When the Australian Cyber Security Centre (ACSC) expanded its Essential Eight maturity model in 2021, it marked a turning point in how organisations approached digital defence. Multi-factor authentication (MFA) stopped being optional and became a baseline expectation for public sector agencies and many citizen-facing services.
Four years later, the Essential Eight has evolved beyond government. It is now the de facto benchmark for critical infrastructure and the wider private sector, yet too many organisations remain focused on checking compliance boxes rather than building confidence.
The next step isn’t about adding more tools. It’s about maturing the ones we already have, and aiming higher, toward Maturity Level 3, where defences can better protect against ongoing identity-driven threats.
Cybercrime in Australia continues to rise. The Australian Institute of Criminology reports that nearly half of Australians experienced some form of cybercrime in the past year. The Australian Signals Directorate (ASD) notes that most incidents can be traced back to weak identity controls and basic cyber hygiene failures.
The Essential Eight was designed to counter exactly that, but the threat environment has outpaced it. Phishing-as-a-service kits can clone a trusted login page in minutes. Adversary-in-the-middle (AiTM) attacks bypass the SMS and push-notification factors that many organisations rely on for Maturity Level 1 and 2 compliance. Even the most sophisticated organisations are learning that traditional defences alone can’t keep up.
That’s why Maturity Level 3 has become the new benchmark for resilience. It’s not about reaching perfection. It requires an ‘assume breach’ mindset: accepting that the perimeter will be breached, and ensuring we can limit the blast radius to keep operating.
What has changed most since the Essential Eight was first introduced is speed. Attackers no longer need time or scale to be effective. Automated phishing, credential testing and adversary-in-the-middle techniques now allow a single compromised identity to be exploited across multiple systems in minutes.
At the same time, organisations are expanding their digital footprint. Contractors, partners, cloud services, and increasingly AI-driven processes are all accessing core systems. Each of these interactions relies on identity. When identity controls are weak, risk multiplies quickly.
This is why simply meeting minimum maturity levels is no longer sufficient. Organisations that remain at Maturity Level 1 or 2 may technically comply, but they are still vulnerable to modern, identity-led attacks that bypass legacy controls.
Aiming for Maturity Level 3 is not about overengineering security. It is about aligning controls to how attacks actually occur today: through stolen credentials, misused access, and gaps in identity governance. In that context, stronger identity assurance becomes the most effective way to reduce both the likelihood and the impact of a breach.