collaboration across government, industry, and users.
Several pointed to emerging technologies—like passkeys, hardware-backed identity, real-time risk scoring, and AI-enhanced anomaly detection—as promising tools that could strengthen defenses without overburdening users. These innovations, if deployed responsibly, offer a path toward identity systems that are both resilient and humane.
“We may never eliminate risk,” Walden said, “but we can design systems that expect failure—and still protect people when it happens.”
In a year marked by breaches, burnout, and increasingly sophisticated adversaries, that vision may be the clearest path forward.
(Editor’s Note: A portion of this content used a large language model to distill a single source of original content, such as a transcript, data, or research report. This content was conceived, crafted and fact-checked by a staff editor, and any sourced intellectual property used is clearly credited and disclosed.)