Identity Is the Perimeter
There is no perimeter.
I've worked on enterprise security across three very different places — New York State government, a global bank, and now Microsoft — and the one thing each of them eventually learned, usually the expensive way, is that the network boundary isn't where the attackers are. The attackers are in the inbox. The attackers are in the session token. The attackers are holding a phone that is pretending to be a person.
The actual perimeter is an identity.
Once you accept that, the security program gets smaller and sharper. Most enterprises are running a hundred controls to defend a castle that was demolished in 2018. A small number of those controls still matter. The rest is theater.
Three things that actually move risk
Phishing-resistant MFA. Not SMS. Not push. FIDO2 / passkeys, or nothing. Every other factor is one distracted tap away from being someone else's account. The win isn't just fewer phish — it's an entire class of attack that stops being possible.
Conditional access that is actually conditional. "Require MFA" is not a policy. "Require a compliant device, from a known location, with a phishing-resistant factor, for this specific application" is a policy. Most organizations have the licenses. Very few have the muscle to wield them.
An audit log you actually read. Microsoft Entra ID gives you a rich identity event stream for free. Most customers forward it to a SIEM that nobody queries. If I could only keep one detection, it would be: this identity just did something it has never done before, from a place it has never been.
Three controls. That's most of the program.
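The one detection named above (an identity doing something it has never done, from somewhere it has never been) is simple enough to show in code. This is an added example, not from the original post or from any Microsoft product: it builds a per-identity baseline of apps and countries from a lookback window and flags new events that deviate from it. The log lines are constructed, shaped loosely after Entra ID sign-in fields, and the field names are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample events, loosely shaped after Entra ID sign-in log fields
# (userPrincipalName, appDisplayName, location). Not real tenant data.
BASELINE_LOG = """
{"user": "alice@example.com", "app": "Outlook", "country": "US"}
{"user": "alice@example.com", "app": "Teams", "country": "US"}
{"user": "alice@example.com", "app": "Outlook", "country": "GB"}
{"user": "bob@example.com", "app": "Outlook", "country": "US"}
{"user": "bob@example.com", "app": "Azure Portal", "country": "US"}
"""

NEW_LOG = """
{"user": "alice@example.com", "app": "Teams", "country": "GB"}
{"user": "alice@example.com", "app": "Azure Portal", "country": "US"}
{"user": "bob@example.com", "app": "Azure Portal", "country": "US"}
{"user": "bob@example.com", "app": "Graph Explorer", "country": "NG"}
"""

def parse(log):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(l) for l in log.strip().splitlines() if l.strip()]

def build_baseline(log):
    """Per identity: the apps it has used and the countries it has signed in from."""
    apps, countries = defaultdict(set), defaultdict(set)
    for e in parse(log):
        apps[e["user"]].add(e["app"])
        countries[e["user"]].add(e["country"])
    return apps, countries

def detect(baseline_log, new_log):
    """Return (user, app, country, severity) for events that deviate from baseline.
    'high' = new app AND new country together (the detection from the text);
    'low'  = only one of the two is new. An identity with no baseline at all
    scores 'high' on its first event, which is usually what you want."""
    apps, countries = build_baseline(baseline_log)
    alerts = []
    for e in parse(new_log):
        u = e["user"]
        new_app = e["app"] not in apps[u]
        new_country = e["country"] not in countries[u]
        if new_app and new_country:
            alerts.append((u, e["app"], e["country"], "high"))
        elif new_app or new_country:
            alerts.append((u, e["app"], e["country"], "low"))
    return alerts

if __name__ == "__main__":
    for alert in detect(BASELINE_LOG, NEW_LOG):
        print(alert)
```

In practice the baseline is rebuilt over a rolling window (30 days is a common choice) and the lookup runs against the SIEM rather than an in-memory dict, but the logic is exactly this.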
What most people miss
The real question isn't "how do we stop phishing?" It's "how do we make phishing irrelevant?" Those are different projects with different budgets and different success criteria.
The first is a forever-war. The second is a one-year plan.
Passkeys don't make phishing harder. They make phishing a category that no longer applies to you. That is a different kind of win — the kind that retires the threat rather than managing it — and it is available, right now, to any organization willing to do the unglamorous work of telling five thousand employees to re-enroll their factors.
Most won't. The ones that do are the ones I want to work with.