What changed was not attacker capability - credential compromise is a constant. What changed was the validity of the assumption that credentials remain bound to their original holder. The proliferation of breach databases and credential markets means that valid authentication material circulates at scale. The system's trust model was designed for an environment where credential compromise was rare and localized. That environment no longer exists. But the trust model was never re-evaluated against the shift. The system continued to treat every authenticated session as equivalent to the original authentication event, regardless of how much time had passed or how the credential was obtained.
The mechanism of failure is the substitution of reference for verification. Once authenticated, the identity was treated as continuously valid - not because the system confirmed ongoing legitimacy, but because the credential matched an entry in the access control list. Every subsequent action - opening documents, traversing departments, copying files across systems - was permitted because the identity was recognized, not because its context was evaluated. When access patterns diverged from baseline - unusual hours, unrelated departments, volume spikes - the system accepted them because no policy violation existed at the point of initial authentication. Detection tools monitored for known attack signatures: malware callbacks, privilege escalation exploits, anomalous binary execution. They did not monitor for the absence of trust revalidation. Lateral movement was invisible because it looked identical to legitimate access - it was legitimate access, executed by an illegitimate holder of legitimate credentials.
This is the structural pattern: execution based on reference, not verification. It occurs wherever a system treats identity or configuration state as persistent without re-evaluation. The same architecture - authenticate once, trust indefinitely - produced the same outcome at OPM, at Equifax, at every organization where a single credential compromise converted into sustained, undetected lateral access. The pattern is not incident-specific. It is a property of systems that delegate trust without enforcing it continuously.
The control exists. The outcome does not. Access logs recorded every event. Identity policies defined every boundary. Session management tracked every connection. These are artifacts of compliance - evidence that a user entered the system at some point - not mechanisms of defense. They do not confirm whether the credential holder at hour one is the same entity operating at hour one thousand. The system was optimized for availability and continuity, not for resilience against persistent credential compromise. It does not fail. It behaves exactly as built. And that is the failure.
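The contrast between execution on reference and continuous verification, sketched as an added example that is not part of the original text. It re-evaluates each action in a session against the divergence signals named above (elapsed time since verification, unusual hours, unrelated departments, volume spikes); every name, threshold and event in it is an assumption constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# All names, thresholds and events here are assumptions constructed for this example.
@dataclass
class Baseline:
    hours: range          # usual working hours for this identity
    departments: set      # departments the identity normally touches
    files_per_hour: int   # typical read volume

MAX_TRUST_AGE = timedelta(hours=8)  # verification older than this is stale
VOLUME_FACTOR = 5                   # spike = 5x baseline within one hour

def reference_only(acl, user):
    """The model the text describes: a credential match is the whole decision."""
    return user in acl

def revalidate(events, baseline, verified_at):
    """Return (timestamp, decision, reasons) per event; 'step-up' demands fresh proof."""
    decisions, window = [], []
    for ts, dept, nfiles in events:
        reasons = []
        if ts - verified_at > MAX_TRUST_AGE:
            reasons.append("stale-verification")
        if ts.hour not in baseline.hours:
            reasons.append("unusual-hour")
        if dept not in baseline.departments:
            reasons.append("unrelated-department")
        # Rolling one-hour window of file counts for the volume check.
        window = [(t, n) for t, n in window if ts - t < timedelta(hours=1)] + [(ts, nfiles)]
        if sum(n for _, n in window) > VOLUME_FACTOR * baseline.files_per_hour:
            reasons.append("volume-spike")
        decisions.append((ts, "step-up" if reasons else "allow", reasons))
    return decisions

# Constructed session: one login, then activity drifting away from baseline.
LOGIN = datetime(2024, 3, 4, 9, 0)
BASELINE = Baseline(hours=range(8, 19), departments={"finance"}, files_per_hour=20)
EVENTS = [
    (datetime(2024, 3, 4, 9, 30), "finance", 5),
    (datetime(2024, 3, 4, 15, 0), "finance", 10),
    (datetime(2024, 3, 5, 2, 10), "hr", 40),
    (datetime(2024, 3, 5, 2, 40), "engineering", 90),
]

if __name__ == "__main__":
    for ts, decision, reasons in revalidate(EVENTS, BASELINE, LOGIN):
        print(ts, reference_only({"alice"}, "alice"), decision, reasons)
```

The reference-only check returns the same answer for all four events; the per-action evaluation separates the last two, which is the distinction the access logs alone never act on.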