Identity in the Age of AI: Rethinking Zero Trust's First Pillar

 

Part 2 of 7 in the CSA Series: AI and the Zero Trust Transformation. Read Part 1 here.

Picture a Monday morning in early 2026. A regional finance team joins what looks like a routine video call. The CFO appears on screen with familiar mannerisms, the slight rasp of a weekend cold, and an urgent directive: wire $25 million to close a confidential acquisition before Asian markets close. The team executes. By afternoon, the truth surfaces. The CFO had been on a flight to London. The face on screen was a generative model. The voice had been cloned from a podcast appearance the previous quarter.

Variants of this scenario are no longer thought experiments. The 2024 attack on engineering firm Arup’s Hong Kong office, in which deepfaked executives convinced a finance worker to transfer roughly $25 million across fifteen wire transactions, was the canary in the coal mine. Two years later, those tactics have been industrialized. What once required a sophisticated nation-state operator can now be assembled from open-source models and a few minutes of public audio.

For decades, identity served as the front door of the enterprise. It was the gate you passed through to reach everything else. Generative AI has not just picked the lock. It has convinced us the door was never there.

This is the inversion at the heart of Zero Trust in 2026. Identity is no longer a credential to be checked. It is a continuous signal to be interrogated.

 

How AI Weaponized Identity

AI changed the economics of impersonation, and the security industry is still catching up to the implications. Three converging trends now define the threat landscape.

 

The Deepfake Surge

By the first quarter of 2025, deepfake-related fraud incidents had already surpassed the total recorded for all of 2024. Detection rates remain stubbornly low. Research published in 2025 found that humans correctly identify AI-generated audio only about 60% of the time, and a widely cited iProov study reported that fewer than one in a thousand participants could perfectly distinguish synthetic from authentic media across all formats. Under pressure, on a video call, with a familiar face speaking with familiar cadence, those numbers tend to collapse further.

 

The Synthetic Identity Factory

Adversaries are no longer creating individual fake accounts. They are using large language models to generate identity clusters, sets of interconnected synthetic personas with credit histories, social graphs, professional backstories, and matching biometric profiles. These clusters defeat identity proofing systems by overwhelming them with plausible signals. A reviewer flagging one anomaly might pass it. A reviewer facing twelve consistent reinforcing data points usually does not.

 

The Erosion of Visual Trust

Gartner’s 2024 prediction that 30% of enterprises would no longer treat standalone facial biometrics as a primary trust factor by 2026 has, by most credible accounts, materialized. Diffusion-based injection attacks now defeat naive liveness checks by inserting synthetic frames directly into the video stream rather than presenting them to a camera. Real-time avatars handle the rest.

The implication is uncomfortable but unavoidable. If an adversary can convincingly become anyone, the security question stops being “who are you?” and becomes “is what you are doing consistent with who you claim to be, in this context, right now?”

 

From Static Gates to Continuous Telemetry

Zero Trust has always assumed that any single signal can be wrong. What has changed is how quickly we have to make that assumption.

The legacy authentication model checked credentials once at login and trusted the resulting session for hours, sometimes days. In 2026, that window is operationally indefensible. NIST Special Publication 800-207 reframes identity as the primary control plane, but the practical mechanics live in NIST SP 800-63-4, finalized in August 2025. Three updates matter most for security leaders.

 

Liveness Detection Becomes Table Stakes

The standard formalizes ISO/IEC 30107-3 presentation attack detection requirements, recognizing that any biometric without anti-spoofing has a finite shelf life. Passive liveness, which works in the background without user prompts, has become the practical default for high-value transactions.

 

Syncable Passkeys Reach AAL2

This is the standard’s quiet acknowledgement that phishing-resistant authentication has to be usable, or it will not be used. By treating FIDO2 passkeys synced across a user’s devices as eligible for Authenticator Assurance Level 2 under specified conditions, NIST removed one of the largest barriers to enterprise rollout.

 

Continuous Evaluation Replaces Point-in-Time Decisions

The model assumes risk context can change mid-session, and the architecture must respond. A user who authenticated cleanly at 9:00 AM and whose device begins exhibiting anomalous behavior at 9:47 AM should not retain the trust granted at 9:00 AM.

The technical pattern that ties this together is sometimes called Continuous Adaptive Risk and Trust Assessment, or CARTA. In practice, it means feeding behavioral telemetry into the policy decision point on a near-constant basis. Modern Identity Threat Detection and Response (ITDR) platforms ingest signals like keystroke cadence, mouse micro-movements, navigation paths through ERP systems, and API call sequences. The result is closer to a behavioral fingerprint, and it is harder for a deepfake to replicate than a face or a voice because it emerges from the cumulative texture of how someone actually works rather than how they look or sound.

A concrete illustration: a finance analyst typically opens the ledger system, pulls reports in a specific order, and exports CSVs at predictable intervals. The same authenticated session, behaving differently (jumping straight to bulk wire approval, navigating menus the analyst never touches, running queries at 3 AM local), should not retain the trust granted at login. The CARTA model treats that drift as the signal it is.

The architectural pattern that operationalizes all of this is the identity fabric: a centralized, AI-aware control plane that decouples identity from specific applications and ingests signals from the network, the device, and the user simultaneously. If the CFO is on a video call from a Chicago IP address while their phone’s GPS places them at Heathrow, the fabric does not need to wait for a human reviewer. The session terminates, and a step-up challenge follows.

Several SSE and SASE platforms now offer overlapping identity fabric capabilities, including Netskope, Microsoft, Cisco, Palo Alto Networks, and Zscaler. The right starting point depends as much on existing telemetry investments as on feature comparisons.

 

The Silent Majority of the Enterprise

The most consequential shift in the identity pillar is not about humans at all.

In a typical 2026 enterprise, machine identities outnumber human users by orders of magnitude. Estimates vary widely depending on architecture: surveys cite ratios in the range of 50 to 1 for traditional environments, climbing toward 500 to 1 in microservice-heavy stacks. The trend line is clear regardless of which estimate you favor. The population of API keys, service accounts, certificates, and OAuth tokens is the dominant population in your environment.

Inside that population, agentic AI has emerged as a distinct category that breaks several legacy assumptions. These are not static service accounts running fixed scripts. They are autonomous entities, often built on large language models, that move between systems, reason about tasks, and take actions on behalf of users or other systems. The Cloud Security Alliance’s Agentic Trust Framework, published in February 2026, treats these agents as first-class identities requiring their own lifecycle, their own assurance levels, and their own threat models.

Three risks deserve direct attention.

• Over-permissioning. Industry surveys consistently estimate that the vast majority of non-human identities, often cited at roughly 99%, hold permissions far beyond what their actual workloads require. The figure is approximate and varies by methodology, but the directional message is consistent. In a deepfake-driven attack, an over-permissioned agent is the equivalent of a master key left in a public lobby.
• Indirect prompt injection. An agent that processes external content (emails, documents, web pages, calendar invites) can be manipulated into executing instructions hidden in that content. Imagine an inbox-summarization agent that reads a vendor email containing the line, in white-on-white text, instructing it to forward all messages from the CFO to an external address and then delete the trace. If the agent has broad privileges, the resulting kill chain runs at machine speed and crosses systems faster than any human responder can react. OWASP’s Top 10 for LLM Applications lists this as the highest-impact category for a reason.
• Credential sprawl. API keys, OAuth tokens, and service principals tend to accumulate, rarely rotate, and often live in places they should not (source repositories, configuration files, screenshot pastes in chat tools).

The mitigation pattern is converging on ephemeral, just-in-time credentials. Frameworks like SPIFFE issue task-specific identities that exist for the duration of a single transaction and disappear when the work completes. The blast radius of a compromise shrinks from “everything this agent can ever do” to “this one transaction, for these few seconds.” That is the difference between a contained anomaly and an enterprise-wide incident.

 

The 2026 Identity Blueprint

The CISA Zero Trust Maturity Model describes the journey across the identity pillar in four stages: Traditional, Initial, Advanced, and Optimal. Most enterprises in 2026 sit between Initial and Advanced, with passwords still in production and continuous evaluation still aspirational. Closing the gap to Optimal is what the rest of this section is about.

For security leaders translating this landscape into a roadmap, the strategic shift looks like this:

Traditional Identity (Legacy)	AI-Resilient Identity (Zero Trust)
Point-in-time: authenticate once at login.	Continuous: re-verify session integrity through behavior.
Biometric-heavy: trusting Face ID alone.	Multimodal: pairing biometrics with device health, location, and behavior.
Human-centric: focused on employee logins.	Entity-centric: governing humans, bots, APIs, and AI agents under one model.
Password and SMS MFA: vulnerable to interception.	Phishing-resistant: passkeys and FIDO2 hardware.

In execution terms, four investments rise above the rest.

1. Phishing-resistant MFA. Roll out FIDO2 and WebAuthn passkeys across every IAL2 and IAL3 application. This single change removes the value of harvested credentials and intercepted SMS codes, which remain the dominant initial access vector in most breach reports.
2. Liveness verification at high-value transaction boundaries. Integrate ISO/IEC 30107-3 certified passive liveness checks anywhere a deepfake would yield material consequence: wire approvals, executive impersonation, vendor onboarding, password resets for privileged accounts.
3. Non-human identity inventory. Automate discovery of API keys, service accounts, and AI agents across cloud and on-premises environments. You cannot govern what you cannot see, and the discovery exercise alone tends to surface the most over-privileged identities in the environment.
4. Operationalized ITDR. Integrate identity telemetry directly into the SIEM and SOAR pipeline. The goal is to move identity from an audit artifact reviewed weekly to a live control surface that can terminate a session on its own when behavioral signals diverge from baseline.

 

The Path Forward

Identity is the first pillar of Zero Trust because it is the foundation of every subsequent decision. Network segmentation, encryption, and endpoint detection all depend on the assumption that the entity asking for access is who they claim to be. When that assumption breaks, the rest of the architecture inherits the failure.

By treating identity as a continuous stream of behavioral telemetry rather than a static credential, by extending the same governance to AI agents that we apply to executives, and by making liveness, phishing resistance, and ephemeral credentials the default rather than the upgrade, organizations can reclaim the identity pillar from the adversaries who have spent the last two years industrializing deception.

The digital ghost in the boardroom only wins if we keep relying on the assumptions of 2020. In a Zero Trust world, we do not trust our eyes. We trust telemetry.

Coming next in Part 3: the device pillar, where AI is rewriting both the threat model and the defensive playbook for endpoints in a hybrid, agent-driven world.