By NHI Mgmt Group Editorial Team
Published 2026-04-16
Domain: Governance & Risk
Source: Delinea

TL;DR: Active Directory remains the identity backbone for most enterprises, while identity-based attacks now dominate modern campaigns and can reach domain compromise in under two minutes, according to Delinea and cited industry reporting. The control gap is continuous visibility and remediation, not another quarterly review cycle.


At a glance

What this is: An analysis of why Active Directory still anchors enterprise identity risk, and which controls reduce exposure to the misconfigurations attackers routinely exploit.

Why it matters: Hybrid IAM teams still depend on AD as a control plane, so gaps in discovery, privilege tiering, and delegation can become domain-wide compromise paths.

By the numbers:

👉 Read Delinea's analysis of five controls that reduce Active Directory risk


Context

Active Directory remains a core identity control plane in hybrid enterprises because it still authenticates users, services, and machines that cloud-only directories do not fully replace. That makes Active Directory risk an IAM and NHI issue, not just a Windows administration issue, because service accounts, delegated privileges, and legacy protocols can turn ordinary configuration drift into domain compromise.

The problem is not that Active Directory is obsolete. The problem is that many security programs still manage it as if the attack surface were static, even though permissions, delegation, and service accounts change continuously. In that context, the article's controls are less about hardening a single directory and more about reducing the blast radius of identity failures across the wider enterprise.

The source article reflects a typical posture for large hybrid environments: AD remains authoritative, cloud identity is downstream, and attackers exploit the mismatch between that architecture and the cadence of traditional IAM governance.


Key questions

Q: What breaks when Active Directory controls are managed only through quarterly reviews?

A: Quarterly reviews miss the drift that matters most. Service accounts gain access, delegation is expanded, and nested groups accumulate privilege between review cycles. By the time the next review happens, an attacker may already have used the path. Continuous discovery and risk-based remediation are needed because AD exposure changes faster than formal governance cadences.

Q: Why do service accounts and delegation settings create so much risk in Active Directory?

A: Service accounts often run with persistent privileges and weak, rarely rotated passwords, and any user-class account with an SPN lets any authenticated principal request a service ticket and crack it offline. Delegation settings compound this: a host trusted for unconstrained delegation keeps a copy of every TGT presented to it, and a delegation or RBCD misconfiguration lets an attacker impersonate arbitrary users to the services behind it. Together, they create low-noise paths to escalation that do not depend on malware. The risk is not the account name itself, but the effective access it can provide if abused.

Q: How do security teams know if Active Directory hardening is actually working?

A: Look for measurable reductions in privileged logon paths, unconstrained delegation, risky SPN accounts, and shadow administrative rights. If those conditions remain present, the control set is only documented, not effective. Real progress shows up when effective permissions shrink, privileged identities are tiered correctly, and remediation closes issues before they become incident paths.

Q: What should teams do first when they find high-risk Active Directory exposure?

A: Contain the highest-blast-radius identities first, especially domain admins, service accounts with SPNs, and systems using unconstrained delegation. Then remove inherited privilege, reset or rotate exposed credentials (including a double reset of the krbtgt account, spaced at least one TGT lifetime apart, if ticket forgery is suspected), and verify that no lower-trust system holds higher-tier credentials. The first 24 to 72 hours should focus on stopping credential replay and privilege spread.


Technical breakdown

Why Active Directory misconfigurations become domain compromise

Active Directory attacks often succeed without malware or zero-days because the directory exposes powerful identity primitives through legacy protocol behaviour and inherited permissions. Kerberos service tickets, ACL-based rights, unconstrained delegation, and nested group membership can all create paths to administrative control without obvious privilege-group membership. That is why attackers focus on service accounts, delegation flags, and object permissions rather than trying to break the directory itself. Once an attacker can influence an authentication flow or holds effective rights over a high-value object, they can often move from standard user access to domain-level impact using nothing but legitimate protocol behaviour.

Practical implication: Treat effective permissions and delegation as attack paths, not just directory metadata.
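The following is an added example, not code from the Delinea article or from NHIMG, showing how to enumerate the three primitives named above as findings rather than metadata: hosts and accounts trusted for unconstrained delegation, Kerberoastable user accounts ranked by privilege and encryption type, and principals holding DCSync or control rights on the domain head and AdminSDHolder. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access; no object names are hard-coded and nothing is modified.

```powershell
# Added example (not from the source article). Read-only exposure discovery for the
# attack paths discussed above. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ADExposureFindings {
    $domain   = Get-ADDomain
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Category, [string]$Object, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Category = $Category; Object = $Object; Detail = $Detail })
    }

    # 1. Unconstrained delegation: userAccountControl bit 0x80000 (TRUSTED_FOR_DELEGATION).
    #    Such a host keeps a copy of every TGT presented to it in LSASS. Domain controllers
    #    carry the flag by design (primaryGroupID 516, RODCs 521), so they are excluded.
    Get-ADComputer -LDAPFilter '(&(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(primaryGroupID=516))(!(primaryGroupID=521)))' |
        ForEach-Object { Add-Finding 'UnconstrainedDelegation' $_.DNSHostName 'Computer trusted for delegation outside the DC set' }
    Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' |
        ForEach-Object { Add-Finding 'UnconstrainedDelegation' $_.SamAccountName 'User account trusted for delegation' }

    # 2. Kerberoast targets: user-class objects with an SPN. Rank by adminCount, password age
    #    and whether RC4 is still negotiable (msDS-SupportedEncryptionTypes unset, which falls
    #    back to the DC default, or bit 0x4 set). gMSAs are computer-class and do not appear.
    Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
        -Properties servicePrincipalName, PasswordLastSet, adminCount, 'msDS-SupportedEncryptionTypes' |
        ForEach-Object {
            $etypes = $_.'msDS-SupportedEncryptionTypes'
            $rc4    = (-not $etypes) -or (($etypes -band 0x4) -ne 0)
            $age    = if ($_.PasswordLastSet) { "$((New-TimeSpan -Start $_.PasswordLastSet).Days) days" } else { 'never set' }
            $tier   = if ($_.adminCount -eq 1) { 'PRIVILEGED' } else { 'standard' }
            Add-Finding 'KerberoastableUser' $_.SamAccountName `
                ("{0} account; RC4 negotiable={1}; password age {2}; SPNs: {3}" -f $tier, $rc4, $age, ($_.servicePrincipalName -join ' '))
        }

    # 3. Shadow administrators: trustees with control rights on the domain head (replication
    #    extended rights = DCSync) or on AdminSDHolder (whose ACL is stamped onto every
    #    protected object), excluding the well-known default administrative principals.
    $replGuids = @('1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
                   '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2')   # DS-Replication-Get-Changes-All
    $defaults  = '^(NT AUTHORITY\\(SYSTEM|ENTERPRISE DOMAIN CONTROLLERS)|BUILTIN\\Administrators|.+\\(Domain Admins|Enterprise Admins|Domain Controllers|Enterprise Read-only Domain Controllers))$'
    $targets   = @{ DomainHead    = $domain.DistinguishedName
                    AdminSDHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)" }
    foreach ($t in $targets.GetEnumerator()) {
        (Get-Acl -Path "AD:\$($t.Value)").Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -notmatch $defaults } |
            ForEach-Object {
                $rights  = $_.ActiveDirectoryRights.ToString()
                $objType = $_.ObjectType.ToString()
                $dcSync  = ($rights -match 'ExtendedRight') -and (($objType -in $replGuids) -or ($_.ObjectType -eq [guid]::Empty))
                $control = $rights -match 'GenericAll|WriteDacl|WriteOwner'
                if ($dcSync -or $control) {
                    Add-Finding "ShadowAdmin-$($t.Key)" $_.IdentityReference.Value "$rights (objectType $objType)"
                }
            }
    }
    return $findings
}

# Usage: every row is a path to close, not an inventory entry.
Get-ADExposureFindings | Sort-Object Category, Object | Format-Table -AutoSize
```

Run it on a schedule and diff the output between runs: a new row is the drift the section describes, and it appears long before the next access review would.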

How the tiered administration model limits identity blast radius

The tiered administration model separates high-value identity assets from lower-trust systems. Tier 0 covers domain controllers, PKI, and similar control-plane assets. Tier 1 includes servers and applications, while Tier 2 covers workstations. The security goal is to prevent credentials from higher tiers from ever being exposed on lower tiers, because a single interactive logon to a workstation places privileged credential material into that machine's memory, where anyone who already controls the machine can extract it. Protected Users membership, dedicated privileged access workstations, and authentication policy silos exist to enforce that boundary at the KDC rather than relying on user discipline.

Practical implication: Map privileged workflows to tiers and block cross-tier logons where credential exposure would expand blast radius.
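As an added example (not code from the Delinea article or from NHIMG), this is how the Tier 0 boundary is enforced in the KDC with an authentication policy silo: the accounts placed in the silo can obtain a Kerberos TGT only from hosts that are also silo members, which here are the domain controllers and the privileged access workstations. It assumes a Windows Server 2012 R2 or later domain functional level, the "KDC support for claims, compound authentication and Kerberos armoring" policy enabled on the DCs and the matching client-side policy on the PAWs. The account and host names (t0-admin, PAW01, PAW02) are placeholders.

```powershell
# Added example (not from the source article). Tier 0 logon boundary as an
# authentication policy silo. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$siloName   = 'Tier0Silo'
$policyName = 'Tier0Policy'
$tier0Users = @('t0-admin')                                             # placeholder
$tier0Hosts = @('PAW01', 'PAW02') + (Get-ADDomainController -Filter *).Name   # PAW names are placeholders

# 1. Policy: short TGT lifetime plus a device condition that only silo members satisfy.
#    The conditional-ACE SDDL is the documented form; the silo name inside it must match.
$condition = "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == `"$siloName`"))"
New-ADAuthenticationPolicy -Name $policyName -UserTGTLifetimeMins 120 `
    -UserAllowedToAuthenticateFrom $condition -ProtectedFromAccidentalDeletion $true

# 2. Silo: bind the policy to users, computers and services placed in it. Created without
#    -Enforce on purpose: in audit mode the DCs log would-be denials instead of refusing
#    tickets, which is how you find the legitimate logon paths this will break.
New-ADAuthenticationPolicySilo -Name $siloName -UserAuthenticationPolicy $policyName `
    -ComputerAuthenticationPolicy $policyName -ServiceAuthenticationPolicy $policyName `
    -ProtectedFromAccidentalDeletion $true

# 3. Membership is two-sided: the silo must permit the account, and the account must be
#    assigned to the silo. Computer accounts are addressed by their sAMAccountName (NAME$).
foreach ($acct in $tier0Users + ($tier0Hosts | ForEach-Object { "$_`$" })) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $acct
    Set-ADAccountAuthenticationPolicySilo -Identity $acct -AuthenticationPolicySilo $siloName
}

# 4. Tier 0 humans also go into Protected Users (no NTLM, no RC4, no delegation of their
#    credentials, 4-hour TGT) and are marked non-delegable on the account itself.
foreach ($u in $tier0Users) {
    Add-ADGroupMember -Identity 'Protected Users' -Members $u
    Set-ADAccountControl -Identity $u -AccountNotDelegated $true
}

# 5. After the audit window, switch both objects to enforcement.
Set-ADAuthenticationPolicy     -Identity $policyName -Enforce $true
Set-ADAuthenticationPolicySilo -Identity $siloName   -Enforce $true
```

The point of the silo over a "Deny log on" user-rights assignment is that the check happens when the TGT is issued, so it holds even on a host whose local policy an attacker already controls.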

Why PAM is necessary but not sufficient for AD governance

PAM governs enrolled privileged accounts and sessions, but Active Directory risk also comes from identities outside the vault, including service accounts, local admin accounts, legacy accounts, and nested group entitlements. Those identities can gain high privilege silently between access reviews, which means the control gap lives in the period between governance events. Continuous identity security posture management closes that gap by discovering effective permissions, highlighting risky configurations, and prioritising remediation based on exploitability and blast radius rather than simple inventory completeness.

Practical implication: Use PAM for enrolled privilege, then add continuous discovery to catch identities PAM never sees.


Threat narrative

Attacker objective: The attacker objective is to gain durable domain-level control by abusing Active Directory trust paths and identity misconfigurations.

  1. Entry occurs through ordinary authenticated access, often by abusing weak service-account passwords, exposed tickets, or delegated credentials rather than exploiting a vulnerability.
  2. Escalation follows when attackers use Kerberoasting, shadow administrator rights, or unconstrained delegation to obtain domain-relevant control without obvious membership changes.
  3. Impact is full domain takeover, including credential extraction, lateral movement, and persistent control of the identity infrastructure.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Active Directory risk is now a continuous identity governance problem, not a directory hygiene problem. The attack surface changes as service accounts, delegation rules, and nested groups drift across hybrid estates. Quarterly review cycles cannot reliably capture that movement, which is why the control model has to shift from periodic approval to continuous visibility and blast-radius reduction. Practitioners should treat AD as living identity infrastructure, not static configuration.

Identity blast radius is the right way to frame AD security failures. A single weak service account, shadow administrator, or delegation mistake can extend far beyond the object where it appears. That is why the most useful control question is not whether an account exists, but how far it can move if abused. Practitioners should prioritize controls that shrink effective reach rather than only closing isolated gaps.

PAM remains necessary, but AD exposes the shadow estate that PAM cannot govern on its own. Vaulted credentials are only one slice of the risk because many high-impact identities were never enrolled, were inherited through acquisition, or accumulated privilege silently. The governance model therefore has to combine enrollment-based controls with continuous discovery and risk scoring. Practitioners should not confuse vault coverage with actual privilege coverage.

Legacy protocol support is a security cost, not just an operational convenience. NTLM, RC4-based Kerberos encryption, unsigned or unbound LDAP, and unconstrained delegation survive because enterprise compatibility demands them, but each one expands the ways attackers can turn authentication into control. The practical answer is not to pretend those protocols disappear, but to constrain where they operate and what they can reach. Practitioners should align hardening work to protocol exposure, not to directory administration habits.

Named concept: identity blast radius. This is the effective scope of damage an attacker can cause after compromising one AD object, service account, or delegation path. The concept is useful because it links visibility, privilege tiering, and remediation priority into one decision model. Practitioners should measure every change against how much blast radius it creates or reduces.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which is why dormant identity risk persists long after owners think it is closed.
  • That governance gap aligns with 52 NHI Breaches Analysis, where repeated control failures show that discovery without revocation leaves the same attack paths in place.

What this signals

Identity blast radius is becoming the practical metric for hybrid IAM programmes. As Active Directory, cloud directories, and service accounts continue to intersect, teams need to measure how far one compromised identity can move rather than whether a control exists on paper. That shift maps naturally to Zero Trust Architecture because access decisions have to reflect current risk, not inherited trust, and to NIST Cybersecurity Framework 2.0 because govern, identify, protect, detect, respond, and recover all depend on identity visibility.

The control lesson for practitioners is straightforward: AD hardening cannot sit in a separate Windows team lane. Privilege tiering, delegation review, and service-account governance need to sit inside the broader NHI programme because the same identity failures that affect human admins also affect machine and service identities. The operational signal to watch is whether risky identities are reduced before they become incident paths.

With 97% of NHIs carrying excessive privileges, according to the Ultimate Guide to NHIs, the governance challenge is no longer whether organisations have enough policy. It is whether they can continuously see and reduce the identities that create hidden reach across hybrid infrastructure.


For practitioners

  • Separate admin tiers immediately: Enforce the tiered administration model so Tier 0 credentials never touch workstation environments, and require dedicated privileged access workstations for domain-level administration.
  • Replace risky service accounts with managed identities: Prioritize Group Managed Service Accounts for SPN-based services so passwords are auto-rotated and offline cracking becomes far harder than with user-based service accounts.
  • Eliminate unconstrained delegation outside domain controllers: Inventory all TRUSTED_FOR_DELEGATION systems, migrate them to Resource-Based Constrained Delegation, and treat any new unconstrained delegation flag as a critical finding.
  • Audit effective permissions, not just group membership: Review AdminSDHolder, direct ACL assignments, and nested group inheritance so shadow administrators and hidden privilege paths are visible before attackers find them.
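The remediation half of the second and third items, as an added example that is not code from the Delinea article or from NHIMG: a user-based service account is replaced by a gMSA, and an application server is moved from unconstrained delegation to resource-based constrained delegation. The object names (svc-web, gmsa-web, WebServers, APP01, SQL01) and the SPN are placeholders; the cmdlets are the RSAT ActiveDirectory module's own. Run it as a Tier 0 administrator from a PAW, after discovery has told you which objects are affected.

```powershell
# Added example (not from the source article). Remediation for Kerberoastable service
# accounts and unconstrained delegation. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# --- Replace a user-based service account with a gMSA ----------------------------
# A gMSA password is 240 random characters, rotated by the DCs every
# ManagedPasswordIntervalInDays, retrievable only by the listed principals and never
# typed by a human. Its SPN can still be Kerberoasted; the ticket cannot be cracked.
if (-not (Get-KdsRootKey)) {
    # Needed once per forest. -EffectiveImmediately still waits the standard 10 hours
    # before every DC can use the key; do not shortcut that in production.
    Add-KdsRootKey -EffectiveImmediately
}
$spn = 'HTTP/web.corp.example'                       # placeholder SPN
# Modern DCs enforce SPN uniqueness, so detach the SPN from the old account first.
Set-ADUser -Identity 'svc-web' -ServicePrincipalNames @{ Remove = $spn }
New-ADServiceAccount -Name 'gmsa-web' -DNSHostName 'web.corp.example' `
    -ServicePrincipalNames $spn `
    -PrincipalsAllowedToRetrieveManagedPassword (Get-ADGroup 'WebServers') `
    -KerberosEncryptionType 'AES128,AES256' `
    -ManagedPasswordIntervalInDays 30
# Then on each host in WebServers, after a reboot so the group membership applies:
#   Install-ADServiceAccount gmsa-web ; Test-ADServiceAccount gmsa-web
# and repoint the service or app pool to CORP\gmsa-web$ with an empty password.
Disable-ADAccount -Identity 'svc-web'   # keep the object for forensics; it can no longer authenticate

# --- Move APP01 from unconstrained delegation to RBCD ------------------------------
# RBCD is configured on the resource (SQL01): its msDS-AllowedToActOnBehalfOfOtherIdentity
# attribute lists which front ends may obtain tickets to it on behalf of users. APP01
# then needs no delegation flag of its own, so clearing TRUSTED_FOR_DELEGATION stops it
# from caching other people's TGTs without breaking the application path.
Set-ADComputer -Identity 'SQL01' -PrincipalsAllowedToDelegateToAccount (Get-ADComputer 'APP01')
Set-ADComputer -Identity 'APP01' -TrustedForDelegation $false

# --- Verify: APP01 should report TrustedForDelegation False, SQL01 should list APP01,
# --- svc-web should be disabled with no SPN, and the gMSA should carry the SPN with AES only.
Get-ADComputer 'APP01' -Properties TrustedForDelegation | Select-Object Name, TrustedForDelegation
Get-ADComputer 'SQL01' -Properties PrincipalsAllowedToDelegateToAccount | Select-Object Name, PrincipalsAllowedToDelegateToAccount
Get-ADUser 'svc-web' -Properties servicePrincipalName | Select-Object Enabled, servicePrincipalName
Get-ADServiceAccount 'gmsa-web' -Properties ServicePrincipalNames, KerberosEncryptionType | Select-Object Name, ServicePrincipalNames, KerberosEncryptionType
```

One caveat worth stating: whoever can write msDS-AllowedToActOnBehalfOfOtherIdentity on SQL01 can grant themselves the same delegation, so write access to computer objects belongs in the effective-permissions audit above alongside the delegation flags.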

Key takeaways

  • Active Directory still matters because hybrid identity designs leave it as the control plane attackers can abuse through ordinary misconfigurations.
  • The real risk is identity blast radius, where one weak service account or delegation path can expand into domain-wide compromise.
  • Continuous discovery, privilege tiering, and managed service identities are the controls that reduce AD exposure faster than quarterly governance cycles.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | AD tiering and delegated privilege map directly to least-privilege access control governance.
NIST Zero Trust (SP 800-207) | Tenets of Zero Trust (Section 2.1) | AD risk here is a trust-boundary problem that Zero Trust should continuously verify.
OWASP Non-Human Identity Top 10 | NHI5 Overprivileged NHI; NHI7 Long-Lived Secrets | Standing privilege and unrotated service-account credentials are central NHI control failures.

Review service-account lifecycle controls against NHI5 and NHI7 and automate rotation and offboarding.


Key terms

  • Identity Blast Radius: Identity blast radius is the amount of damage a compromised identity can create across systems, privileges, and data. In hybrid environments, it depends on effective permissions, delegation, tiering, and how far credentials can move after initial access.
  • Shadow Administrator: A shadow administrator is an account that can perform administrative actions without appearing in a normal privileged group. The rights usually come from direct ACL assignments, inherited permissions, or nested group paths, which makes the account easy to miss in standard reviews.
  • Resource-Based Constrained Delegation: Resource-Based Constrained Delegation is a delegation model that limits which front-end identities can obtain service tickets to a resource on behalf of users. Unlike classic constrained delegation, which is configured on the delegating account and needs domain-level rights to set, RBCD is configured on the target resource object itself (msDS-AllowedToActOnBehalfOfOtherIdentity), so the resource owner controls the trust relationship. The corollary is that write access to that attribute on a computer object is itself a privilege worth auditing.
  • Group Managed Service Account: A Group Managed Service Account is a service identity designed for automated password management in Windows environments. It is used for workloads that need a persistent identity, but it removes the weak, manually handled password patterns that make traditional service accounts easy to crack.

Deepen your knowledge

Active Directory hardening and identity blast-radius reduction are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a hybrid governance model from a similar starting point, it is worth exploring.

This post draws on content published by Delinea: Five security controls that can reduce your AD risk. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org