Browser Tab is Trusted, Not the Device — A Critical Identity Gap

Dec 22, 2025

Failure Pattern

The browser assumes any active session (browser tab) reflects a legitimate user on a legitimate device — even when malware controls the browser.


User Impact

The user sees “I’m already logged in,” unaware that malicious automation is acting inside the same session.


Underlying Causes

No workload/device identity in browsers
SSO tokens stored in memory and reused
Sessions tied to browser state, not device trust
Browser extensions manipulating active sessions


Trust-Native Resolution

The session would require a TrustKey from the device, not just a cookie. Malware cannot piggyback on a session without re-establishing TrustKey provenance.
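As an added illustration (not from this post, which does not specify how a TrustKey is implemented), here is a minimal Go model of one way to bind a session to the device rather than to a cookie: the device holds an Ed25519 key that never reaches browser storage, the server issues single-use nonces, and every request must carry a signature over cookie, nonce and target. The Server type, SignRequest and Authorize are illustrative names; a cookie lifted out of the browser tab fails Authorize because nothing in the tab can produce the device signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
)

// Server-side state (in-memory maps constructed for this example): each cookie
// maps to the public key of the enrolled device; each nonce is single-use.
type Server struct {
	sessions map[string]ed25519.PublicKey
	nonces   map[string]bool
}
func NewServer() *Server {
	return &Server{map[string]ed25519.PublicKey{}, map[string]bool{}}
}
func randHex() string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand; error ignored only to keep the example short
	return hex.EncodeToString(b)
}
// Enroll issues a session cookie bound to the device's public key.
func (s *Server) Enroll(pub ed25519.PublicKey) string {
	cookie := randHex()
	s.sessions[cookie] = pub
	return cookie
}
// Challenge hands out a fresh nonce the device must sign on its next request.
func (s *Server) Challenge() string {
	n := randHex()
	s.nonces[n] = true
	return n
}
// SignRequest is the device's side: sign cookie, nonce and request target with
// the key that never leaves the device. A copied cookie alone cannot do this.
func SignRequest(priv ed25519.PrivateKey, cookie, nonce, target string) []byte {
	return ed25519.Sign(priv, []byte(cookie+"|"+nonce+"|"+target))
}
// Authorize accepts the request only if the cookie is known, the nonce is
// unused, and the signature verifies under the key bound at enrollment.
func (s *Server) Authorize(cookie, nonce, target string, sig []byte) bool {
	pub, ok := s.sessions[cookie]
	if !ok || !s.nonces[nonce] { // unknown cookie, or stale/replayed nonce
		return false
	}
	delete(s.nonces, nonce) // burn it so a captured request cannot be replayed
	return ed25519.Verify(pub, []byte(cookie+"|"+nonce+"|"+target), sig)
}
```

Real deployments put the private key in a TPM, Secure Enclave or similar hardware store so that browser-resident malware cannot export it; the check above is the server half of that arrangement.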


Broken Trust Assumption

Many of the most damaging breaches of the past decade occurred in environments that were fully authenticated, encrypted, and compliant.

Incidents including SolarWinds, NotPetya, Capital One, and MOVEit show a consistent pattern: attackers succeeded by inheriting trust, not by breaking it. Security controls validated access, but not intent.