By NHI Mgmt Group Editorial Team
Published 2023-11-21
Domain: Governance & Risk
Source: Whiteswan Security

TL;DR: Compromised credentials, phishing, RDP exposure, and weak telemetry remain the core enterprise access risks in Whiteswan Security’s analysis, which argues for MFA everywhere and zero standing privilege to reduce lateral movement and slow attacker progress. The deeper issue is that identity programmes still assume password compromise is the main event, when in practice persistent access and weak monitoring decide the blast radius.


At a glance

What this is: This is an enterprise access security analysis that argues MFA everywhere, zero standing privilege, and telemetry are the key controls for reducing credential-driven compromise and lateral movement.

Why it matters: It matters because IAM, PAM, and NHI teams all have to govern the same attack pattern across human logins, privileged access paths, and machine-facing credentials.



Context

MFA and zero standing privilege are identity control problems before they are endpoint or network problems. The article is really about how attackers turn stolen passwords, exposed RDP paths, and weak monitoring into durable access, then move laterally before defenders can react.

For IAM and PAM teams, the important question is not whether authentication exists, but whether access can persist long enough to be abused. The same governance gap shows up across human users, privileged accounts, and non-human identities when standing access is left in place without strong telemetry and step-up controls.


Key questions

Q: How should security teams reduce risk from stolen credentials in enterprise environments?

A: Start by assuming a password will be exposed and design the environment so that a valid login does not equal broad access. Enforce MFA everywhere, remove standing privilege, and monitor remote administration paths such as RDP and directory services. The goal is to shrink what a compromised identity can do after authentication, not just stop the initial login.

Q: Why do standing privileges make compromised accounts so dangerous?

A: Standing privileges give an attacker reusable access the moment one account is compromised, which turns a single successful phishing or password attack into a wider internal threat. Because the entitlement already exists, the attacker does not need to wait for approval or trigger a review. That makes lateral movement faster and harder to contain.

Q: How can organisations tell whether their identity controls are actually working?

A: Look for reduced access persistence, fewer unexpected privileged sessions, and stronger detection of unusual remote access activity. If MFA is enabled but attackers can still move through RDP, directory services, or privileged accounts without immediate friction, the control set is incomplete. Effective governance shows up as a smaller blast radius and faster detection.

Q: What should teams prioritise first, MFA or zero standing privilege?

A: They should implement both, but the priority order depends on the current exposure. If remote access and stolen credentials are the main path in, MFA should be immediate. If privileged accounts are already broadly reusable, zero standing privilege may reduce risk faster because it removes the access attackers want after they authenticate.


Technical breakdown

Why compromised credentials still lead to lateral movement

Stolen credentials remain effective because many environments still treat password possession as proof of intent. Once an attacker authenticates, the environment often trusts the session until something obviously malicious happens. That delay matters. In practice, attackers use valid access to enumerate systems, identify remote admin paths, and pivot through directory services or exposed remote access points such as RDP. MFA reduces the usefulness of a stolen password, but it does not by itself fix over-broad session trust or weak access monitoring. Telemetry is what turns authentication events into detection opportunities.

Practical implication: correlate authentication, RDP, and directory activity so valid logins do not become invisible lateral movement.

What zero standing privilege changes in access design

Zero standing privilege removes persistent rights that attackers can inherit after compromising an identity. Instead of leaving privileged access continuously available, access is granted only when needed and for a defined task. That matters because standing privilege is what lets a single phished account become an administrative foothold. In enterprise environments, the difference between ordinary access and privileged access is often not the login itself but the durable entitlement behind it. ZSP reduces the amount of access available for abuse, especially when combined with MFA and strong session telemetry.

Practical implication: move privileged entitlements out of permanent membership and into just-in-time access workflows.

Why telemetry is the control that makes MFA and ZSP measurable

Telemetry is the record of how identity behaves across logins, sessions, and privileged actions. Without it, MFA is only an entry gate and ZSP is only a policy intent. With it, teams can spot impossible travel, unusual RDP patterns, repeated step-up prompts, and abnormal privilege use after authentication. This is especially important in environments where Active Directory or remote administration tools sit at the centre of access control. The technical issue is not lack of data collection in isolation, but lack of correlated identity signals that show whether access is being used as expected.

Practical implication: build identity telemetry around authentication, privilege elevation, and remote access paths, not just sign-in success.


Threat narrative

Attacker objective: The attacker aims to turn one compromised credential into durable internal access that supports privilege escalation and lateral movement.

  1. Entry via phished or brute-forced credentials gives the attacker a valid authentication path into the corporate environment.
  2. Escalation occurs when weak RDP controls, standing privileges, or directory trust allow the attacker to pivot from a normal account into broader access.
  3. Impact follows when the attacker uses that access to move laterally, reach critical systems, or exfiltrate data before detection catches up.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

MFA everywhere is not a sufficient control if standing access remains the default. MFA reduces the value of a stolen password, but it does not remove the durable entitlement that lets a compromised identity keep moving after login. The programme failure here is assuming authentication hardening and privilege governance are separable disciplines. Practitioner conclusion: treat MFA and ZSP as one access-control system, not two independent projects.

Zero standing privilege is the right answer to a persistent entitlement problem, not just a privileged access problem. The article’s real signal is that attackers do not need to defeat every control if one account can retain reusable access across sessions. Standing access creates a predictable abuse window across human users and machine-facing paths alike. Practitioner conclusion: redesign access so privileged capability exists only at the moment of task execution.

Telemetry becomes the enforcement layer when identity is the attack path. The article correctly ties detection to real-time monitoring because authentication alone cannot reveal intent or misuse. Without correlated logs across identity providers, RDP, and directory systems, defenders cannot distinguish normal logon from staged lateral movement. Practitioner conclusion: identity telemetry must be a first-class control objective, not an incident response afterthought.

Active Directory and remote access are governance choke points, not just technical assets. When directory trust and RDP exposure sit at the centre of access design, every compromise is an identity governance event as much as a security event. That is why MFA, ZSP, and telemetry belong in the same control conversation as lifecycle review and privileged access recertification. Practitioner conclusion: govern directory and remote access paths as critical identity infrastructure.

Identity blast radius is the better mental model than login success rate. The article shows that one successful authentication can still be a low-impact event if privilege is tightly bounded and monitored. The field should measure how far a credential can travel, not merely whether it can authenticate. Practitioner conclusion: prioritise controls that shrink blast radius across human, privileged, and non-human access.

From our research:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • Confidence gaps in NHI governance are reflected in another finding from the same research: 85% of organisations lack full visibility into third-party vendors connected via OAuth apps.
  • For a broader control lens, the 52 NHI Breaches Report shows how identity exposure patterns repeatedly become real incident paths.

What this signals

Identity blast radius is now the right programme metric. Teams should stop treating MFA adoption as the finish line and start measuring how far a compromised account can move before it is contained. The operational question is whether a stolen credential can still reach RDP, directory services, or admin workflows without immediate friction. For teams building out identity telemetry, the NIST Cybersecurity Framework 2.0 remains the cleanest way to map detection and response to identity events.

The next maturity step is to treat privileged access, remote access, and session telemetry as one governance surface. That means aligning PAM, IAM, and NHI controls so standing access does not survive beyond the task that needs it. Where organisations still rely on reusable access, the security programme is carrying hidden identity debt.

Standing access debt: persistent entitlement that outlives the task or role it was created for. In practice, it is the gap between having access and needing access, and it is what attackers exploit after a valid login. Teams that can quantify and reduce that debt will see smaller attack paths and faster containment, especially in environments with heavy RDP or directory dependence.


For practitioners

  • Enforce MFA on every external and privileged entry point: Require step-up authentication for email, VPN, RDP, administrative portals, and any path that can reach directory services or critical systems. Do not leave exceptions for legacy convenience.
  • Replace standing privilege with just-in-time access: Move privileged rights out of permanent group membership and into task-scoped elevation that expires when the work ends. Review who can self-approve and who can grant emergency access.
  • Correlate identity telemetry across sign-in and remote access: Join authentication logs, privilege elevation events, and RDP session data so suspicious patterns are visible in one view. Alert on repeated prompts, unusual session duration, and unexpected admin activity.
  • Harden directory and remote administration paths: Treat Active Directory, RDP, and other remote management channels as high-value control planes. Restrict exposure, segment administrative access, and audit where privileged sessions can originate.
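As an added example (not code from the Whiteswan article or from NHI Mgmt Group), the following Python joins constructed sign-in, privilege-elevation, RDP and MFA-prompt events per identity and surfaces two of the patterns the telemetry sections above describe: a password-only sign-in that reaches elevation or RDP with no step-up friction, and repeated unapproved MFA prompts. The event schema, field names, sample values and time windows are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (assumed schema): sign-ins, elevations, RDP sessions
# and MFA prompts from separate sources, already normalised to one user field.
EVENTS = [
    {"ts": "2023-11-20T08:00:00", "user": "alice", "type": "signin", "mfa": True},
    {"ts": "2023-11-20T08:05:00", "user": "alice", "type": "rdp", "target": "fs01"},
    {"ts": "2023-11-20T22:10:00", "user": "bob", "type": "signin", "mfa": False},
    {"ts": "2023-11-20T22:12:00", "user": "bob", "type": "elevate", "target": "Domain Admins"},
    {"ts": "2023-11-20T22:14:00", "user": "bob", "type": "rdp", "target": "dc01"},
    {"ts": "2023-11-20T23:00:00", "user": "carol", "type": "mfa_prompt", "result": "denied"},
    {"ts": "2023-11-20T23:01:00", "user": "carol", "type": "mfa_prompt", "result": "denied"},
    {"ts": "2023-11-20T23:02:30", "user": "carol", "type": "mfa_prompt", "result": "timeout"},
    {"ts": "2023-11-20T23:03:00", "user": "carol", "type": "mfa_prompt", "result": "approved"},
]

def by_user(events):
    """Group events per identity in time order, with timestamps parsed to datetime."""
    grouped = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        grouped[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})
    return grouped

def unfriction_paths(events, window=timedelta(minutes=30)):
    """Flag password-only sign-ins followed by elevation or RDP inside the window."""
    findings = []
    for user, evs in by_user(events).items():
        for i, e in enumerate(evs):
            if e["type"] != "signin" or e.get("mfa"):
                continue  # MFA-backed sign-ins had step-up friction; not this pattern
            reached = [f'{x["type"]}:{x["target"]}' for x in evs[i + 1:]
                       if x["type"] in ("elevate", "rdp") and x["ts"] - e["ts"] <= window]
            if reached:
                findings.append({"user": user, "signin": e["ts"].isoformat(), "reached": reached})
    return findings

def prompt_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Flag identities with at least `threshold` unapproved MFA prompts inside the window."""
    flagged = []
    for user, evs in by_user(events).items():
        misses = [e["ts"] for e in evs if e["type"] == "mfa_prompt" and e["result"] != "approved"]
        for i in range(len(misses) - threshold + 1):
            if misses[i + threshold - 1] - misses[i] <= window:
                flagged.append(user)
                break
    return flagged

if __name__ == "__main__":
    print(unfriction_paths(EVENTS), prompt_fatigue(EVENTS))
```

With the sample data, bob's password-only login reaching Domain Admins and dc01 is flagged while alice's MFA-backed RDP session is not, and carol's run of three unapproved prompts is reported.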

Key takeaways

  • MFA lowers exposure, but standing privileges and weak telemetry still let compromised credentials become a lateral-movement problem.
  • The article’s strongest operational signal is that identity controls fail when authentication, privilege, and remote access are governed separately.
  • Practitioners should focus on reducing identity blast radius through just-in-time access, correlated telemetry, and tighter control of directory and RDP paths.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Identity proofing and access control underpin the MFA and ZSP discussion.
OWASP Non-Human Identity Top 10 | NHI-03 | Credential rotation and exposure are central to the article's compromise narrative.
NIST Zero Trust (SP 800-207) | | Zero trust principles align with minimizing implicit trust after login.

Audit credential exposure paths and reduce reusable access across non-human and privileged identities.


Key terms

  • Zero Standing Privilege: Zero standing privilege is an access model in which elevated permissions are not permanently assigned. Privilege is granted only when needed for a specific task and then removed, reducing the chance that a compromised account can reuse admin capability later.
  • Identity Telemetry: Identity telemetry is the set of logs and signals that show how identities authenticate, elevate privilege, and use access across systems. It becomes useful when teams correlate those events across providers and remote access paths to detect abnormal behaviour quickly.
  • Identity Blast Radius: Identity blast radius is the amount of damage a compromised identity can cause before containment. It reflects how far a valid account can travel across systems, privileges, and sessions, and it is a more practical metric than login success alone.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Whiteswan Security: MFA and Zero Standing Privileges for stronger enterprise defense. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2023-11-21.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org