The identity-centric framing is correct, but there's a gap the industry still isn't talking about honestly: MFA fatigue and push bombing have made even "properly secured" identities exploitable. The Uber breach in 2022 wasn't a credential gap — they had MFA. The attacker just kept pushing until someone accepted. The model assumes authentication = verified intent, and that assumption is breaking down.