By NHI Mgmt Group Editorial TeamDomain: Governance & RiskSource: IS DecisionsPublished July 7, 2026

TL;DR: Hybrid identity has shifted from a transitional phase to a long-term operating model, and Active Directory still anchors authentication across many environments even as cloud services expand, according to IS Decisions. That reality makes legacy directory security gaps, not migration timelines, the practical issue IAM teams must confront.


At a glance

What this is: This article argues that hybrid identity is now a durable operating model and that Active Directory remains central to it, despite legacy security gaps and growing cloud integration complexity.

Why it matters: It matters because IAM, PAM, and identity architects still have to govern a directory that anchors both on-premises and cloud access, while compensating for controls Active Directory does not provide by default.

By the numbers:

👉 Read IS Decisions' analysis of Active Directory security in hybrid identity


Context

Hybrid identity is no longer just a transition between on-premises and cloud. For many organisations, it is the operating model that has to work every day, which makes Active Directory security a continuing IAM issue rather than a legacy cleanup exercise.

Active Directory still anchors authentication for a large share of enterprise environments, even as Entra ID and other cloud platforms expand the identity surface. The practical problem is that hybrid estates combine two different design assumptions, so gaps in control, monitoring, and access governance are easier to miss.

The article's primary point is that the market has moved on from treating hybrid as temporary, but the identity architecture has not disappeared with it. That is typical of large enterprises with entrenched directories and mixed workloads.


Key questions

Q: How should security teams govern authentication in hybrid Active Directory and cloud identity environments?

A: Security teams should govern authentication by mapping each access path to the directory that actually enforces policy, then applying MFA and contextual controls at the authentication edge. The goal is not to force a single identity model everywhere. It is to make sure legacy systems, SaaS access, and remote endpoints are all covered by visible, enforceable controls.

Q: Why does Active Directory still matter to modern identity programmes?

A: Active Directory still matters because it often acts as the authoritative control plane for authentication, group-based authorisation, and privileged administration. When directory trust is centralised, its availability and integrity affect user access, service accounts, and recovery operations across the enterprise. Identity teams should treat it as core security infrastructure, not an ageing back-office service.

Q: What fails when Active Directory is treated as complete security by default?

A: The programme misses controls that modern identity models assume, including MFA, conditional access, monitoring, and session governance. That leaves access paths under-enforced and makes hybrid identity harder to audit, especially when the same identity can move between on-premises and cloud systems.

Q: How do teams reduce risk when AD remains the primary identity store?

A: They should focus on explicit control layering, not directory nostalgia. That means tightening group memberships, validating federation paths, adding session and access monitoring, and proving that cloud and on-premises enforcement are both working before they rely on the directory as the authority.


Technical breakdown

Why hybrid identity creates control gaps in Active Directory

Hybrid identity combines legacy directory models with cloud-era access patterns. Active Directory was built around on-premises trust boundaries, group membership, and domain-centric administration, while cloud platforms expect more granular and continuously evaluated control planes. When both are tied together through federation or sync, the result is not a single uniform system but two governance models stitched together. That creates blind spots in monitoring, conditional access, and access revocation, especially when the same identity can touch both environments. Practical implication: treat hybrid as a control integration problem, not just a directory integration problem.

Practical implication: Map which access decisions still depend on Active Directory and identify where cloud controls are assumed but absent.

How Active Directory object growth changes identity governance

Directory objects now carry far more identity data than they did when Active Directory was first designed. A user object can include authentication material, certificates, compliance labels, app attributes, and broad group memberships, which increases both object size and governance complexity. The move to larger database pages in newer Windows Server builds is a signal that object sprawl is no longer an edge case. This matters because every extra attribute becomes part of the trust and access surface. Practical implication: review which identity attributes are actually needed and which are accumulated drift that weakens control quality.

Practical implication: Reduce unnecessary directory attributes and group memberships before object bloat becomes a security and operations problem.

Why MFA, conditional access, and session control cannot be assumed in AD

Out of the box, Active Directory does not provide the same default security posture as modern cloud identity systems. Controls such as MFA, conditional access, secure SSO, account monitoring, and concurrent session governance often need to be added through adjacent tools or policy layers. That means the directory can remain the authentication anchor while still lacking enforcement depth at the session and access layer. For IAM teams, the technical question is not whether AD is obsolete, but where the control plane is incomplete. Practical implication: validate which protections are native, which are bolted on, and which are missing entirely.

Practical implication: Close session and authentication gaps with explicit control ownership rather than assuming directory defaults are sufficient.


Threat narrative

Attacker objective: The objective is to turn identity compromise in Active Directory into broader access across the hybrid estate, including cloud-connected systems.

  1. entry: Attackers often enter through compromised AD credentials, admin accounts, or weakly governed remote access paths that bridge on-premises and cloud estates.
  2. escalation: Once inside, privilege elevation in Active Directory can expose broader administrative reach and move the attacker toward high-value identities.
  3. impact: A compromised directory can become a launch point for spread into cloud services, creating estate-wide identity compromise rather than a single-host incident.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Hybrid identity has become the default operating model, so Active Directory governance is now a permanent discipline rather than a migration bridge. The article correctly describes hybrid as long-term for many organisations, which means identity teams cannot plan around a clean cutover to cloud-only control. The practical implication is that AD remains a governance anchor even when cloud identity grows around it.

Active Directory object bloat is now an access governance problem, not just a directory design issue. The move toward larger directory objects reflects the accumulation of certificates, authentication keys, labels, and memberships that sit inside the trust boundary. That increases the amount of identity state security teams must reason about, and it makes visibility into object content a prerequisite for sane entitlement control.

Active Directory still lacks by-default controls that modern identity programmes increasingly assume are present. MFA, conditional access, monitoring, and session governance are not optional enhancements in hybrid estates, they are the missing controls that determine whether the directory can safely remain authoritative. IAM programmes that treat AD as complete out of the box are modelling an environment that no longer exists.

Identity control in hybrid estates is really a question of where enforcement happens. If enforcement only exists in the cloud, on-premises identities become the weak link. If enforcement only exists in AD Group Policy Objects, cloud access paths remain under-governed. The practical conclusion is that hybrid identity requires a control plane view, not a product-by-product checklist.

Strong hybrid governance depends on making directory trust explicit. The article shows that organisations retain Active Directory because they want control, not because they are unaware of cloud alternatives. That makes the real decision a governance one: which identities, sessions, and privileges should still be anchored in AD, and which should be moved to controls with tighter verification and monitoring.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing how remediation windows stay open longer than teams expect.
  • 52 NHI Breaches Analysis shows how standing privilege and delayed revocation repeatedly convert identity exposure into enterprise-wide impact.

What this signals

Directory governance in hybrid estates is moving from an architecture question to an operating-discipline question. Teams that still assume the directory is the only place identity risk lives will under-invest in session controls, federation oversight, and monitoring of identity state across cloud and on-premises boundaries. The programmes that adapt fastest will be the ones that treat hybrid enforcement as a continuous control plane problem, not a one-time migration artifact.

Hybrid identity also expands the number of identities that have to be governed as a population. With 90% of IT leaders saying properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs, the practical lesson is that AD cannot be assessed in isolation from service accounts, certificates, and other machine identities that still depend on it.

The next programme decision is whether Active Directory remains the authoritative store for every identity or only for the identities that truly require it. That decision will shape recertification cadence, monitoring scope, and the split between native directory controls and adjacent security tooling.


For practitioners

  • Inventory the identities still anchored in Active Directory Document which users, service accounts, certificates, and application links still rely on AD as the source of truth. Then map the cloud services they can reach so you can see where hybrid trust extends beyond intended boundaries.
  • Separate native controls from bolt-on controls List which protections are delivered by Active Directory itself and which depend on adjacent tooling for MFA, session control, monitoring, or conditional access. This shows where your enforcement model is incomplete.
  • Reduce directory object and membership drift Review user objects, application attributes, and group memberships for fields that no longer serve access decisions. Use the review to remove unnecessary identity data before object growth weakens administration and audit clarity.
  • Validate hybrid access paths end to end Trace a real access path from on-premises authentication to cloud application use, including federation and monitoring points. Look for places where a compromised directory identity could still pivot into cloud services.

Key takeaways

  • Hybrid identity has become a durable operating model, so Active Directory security remains a live IAM problem rather than a migration footnote.
  • Directory growth and missing default controls make object governance, session enforcement, and federation oversight central to hybrid risk reduction.
  • Teams should map where identity enforcement actually happens and close the gaps between on-premises directory control and cloud access control.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207), NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Hybrid AD environments accumulate secrets and credentials that need lifecycle governance.
NIST CSF 2.0PR.AC-4Hybrid identity depends on enforcing least privilege across directory and cloud access paths.
NIST Zero Trust (SP 800-207)Hybrid identity needs explicit trust boundaries across on-premises and cloud resources.
NIST SP 800-53 Rev 5IA-5Identity material in AD and linked systems must be managed across its lifecycle.
CIS Controls v8CIS-5 , Account ManagementAccount governance is central to controlling hybrid access sprawl in AD estates.

Use account management controls to review memberships, disable stale accounts, and tighten administrative reach.


Key terms

  • Hybrid Identity: Hybrid identity is an architecture that connects on-premises directories with cloud identity providers and SaaS applications. It creates operational flexibility, but it also expands the blast radius of identity compromise across multiple systems that share trust and authentication dependencies.
  • Active Directory: Microsoft's directory service for managing identities, authentication, and permissions across many enterprise environments. In security analysis, it matters because it often sits at the center of access control, so a compromise can affect users, systems, and administrative trust across the organisation.
  • Directory Object Bloat: Directory object bloat is the accumulation of too many attributes, memberships, and identity-related fields inside directory objects. It weakens manageability, increases audit complexity, and can hide risk because administrators lose clarity on which identity data is still necessary for access decisions.
  • Session Control: Session control is the enforcement layer that governs how long access lasts, how many sessions are allowed, and whether a connection is monitored or terminated. In hybrid identity, it matters because authentication alone does not tell you whether access is being used safely after login.

What's in the full article

IS Decisions' full article covers the operational detail this post intentionally leaves for the source:

  • The specific Windows Server 2025 functional level changes and what they mean for domain controller interoperability
  • The article's examples of how UserLock extends Group Policy Objects for MFA, session management, and real-time monitoring
  • The practical discussion of concurrent sessions, RDS, terminal, and VPN connection control in a hybrid estate
  • The author's full argument for why Active Directory remains a long-term identity anchor in mixed environments

👉 The full IS Decisions article expands on the hybrid operating model and the controls used to harden Active Directory.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org