Start by identifying every allowed sign-in method per application and per user class. Then remove unused or weaker options, especially for privileged access and sensitive workloads. The goal is not to add more MFA choices, but to narrow the set until users cannot be silently pushed from phishing-resistant methods to phishable fallbacks.
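One way to run that review, as an added example rather than code from the original page: the sketch below audits an inventory of allowed sign-in methods per application and user class, flags phishable fallbacks that sit beside phishing-resistant methods, and lists what to remove. The method names, the phishing-resistant classification, the user classes and the sign-in counts are all constructed assumptions.

```python
# Added example. Method names, user classes and counts are constructed.
PHISHING_RESISTANT = {"fido2", "passkey", "smartcard"}  # assumed classification
SENSITIVE_CLASSES = {"privileged"}                       # assumed user class

# Constructed inventory: allowed methods per (application, user class).
INVENTORY = [
    {"app": "admin-console", "user_class": "privileged",
     "methods": ["fido2", "sms_otp", "password"]},
    {"app": "payroll", "user_class": "workforce", "methods": ["passkey", "push"]},
    {"app": "wiki", "user_class": "workforce", "methods": ["password", "totp"]},
    {"app": "vault", "user_class": "privileged", "methods": ["fido2", "smartcard"]},
]
# Constructed sign-in counts for a review window; a missing key means zero.
USAGE = {
    ("admin-console", "privileged", "fido2"): 412,
    ("admin-console", "privileged", "password"): 3,
    ("payroll", "workforce", "passkey"): 980,
    ("payroll", "workforce", "push"): 1500,
    ("wiki", "workforce", "password"): 2200,
    ("vault", "privileged", "fido2"): 77,
}

def audit(inventory, usage):
    """Return findings, sensitive classes first, with the methods to remove."""
    findings = []
    for entry in inventory:
        app, cls = entry["app"], entry["user_class"]
        methods = set(entry["methods"])
        strong = methods & PHISHING_RESISTANT
        weak = methods - strong
        unused = {m for m in methods if usage.get((app, cls, m), 0) == 0}
        if strong and weak:
            # A phishable fallback sits beside a phishing-resistant method.
            issue, remove = "downgrade-path", weak | unused
        elif weak:
            # Nothing strong is allowed yet, so only unused options can go.
            issue, remove = "no-phishing-resistant-method", unused
        else:
            issue, remove = "unused-method", unused
        if strong and strong <= remove:
            remove = remove - strong  # never strip every strong method
        if issue == "unused-method" and not remove:
            continue
        severity = "high" if cls in SENSITIVE_CLASSES else "medium"
        findings.append({"app": app, "user_class": cls, "issue": issue,
                         "severity": severity, "remove": sorted(remove)})
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["app"]))

if __name__ == "__main__":
    for finding in audit(INVENTORY, USAGE):
        print(finding)
```

An entry flagged `no-phishing-resistant-method` needs a phishing-resistant method enrolled before its remaining weak methods can be narrowed.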