The dashboard showed progress. Critical vulnerabilities were trending down, SLA adherence hovered in the low nineties, and weekly reports highlighted steady movement across teams. Tickets were created, owners were assigned, and remediation dates were tracked. From a governance standpoint, the system appeared to function. Exposure was visible, action was recorded, and timelines were in place.
But the pattern beneath the numbers was less stable. High-risk findings were sometimes reclassified to extend deadlines, exceptions accumulated to protect release schedules, and remediation work was quietly deferred when competing priorities emerged. Teams resolved what was convenient and postponed what was disruptive. The queue moved, but not always in the direction that reduced the most risk.
Frameworks aligned to NIST guidance and ISO control expectations require timely remediation of identified vulnerabilities based on severity and exposure. These requirements are typically operationalized through SLAs that define how quickly issues must be addressed once discovered.
In practical terms, the control establishes the following expectations:
- Critical and high-risk vulnerabilities must be remediated within defined timeframes
- Ownership must be assigned for each finding
- Status must be updated as remediation progresses
- Exceptions must be controlled, justified, and time-bound
- Evidence must demonstrate that remediation meets defined SLAs
These requirements operate within a system of interacting players.
This control operates across five players, each shaping how MFA behaves once it leaves policy and enters real systems. Their incentives are not aligned by default, and the control inherits that misalignment.
- Governor — defines MFA requirements and enforcement expectations
- Operator — implements MFA within technical and operational constraints
- User — experiences authentication friction and adapts behavior
- Adversary — exploits gaps through phishing proxies, token theft, and fatigue-based attacks
- Arbiter — evaluates whether MFA requirements are satisfied
The adversary does not attempt to defeat MFA directly. It observes where enforcement weakens and concentrates effort there.
The Governor defines MFA as a mechanism for reducing the probability of unauthorized access. The intended benefit is a lower likelihood of account compromise and a stronger security posture. However, the Governor does not directly absorb the cost required to achieve that outcome. That cost is distributed across Operators and Users, creating a structural imbalance between policy intent and operational reality.
The Operator must implement MFA across systems with varying levels of maturity. Full enforcement increases engineering effort, introduces additional failure points, and generates support overhead when authentication flows break or degrade. Minimal compliance reduces immediate cost and preserves system stability while still satisfying observable control requirements. The Operator therefore optimizes for a balance between implementation cost, system reliability, and delivery pressure rather than security alone.
The User experiences MFA as friction embedded within routine workflows. Each authentication step introduces time cost and cognitive interruption, which compounds at scale. When friction remains tolerable, compliance is stable. When friction increases, behavior shifts toward avoidance. Users rely on remembered devices, reuse sessions, or seek informal bypasses that preserve productivity. Over time, the system reflects user tolerance more than policy intent.
The Arbiter evaluates whether MFA is present and can be evidenced. This evaluation favors visibility over consistency. Meanwhile, the Adversary adapts. Instead of breaking authentication factors directly, attackers capture session tokens through phishing proxies, exploit inconsistent enforcement paths, and leverage fatigue-based techniques to induce user approval. This creates a repeated game in which attackers continuously adjust to the system’s weakest points.
At its core, this reduces to a strategic interaction between the Governor and the Operator.
Framing
The Governor determines how strictly MFA should be enforced, while the Operator determines how completely it is implemented. This interaction defines the system’s structure.
Matrix (Current State)
|
Operator: |
Operator: |
|
| Governor: Strict Enforcement |
Strong security, high operational cost |
Conflict, delivery friction, exception growth |
| Governor: Flexible Enforcement |
Balanced implementation, moderate cost |
Low cost, audit viability, weak security |
Interpretation
Full implementation under strict enforcement produces the strongest security outcome but carries significant operational cost. Authentication failures increase, user friction compounds, and engineering effort rises. This makes the outcome difficult to sustain without continuous alignment and investment.
Flexible enforcement combined with minimal compliance produces a different result. The control exists, audit requirements are satisfied, and operational disruption is minimized. From an economic perspective, this outcome minimizes implementation cost while preserving sufficient audit viability. It is therefore stable, even though it produces uneven security outcomes.
Most organizations settle into minimal compliance under flexible enforcement. MFA is implemented where it is easiest to deploy and most visible to evaluators, while more complex or disruptive areas remain partially covered. Exceptions accumulate, enforcement becomes inconsistent, and the control fragments across the system.
This equilibrium persists because it satisfies the immediate incentives of multiple players. Operators minimize disruption and preserve system stability. Users experience reduced friction and maintain productivity. Arbiters receive sufficient evidence to validate control presence. The system appears stable because it minimizes short-term cost.
The Adversary exploits this equilibrium by targeting inconsistent enforcement pathways. MFA is bypassed through session hijacking, phishing proxies, and fatigue-based attacks rather than direct compromise. As these gaps persist, the attacker’s expected payoff increases relative to the cost of attack.
The system tolerates this equilibrium because the perceived cost of disruption exceeds the perceived probability of compromise.
The Governor defines requirements that assume consistent enforcement, but the Operator must implement them under real constraints. This creates a persistent gap between intent and execution that is resolved through exceptions.
The Operator enforces MFA in ways that introduce friction, while the User adapts to reduce that friction. Over time, this interaction weakens enforcement without changing the formal requirement.
The Arbiter evaluates evidence rather than behavior. The system optimizes for what is measured, not what is effective.
To shift the system, incentives must be realigned. MFA cannot rely on uniform enforcement across all contexts, as this creates unnecessary cost and friction that destabilizes implementation.
Adaptive MFA introduces differentiation based on risk. High-risk access paths, such as privileged actions or anomalous behavior, trigger stronger authentication requirements, while low-risk interactions are streamlined. This reduces unnecessary friction while preserving strong control where it matters most.
Operators require architectural support to implement MFA consistently. Embedding MFA within identity systems reduces reliance on exceptions and aligns implementation with policy intent. This lowers operational cost while improving enforcement consistency.
Evaluation criteria must evolve beyond presence. Measuring enforcement consistency, exception management, and high-risk coverage shifts the system toward effectiveness and reduces adversary advantage.
With incentives realigned, MFA enforcement becomes more consistent across high-risk access paths while unnecessary friction is reduced in lower-risk scenarios. Users experience authentication as proportional rather than disruptive, and operators maintain system stability without undermining control intent.
The adversary’s position weakens as enforcement gaps narrow. Attack strategies that relied on inconsistent coverage become less effective, increasing the cost and complexity of exploitation. The system does not eliminate risk, but it redistributes it in a way that is more difficult to exploit.
The equilibrium shifts from cost minimization toward balanced optimization.
Matrix (New State)
|
Operator: |
Operator: |
|
| Governor: Risk-Based Enforcement |
Strong security, manageable cost (dominant) |
Visible gaps, elevated risk, audit pressure |
| Governor: Static SLA Enforcement |
Inconsistent outcomes | Weak control, adversary advantage |
Interpretation
Adaptive implementation aligned with risk-based enforcement becomes the dominant outcome because it balances cost and security more effectively than uniform enforcement. It reduces unnecessary friction while maintaining strong protection where risk is concentrated.
Minimal compliance becomes less stable as visibility improves and high-risk gaps become more apparent. Both internal pressure and adversary behavior reinforce the shift toward stronger enforcement.
In this system, the dominant strategy is risk-aligned remediation that prioritizes vulnerabilities based on exploitability, exposure, and operational impact while embedding remediation into normal engineering workflows and delivery cycles.
This works because the system begins rewarding sustained exposure reduction over statistical SLA performance, making prolonged deferral more costly over repeated cycles.
Vulnerability SLAs are often treated as static rules that define when remediation must occur. In practice, they operate inside a dynamic system shaped by engineering capacity, delivery pressure, operational stability, exploit availability, and governance incentives. The system does not optimize for remediation speed alone. It optimizes simultaneously for uptime, release continuity, measurable performance, and manageable disruption. Behavior follows that structure.
Over time, remediation queues begin reflecting organizational tradeoffs more than stated policy intent. Vulnerabilities that are costly to fix, disruptive to release schedules, or operationally inconvenient become easier to defer, reclassify, or absorb into exception processes. Meanwhile, adversaries continue adapting as exploit availability increases and exposure persists.
The game eventually reveals what the organization is truly willing to fix—and what it has learned to tolerate.








