Executive Brief

Pulse Continuous Authentication & Identity Assurance

Securing Every Moment of Every Session, For Users and AI Agents Alike

Pulse Continuous Authentication & Identity Assurance  |  affirmedid.com  |  May 2026

The Problem with Today's Security

Every organization that provides access to digital services faces the same hidden vulnerability: authentication happens once, at the point of login, and then stops. From that moment on, whether the session lasts 10 minutes or 10 hours, the system has no reliable way of knowing whether the person who logged in is still the person in control.

This gap is where modern attacks occur. Stolen credentials used mid-session. Devices handed to an unauthorized person. Employees moving to unexpected locations. Compromised phones that continue to hold active access tokens. Traditional security tools have no answer to any of these scenarios once the login ceremony is complete.

As AI-powered automation becomes central to enterprise operations, the stakes increase further. AI agents frequently run for hours without direct human interaction, making decisions and accessing sensitive data on the user's behalf. A compromised session that feeds an autonomous agent can cause far greater harm than a compromised human session alone.

The Core Gap: Authentication today is a gate, not a guard. Once a user is through the door, conventional security has no reliable way to verify they are still who they claimed to be, or that they are still in control of their session at all.

The Pulse Proposition

Pulse is a Continuous Authentication & Identity Assurance (CA) framework developed by AffirmedID. Unlike conventional security products that are assembled from separate tools bolted together, Pulse was designed from the ground up as a single, integrated system. It closes the post-login security gap entirely, providing real-time, ongoing verification that the right person stays in control, from the moment they log in until the moment they log out.

The framework comprises four tightly integrated components, each serving a distinct role, and each designed to work seamlessly with the others:

| Pulse | Auth | Connect | Agentic AI Extension |
| --- | --- | --- | --- |
| Orchestration Hub | Continuous Monitoring | Session & Policy Enforcement | Agentic Trust Chain |
| Co-ordinates all components end-to-end | Streams 4 live trust signals from user’s phone | Enforces policy via OIDC/SAML protocols | Anchors AI agent sessions to human identity |

How the Components Work Together

01   Pulse, The Orchestration Engine

The intelligent hub that co-ordinates all other components throughout every session

Pulse is the central orchestrator that manages the full session lifecycle. At the moment a user logs in, Pulse assigns a unique Correlation ID to that session, a persistent reference that links every subsequent event, from trust score changes and policy decisions to enforcement actions and audit log entries. This means that at any point, security teams have a complete, unbroken record of what happened, when, and why.

Pulse removes the integration complexity that plagues conventional approaches. There is no need to stitch together separate vendors for authentication, monitoring, and enforcement. Every element was built to interoperate from day one, giving organizations a single pane of glass across the entire security operation.

02   Auth, The Continuous Monitoring Layer

The user’s smartphone becomes a persistent, real-time source of trust intelligence

The Auth component transforms the user’s mobile phone into a continuous security sensor. Once installed and bonded to the user through behavioral patterns and a PIN, the Auth app streams five live trust signals to the central analysis engine throughout the entire session, not just at login:

  • Identity Trust Score: behavioral biometrics confirm the same person remains in control, based on interaction patterns learned during initial bonding.
  • Passive Proximity Trust Score: Bluetooth verification confirms the authenticated phone remains physically near the device being used. If the user steps away, proximity degrades.
  • Active Proximity Trust Score (optional, available with the Sentinel service): goes beyond passive Bluetooth detection by actively verifying proximity through direct engagement between the user’s phone and the access device, providing a higher-assurance proximity signal where required.
  • 3D Location Trust Score: GPS and barometric altitude monitoring provides floor-level precision. Standard security tools can only detect location changes in two dimensions; Pulse can detect whether a user has moved to a different floor of the same building.
  • Device Health Trust Score: real-time integrity monitoring catches jailbreaks, malware indicators, hijack attempts, and other device compromise events as they happen.

03   Connect, Session Management and Policy Enforcement

Industry-standard protocols deliver automated, real-time enforcement without custom development

Connect is the policy enforcement point, embedded within the OIDC and SAML identity providers that most enterprise environments already use. It receives trust decisions from the analysis engine and acts on them immediately, without any additional enforcement layer, and without relying on manual intervention.

When trust is sufficient, sessions continue normally. When trust degrades to a medium threshold, a step-up authentication challenge is issued automatically. When trust falls to a low threshold, the session is terminated outright. Critically, Connect does not wait for the user to make their next request before acting: push notifications propagate enforcement decisions to all registered systems within milliseconds of a trust event occurring.

Connect also exposes AuthZEN evaluator endpoints, implementing the OpenID Foundation’s emerging standard for authorization queries. This means existing applications can query the current trust state of any active session inline, without architectural redesign.

04   Agentic AI Extension, Continuous Trust for Autonomous Workflows

The security model extends naturally to AI agents acting on users’ behalf

As organizations deploy AI agents (systems that access data, execute workflows, and make decisions autonomously on behalf of users), a new category of security risk emerges. Pulse addresses this directly through its Agentic AI extension, built upon the same Continuous Authentication & Identity Assurance and AuthZEN authorization infrastructure as the rest of the framework.

The governing principle is straightforward: every AI agent, however autonomous, was initiated by a human. That human origin is the immutable anchor of the agent’s authority. Pulse enforces what can be described as a chain of custody for AI agency:

  • Every agent session carries the Correlation ID of the originating human session, providing complete traceability from agent action back to human identity.
  • If the human’s trust score degrades (because their device has been compromised, their location has changed unexpectedly, or their behavior has become anomalous), that signal propagates immediately through the entire agent chain.
  • Where an agent spawns sub-agents to handle parallel tasks, each sub-agent inherits a scoped authorization linked to the same human origin and is subject to the same trust evaluation.
  • High-privilege actions by agents, such as access to sensitive financial data, customer records, or system configuration, can be configured to require real-time re-evaluation or explicit human confirmation before proceeding.

The result is that AI agent sessions are as auditable, controllable, and revocable as human sessions, a capability that enterprise security teams are increasingly requiring as a condition of AI adoption.
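The tiered enforcement described for Connect and the human-anchored agent chain above can be modeled as follows. This is an added sketch, not AffirmedID's code or API; the 0-100 scale, the threshold values, weakest-signal scoring, the action names and every function name are assumptions made for illustration.

```python
from dataclasses import dataclass, field
import uuid

# Assumed 0-100 scale and cut-offs; the brief names the tiers, not the numbers.
STEP_UP_BELOW, TERMINATE_BELOW = 70, 40
HIGH_PRIVILEGE = {"read_financials", "change_config"}  # hypothetical action names

def decide(signals: dict) -> str:
    """Map live trust signals to an action; weakest signal wins (assumption)."""
    score = min(signals.values())
    if score < TERMINATE_BELOW:
        return "terminate"
    return "step_up" if score < STEP_UP_BELOW else "continue"

@dataclass
class Session:
    kind: str               # "human" or "agent"
    correlation_id: str     # always the originating human session's ID
    scope: frozenset
    state: str = "continue"
    children: list = field(default_factory=list)

    def spawn_agent(self, scope) -> "Session":
        # A sub-agent can only narrow the scope it inherits, never widen it.
        child = Session("agent", self.correlation_id, self.scope & frozenset(scope))
        self.children.append(child)
        return child

def new_human_session(scope) -> Session:
    return Session("human", str(uuid.uuid4()), frozenset(scope))

def on_trust_event(human: Session, signals: dict, audit: list) -> str:
    """Push the decision down the whole agent chain without waiting for a request."""
    action = decide(signals)
    stack = [human]
    while stack:
        s = stack.pop()
        if s.state != "terminate":   # termination is final
            s.state = action
        audit.append((human.correlation_id, s.kind, s.state))
        stack.extend(s.children)
    return action

def evaluate(session: Session, action: str, fresh_signals=None) -> dict:
    """AuthZEN-style boolean decision; high-privilege actions need fresh signals."""
    ok = session.state == "continue" and action in session.scope
    if ok and action in HIGH_PRIVILEGE:
        ok = fresh_signals is not None and decide(fresh_signals) == "continue"
    return {"decision": ok}
```

Every audit entry carries the human session's Correlation ID, so an agent action can be traced back to the person who started the chain even after the session has been terminated.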

Real-World Threat Scenarios

The following scenarios illustrate the practical difference Pulse makes against threats that conventional authentication cannot address:

| Threat Scenario | Without Pulse | With Pulse |
| --- | --- | --- |
| Mid-session credential theft | Attackers reuse stolen login, system unaware until next login check | Behavioral anomaly detected immediately; session terminated before damage occurs |
| Unexpected location change | User in London at 9am, accessed from abroad 20 mins later, traditional auth sees no issue | 3D location monitoring (including floor-level altitude) flags impossible travel; step-up or termination triggered instantly |
| Device compromise mid-session | Phone jailbroken while session is active, access continues unchecked | Device health score detects compromise in real time; access revoked automatically |
| AI agent over-running authority | Credentials stolen 20 mins into a 2-hour autonomous agent workflow | Continuous trust monitoring detects anomaly; AuthZEN blocks further agent actions; full audit trail preserved |

Compliance and Standards Alignment

Pulse is aligned with the principal security frameworks that enterprise and regulated-industry customers require, reducing the compliance burden significantly:

  • Zero Trust Architecture (ZTA): Pulse embodies the ‘never trust, always verify’ mandate throughout the full session, not merely at the perimeter.
  • NIST SP 800-207: continuous diagnostics and trust evaluation are aligned with NIST’s Zero Trust Architecture guidelines; all PDP decisions are logged for continuous monitoring requirements.
  • CMMC: authorization audit trails, real-time monitoring, and policy-based enforcement meet Level 2 and Level 3 access control and audit requirements.
  • FIDO2 / Passkey: Pulse is aligned with Apple, Google, Microsoft, and FIDO Alliance passkey standards for phishing-resistant authentication. Uniquely, Pulse extends that phishing resistance beyond the login event to cover the entire session, through Asymmetric Device Assertions delivered continuously throughout the session lifecycle.
  • AuthZEN: Pulse implements the OpenID Foundation’s AuthZEN access evaluation specification, providing a vendor-neutral, interoperable authorization protocol.

Phishing Resistance Beyond Login: A Unique Pulse Capability

FIDO2 phishing resistance has traditionally applied only to the login moment; once a session is underway, that protection ends. Pulse Asymmetric Device Assertion changes this. By continuously delivering cryptographically bound device attestations throughout the session, not just at login, Pulse extends phishing resistance across the entire lifecycle, from pre-login through authentication to post-logout.

The result is a continuously attested session: phishing resistance is no longer a property of the login event alone, but a persistent guarantee that travels with every action taken. This is, to our knowledge, a unique capability in the market, and a material step forward for organizations seeking assurance that goes beyond securing the front door.

Deployment and Commercial Flexibility

Pulse is available in deployment models suited to the scale and requirements of enterprise partners:

  • Subscription Model: cloud-hosted, per-user/per-month pricing for deployments up to 1,000 users per client, with zero on-premises infrastructure requirements.
  • Licensed Model: on-premises deployment of the complete framework for larger deployments or organizations requiring data sovereignty; annual licensing with full support.
  • Integrator Licensing: organizations wishing to embed the Pulse framework within their own platforms may license the complete stack on a white-label basis, with full integration support and customizable branding.

Typical integration timelines run from contract to production in eight to ten weeks, subject to deployment complexity.

Summary

Pulse represents a fundamental shift in how digital security is delivered, from a checkpoint at login to a continuous, intelligent assurance that persists for the duration of every session, whether that session is driven by a human or an autonomous AI agent.

Pulse offers a fully integrated framework that addresses the security gaps that conventional tools leave open, satisfies the compliance requirements of regulated enterprise customers, and provides the audit-ready architecture that AI-enabled services increasingly demand.


Pulse CA™ — AffirmedID at affirmedid.com — Copyright © June 2026