The Next Phase of Zero Trust: From Recognizing Known Threats to Stopping Threats

Federal News Network
May 13, 2026

Why It Matters

Shifting from threat recognition to threat stoppage will reduce breach windows and lower the cost of incident response across the federal enterprise, preserving national security and public trust.

Key Takeaways

  • M‑22‑09 anchored federal cyber goals to measurable controls such as phishing‑resistant MFA.
  • EvilTokens abuses the legitimate OAuth device‑code flow, so the attacker obtains tokens without ever handling the victim's password or MFA challenge.
  • AI‑enabled phishing reaches a 54% click‑through rate, roughly 4.5 times that of conventional phishing.
  • AI‑native systems model expected behavior to stop threats that no signature yet describes.
  • Policy should prioritize outcome metrics, autonomous response within auditable bounds, and high‑value logging.

Pulse Analysis

The 2022 Federal Zero Trust Strategy (OMB memorandum M‑22‑09) marked a watershed moment for U.S. government cybersecurity, translating abstract principles into concrete controls such as phishing‑resistant multi‑factor authentication and endpoint detection and response. By tying progress to measurable guardrails, agencies gained a shared language and oversight mechanisms. But the strategy's emphasis on detecting known threats has become a ceiling as adversaries adopt fast‑moving, novel techniques that slip past static defenses.

Artificial‑intelligence‑native security platforms are meant to raise that ceiling. Rather than waiting for a threat to be cataloged in a rule or signature, they build a model of expected user and system behavior and flag deviations before an attack fully materializes. The EvilTokens campaign illustrates why that matters: it abuses Microsoft's OAuth device‑code flow, luring the victim into completing a legitimate Microsoft sign‑in so that the tokens issued at the end of that flow land with the attacker, who never has to handle the victim's password or MFA challenge, and the resulting access can persist for weeks. Microsoft also reports that AI‑enabled phishing achieves a 54% click‑through rate, roughly 4.5 times that of conventional phishing, which underscores the urgency of moving from detection to outright prevention.
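In sign‑in telemetry, the device‑code abuse described above shows up as a deviation from an account's normal pattern, which is exactly what a behavioral baseline is meant to catch. The Python below is an added example, not code from the article, from Federal News Network, or from any vendor: it builds a per‑user baseline from constructed Microsoft Entra ID sign‑in records and flags device‑code sign‑ins that fall outside it. Field names (userPrincipalName, appDisplayName, authenticationProtocol, ipAddress, errorCode) mirror the Entra sign‑in log schema, flattened and with location reduced to a single country field for brevity; the users, IP addresses and timestamps are all invented.

```python
"""Behavioural baseline check for OAuth device-code sign-ins.

Added example, not from the article. Record fields mirror Microsoft Entra ID
sign-in logs (userPrincipalName, appDisplayName, authenticationProtocol,
ipAddress, errorCode); the log is flattened and every record is constructed.
"""
from collections import defaultdict
from datetime import datetime

DEVICE_CODE = "deviceCode"  # authenticationProtocol value for device-code sign-ins


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used by Entra sign-in logs."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def rec(ts, user, app, proto, ip, country, error=0):
    """Build one flattened sign-in record (errorCode 0 is a successful sign-in)."""
    return {"createdDateTime": ts, "userPrincipalName": user, "appDisplayName": app,
            "authenticationProtocol": proto, "ipAddress": ip, "country": country,
            "errorCode": error}


# Constructed sample log: a.lee is an ordinary Teams/Outlook user; b.ortiz is an
# engineer who legitimately signs in to Azure CLI with device code every week.
SIGNIN_LOGS = [
    rec("2026-04-20T13:02:11Z", "a.lee@agency.gov", "Microsoft Teams", "authorizationCode", "203.0.113.10", "US"),
    rec("2026-04-22T08:41:03Z", "a.lee@agency.gov", "Outlook", "authorizationCode", "203.0.113.10", "US"),
    rec("2026-04-28T16:10:59Z", "a.lee@agency.gov", "Microsoft Teams", "authorizationCode", "203.0.113.11", "US"),
    rec("2026-04-21T09:00:12Z", "b.ortiz@agency.gov", "Microsoft Azure CLI", DEVICE_CODE, "203.0.113.22", "US"),
    rec("2026-04-29T09:05:33Z", "b.ortiz@agency.gov", "Microsoft Azure CLI", DEVICE_CODE, "203.0.113.22", "US"),
    # Detection window: the token for a.lee's device-code sign-in is issued to a
    # client in a country and app this account has never used (phishing shape).
    rec("2026-05-12T09:15:44Z", "a.lee@agency.gov", "Microsoft Office", DEVICE_CODE, "198.51.100.77", "NL"),
    rec("2026-05-12T09:20:01Z", "b.ortiz@agency.gov", "Microsoft Azure CLI", DEVICE_CODE, "203.0.113.22", "US"),
    # A failed attempt (50126, invalid credentials) is ignored by both passes.
    rec("2026-05-12T11:02:17Z", "a.lee@agency.gov", "Microsoft Office", DEVICE_CODE, "198.51.100.77", "NL", error=50126),
]


def build_baseline(records, cutoff):
    """Per-user profile of successful sign-ins before `cutoff`: the apps,
    countries and protocols that count as normal for that account."""
    baseline = defaultdict(lambda: {"apps": set(), "countries": set(), "protocols": set()})
    for r in records:
        if r["errorCode"] != 0 or parse_ts(r["createdDateTime"]) >= cutoff:
            continue
        profile = baseline[r["userPrincipalName"]]
        profile["apps"].add(r["appDisplayName"])
        profile["countries"].add(r["country"])
        profile["protocols"].add(r["authenticationProtocol"])
    return dict(baseline)


def detect_device_code_anomalies(records, cutoff):
    """Flag successful device-code sign-ins at or after `cutoff` that deviate
    from the account's baseline. Each alert lists every deviating attribute so
    a responder sees why it fired rather than a bare score."""
    baseline = build_baseline(records, cutoff)
    alerts = []
    for r in records:
        if (r["authenticationProtocol"] != DEVICE_CODE or r["errorCode"] != 0
                or parse_ts(r["createdDateTime"]) < cutoff):
            continue
        profile = baseline.get(r["userPrincipalName"])
        reasons = []
        if profile is None or DEVICE_CODE not in profile["protocols"]:
            reasons.append("first device-code sign-in for this account")
        if profile is None or r["country"] not in profile["countries"]:
            reasons.append(f"country {r['country']} never seen for this account")
        if profile is None or r["appDisplayName"] not in profile["apps"]:
            reasons.append(f"app {r['appDisplayName']!r} never seen for this account")
        if reasons:
            alerts.append({"user": r["userPrincipalName"], "time": r["createdDateTime"],
                           "ip": r["ipAddress"], "app": r["appDisplayName"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    window_start = parse_ts("2026-05-01T00:00:00Z")
    for a in detect_device_code_anomalies(SIGNIN_LOGS, window_start):
        print(f"{a['time']} {a['user']} via {a['app']} from {a['ip']}: " + "; ".join(a["reasons"]))
```

Run as a script, the module reports a single alert, for a.lee: a first‑ever device‑code sign‑in, from a country and through an app never seen for that account, while b.ortiz's routine Azure CLI device‑code sign‑ins stay quiet. That is the shape a device‑code phishing login takes in the log, because the token is issued to the attacker's client, not the victim's device. Where a user population does not need device‑code sign‑in at all, a Conditional Access policy that blocks the device code authentication flow removes the attack surface outright, and a detector like this then only has to cover the documented exceptions.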

Policymakers are urged to recalibrate zero‑trust guidance toward outcome‑oriented capabilities, such as reduced mean time to detect and mean time to remediate, and to formally endorse autonomous decision‑making within auditable bounds. Modernizing logging to favor high‑value signals over sheer volume would further let AI systems prioritize real risk. Together these shifts promise a more resilient federal cyber posture in which agencies can stop attacks in real time regardless of novelty, safeguarding critical infrastructure and public confidence.
