
Which identity controls should be reviewed first in an AD-heavy environment?

Start with replication rights, privileged service accounts, and any identity that can touch LSASS or perform sensitive directory queries. Those controls have the highest blast radius and the greatest potential to enable rapid compromise. They should be reviewed alongside lifecycle and offboarding processes, not only during incident response.

Why This Matters for Security Teams

In an AD-heavy environment, the first identities to review are the ones that can turn a routine foothold into domain-wide impact: replication rights, privileged service accounts, and identities that can query directory data at scale. Those accounts are often inherited, undocumented, or excluded from standard joiner-mover-leaver workflows, which makes them easy to miss until abuse is underway. NIST’s Cybersecurity Framework 2.0 reinforces the need to identify, govern, and continuously monitor the assets and identities that carry the most risk. NHIMG research shows the problem is not theoretical: in the Ultimate Guide to NHIs, 97% of NHIs carry excessive privileges, and only 5.7% of organisations have full visibility into their service accounts. In practice, many security teams discover these exposures only after unusual directory replication, credential dumping, or lateral movement has already occurred, rather than through intentional access review.

How It Works in Practice

A practical review order starts with control, not with asset count. First, inventory identities that hold domain replication permissions, delegated admin rights, or extended directory query permissions. Then separate human admin accounts from service accounts, because service accounts are often long-lived, non-interactive, and poorly owned. Next, verify whether any of those identities can access LSASS, run remote management tools, or read sensitive directory attributes such as group membership, SPNs, and credential-related metadata.

This is where the Top 10 NHI Issues guidance is directly relevant: the same over-privilege and weak lifecycle control patterns that affect NHIs also appear in AD through service principals, automation accounts, and vendor-integrated identities. NIST guidance on identity governance and monitoring, including NIST Cybersecurity Framework 2.0, supports a risk-based triage model. That means reviewing:

  • Replication permissions such as directory sync, DCSync-style rights, and schema or configuration write access
  • Privileged service accounts used by backups, monitoring, identity sync, and endpoint tooling
  • Accounts that can access LSASS, deploy remote code, or invoke powerful directory search functions
  • Offboarding gaps where old service accounts remain active after system retirement or vendor change

Review should also include password age, rotation cadence, group nesting, and whether the account is exempt from MFA or conditional access controls. NHIMG’s 52 NHI Breaches Analysis shows how quickly a single credential can cascade when privilege is broad and review is shallow. These controls tend to break down when AD is tightly coupled to legacy apps and no one can change privileges without risking outage.
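The review order above and the password-age and group-nesting checks in this paragraph can be turned into a repeatable audit. The following PowerShell script is an added example, not code from the NHIMG article; it assumes the RSAT ActiveDirectory module, read access to the domain naming context, and a 90-day rotation standard used as a placeholder threshold.

```powershell
# Added example: audit DCSync-style replication-right holders and long-lived
# service accounts in the current domain. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Extended-right GUIDs that together permit directory replication.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

$domainDN = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDN"

# Step 1: principals holding replication rights on the domain head.
# These are direct ACEs; group members inherit them, so each group listed
# here should be expanded and owned like any other privileged identity.
$replHolders = $acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $ReplicationRights.ContainsKey($_.ObjectType.ToString()) } |
    ForEach-Object {
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value
            Right     = $ReplicationRights[$_.ObjectType.ToString()]
        }
    }
$replHolders | Sort-Object Principal, Right | Format-Table -AutoSize

# Step 2: service-like accounts (SPN set) with stale or non-expiring passwords,
# with nested group membership resolved so hidden privilege is visible.
$maxAgeDays = 90   # assumed rotation standard; replace with your own policy
$cutoff = (Get-Date).AddDays(-$maxAgeDays)
Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
    -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object { $_.Enabled -and
                   ($_.PasswordNeverExpires -or -not $_.PasswordLastSet -or
                    $_.PasswordLastSet -lt $cutoff) } |
    ForEach-Object {
        $acct = $_
        # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) expands nested
        # membership in one query. DNs containing '(' or ')' would need escaping.
        $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($acct.DistinguishedName))" |
            Select-Object -ExpandProperty Name
        [pscustomobject]@{
            SamAccountName       = $acct.SamAccountName
            PasswordLastSet      = $acct.PasswordLastSet
            PasswordNeverExpires = $acct.PasswordNeverExpires
            PrivilegedGroups     = ($groups | Where-Object { $_ -match 'Admin|Operator' }) -join ';'
        }
    } | Format-Table -AutoSize
```

Run it read-only from a workstation with an audit account; the output is the starting list for owner assignment and effective-permission mapping rather than a remediation action in itself.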

Common Variations and Edge Cases

Tighter identity review often increases operational overhead, requiring organisations to balance blast-radius reduction against application stability and uptime. That tradeoff is especially visible in AD environments with legacy middleware, domain-linked appliances, and third-party support accounts that were never designed for modern least-privilege patterns. Current guidance suggests treating these as exceptions to be documented, time-bounded, and reviewed separately, not as permanent exemptions.

One common edge case is a service account that appears low risk because it is non-interactive, yet holds replication or directory read rights through nested groups. Another is a break-glass account that is intentionally powerful but never tested, monitored, or rotated. There is no universal standard for this yet, but best practice is to tag these identities by function and privilege tier, then review them on a shorter cadence than ordinary user accounts. Where possible, align the review with the governance, visibility, and rotation principles in the Ultimate Guide to NHIs – Standards so the AD program is not treated as a separate silo. The most dangerous cases are usually the ones that look like routine infrastructure until someone maps their effective permissions.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-01              | Identity inventory and ownership are key for finding high-risk AD service accounts.
NIST CSF 2.0                     | PR.AC-4             | Least-privilege access review applies directly to replication and admin accounts.
NIST AI RMF                      | Risk governance     | Risk governance and monitoring principles support prioritising the highest blast-radius identities.

Inventory privileged AD and service identities first, then assign owners and review effective access.