Zero Trust secures access. Authority Control secures consequence.

Authority Control does not prevent credential compromise. It prevents compromised credentials from creating unauthorized consequence.

Authority Control does not protect the token. It protects what the token is allowed to do.

Data Control

Authority Control introduces a structural constraint where one has not previously existed.

2025: 3,322 data compromises [1] (ITRC annual report series). Record high in 2025; 79% increase over five years.
2025: 278.8M individuals impacted [1] (ITRC annual report series). 2024 spiked on mega-breaches; 2025 fell as attacks became more targeted.
2025: $10.22M average U.S. breach cost [2] (IBM/Ponemon report series). Record high in 2025; 9% year-over-year increase.
Records compromised per breach, 2007 to 2024
2007: TJX Companies, 94M [3]
2009: Heartland Payment, 130M [3]
2015: Anthem, 80M [4]
2015: OPM, 21.5M [5]
2017: Equifax, 147M [6]
2018: Marriott, 500M [3]
2024: Change Healthcare, 190M [7]
2024: National Public Data, 2.9B [8]

Access controls have grown more sophisticated every year. The scale of consequence has grown faster.

The structural gap
Fine-grained access control narrows what an identity can reach. Fine-grained authority control would narrow what that identity can do with that reach.
Access scope (what the identity can reach) overlapped with authority limits (what the identity is allowed to produce) = authorized consequence.
Data actions that create consequence:
Export: bulk extraction beyond need.
Reclassification: changing sensitivity or access tier.
Deletion: irrecoverable removal of records.
Scope expansion: widening retrieval or query boundaries.
Publication: release into an operational or external system.
Training approval: authorization for model training or fine-tuning.

Where Authority Control operates

Authority Control is deployed by the organization that defines data authority, owns the data, and controls the integrations that move it. The customer holds the defining role. Authority Control enforces what the customer has defined.

This is deployable today against existing data exposures, without waiting for platform vendors. Every SaaS integration, every delegated token, every automated pipeline that moves data is a commitment surface where Authority Control can be applied at the customer edge.

Where the gap appears

Access controls pass. Authority over consequence remains open. Access is verified. Commitment is not.

Access verified, then the authority gap; with Authority Control enforced, consequence is bounded.
OAuth Integration Data Exfiltration (Salesloft / Drift, 2025)

Current Exposure

OAuth tokens used for a legitimate Drift-to-Salesforce chatbot integration were used to extract Salesforce data across 700+ customer organizations. Every enterprise that consumes OAuth-mediated SaaS integrations carries this structural exposure today.

Why Zero Trust Does Not Stop It

Zero Trust verifies the token and the session. It does not evaluate whether the bulk export action matches what the integration was trusted to do. Authentication is not authority.

What Authority Control Changes
Constrain: The customer defines authority scope for the integration: allowed actions, prohibited actions, magnitude limits, and aggregate exposure bounds.
Inform: Authority Control evaluates each action against the authority scope through Salesforce Event Monitoring. Anomalies and out-of-scope attempts are signaled to the access layer in real time.
Enforce: Bulk export attempts that exceed the defined scope are held with a durable, attributable record, regardless of whether the underlying token is authenticated.
Authority Enforced (Authority Control)

Compromised tokens cannot create consequence beyond the authority scope defined for the integration. The exposure of a compromised integration is bounded by what the integration was authorized to do, not by what its credentials technically allow.

Who deploys: The Salesforce customer, not Salesforce itself. No platform vendor cooperation is required.

Catastrophic-Scale Exfiltration (Change Healthcare, 2024)

Current Exposure

Every healthcare processor, payer, and clearinghouse carries this exposure today. Authenticated access to processing systems can still create catastrophic data-movement consequence unless bulk extraction is evaluated as a distinct authority class before execution.

Attackers accessed Change Healthcare systems and exfiltrated data for 192.7 million individuals, including medical data, SSNs, and insurance information.

Why Zero Trust Does Not Stop It

Zero Trust verifies credentials, network paths, and application access. It does not evaluate whether a specific bulk data movement request falls within authorized commitment scope at catastrophic volume.

What Authority Control Changes
Constrain: Bulk data movement is treated as a distinct commitment class with volume thresholds, data-class limits, and escalation rules.
Inform: Large or unusual data-movement patterns are surfaced before enforcement is enabled.
Enforce: Data movement outside defined scope is held or blocked with a durable decision record.
Authority Enforced (Authority Control)

No single identity holds authority for consequence at that magnitude. The blast radius of valid access is bounded by what the identity is authorized to move, not just by what the systems can technically export.

API Misconfiguration (TransUnion, 2025)

Current Exposure

Every enterprise running third-party APIs and SaaS integrations carries this exposure today. A path that serves one legitimate lookup can also serve millions of records unless lookup and bulk extraction are governed as different commitment classes.

Attackers exploited misconfigured API permissions in a third-party Salesforce integration, exfiltrating SSNs and credit data for 4.4 million customers.

Why Zero Trust Does Not Stop It

Zero Trust verifies the third-party integration, the Salesforce environment, and the API path. It does not evaluate whether the bulk export action matches what the integration was trusted to do. Authentication is not authority.

What Authority Control Changes
Constrain: Single-record lookup and bulk query are governed as distinct action classes, with ceilings per integration identity and exclusions for SSN-class fields.
Inform: Bulk query anomalies are signaled before enforcement is turned on.
Enforce: Bulk exports above threshold are held with a durable, attributable record.
Authority Enforced (Authority Control)

A third-party integration cannot create data consequence beyond the authority scope defined for it. The exposure is bounded by what the integration is authorized to retrieve, not by what its credentials can technically reach.

Insider Data Exfiltration (Coinbase, 2025)

Current Exposure

Overseas support contractors used legitimate access to exfiltrate customer data for 69,461 users, including partial SSNs and ID images. Their data interactions were structurally indistinguishable from legitimate support operations.

Estimated cost: $400 million. Least privilege was satisfied. Least authority was absent.

Why Zero Trust Does Not Stop It

Zero Trust verifies contractor identity, role-based access, and the application path. It does not evaluate whether viewing, copying, and exporting fall within distinct authority classes at aggregate scale.

What Authority Control Changes
Constrain: Viewing, copying, and exporting are treated as distinct action classes with aggregate ceilings per contractor identity.
Inform: Volume anomalies and access outside active ticket context are surfaced before enforcement is turned on.
Enforce: Data actions outside defined scope are held with a durable, attributable record.
Authority Enforced (Authority Control)

A support identity cannot create data consequence beyond the authority scope defined for it. The exposure is bounded by what the identity is authorized to move, not just by what the systems technically allow.

The structure
Across every case, the breach vector differs. The consequence pattern is the same.
Access
The attacker reaches the data. The vector varies.
Gap
Data actions that create consequence proceed with no structural gate. Reaching the data and creating consequence through it are treated as equivalent.
Authority
Each data action is evaluated against verified authority: type, scale, timing, source. The consequence surface shrinks from everything the identity can reach to what it is authorized to commit.

Access narrows reach. Authority narrows consequence. Together, they bound blast radius as a function of two independent dimensions.
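The Constrain / Inform / Enforce pattern the four cases describe (distinct action classes, per-action magnitude limits, aggregate exposure bounds, field exclusions, and a durable attributable decision record) can be illustrated as a small policy evaluator. The code below is an added example written for this page; it is not the product's code and it does not use Salesforce Event Monitoring or any vendor API. The identity name, field names, thresholds and the event sequence are all constructed for the demo. The scenario is the first case: an integration token authorized only for single-record lookups, then used for an SSN-bearing lookup, an export, a bulk query, an over-sized lookup, and finally a run of small lookups that together exceed the aggregate bound.

```python
"""Added example: an authority-scope evaluator (constructed; not the page's or any vendor's code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import json

BULK_THRESHOLD = 100  # rows; at or above this a query is governed as "bulk_query", not "lookup"


@dataclass(frozen=True)
class AuthorityScope:
    """What the data owner has authorized an identity to produce (the Constrain step)."""
    allowed_actions: frozenset          # action classes the identity may commit
    max_rows_per_action: int            # magnitude limit for a single action
    max_rows_per_window: int            # aggregate exposure bound across the window
    window: timedelta
    excluded_fields: frozenset = frozenset()  # field classes never authorized (e.g. SSN)


@dataclass(frozen=True)
class DataAction:
    identity: str
    action: str        # "lookup", "export", "delete", ...
    rows: int
    fields: frozenset
    at: datetime


class AuthorityControl:
    def __init__(self, scopes):
        self.scopes = scopes
        self.history = defaultdict(list)  # identity -> [(at, rows)] of allowed actions only
        self.ledger = []                  # hash-chained decision records (the durable record)
        self._prev_hash = "0" * 64

    def _record(self, action, decision, reason):
        entry = {"identity": action.identity, "action": action.action, "rows": action.rows,
                 "at": action.at.isoformat(), "decision": decision, "reason": reason,
                 "prev": self._prev_hash}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._prev_hash = entry["hash"]
        self.ledger.append(entry)
        return entry

    def evaluate(self, action):
        """Evaluate one action against the identity's scope; authentication is assumed to have passed."""
        scope = self.scopes.get(action.identity)
        if scope is None:
            return self._record(action, "hold", "no authority scope defined")
        # A query at bulk volume is a different action class from a single-record lookup.
        klass = "bulk_query" if action.action == "lookup" and action.rows >= BULK_THRESHOLD else action.action
        if klass not in scope.allowed_actions:
            return self._record(action, "hold", f"action class '{klass}' outside authority scope")
        excluded = action.fields & scope.excluded_fields
        if excluded:
            return self._record(action, "hold", f"excluded fields requested: {sorted(excluded)}")
        if action.rows > scope.max_rows_per_action:
            return self._record(action, "hold",
                                f"magnitude {action.rows} exceeds per-action limit {scope.max_rows_per_action}")
        since = action.at - scope.window
        recent = sum(r for t, r in self.history[action.identity] if t >= since)
        if recent + action.rows > scope.max_rows_per_window:
            return self._record(action, "hold",
                                f"aggregate {recent + action.rows} exceeds window bound {scope.max_rows_per_window}")
        self.history[action.identity].append((action.at, action.rows))
        return self._record(action, "allow", "within authority scope")

    def verify_ledger(self):
        """Recompute the hash chain so tampering with a past decision is detectable."""
        prev = "0" * 64
        for e in self.ledger:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo():
    """Constructed scenario: a chatbot integration authorized for single-record lookups only."""
    t0 = datetime(2025, 8, 1, 9, 0, 0)
    scopes = {"chatbot-integration": AuthorityScope(
        allowed_actions=frozenset({"lookup"}), max_rows_per_action=10,
        max_rows_per_window=500, window=timedelta(hours=1), excluded_fields=frozenset({"ssn"}))}
    ac = AuthorityControl(scopes)
    decisions = [ac.evaluate(a)["decision"] for a in (
        DataAction("chatbot-integration", "lookup", 1, frozenset({"name", "email"}), t0),
        DataAction("chatbot-integration", "lookup", 1, frozenset({"name", "ssn"}), t0 + timedelta(minutes=1)),
        DataAction("chatbot-integration", "export", 1, frozenset({"name"}), t0 + timedelta(minutes=2)),
        DataAction("chatbot-integration", "lookup", 5000, frozenset({"name"}), t0 + timedelta(minutes=3)),
        DataAction("chatbot-integration", "lookup", 50, frozenset({"name"}), t0 + timedelta(minutes=4)),
    )]
    # Many in-scope lookups still hit the aggregate bound: 1 row already allowed + 49 x 10 = 491, the 50th would reach 501.
    aggregate = [ac.evaluate(DataAction("chatbot-integration", "lookup", 10, frozenset({"name"}),
                                        t0 + timedelta(minutes=10 + k)))["decision"] for k in range(50)]
    return decisions, aggregate, ac


if __name__ == "__main__":
    d, agg, ac = demo()
    print(d, agg.count("allow"), agg.count("hold"), ac.verify_ledger())
```

Each held action records why it was held and who asked, which is the attributable record the Enforce step calls for; allowed actions are charged against the rolling window so that volume spread across many small in-scope requests is bounded as well as a single large one.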

Sources
  1. ITRC, 2023 Annual Data Breach Report (18th edition), released January 25, 2024; 3,205 compromises and 353,027,892 individuals impacted.
  2. ITRC, 2024 Annual Data Breach Report (19th edition); 3,152 compromises and approximately 1.35 billion individuals impacted.
  3. ITRC, 2025 Annual Data Breach Report (20th edition), released January 29, 2026; 3,322 compromises and 278,827,933 victim notices.
  4. IBM Security and Ponemon Institute, Cost of a Data Breach Report 2024; average U.S. breach cost of $9.48M for 2023.
  5. IBM Security and Ponemon Institute, Cost of a Data Breach Report 2025; average U.S. breach cost of $10.22M for 2025.
  6. Compiled from SEC filings, FTC enforcement actions, and company breach disclosures.
  7. Anthem Inc., breach notification filing, February 2015; HHS Office for Civil Rights.
  8. U.S. Office of Personnel Management, cybersecurity incident disclosures, 2015.
  9. UnitedHealth Group and Change Healthcare breach disclosures, 2024.
  10. National Public Data breach disclosures and reporting, 2024.