Why MFA Must Be Mandatory in the Age of AI and Agentic Models

FrogViews are Leapfrog’s top takeaways from the most informative articles on IT trends.

Over the past year, Leapfrog has watched AI evolve from a powerful assistant into something far more consequential: agentic systems capable of reasoning, acting autonomously, and chaining decisions at machine speed. These AI models don’t get tired, they don’t hesitate, and they don’t make the same mistakes humans do. They simply execute.

And that has fundamentally changed the threat landscape. Tasks that once demanded human coordination, such as credential stuffing, phishing personalization, and lateral movement, can now be automated, scaled, and continuously optimized by AI-driven tools.

For years, Leapfrog’s Chief Security Officer, Bryant G. Tow, has stressed Multi-Factor Authentication (MFA) as a best practice. Today, with the rapid growth of AI and autonomous attack tooling, Bryant insists, “MFA is no longer a recommendation, it’s a requirement for operational safety.”

AI Has Drastically Decreased the Mean Time to Exploit

Historically, attackers needed time, coordination, and skill to weaponize vulnerabilities. That era is over. AI can now find a vulnerability, write an exploit, and launch it, all without human involvement. The Mean Time to Exploit (MTE), the time it takes cyber criminals to start attacking newly discovered security weaknesses, used to be weeks or months. Now it is minutes.

Bryant reiterates, “The current compression of the MTE is one of the most dangerous shifts we’ve seen in decades.”

Identity Remains the Primary Attack Vector

Usernames and passwords are no longer meaningful security controls when AI models can generate realistic phishing lures, rapidly test stolen credentials, and exploit human behavior at machine speed. Static credentials are simply incompatible with an environment where attackers operate 24/7 and can iterate a near-infinite number of times.

This is why Bryant often reminds leaders, “Governance is your first line of defense. Policies, training, and hygiene matter more than any single tool.”

MFA directly addresses this imbalance. By requiring something a user has or is, MFA breaks the automation loop that AI-powered attacks depend on. Even when credentials are compromised, MFA introduces friction, signal, and detection opportunities that slow adversaries and expose malicious behavior.

As organizations deploy their own AI and agentic workflows, the blast radius of a compromised identity grows exponentially. A single compromised identity can now trigger automated actions, access sensitive data, or operate systems without human oversight.

Bryant refers to the strategy behind Leapfrog’s CyberRisk Beyond IT program: “In the arms race between attackers and defenders, people, process, and technology together are what keep you ahead.”

AI may be accelerating the threat landscape, but the fundamentals still win. When 55% of your cyber risk comes from the non-tech aspects of your organization, as Bryant puts it, “The best defenses are still practical ones: awareness, training, and consistent habits.”

MFA is one of those habits. It’s simple, proven, and effective—and it’s now essential.

Our Advice to Every Organization

Leapfrog has been advocating MFA for years. Today, we’re elevating it from “strongly recommended” to mandatory for responsible operations. We strongly advise organizations to fully implement MFA across all critical systems, identities, and remote access points.

Would your organization benefit from a more encompassing cyber risk strategy? Leapfrog offers full or co-managed IT support with vCSO services, protecting your assets and improving your operational efficiency. Reach out today to start a conversation.