Videos · Ben Baker
Why IAM is fundamentally fragmented, how attackers are bypassing MFA, and what identity security actually requires in a world of AI agents and non-human identities
Date: March 17, 2026
Duration: 24 minutes
Format: Video interview
Featuring:
- Ben Baker, Director of Content, Expel (Host)
- Jason Rebholz, Founder, Evoke Security; former CISO
Additional resources
- Explore Expel’s identity security coverage and how we detect threats across your identity stack—expel.com/solutions/identity-security/
- What is identity threat detection and response (ITDR)?—Expel’s Cyberspeak glossary
- Watch more security discussions on Expel’s YouTube channel
Introduction
Identity-based attacks aren’t rising because attackers have gotten smarter. They’re rising because defenders are still playing by the old rules.
The traditional identity and access management model treats authentication as a binary event—you log in, you’re trusted. But modern attackers don’t bother with the front door. They steal session cookies after authentication, bypass MFA entirely, and move freely through environments that security teams assume are locked down.
In this episode of Very Important Questions, host Ben Baker sits down with Jason Rebholz—founder of Evoke Security and former CISO—to dig into why identity security programs keep failing, what practitioners actually need to do differently, and what’s coming as AI agents and non-human identities compound an already messy problem.
Chapters
- 0:00 Cold open: Identity is a verb
- 1:42 Introductions
- 2:01 The biggest architectural flaw in IAM
- 3:09 The SSO tax
- 4:22 Session cookie hijacking: the “teleporting car” explained
- 6:54 Why attackers are pivoting to credential-based attacks
- 8:53 How painful is least privilege enforcement at scale?
- 12:27 The post-authentication blind spot
- 14:54 How attackers are bypassing MFA
- 17:07 What identity security solutions actually need to do
- 19:01 How tool fragmentation undermines detection
- 20:25 Non-human identities and AI agents
- 23:24 Closing thoughts: assume the attacker gets past the front door
The biggest flaw in traditional identity and access management
The gap between how IAM is supposed to work and how it actually works in practice is enormous. The vision—one unified system managing access across every application, every user, every permission—doesn’t exist. What most organizations have instead is a collection of disconnected tools, manual processes, and coverage gaps that leave large portions of their identity environment unmanaged.
Jason Rebholz, Founder, Evoke Security: “We have this picture of what IAM should be—this utopia where one single system manages it all. It just could not be further from the truth. It’s so disjointed. And this is not for want of trying.”
One of the most concrete symptoms of this fragmentation is the SSO tax—the enterprise licensing premium that vendors charge to enable single sign-on integration. In practice, many organizations find that a substantial share of their SaaS tools can’t be tied into SSO at all, either because the cost is prohibitive or because the budget sits in another department. The result is a shadow identity environment that security teams have little visibility into and even less control over.
Session cookie hijacking: why MFA isn’t enough
The most dangerous thing happening in identity security right now isn’t credential stuffing or brute force. It’s session cookie hijacking—and it bypasses MFA entirely.
Here’s how it works. When a user authenticates to an application—even with a passkey or MFA—the application issues a session cookie. Think of it as a hall pass: it proves you’ve already cleared the front door, so you don’t have to authenticate again. Info stealer malware targets these cookies specifically. Once stolen, an attacker can inject the cookie into their own browser and operate as the victim without ever triggering a login event.
Jason Rebholz, Founder, Evoke Security: “The attacker can take that session cookie, pop it into their browser, and now they’re acting as you. They’re teleporting straight into your moving vehicle—you’ve already taken it out of the garage and you’re driving down the highway, and all of a sudden the attacker’s in the car with you.”
This is why the security industry’s framing of identity as a static, point-in-time checkpoint is fundamentally broken. Authentication at the front door is necessary but not sufficient. What happens after login—the entire session—is where the real risk lives, and where most organizations have almost no visibility.
Why attackers have shifted to credential-based attacks
The shift toward identity-based attacks isn’t random. It’s a rational response to the security industry’s success in other areas. EDR has made malware harder to use without getting caught. Living-off-the-land techniques are easier to detect. But credentials? Credentials are everywhere, they’re valuable, and once you have them—especially in a SaaS-heavy environment—you may not need malware at all.
Every modern organization has a massive attack surface accessible entirely through identity: SaaS applications, cloud environments, remote access infrastructure. An attacker with valid credentials can move laterally, access sensitive data, and persist in an environment without ever deploying a payload.
Least privilege at scale: the reality
Least privilege is the right principle. The problem is execution. Enforcing least privilege at scale requires understanding exactly what access each user actually needs to do their job—a question most organizations have never formally answered. Getting there means talking to every team, mapping access against job function, sourcing the right tooling, and then doing it all over again as roles change, employees leave, and new applications get added.
Jason Rebholz, Founder, Evoke Security: “Every day you go into work without shoes and socks on, just walking on glass. That’s about what it feels like. And it’s not for want of trying—it’s just a very difficult, very expensive process. I don’t know of a single identity project you can complete in less than a year.”
The failure mode is familiar: annual access reviews that managers rubber-stamp, permission escalations that never get revoked, service accounts with admin rights that nobody owns. It’s not negligence—it’s the predictable outcome of a process that demands constant human attention in an environment that never stops changing.
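The failure modes listed above (unused grants, temporary escalations that outlive their purpose, unowned service accounts with admin rights) can be surfaced mechanically from entitlement and usage data instead of being rubber-stamped in an annual review. The following is an added illustration, not code from Expel or Evoke Security; the grant records, usage timestamps and the 90-day staleness threshold are constructed assumptions.

```python
"""Turn entitlement and usage data into concrete revocation candidates for an access review."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Grant:
    identity: str
    permission: str
    owner: Optional[str]     # who is accountable for this access; None means nobody owns it
    service: bool = False    # non-human identity (service account, automation token)
    temporary: bool = False  # granted for a task and meant to be removed afterwards
    age_days: int = 0        # days since the grant was made

# Constructed sample data (not from the page).
GRANTS = [
    Grant("alice", "crm:read", "sales-mgr", age_days=400),
    Grant("alice", "billing:admin", "sales-mgr", temporary=True, age_days=120),  # "just for the migration"
    Grant("bob", "crm:read", "sales-mgr", age_days=30),
    Grant("deploy-bot", "cloud:admin", None, service=True, age_days=700),       # orphaned admin bot
    Grant("report-bot", "crm:read", "analytics", service=True, age_days=200),
]
# Last observed use per (identity, permission), in days ago; absent means never seen.
LAST_USED = {("alice", "crm:read"): 2, ("bob", "crm:read"): 1,
             ("deploy-bot", "cloud:admin"): 3, ("report-bot", "crm:read"): 150}

def review_access(grants, last_used, stale_days=90):
    """Return (identity, permission, reason) triples a reviewer should act on."""
    findings = []
    for g in grants:
        used = last_used.get((g.identity, g.permission))
        # Unused access is pure attack surface: nobody misses it when it is revoked.
        if used is None:
            findings.append((g.identity, g.permission, "never used since grant"))
        elif used > stale_days:
            findings.append((g.identity, g.permission, f"unused for {used} days"))
        # Escalations granted "for now" tend to become permanent unless something asks.
        if g.temporary and g.age_days > stale_days:
            findings.append((g.identity, g.permission,
                             f"temporary grant still present after {g.age_days} days"))
        # Admin rights on a service account nobody owns: no one will ever review them.
        if g.service and g.owner is None and g.permission.endswith(":admin"):
            findings.append((g.identity, g.permission,
                             "admin rights on service account with no owner"))
    return findings
```

Running the review on the sample data flags alice’s stale migration grant twice, the orphaned deploy-bot admin right, and report-bot’s dormant CRM access, while bob’s actively used access is left alone.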
The post-authentication blind spot
Most identity security tools are optimized for the front door. They detect anomalous logins: impossible travel, unfamiliar locations, VPN mismatches. What they don’t cover is everything that happens after a user—or an attacker using stolen credentials—successfully authenticates.
For cloud-native organizations running entirely on SaaS, this blind spot is enormous. Without the ability to correlate post-authentication behavior across applications, a compromised account can exfiltrate data, escalate privileges, and move laterally for days without triggering a single alert.
Jason Rebholz, Founder, Evoke Security: “That blind spot is 99.9% of everything that user is doing—because it’s everything that happens after the login. That’s the stuff you want to pay attention to. It’s kind of like reading a book where every third page is ripped out.”
How modern attackers bypass MFA
MFA remains one of the most effective security controls available. The problem is that not all MFA is equal—and attackers know exactly how to work around the weakest implementations.
Adversary-in-the-middle (AiTM) attacks send users to convincing phishing pages that proxy the real authentication flow. The user enters their credentials and MFA code, the attacker captures both in real time, and the session cookie is theirs. No malware required. And once they have the session cookie, standard login-anomaly detections won’t fire—because there’s no new login to detect.
Attackers also deliberately position their infrastructure to defeat impossible-travel and geo-based detections, using proxies or VPNs located in the same region as the legitimate user.
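A replayed session cookie never produces a new login, and a same-region proxy keeps geo rules quiet, so the detection has to live in the post-authentication events instead. The example below, added here and not code from Expel or Evoke Security, binds each session to the ASN and user agent seen at its login and flags later actions that arrive with a different one; the event records, field names and ASN values are constructed assumptions.

```python
"""Bind each session to its login context and flag post-auth use from a different one."""

# Constructed sample events (not from the page): one user, one session cookie "s-1".
EVENTS = [
    {"ts": "09:00", "type": "login",  "user": "alice", "session": "s-1", "ip": "203.0.113.10",
     "asn": 64501, "ua": "Chrome/124 Windows", "country": "US"},
    {"ts": "09:05", "type": "action", "user": "alice", "session": "s-1", "ip": "203.0.113.10",
     "asn": 64501, "ua": "Chrome/124 Windows", "country": "US", "action": "read_mail"},
    # New IP inside the same network, same browser: ordinary roaming, should stay quiet.
    {"ts": "10:15", "type": "action", "user": "alice", "session": "s-1", "ip": "203.0.113.55",
     "asn": 64501, "ua": "Chrome/124 Windows", "country": "US", "action": "read_mail"},
    # Stolen cookie replayed from a same-country proxy: no new login and no country change,
    # so impossible-travel and login-anomaly rules never fire.
    {"ts": "11:02", "type": "action", "user": "alice", "session": "s-1", "ip": "198.51.100.7",
     "asn": 64510, "ua": "Chrome/123 Linux", "country": "US", "action": "create_forwarding_rule"},
    # Activity on a session no login was ever logged for: a log gap or an injected cookie.
    {"ts": "11:20", "type": "action", "user": "bob", "session": "s-9", "ip": "198.51.100.7",
     "asn": 64510, "ua": "Chrome/123 Linux", "country": "US", "action": "download_report"},
]

BOUND_FIELDS = ("asn", "ua")  # context a cookie inherits at login; bare IP is too noisy

def geo_only_alerts(events):
    """The front-door style check: alert only when a user's country changes."""
    seen, alerts = {}, []
    for e in events:
        if e["country"] != seen.setdefault(e["user"], e["country"]):
            alerts.append(e)
    return alerts

def session_context_alerts(events):
    """Post-auth check: compare every action against the context its session was issued in."""
    baseline, alerts = {}, []
    for e in events:
        if e["type"] == "login":
            baseline[e["session"]] = {f: e[f] for f in BOUND_FIELDS}
            continue
        issued = baseline.get(e["session"])
        if issued is None:
            alerts.append({**e, "reason": "action on session with no observed login"})
            continue
        drift = [f for f in BOUND_FIELDS if e[f] != issued[f]]
        if drift:
            alerts.append({**e, "reason": "session context changed: " + ", ".join(drift)})
    return alerts
```

On the sample stream the geo-only check returns nothing, while the session-context check flags the forwarding-rule change at 11:02 and the unexplained session at 11:20.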
What effective identity security actually requires
The answer starts with visibility—not just at the authentication gate, but across the full session lifecycle. That means collecting and correlating logs from every application a user touches, understanding what normal behavior looks like for each user, and building detections that surface anomalies in what users are doing, not just how they logged in.
Jason Rebholz, Founder, Evoke Security: “Identity is a verb, not a noun. You have to think about it as something that is an action—it’s ongoing, and we have to keep pace with it. It’s the actions that matter. That’s what you want to pay attention to after the gate.”
Strong passkeys at the front door remain valuable. But the detection program has to extend well beyond them—covering session-based activity, post-authentication behavior, and the full context of what a compromised identity can do once it’s inside.
How tool fragmentation undermines identity threat detection
Even organizations with solid detection logic are hampered by the siloed nature of their security tooling. Identity tools don’t talk to endpoint tools. Endpoint tools don’t talk to cloud. The result is a detection program that can only see parts of the story—and an attacker who’s learned to stay in the gaps.
Correlating activity across a user’s full environment—stitching together what happened in SaaS, cloud, endpoint, and network into a coherent session view—is the only way to build detection coverage that’s actually hard to evade. Without that correlation, even well-written detections are missing the context they need to fire reliably.
Non-human identities and the AI agent problem
The identity management problem is about to get significantly harder. As AI agents become a standard part of how organizations operate, non-human identities (NHIs)—service accounts, API keys, machine credentials, automation tokens—will multiply rapidly. Anyone who’s looked at the NHI count in a mature cloud environment already knows how unmanageable the list is. Agents will add an entirely new layer of complexity.
Jason Rebholz, Founder, Evoke Security: “When we have agents, it’s just going to add to that list. They’re temporal—they’ll come and go. Is that the same identity? Is that a different one? And when agents can communicate with agents, it’s going to become a total rat’s nest from an identity perspective.”
Rebholz introduces a concept worth taking seriously: least autonomy. In an agent-driven world, the question may not just be “what resources can this identity access?” but “how much can it act independently?” Designing for least autonomy—constraining what agents can do without human oversight—may become as important as least privilege is today.
Closing thoughts: assume the front door fails
The core message from this conversation isn’t pessimistic—it’s practical. Identity attacks are succeeding in part because defenders are still investing heavily in the front door while leaving the rest of the house unmonitored. Attackers know this. They’ve designed their tooling and techniques around it.
Jason Rebholz, Founder, Evoke Security: “Identity is the real crux of security today. With how technology is being built and how systems are operated, identity is the central thing that’s either going to make or break you. You have to assume the attacker is going to bypass the front door.”
The teams that come out ahead will be the ones who’ve rounded out their detection programs—who are monitoring session-based activity, building detection coverage beyond the login event, and treating identity as the dynamic, ongoing thing it actually is.
Key takeaways
- IAM is fundamentally fragmented. The single-system identity utopia doesn’t exist. The SSO tax means large chunks of your SaaS environment may be invisible to your identity controls.
- MFA can be bypassed—and often is. Session cookie hijacking and AiTM attacks let attackers skip the authentication step entirely. MFA is necessary but not sufficient.
- The post-authentication blind spot is where attacks live. Most organizations have solid front-door detection and almost no visibility into what happens after login.
- Least privilege is right—but brutally hard to enforce at scale. Without automation and constant maintenance, it degrades quickly into security theater.
- Identity is a verb, not a noun. Effective identity security means continuous monitoring of what identities are doing, not just how they authenticated.
- Non-human identities are about to become much harder to manage. AI agents will dramatically increase NHI counts—and may require rethinking privilege around least autonomy, not just least access.
- Assume the attacker gets past the front door. Build your detection program for that reality—session-based coverage, correlated signal, and post-authentication visibility.
Frequently asked questions about identity security
What is identity security in cybersecurity?
Identity security is the practice of protecting user accounts, credentials, and access rights from unauthorized use. It encompasses authentication controls, access management, privilege governance, and the detection of identity-based threats—including credential theft, session hijacking, and lateral movement using legitimate credentials.
How do attackers bypass MFA?
The two most common techniques are adversary-in-the-middle (AiTM) phishing—where an attacker proxies an authentication session in real time to capture both credentials and MFA codes—and info stealer malware, which harvests session cookies from an already-authenticated device. Both methods let attackers skip the login process entirely, bypassing even phishing-resistant MFA implementations.
What is the SSO tax?
The SSO tax refers to the practice of SaaS vendors charging enterprise-tier pricing specifically to enable single sign-on integration. This creates a situation where many organizations cannot tie a significant portion of their SaaS tools into centralized identity controls, leaving gaps in visibility and governance.
What are non-human identities (NHIs)?
Non-human identities are machine-based accounts used by software systems rather than human users—including service accounts, API keys, OAuth tokens, automation credentials, and increasingly, AI agents. NHIs often have broad access permissions and are rarely monitored with the same rigor as human user accounts, making them an attractive target for attackers.
What does “identity is a verb” mean in the context of identity security?
The phrase captures the idea that identity security can’t be treated as a static checkpoint. Identities are dynamic: they act continuously, access resources, change over time, and can be compromised mid-session. Effective identity security requires ongoing monitoring of what identities do, not just verification of who they are at login.
How does Expel approach identity threat detection?
Expel’s identity security coverage monitors activity across the full session lifecycle—from authentication through post-login behavior—correlating signals across SaaS, cloud, and endpoint to detect threats that bypass front-door controls. This includes coverage for session-based attacks, credential-based lateral movement, and privilege abuse. Learn more: expel.com/solutions/identity-security/
External resources
This transcript has been edited for clarity and readability. For more identity security insights, visit expel.com/blog or follow Expel on LinkedIn.
