The next phase of zero trust: From recognizing known threats to stopping threats
Publish Date: 2026-05-13 17:01:00
Source Domain: federalnewsnetwork.com
Zero trust, as articulated in the Federal Zero Trust Strategy (M-22-09), was not just a technical strategy. It was a governance intervention, and importantly, one backed by dedicated funding for execution.
It forced a long-overdue shift in federal cybersecurity thinking, from perimeter-based trust to continuous verification, and translated that shift into measurable objectives. By anchoring progress to specific capabilities such as phishing-resistant multi-factor authentication (MFA) and endpoint detection and response, M-22-09 created a common goal across agencies and introduced accountability into a historically fragmented security landscape.
But the success of the Federal Zero Trust Strategy also revealed its primary limitation: It optimized federal cybersecurity around the identification and management of known threats and hunting of unknown threats in an environment where adversaries are increasingly acting with novelty, speed and unpredictability.
When measurement becomes the ceiling
M-22-09 deliberately translated strategic principles into named controls because measurement was essential to progress. Agencies could report, the Office of Management and Budget could assess, and Congress could oversee whether agencies had implemented crucial security guardrails, such as phishing-resistant MFA, endpoint detection and response, vulnerability disclosure policies and others — enabling coordinated action across the federal enterprise.
Meanwhile, adversaries continued shifting toward techniques that evade static controls, including identity abuse, software supply chain compromise and automation-driven intrusion. But agencies remained incentivized to meet these measurable zero trust goals.
The next phase of zero trust
For these reasons, the next phase of zero trust should be grounded in a simple but impactful shift: Federal cybersecurity must prioritize stopping threats, not incrementally improving recognition of known threats.
This is not a repudiation of zero trust principles. Continuous verification, least privilege and assume-breach remain foundational, but they must be operationalized in an environment where adversaries intentionally design attacks to evade recognition. The EvilTokens campaign illustrates the point: a phishing-as-a-service platform that uses Microsoft’s own OAuth device code flow to capture authentication tokens directly, bypassing both credentials and MFA. It can persist for up to 90 days, surviving even password resets. The attack succeeds not because organizations lacked the right controls, but because it exploits a legitimate authentication mechanism rather than a known malicious pattern.
This campaign shows that by the time a threat is fully understood, categorized and documented, it is often already obsolete — or worse, successful.
Why artificial intelligence changes the equation
Artificial intelligence-native security systems differ fundamentally from traditional, rule-based approaches. Rather than relying on prior knowledge of specific threats and indicators, they model expected behavior and assess risk based on deviation, context and probability. AI does not ask whether an activity matches a known malicious pattern; it asks whether the activity should be occurring at all.
AI also challenges the role of threat intelligence, which has long been treated as a prerequisite for effective defense. Agencies ingest feeds, translate indicators into rules, and tune tools to detect known adversary behaviors. This process is resource-intensive and increasingly fragile.
The shift from recognizing to stopping is more urgent because adversaries are also leveraging AI. Microsoft recently reported that AI-enabled phishing campaigns are achieving “click-through rates [of] 54%, compared to roughly 12% for more traditional campaigns,” reflecting a 450% increase in effectiveness. AI-native approaches invert the threat intelligence dependency by focusing on stopping behavior-based threats rather than waiting to recognize threats that have already been studied.
The result is a posture focused on stopping threats outright, regardless of novelty or attribution, while reducing dependence on complex rule sets, continuous tuning, and brittle architectures that struggle to adapt at scale.
Policy recommendations for the next phase of zero trust
To align zero trust with current and emerging risk realities, federal cybersecurity policy should evolve in the following ways:
1. Shift zero trust guidance from prescriptive controls to outcome-oriented capabilities.
Zero trust guidance should emphasize demonstrable reductions in operational risk rather than the deployment of specific tools. Progress should be assessed using outcome-oriented measures, some of which already exist within Federal Information Security Modernization Act (FISMA) metrics, such as reductions in mean time to detect, identify, recover and resolve incidents. These metrics are meaningful, however, only in the presence of sufficient detection coverage. Without it, low numbers can reflect blind spots rather than strong defense.
FISMA metrics can be complemented by indicators that reflect modern defensive effectiveness, such as an alert-to-investigation ratio and security labor allocation toward high-value activities. These metrics can assess whether agencies are achieving better outcomes while rationalizing investment trends toward AI-native capabilities that reduce noise, complexity and operational burden.
2. Explicitly recognize AI-native security systems as a preferred means of achieving zero trust objectives.
Federal policy should fund the use of AI-native security systems designed to operate without reliance on prior threat enumeration or continuous manual tuning. The Cybersecurity and Infrastructure Security Agency has already signaled this direction: the Secure Cloud Business Applications (SCuBA) baseline for Microsoft Exchange Online recommends that phishing protection include an AI-based phishing detection tool.
Beyond improved detection and prevention, AI-native systems materially change how limited cybersecurity personnel are used by allowing human expertise to focus on high-value activities such as deep investigation, incident response and strategic risk management, rather than chasing every alert generated by high-noise tooling.
In an environment where cybersecurity talent is scarce and mission demands are increasing, this shift is both operationally necessary and fiscally responsible.
3. Authorize autonomous decision-making within defined, auditable security boundaries.
Federal cybersecurity policy should explicitly authorize the use of autonomous decision-making in narrowly scoped security functions such as detection, containment and response. Actions must be clearly bounded in scope, observable, auditable after the fact, and governed by policy-defined intent rather than ad hoc exception. Security is the appropriate starting point for this shift, where speed directly affects outcomes and delayed response carries measurable risk.
Authorizing autonomy within defined boundaries acknowledges an operational reality: adversaries already operate at machine speed, and defense constrained to purely human-mediated decision making cannot consistently keep pace.
4. Modernize logging requirements to prioritize value over volume.
Since the issuance of M-22-09, many agencies have struggled to meet logging requirements in a way that clearly justifies and rationalizes their cost. Indiscriminate event collection has driven significant infrastructure expense and operational overhead without a corresponding increase in actionable security insight.
Logging should remain foundational, but policy should prioritize higher-value security signals over volume. AI-native systems make this shift feasible by identifying which activity is most relevant to risk, investigation and response, while preserving accountability and investigation value.
Completing the zero trust evolution
Zero trust began as a rethinking of trust boundaries in a world where networks could no longer be assumed safe. The next phase of zero trust should complete that evolution by rethinking how defense is executed and acknowledging that systems optimized to recognize known threats will always lag behind adversaries intent on novelty.
In an environment defined by continuous change, resilience depends not on knowing the threat, but on being able to stop it. Zero trust, refreshed in this way, can remain the foundation of federal cybersecurity without becoming its ceiling.
Yejin Jang is vice president of government affairs at Abnormal AI.
© 2026 Federal News Network. All rights reserved.