They create governance risk because authentication spans two systems with different lifecycle rules. A user may still be valid in Active Directory while their PostgreSQL role, database, or network access is no longer justified. That mismatch can leave stale privileges behind unless access reviews and offboarding reach the database layer.
Why This Matters for Security Teams
active directory backed database logins create governance risk because the trust decision is split across two control planes: directory identity on one side and database authorization on the other. That split is easy to miss during joiner, mover, and leaver workflows, especially when the database role is inherited indirectly from an AD group or linked login. NHI Management Group research on lifecycle management shows that access failures often appear at the handoff between systems, not within either system alone, which is why reviews must extend beyond the directory.
For security teams, the practical risk is stale privilege. A person can be removed from AD, yet still retain a database principal, mapped role, or network path that keeps data reachable. That mismatch undermines least privilege, weakens audit evidence, and complicates incident response because revocation must be validated in two places. Guidance in the NIST Cybersecurity Framework 2.0 is clear that identity governance must support access lifecycle controls end to end, not just at login time. In practice, many security teams discover this only after a terminated account still works in the database, rather than through intentional offboarding testing.
NHIMG guidance on Lifecycle Processes for Managing NHIs and Regulatory and Audit Perspectives is directly relevant here because auditors will ask whether access removal is verified at the resource layer, not just in the directory.
How It Works in Practice
In a typical AD backed database pattern, a user authenticates with directory credentials and the database maps that identity to a local login, role, or group membership. The governance risk comes from the fact that the mapping is often durable while the business justification is temporary. If the AD group remains intact, the database may continue to trust the user even after the original project, support need, or employment status changes.
Current best practice is to treat the directory and the database as separate enforcement points with separate review evidence. That means aligning offboarding, access recertification, and privileged access management so that removal from AD triggers validation of the database principal, role grants, and any inherited memberships. Where possible, use short-lived access paths and explicit approval for elevated database roles rather than broad, standing group membership. The NIST Cybersecurity Framework 2.0 supports this kind of layered governance, and NHIMG’s Top 10 NHI Issues highlights why credential lifecycle and over-privilege remain recurring failure modes.
- Inventory every AD group that maps to a database login or role.
- Verify whether database access is direct, inherited, or nested through another role.
- Require evidence that leaver actions remove both directory membership and database authorization.
- Review dormant database principals separately from AD accounts.
- Log and alert on successful database authentication by accounts no longer justified in AD.
This guidance tends to break down in legacy environments with shared service accounts, manually managed role mappings, or replicated directory trusts because access removal is no longer deterministic.
Common Variations and Edge Cases
Tighter database access governance often increases operational overhead, so organisations must balance revocation certainty against administrative friction. That tradeoff is especially visible when AD is used for convenience rather than as the true source of entitlement.
One common edge case is a disabled AD account that still has a valid database session token or cached connection. Another is a service account that is intentionally exempt from human offboarding but is still managed poorly enough to look like a stale human login. Best practice is evolving here, and there is no universal standard for every platform, but the control objective is consistent: prove that directory deprovisioning actually removes data-layer access. The governance issue is also amplified when database access is granted through nested AD groups, because the effective privilege is harder to review and easier to miss during certification.
For teams building evidence for auditors, the most useful approach is to pair directory reports with database-side entitlement reports and compare them regularly. The 2024 ESG Report: Managing Non-Human Identities notes that 72% of organisations have experienced or suspect a breach of non-human identities, which reinforces the need to track access at every control boundary. Where PostgreSQL is fronted by AD but also supports local roles, direct grants, or admin bypasses, those exceptions must be documented explicitly because that is where governance gaps accumulate fastest.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and access enforcement are split across AD and database layers. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Stale database roles and mapped logins are classic non-human identity lifecycle failures. |
| NIST AI RMF | GOVERN | Governance requires accountable ownership over cross-system identity decisions. |
Assign clear owners for directory and database access decisions, then test deprovisioning end to end.
