The Evidence

Every access check passes.
The consequence is ungoverned.

Six cases across finance, infrastructure, supply chain, and telecommunications. Each follows the same structural pattern.

Zero Trust verifies access: who can get in, from what device, through what network, and under what conditions. It does not verify whether the actor holds organizational authority to bind the organization through the system they accessed.

That gap sits at the commitment boundary, the moment a system action becomes a real organizational commitment. The following cases show what happens when access is verified but authority is not.

Where the gap appears

Each case follows the same pattern. Access is verified. Authority is not.

Network Compromise (Bangladesh Bank, 2016)

Attackers used stolen SWIFT operator credentials to submit 35 fraudulent transfer requests totaling $951 million against the bank's account at the Federal Reserve Bank of New York. Five transfers totaling $101 million were processed; a spelling error in a beneficiary name prompted a manual review that stopped the remaining requests and recovered $20 million.

$81 million reached accounts in the Philippines and was mostly never recovered. Each transfer was a binding financial commitment that passed every access control in the chain.

Transfer authority bounded per identity. Aggregate exposure evaluated across transactions. Unauthorized commitments at that scale do not execute.

Access verified (Zero Trust)
  • Authenticated SWIFT credentials accepted
  • Messages carried over SWIFT's closed member network and accepted by the correspondent bank
  • Credentials carried legitimate transaction capability
  • Transaction format structurally valid
  • Monitoring present (flagged anomalies only after execution)

All access controls pass.

Commitment boundary failure
Class: Financial transfer
Scale: $81M executed, far beyond intended authority
Chain: No enforced approval chain at execution point
Authority enforced (Authority Control)
  • Apply transfer authority limits per identity
  • Use an authorization chain for high-value transfers
  • Assess aggregate exposure across transactions
  • Route out-of-scope transfers for review or escalation before execution
Insider Threat (Wells Fargo, 2011–2016)

Under sales-quota pressure, employees used legitimate system access to open approximately 3.5 million deposit and credit card accounts that customers had not authorized. Each account opening was a routine operation within the employees' system permissions.

Roughly $3 billion in fines and settlements, including the 2020 resolution with the DOJ and SEC. Every fraudulent account was a binding customer obligation the system permitted but the organization never authorized.

Account creation authority constrained by organizational authorization, not just system permissions. Aggregate volume anomalies detected against established authority limits.

Access verified (Zero Trust)
  • Employee identity authenticated
  • Role-based access to account creation systems valid
  • Actions occurred within authorized business applications
  • Transaction logging active for each account creation
  • Individual actions indistinguishable from legitimate operations

All access controls pass.

Commitment boundary failure
Class: Customer account creation
Scale: 3.5 million unauthorized accounts
Chain: No authorization alignment between role permissions and binding customer obligations
Authority enforced (Authority Control)
  • Limit account-creation authority by role and purpose
  • Surface aggregate volume anomalies against established authority limits
  • Align the action with documented organizational intent
  • Create durable attributable records for each account created
Supply Chain (SolarWinds, 2020)

Adversaries compromised the Orion build environment and inserted a backdoor (SUNBURST) into updates as they were compiled. The tampered update was signed with SolarWinds' legitimate code-signing certificate, distributed through the normal update channel, and installed by up to 18,000 customers, including U.S. federal agencies.

The backdoored updates shipped from March 2020 and were discovered in December 2020, giving the attackers roughly nine months of access to networks including the Treasury, Commerce, and Homeland Security departments, all through a trusted software update.

Each release treated as a commitment event with authority verification. Distribution scope bounded by explicit authority constraints. Unauthorized propagation blocked.

Access verified (Zero Trust)
  • Build system credentials authenticated
  • Pipeline stages segmented and connected via trusted paths
  • Code signing attested that the update came from the vendor's build system (the signature on the tampered build was valid)
  • Distribution channels authorized and encrypted
  • Monitoring and logging active across build environment
  • Endpoint protection present on build servers

All access controls pass.

Commitment boundary failure
Class: Software trust propagation
Scale: 18,000 organizations received compromised updates
Chain: No authority verification on downstream trust distribution
Authority enforced (Authority Control)
  • Handle each software release as a governed commitment
  • Check authority against the intended distribution scope
  • Associate the release with explicit authority constraints
  • Apply limits to downstream propagation scale
Financial Services (JPMorgan London Whale, 2012)

Traders at JPMorgan's Chief Investment Office grew the Synthetic Credit Portfolio from $51 billion to $157 billion in notional exposure during the first quarter of 2012. Internal risk limits were breached more than 330 times. Each breach generated a warning. None prevented the next trade.

$6.2 billion in losses from binding financial obligations the trading system permitted but the organization never authorized at that scale.

Risk limits become structural constraints on the next commitment. As risk limits are approached, the system reduces what actions are allowed. Model changes require independent authorization.

Access verified (Zero Trust)
  • Trader identity authenticated with institutional credentials
  • Access to trading platforms role-authorized
  • Network segmentation within CIO trading infrastructure
  • Risk monitoring and reporting systems active
  • Transaction logging for every trade
  • Compliance monitoring and position reporting operational
  • No anomalous access behavior detected

All access controls pass.

Commitment boundary failure
Class: Financial commitment (derivatives trading)
Scale: $157 billion notional exposure, 330+ limit breaches
Chain: Risk limits produced warnings but did not control the next trade; VaR model changed without independent authorization
Authority enforced (Authority Control)
  • Apply aggregate position limits as structural constraints
  • Narrow what actions are allowed as risk limits are approached
  • Use independent authorization for model changes
  • Create durable records linking each trade to verified authority
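As an added example, not code from the page or from any institution named in it, the Python below applies the controls listed for the Bangladesh Bank, Wells Fargo and London Whale cases at a single commitment boundary: a per-identity limit on one commitment, an aggregate exposure window, a second-party release for held commitments, outright refusal once the hard limit would be crossed, and a durable record of every decision. The authority profile, limits, identities and the 35 request amounts are constructed for the illustration and are not the real figures; the same logic applies to a count of accounts opened or to a notional position, with the units changed.

```python
"""Commitment-boundary gate: evaluates authority to bind, not access.
Added illustration; limits, identities and amounts are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Authority:
    """Hypothetical authority profile for one identity, separate from its access role."""
    actor: str
    per_commitment_limit: int  # largest single commitment the actor may bind alone
    soft_aggregate_limit: int  # projected exposure above this needs a second party
    hard_aggregate_limit: int  # projected exposure above this is refused outright
    window: timedelta          # how far back executed commitments count as exposure


@dataclass
class CommitmentRecord:
    """Durable, attributable record of one decision at the commitment boundary."""
    seq: int
    actor: str
    amount: int
    at: datetime
    decision: str              # "allow", "escalate" or "deny"
    reason: str
    exposure_after: int
    approver: Optional[str] = None


class CommitmentGate:
    def __init__(self, authorities: list) -> None:
        self._auth = {a.actor: a for a in authorities}
        self.ledger: list = []

    def exposure(self, actor: str, now: datetime) -> int:
        """Aggregate of commitments that actually executed inside the actor's window."""
        cutoff = now - self._auth[actor].window
        return sum(r.amount for r in self.ledger
                   if r.actor == actor and r.decision == "allow" and r.at >= cutoff)

    def evaluate(self, actor: str, amount: int, now: datetime) -> CommitmentRecord:
        auth = self._auth.get(actor)
        if auth is None:  # fail closed: authenticated but holding no authority binds nothing
            return self._record(actor, amount, now, "deny", "no authority profile", 0)
        current = self.exposure(actor, now)
        projected = current + amount
        if projected > auth.hard_aggregate_limit:
            return self._record(actor, amount, now, "deny",
                                f"projected exposure {projected} exceeds hard limit", current)
        if amount > auth.per_commitment_limit or projected > auth.soft_aggregate_limit:
            # Held, not executed: exposure is unchanged until a second party releases it.
            return self._record(actor, amount, now, "escalate",
                                "single-commitment or soft aggregate limit reached", current)
        return self._record(actor, amount, now, "allow", "within authority", projected)

    def approve(self, held: CommitmentRecord, approver: str, now: datetime) -> CommitmentRecord:
        """Second-party release of a held commitment; the hard limit still applies."""
        if held.decision != "escalate" or approver == held.actor:
            raise ValueError("only a different party may release an escalated commitment")
        current = self.exposure(held.actor, now)
        if current + held.amount > self._auth[held.actor].hard_aggregate_limit:
            return self._record(held.actor, held.amount, now, "deny",
                                "hard limit reached at approval time", current, approver)
        return self._record(held.actor, held.amount, now, "allow",
                            f"released by {approver}", current + held.amount, approver)

    def _record(self, actor, amount, now, decision, reason, exposure_after,
                approver=None) -> CommitmentRecord:
        rec = CommitmentRecord(len(self.ledger) + 1, actor, amount, now,
                               decision, reason, exposure_after, approver)
        self.ledger.append(rec)
        return rec


# Constructed scenario: 35 requests from one credentialed operator, every one of
# which a pure access check (valid operator role) would pass.
OPERATOR = "swift-operator-1"
CONSTRUCTED_REQUESTS = [27_000_000] * 34 + [50_000_000]
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def demo() -> dict:
    gate = CommitmentGate([Authority(OPERATOR, 30_000_000, 60_000_000,
                                     100_000_000, timedelta(hours=24))])
    for i, amount in enumerate(CONSTRUCTED_REQUESTS):
        gate.evaluate(OPERATOR, amount, T0 + timedelta(minutes=i))
    out = {d: sum(1 for r in gate.ledger if r.decision == d)
           for d in ("allow", "escalate", "deny")}
    later = T0 + timedelta(hours=1)
    out["executed_before_release"] = gate.exposure(OPERATOR, later)
    # A supervisor releases one held request; the release consumes authority too.
    held = next(r for r in gate.ledger if r.decision == "escalate")
    out["release"] = gate.approve(held, "ops-supervisor", later).decision
    out["exposure_after_release"] = gate.exposure(OPERATOR, later)
    out["next_request"] = gate.evaluate(OPERATOR, 27_000_000, later).decision
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two properties matter here. Escalated requests do not count as exposure until a different party releases them, so an actor who can only authenticate cannot ratchet the aggregate up by submitting more; and the release itself is checked against the hard limit, so the second approver cannot push the total past it either. An access-control check on the same 35 requests would have passed every one.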
Critical Infrastructure (Volt Typhoon / Colonial Pipeline)

Volt Typhoon (2023–2024): a Chinese state-sponsored group pre-positioned within U.S. water, energy, and transportation networks using valid accounts and built-in administrative tools (living off the land). Colonial Pipeline (2021): a ransomware intrusion that began with a legacy VPN account lacking multi-factor authentication led to a six-day pipeline shutdown affecting East Coast fuel supply. Both turned authorized access paths into operational consequences.

Volt Typhoon: pre-positioned for operational disruption through stolen credentials. Colonial Pipeline: a $4.4 million ransom paid and six days of regional fuel disruption. In both cases, administrative access translated directly into operational consequence.

Operational commands require authority verification independent of access credentials. System-wide impact requires multi-party authorization commensurate with consequence scale.

Access verified (Zero Trust)
  • Identity verification passed (legitimate or stolen credentials)
  • Device compliance checked
  • Network segmentation enforced across infrastructure zones
  • Endpoint detection and response active
  • SIEM logging and behavioral analytics running
  • Workload integrity monitoring present
  • Administrative commands issued through valid interfaces
  • Living-off-the-land techniques operated within all controls

All access controls pass.

Commitment boundary failure
Class: Operational commands affecting physical infrastructure
Scale: System-wide: water, energy, transportation, fuel distribution
Chain: No structural distinction between administrative access and authority to alter critical operations
Authority enforced (Authority Control)
  • Check authority for operational commands separately from access
  • Apply scope and magnitude limits to physical changes
  • Use multi-party authorization for system-wide impact
  • Associate commands with approved operational windows and conditions
  • Keep administrative access separate from operational disruption capability
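An added example, not the page's or any vendor's code: a Python gate that treats a software release (or an operational command) as a governed commitment, covering the SolarWinds and Volt Typhoon lists above. Each approval is bound to the SHA-256 of the exact artifact, to a named distribution scope and to an expiry, and a scope-specific quorum of distinct, role-authorized approvers is required before anything ships. The artifacts, approver names, keys and policy are constructed; HMAC with a per-approver key stands in for a real signature so the block runs with the standard library alone. For the infrastructure case, the bytes of a command script take the place of the build artifact and the scope names the blast radius.

```python
"""Release / operational-command gate: approvals bound to exact artifact, scope
and window, with a quorum of distinct approvers. Added illustration; keys,
policy and artifacts are constructed, and HMAC stands in for approver signatures."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Approval:
    approver: str
    digest: str       # sha256 of the exact artifact or command being approved
    scope: str        # distribution scope or blast radius, e.g. "all-customers"
    not_after: str    # ISO timestamp; the approval is void after this
    mac: str          # HMAC over the fields above with the approver's key


APPROVER_KEYS = {                      # constructed; one key per approver
    "release-manager": b"rm-key-constructed",
    "security-reviewer": b"sr-key-constructed",
    "build-bot": b"bot-key-constructed",
}

# Who may authorize which scope, and how many distinct approvers are needed.
POLICY = {
    "internal-canary": {"quorum": 1, "roles": {"release-manager"}},
    "all-customers": {"quorum": 2, "roles": {"release-manager", "security-reviewer"}},
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _payload(approver: str, digest: str, scope: str, not_after: str) -> bytes:
    return json.dumps({"approver": approver, "digest": digest, "scope": scope,
                       "not_after": not_after}, sort_keys=True).encode()


def sign_approval(approver: str, artifact: bytes, scope: str, not_after: str) -> Approval:
    digest = sha256(artifact)
    mac = hmac.new(APPROVER_KEYS[approver], _payload(approver, digest, scope, not_after),
                   hashlib.sha256).hexdigest()
    return Approval(approver, digest, scope, not_after, mac)


def may_release(artifact: bytes, scope: str, approvals: list, now: datetime) -> tuple:
    """Decide whether these exact bytes may go to this scope right now."""
    policy = POLICY.get(scope)
    if policy is None:
        return False, f"no policy for scope {scope!r}"       # fail closed
    digest = sha256(artifact)
    valid = set()
    for a in approvals:
        key = APPROVER_KEYS.get(a.approver)
        if key is None or a.approver not in policy["roles"]:
            continue                               # unknown, or not authorized for this scope
        expected = hmac.new(key, _payload(a.approver, a.digest, a.scope, a.not_after),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, a.mac):
            continue                               # forged or altered approval
        if a.digest != digest or a.scope != scope:
            continue                               # approval is for other bytes or another scope
        if datetime.fromisoformat(a.not_after) < now:
            continue                               # approval window closed
        valid.add(a.approver)
    if len(valid) < policy["quorum"]:
        return False, f"{len(valid)} valid approver(s), quorum is {policy['quorum']}"
    return True, f"approved by {sorted(valid)}"


def demo() -> dict:
    clean = b"constructed-build-artifact-v1"
    tampered = b"constructed-build-artifact-v1+implant"   # same release name, different bytes
    expiry = "2024-01-08T00:00:00+00:00"
    now = datetime(2024, 1, 2, tzinfo=timezone.utc)
    both = [sign_approval("release-manager", clean, "all-customers", expiry),
            sign_approval("security-reviewer", clean, "all-customers", expiry)]
    canary_only = [sign_approval("release-manager", clean, "internal-canary", expiry)]
    bot = [sign_approval("build-bot", clean, "all-customers", expiry)]
    late = datetime(2024, 2, 1, tzinfo=timezone.utc)
    return {
        "clean_two_approvals": may_release(clean, "all-customers", both, now)[0],
        "tampered_same_approvals": may_release(tampered, "all-customers", both, now)[0],
        "clean_one_approval": may_release(clean, "all-customers", both[:1], now)[0],
        "canary_approval_for_full_rollout": may_release(clean, "all-customers", canary_only, now)[0],
        "canary_rollout": may_release(clean, "internal-canary", canary_only, now)[0],
        "bot_approvals_ignored": may_release(clean, "all-customers", both[:1] + bot, now)[0],
        "expired": may_release(clean, "all-customers", both, late)[0],
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'release' if allowed else 'blocked'}")
```

The tampered case is the SolarWinds point: the build system's own signature says only that the build produced these bytes, and it would verify on the backdoored update too. An approval bound to the digest of the artifact that was actually reviewed does not carry over, so the release stops even though every access check in the pipeline passed. The canary case shows scope binding: authority to ship to a small internal ring is not authority to ship to every customer.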
Telecom & Surveillance (Salt Typhoon, 2023–2025)

A Chinese state-sponsored group compromised at least nine major U.S. telecom providers, reaching systems that support lawful intercept through stolen credentials and unpatched network equipment. They accessed call records covering over a million users and intercepted the communications of a far smaller set of senior political figures.

Phone communications of presidential campaign figures intercepted. Systems that process sealed court-ordered wiretap requests, and therefore identify active surveillance targets, accessed. By 2025, U.S. officials put the footprint at roughly 200 companies across 80 countries.

Each intercept request verified against current judicial authorization. Scope, duration, and target limits enforced per request. Unauthorized monitoring does not execute.

Access verified (Zero Trust)
  • Operator credentials accepted as valid (stolen credentials)
  • Network segmentation across telecom infrastructure enforced
  • Access to intercept systems role-authorized
  • Endpoint protection and monitoring active
  • SIEM and security operations center operational
  • Data access controls and classification in place
  • Requests processed through standard lawful intercept interfaces

All access controls pass.

Commitment boundary failure
Class: Lawful intercept and surveillance actions
Scale: Over one million users surveilled, including presidential candidates
Chain: No enforcement of judicial authorization chain at the point of each intercept request
Authority enforced (Authority Control)
  • Check each intercept action against current judicial authorization
  • Associate each request with a specific, validated court order
  • Apply scope, duration, and target limits per authorization
  • Maintain a verifiable chain from court order to intercept action
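An added example, not the page's or any carrier's code: a Python intercept gate that evaluates every request against a specific court order rather than against the operator's credentials. The order registry, subscriber identifiers and requests are constructed. Each decision is appended to a hash-chained record so that the path from court order to intercept action can be verified after the fact and any edited or dropped record is detectable.

```python
"""Intercept gate: every request is checked against a named court order, and
every decision is appended to a hash-chained record. Added illustration; the
registry, targets and requests are constructed."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CourtOrder:
    order_id: str
    targets: frozenset        # subscriber identifiers named in the order
    scopes: frozenset         # e.g. {"metadata"} or {"metadata", "content"}
    valid_from: datetime
    valid_until: datetime
    revoked: bool = False


@dataclass(frozen=True)
class InterceptRequest:
    order_id: str
    target: str
    scope: str
    operator: str             # the logged-in account: authenticated, but that is not authority
    at: datetime


def _digest(obj: dict) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class InterceptGate:
    GENESIS = "0" * 64

    def __init__(self, registry: dict) -> None:
        self._orders = registry   # must be fed from the court process, not by operators
        self.chain: list = []     # hash-chained decision records

    def authorize(self, req: InterceptRequest) -> tuple:
        """Fail closed: the request executes only if a live order names this target and scope."""
        order = self._orders.get(req.order_id)
        if order is None:
            return self._log(req, False, "no such order")
        if order.revoked:
            return self._log(req, False, "order revoked")
        if not (order.valid_from <= req.at <= order.valid_until):
            return self._log(req, False, "outside order validity window")
        if req.target not in order.targets:
            return self._log(req, False, "target not named in order")
        if req.scope not in order.scopes:
            return self._log(req, False, "scope not authorized by order")
        return self._log(req, True, "authorized")

    def _log(self, req: InterceptRequest, ok: bool, reason: str) -> tuple:
        prev = self.chain[-1]["hash"] if self.chain else self.GENESIS
        entry = {"prev": prev, "order_id": req.order_id, "target": req.target,
                 "scope": req.scope, "operator": req.operator, "at": req.at.isoformat(),
                 "decision": "execute" if ok else "refuse", "reason": reason}
        entry["hash"] = _digest(entry)   # covers prev, so the records form a chain
        self.chain.append(entry)
        return ok, reason

    def verify_chain(self) -> bool:
        """Recompute every link; an edited or removed record breaks the chain."""
        prev = self.GENESIS
        for entry in self.chain:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def _t(month: int, day: int) -> datetime:
    return datetime(2024, month, day, tzinfo=timezone.utc)


REGISTRY = {"ORDER-0001": CourtOrder("ORDER-0001", frozenset({"sub-1001"}),
                                     frozenset({"metadata"}), _t(1, 1), _t(1, 31))}


def demo() -> dict:
    gate = InterceptGate(REGISTRY)
    # The same operator account appears in every request, so all of them pass the
    # access layer. Only the first is covered by an order.
    cases = {
        "named_target": InterceptRequest("ORDER-0001", "sub-1001", "metadata", "op-7", _t(1, 10)),
        "other_target": InterceptRequest("ORDER-0001", "sub-2002", "metadata", "op-7", _t(1, 10)),
        "content_not_in_scope": InterceptRequest("ORDER-0001", "sub-1001", "content", "op-7", _t(1, 10)),
        "after_expiry": InterceptRequest("ORDER-0001", "sub-1001", "metadata", "op-7", _t(2, 2)),
        "no_such_order": InterceptRequest("ORDER-9999", "sub-1001", "metadata", "op-7", _t(1, 10)),
    }
    out = {name: gate.authorize(req)[0] for name, req in cases.items()}
    out["chain_intact"] = gate.verify_chain()
    gate.chain[1]["decision"] = "execute"     # after-the-fact edit of one record
    out["chain_after_tamper"] = gate.verify_chain()
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two caveats a practitioner would add. The chain proves tampering only if its latest hash is periodically anchored somewhere the intercept platform's operators cannot write, such as a separate logging system owned by another team; and the order registry must be populated from the court process and not be editable by the same operator accounts, otherwise stolen credentials simply add an order before adding a target.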
Identity: verified
Access: authorized
Segmentation: functioning
Monitoring: present
Authority at commitment: not evaluated

In each case, security controls verified identity and access and operated as designed. The failure occurred because no system evaluated whether the actor held authority to create the resulting organizational obligation.

The production deployment example has its own page: a dedicated CI/CD walkthrough shows where Zero Trust governs pipeline access and where Authority Control governs whether a deployment may create binding organizational consequence.

Posture mapping

Every principle Zero Trust applies to access, Authority Control applies to commitment.

Never trust
  Zero Trust (Access): No access without verification
  Authority Control (Commitment): No commitment without verified authority

Always verify
  Zero Trust (Access): Verify identity, device, network, workload, data
  Authority Control (Commitment): Verify authority, scope, timing, aggregate exposure, and documented authorization path

Assume breach
  Zero Trust (Access): Contain access laterally
  Authority Control (Commitment): Contain commitment to the scope of verified authority

Least privilege
  Zero Trust (Access): Minimum access per function
  Authority Control (Commitment): Minimum authority per function

Fail closed
  Zero Trust (Access): Deny access by default
  Authority Control (Commitment): Deny commitment by default

Record
  Zero Trust (Access): Log access events
  Authority Control (Commitment): Create a durable record of the decision and its scope with every commitment
Sources
  1. Federal Reserve Bank of New York; Bangladesh Bank disclosure, 2016; Reuters and Bloomberg reporting
  2. Consumer Financial Protection Bureau; DOJ; Wells Fargo SEC filings, 2016–2020
  3. CISA, Emergency Directive 21-01: SolarWinds Orion Code Compromise, December 2020; SEC filings
  4. SEC, In the Matter of JPMorgan Chase, Administrative Proceeding, 2013; U.S. Senate Permanent Subcommittee on Investigations, 2013
  5. CISA Advisories AA23-144a and AA24-038A (Volt Typhoon); Colonial Pipeline, DOJ and company disclosures, 2021
  6. CISA and partner agencies, guidance and joint advisory on PRC-affiliated telecom intrusions (Salt Typhoon), 2024–2025; congressional briefings and carrier disclosures