By Jay Reddy, Head of Growth, ManageEngine
In early 2025, cyber fraud losses in India were reported to have crossed ₹36,450 crore, driven largely by phishing-led UPI attacks, SIM-swap exploitation, and credential compromise. Globally, account compromise surged 389 percent year over year, representing 50 percent of all threats. When attackers possess legitimate credentials, they bypass traditional defences and move from access to exploitation faster than most detection mechanisms can respond.
Regulatory tightening reflects this tension. The Reserve Bank of India’s mandate for two-factor authentication beginning in April 2026 strengthens verification at entry. However, stronger authentication alone addresses only initial verification. It does not resolve suspicious behaviour after access is granted.
Why authentication strength alone cannot sustain identity trust
In most enterprises, identity decision-making spans multiple control planes. Authentication systems evaluate context at login. Privileged access tools enforce elevation policies independently. Cloud authorisation layers apply their own logic within distributed environments. Each performs a necessary function, but they do not inherently operate from a unified confidence model.
As a result, identity assurance established in one layer may not reflect updated risk signals in another. Privilege adjustments may not immediately affect active sessions. Moreover, behavioural anomalies may be detected without proportionate authorisation changes. It is no longer sufficient to deploy strong authentication. The issue is the absence of continuous alignment between trust evaluation and enforcement.
Continuous adaptive trust addresses this absence by treating trust as a dynamic condition rather than a one-time outcome. It establishes a unified model in which authentication signals, entitlement posture, behavioural analytics, and access sensitivity are assessed collectively, with enforcement adjusting as conditions change.
As identity expands across hybrid cloud, automation frameworks, and AI-driven systems, this coordinated recalculation becomes essential. It also exposes a fundamental constraint: fragmentation.
Fragmentation prevents coherence and makes unification necessary
When identity systems function in isolation, identity views diverge. Authentication may elevate trust based on contextual familiarity, while governance systems may decline it due to excessive privilege. Cloud entitlements may evolve independently of on-premises controls. When update cycles vary, enforcement decisions are not synchronised.
In increasingly dynamic identity environments, these inconsistencies are no longer marginal. Privilege assignments shift rapidly, contextual risk fluctuates in real time, and behavioural signals emerge mid-session. Disconnected tools and periodic coordination cannot sustain coherent trust evaluation under such conditions.
Sustaining continuous adaptive trust therefore requires deliberate unification. Identity context must be correlated holistically, decision logic must be harmonised, and enforcement must be synchronised across the identity stack. Without such integration, trust decisions diverge, response latency increases, and risk accumulates between systems.
However, while continuous adaptive trust is frequently associated with Zero Trust, the two concepts are not identical.
Distinguishing zero trust from continuous adaptive trust
Zero Trust is a security paradigm that replaces implicit trust with continuously assessed explicit trust based on identity and context. It emphasises least privilege and the elimination of standing assumptions about network location or user posture.
However, Zero Trust is strategic in nature. It defines an objective but does not prescribe the mechanics of how identity trust should be calculated and recalculated within access workflows.
Continuous Adaptive Trust is an architectural approach to implementing identity trust within a Zero Trust paradigm. It treats authentication as one form of evidence among many and requires that trust be recalculated as new signals emerge. It also requires that identity trust be evaluated in conjunction with access risk rather than in isolation.
An organisation may implement multi-factor authentication and conditional access policies and consider itself aligned with Zero Trust. However, if authentication outcomes are implicitly trusted without ongoing recalibration, trust evaluation remains episodic rather than continuous.
This also exposes a practical limitation in many Zero Trust deployments: Authentication controls are strengthened, but access decisions are not always continuously aligned with evolving risk conditions.
Continuous adaptive trust as the operational model for identity security
Continuous adaptive trust shifts identity decision-making from static authentication checkpoints to ongoing evaluation of identity confidence and access risk.
Balancing identity trust with access risk
In most architectures, contextual signals are evaluated at login. Additional authentication may be required when thresholds are exceeded, and successful verification allows the session to proceed. This improves initial assurance but assumes authentication represents a definitive checkpoint.
Risk conditions rarely remain static. Behavioural anomalies, privilege elevation, threat intelligence updates, and environmental changes can alter the risk posture during an active session. Authentication methods themselves may also provide varying levels of assurance depending on the attack context.
Continuous Adaptive Trust addresses this by evaluating authentication outcomes as one signal within an ongoing trust model. Identity confidence is reassessed using contextual and behavioural signals throughout the session life cycle while the system simultaneously evaluates the risk associated with the requested action.
Access risk varies according to asset sensitivity, transaction value, privilege scope, environmental threat conditions, and organizational tolerance thresholds. Moderate identity confidence may suffice for routine actions but be insufficient for high-impact operations such as privileged changes or sensitive data access.
Continuous Adaptive Trust maintains alignment between identity trust and access risk. As signals change, authentication requirements, access permissions, and session controls adjust accordingly. Trust evaluation therefore extends beyond login and persists throughout the session life cycle.
Translating identity analysis into adaptive response
Identity analytics provides the evidentiary foundation for continuous trust evaluation. Signals such as device familiarity, historical usage patterns, and behavioural deviations help determine whether activity remains consistent with expected identity behaviour. Entitlement analytics can also reveal excessive privilege concentration or structural exposure across distributed environments.
These observations resemble signals used in identity threat monitoring, where patterns and anomalies are analysed to detect suspicious activity. However, analysis alone does not alter the system state.
Continuous adaptive trust requires that these signals influence access decisions as activity unfolds. Authentication systems, governance platforms, privileged access controls, cloud authorisation layers, and security analytics tools all generate signals or apply controls within their own domains. Continuous adaptive trust brings these signals together so that identity confidence and access risk can be evaluated jointly and decisions can adapt during user interaction rather than remaining fixed at login.
When additional authentication occurs, its outcome feeds into the ongoing trust evaluation. When privileges change or anomalies persist, subsequent actions reflect the updated posture. In this model, analytics functions as the observation layer, while coordinated system responses translate those observations into operational decisions.
Without this connection, analytics remain informational. With it, trust assessment and system response form a continuous operational cycle.
Sustaining continuous adaptive trust requires architectural discipline
Continuous Adaptive Trust defines how organisations can achieve the Zero Trust objective by continuously evaluating identity signals and aligning identity trust with the risk of the action being performed.
Achieving this requires identity systems that can analyse signals continuously and respond automatically as conditions change. When authentication platforms, governance systems, privileged access controls, and cloud authorisation layers operate independently, signals remain fragmented and trust decisions cannot adapt in time.
Sustaining continuous adaptive trust therefore requires deliberate architectural integration across the identity stack, ensuring that identity signals, risk evaluation, and system responses operate as a coordinated control system rather than as isolated mechanisms.