Research Note · Identity Controls

Conditional Access Drift
How good policies quietly become useless

Conditional Access is often treated as a one-time control. In practice, it degrades slowly, through exceptions, legacy paths, and emergency bypasses, until it no longer enforces policy where attackers actually operate.

Most CA failures are not configuration mistakes; they are governance failures.

Executive summary

CA fails gradually, not catastrophically

Most organizations deploy Conditional Access correctly once. Over time, business pressure, migrations, vendor needs, and incident workarounds erode enforcement. Attackers exploit the paths that remain allowed.

Myth

“We have CA everywhere”

In practice, CA coverage is uneven. Legacy protocols, service accounts, and emergency exclusions quietly create high-trust lanes.

Reality

Attackers live in the gaps

Token reuse, consent abuse, and legacy auth paths allow attackers to operate inside “compliant” environments without triggering CA challenges.

Outcome

False confidence replaces risk reduction

Leadership assumes CA mitigates identity risk, until an incident demonstrates otherwise.

Drift mechanics

How Conditional Access erodes

Drift is caused by human decisions made under pressure, not by bad intent.

Temporary exceptions that never expire

Migration, outages, and vendor access often introduce exclusions that persist indefinitely.

Legacy authentication left enabled

Protocols and apps that bypass CA remain active for compatibility, creating permanent weak points.

Break-glass accounts misused

Emergency access becomes operational convenience, sidestepping CA entirely.

Policy sprawl without ownership

Multiple overlapping policies obscure intent and reduce enforceability.

Program direction

Treat CA as a living control plane

Conditional Access requires lifecycle management, not just configuration.

Assign explicit ownership

Someone must own CA drift: reviewing exceptions, validating coverage, and removing legacy paths.

Continuously validate coverage

Measure what traffic is actually governed by CA and what is not.

Monitor success events, not failures

Successful legacy logins and token usage are higher signal than blocked attempts.

Rehearse emergency access

Break-glass access should be tested, logged, and tightly constrained, not assumed safe.
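The two points above, validating coverage and monitoring successes rather than failures, can be turned into a simple audit over exported sign-in logs. The following is an added example, not code from Wolfe Defense Labs or Microsoft; it assumes the Microsoft Graph sign-in record field names (conditionalAccessStatus, clientAppUsed, status.errorCode, appliedConditionalAccessPolicies) and uses constructed sample records.

```python
from collections import Counter

# Constructed sample sign-in records. Field names follow the Microsoft Graph signIn
# resource; the accounts, policy names and values are made up for this example.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.test", "clientAppUsed": "Browser",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0},
     "appliedConditionalAccessPolicies": [{"displayName": "Require MFA", "result": "success"}]},
    {"userPrincipalName": "svc-backup@example.test", "clientAppUsed": "IMAP4",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0},
     "appliedConditionalAccessPolicies": [{"displayName": "Require MFA", "result": "notApplied"}]},
    {"userPrincipalName": "bob@example.test", "clientAppUsed": "Exchange ActiveSync",
     "conditionalAccessStatus": "failure", "status": {"errorCode": 53003},
     "appliedConditionalAccessPolicies": [{"displayName": "Block legacy auth", "result": "failure"}]},
    {"userPrincipalName": "breakglass-01@example.test", "clientAppUsed": "Browser",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0},
     "appliedConditionalAccessPolicies": [{"displayName": "Require MFA", "result": "notApplied"}]},
]

# clientAppUsed values that indicate legacy (non-modern) authentication.
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Authenticated SMTP", "Other clients"}


def audit_drift(signins):
    """Return the successful sign-ins that no CA policy governed, plus a coverage ratio.

    Blocked attempts (non-zero errorCode) are deliberately skipped: the control worked there.
    """
    findings = {"ungoverned": [], "legacy_success": [], "excluded_from": Counter()}
    governed = 0
    for s in signins:
        if s["status"]["errorCode"] != 0:
            continue
        if s["conditionalAccessStatus"] == "success":
            governed += 1
            continue
        # A success with no policy applied means the sign-in ran through a gap.
        findings["ungoverned"].append(s["userPrincipalName"])
        if s["clientAppUsed"] in LEGACY_CLIENTS:
            findings["legacy_success"].append(s["userPrincipalName"])
        # Count which policies were skipped, to surface exclusions that never expired.
        for p in s["appliedConditionalAccessPolicies"]:
            if p["result"] == "notApplied":
                findings["excluded_from"][p["displayName"]] += 1
    successes = governed + len(findings["ungoverned"])
    findings["coverage"] = governed / successes if successes else 1.0
    return findings


if __name__ == "__main__":
    for key, value in audit_drift(SAMPLE_SIGNINS).items():
        print(f"{key}: {value}")
```

On the sample data the audit reports two ungoverned successes (a service account over IMAP4 and a break-glass account), one policy skipped twice, and a coverage ratio of one third; the same loop runs unchanged over a real export of the signIns collection.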

Want to know where your CA policies no longer apply?

Wolfe Defense Labs helps organizations map Conditional Access coverage, identify drift, and restore enforcement where it actually reduces risk.
