Subscribe to the Non-Human & AI Identity Journal

Why do regulated industries need adaptive MFA instead of static MFA?

Static MFA treats every login the same, which creates unnecessary friction for low-risk sessions and insufficient scrutiny for sensitive ones. Regulated environments need assurance that responds to context, because the risk of a routine portal login is not the same as the risk of a privileged transaction or ePHI access.

Why This Matters for Security Teams

static mfa was designed for a world where a login event could be treated as a mostly fixed trust decision. Regulated industries do not operate in that world. A clerk opening a low-risk portal, a clinician accessing ePHI, and an administrator approving a privileged change all carry different business impact, yet static MFA applies the same challenge pattern to each. That creates friction where it is not needed and leaves sensitive actions under-assessed.

adaptive mfa is part of a broader move toward contextual assurance, which aligns with the intent of the NIST Cybersecurity Framework 2.0 and the audit expectations described in Ultimate Guide to NHIs — Regulatory and Audit Perspectives. Security teams are increasingly expected to show that authentication strength reflects session risk, transaction sensitivity, and identity behaviour, not just the fact that a password was followed by a second factor. NHI Management Group guidance also notes that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which reinforces why authentication must respond to context rather than remain flat across every event. In practice, many security teams encounter weakness only after a privileged workflow or sensitive data access has already been abused, rather than through intentional testing of authentication decisions.

How It Works in Practice

Adaptive MFA evaluates risk at the moment of access and adjusts the challenge accordingly. The decision can include device posture, geolocation, IP reputation, impossible travel, session history, privilege level, time of day, and whether the user is attempting a sensitive transaction rather than a routine login. In regulated environments, that matters because the authentication event is only one signal. The system should also consider what is being accessed, whether the request is consistent with prior behaviour, and whether the action crosses a compliance boundary such as payment data, patient records, or production changes.

Current guidance suggests combining adaptive MFA with zero trust and privileged access controls rather than using it as a standalone control. For example, a user may get a low-friction prompt for normal self-service activity, but step up to a phishing-resistant factor for admin work, ePHI access, or step-up approval. That approach is more defensible when paired with lifecycle controls described in the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs and with high-risk patterns documented in Top 10 NHI Issues. In practice, teams often implement adaptive MFA through policy engines that trigger step-up rules for unusual risk, then log the reason for auditability.

  • Use stronger prompts for privileged sessions, data exports, and administrative approvals.
  • Reduce friction for low-risk, repeated, and device-bound access.
  • Pair MFA with session monitoring, not just initial sign-in checks.
  • Review policy decisions regularly so risk signals do not become stale.

These controls tend to break down in legacy applications that cannot pass context to the identity provider because the system cannot distinguish a harmless login from a high-impact transaction.

Common Variations and Edge Cases

Tighter authentication often increases user friction and help desk volume, requiring organisations to balance stronger assurance against operational overhead. That tradeoff is especially visible in hospitals, banks, and public-sector environments where multiple user classes, emergency access, and third-party integrations all coexist. Best practice is evolving, but there is no universal standard for exactly which signals must trigger step-up MFA in every regulated workflow.

Some organisations use adaptive MFA only at the perimeter, which leaves internal applications, API access, and privileged consoles underprotected. Others over-tune policies and generate so many prompts that users begin to bypass the control through workarounds. Risk-based authentication also becomes less reliable when device telemetry is sparse, when users work through shared terminals, or when session context is lost between systems. In those cases, the right answer may be to combine adaptive MFA with stronger identity proofing, shorter session lifetimes, and tighter authorization checks rather than adding more prompts. That is consistent with the governance perspective in the Ultimate Guide to NHIs and the attack patterns described in the Microsoft Midnight Blizzard breach. Regulated industries should treat adaptive MFA as a policy layer, not as a substitute for least privilege or continuous monitoring.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC-7 Adaptive MFA supports continuous, context-aware access decisions.
NIST Zero Trust (SP 800-207) Zero trust relies on dynamic verification instead of fixed trust at login.
OWASP Agentic AI Top 10 A1 Dynamic auth is critical when autonomous systems can change behaviour at runtime.
CSA MAESTRO IAM-02 Agent and workload access should be governed by context and task sensitivity.
NIST AI RMF Risk-based controls align with AI governance needs for changing context and impact.

Use runtime policy and step-up controls for high-risk actions, not static assumptions about access patterns.