By NHI Mgmt Group Editorial TeamPublished 2026-05-29Domain: AnnouncementsSource: Token Security

TL;DR: A persistent NHI problem in hybrid estates is that organisations still struggle to discover on-premises non-human accounts, map ownership, and manage lifecycle gaps across AD and Entra ID, according to Token Security. That matters because visibility, permissions, and offboarding remain the control points that decide whether service-account sprawl becomes breach surface.


At a glance

What this is: This is a vendor announcement about an Active Directory integration aimed at improving discovery, visibility, and lifecycle management for on-premises non-human identities.

Why it matters: It matters because AD still anchors many service-account and hybrid identity workflows, so missing visibility there leaves IAM, IGA, and PAM teams blind to privilege, ownership, and offboarding risk.

By the numbers:

👉 Read Token Security's Active Directory integration post for NHI visibility details


Context

Active Directory remains one of the most important identity control planes in hybrid enterprises because it governs users, groups, computers, and service accounts in the same directory structure. The security problem is not AD itself, but the governance gap that appears when non-human identities are managed like human accounts and their ownership, privilege, and usage drift over time.

For IAM, IGA, and PAM teams, the issue is practical: if service accounts in AD cannot be discovered, classified, and tied back to accountable owners, lifecycle control becomes guesswork. That is why AD visibility is still a core NHI governance problem, not just an infrastructure integration task.


Key questions

Q: How should security teams inventory Active Directory service accounts for governance?

A: Start by identifying every account that is used by an application, workload, integration, or administrative process rather than a person. Then map each one to an owner, a maintainer, an application dependency, and a privilege profile. If any of those fields are missing, the account is not governed well enough for normal production use.

Q: Why do service accounts in Active Directory create so much risk?

A: Service accounts often accumulate permissions, outlive their original purpose, and remain invisible to the teams that depend on them. In AD, that risk grows because inheritance, nested groups, and shared usage can hide excessive privilege until the account is exposed or misused.

Q: What do security teams get wrong about hybrid Active Directory governance?

A: They often treat on-premises AD and cloud identity as separate problems, even when the same account is synchronised across both. That split view causes ownership gaps, inconsistent lifecycle decisions, and missed privilege drift. Governance has to follow the identity across both environments.

Q: How can IAM teams reduce blast radius from overprivileged directory accounts?

A: Reduce the number of accounts with broad group membership, review inherited access paths, and remove shared service identities where possible. The goal is not just smaller privilege sets but shorter exposure windows, clearer accountability, and fewer paths for lateral movement if an account is compromised.


How it works in practice

Why Active Directory obscures non-human identity ownership

Active Directory stores identity objects, group membership, and permissions in a way that is powerful but difficult to interpret at scale. Service accounts often sit alongside human users, while nested groups and inherited ACLs make it hard to see who can do what, where, and why. The result is that ownership, intended use, and privilege scope can be lost unless another layer maps the directory into operational context. That context problem is the real control gap: the directory may hold the data, but it does not explain the governance state.

Practical implication: build an inventory layer that classifies AD service accounts, owners, and entitlements before you attempt lifecycle or privilege cleanup.

How hybrid AD and Entra ID relationships complicate NHI governance

Hybrid identity introduces a second source of drift because on-premises AD objects may sync into cloud identity systems while retaining local permissions, local ownership, or local secret handling. That means the same service account can have one lifecycle story on-premises and another in the cloud, which makes access reviews and offboarding inconsistent unless the relationship is continuously reconciled. In practice, hybrid visibility is not just about listing objects. It is about understanding whether the authoritative source, usage pattern, and privilege boundary still match the way the account is actually operating.

Practical implication: reconcile AD and Entra ID ownership, privileges, and usage records before certification cycles start.

Why AD permissions analysis is hard without identity graph context

AD permissions are object-centric, so a simple user-to-resource lookup misses the real path of access. ACLs, group nesting, and inheritance create layered entitlement chains that can hide excessive privilege or stale access. An identity graph is useful because it turns those scattered relationships into a navigable model of ownership, usage, and exposure. Without that graph, teams may know an account exists but still fail to answer the more important question: why it still has access and whether that access is still justified.

Practical implication: use graph-based entitlement analysis to find inherited access, nested groups, and stale service-account privilege that manual reviews miss.


NHI Mgmt Group analysis

Active Directory visibility is now an NHI governance baseline, not an optional enhancement. The article is really describing a common control failure: organisations cannot govern what they cannot reliably enumerate. Service accounts hidden inside AD often lack clear ownership, usage context, and lifecycle status, which makes discovery the first governance milestone. The practitioner conclusion is straightforward: if AD identities are not fully visible, every downstream control is weakened.

Hybrid identity makes service-account accountability materially harder. When AD objects sync into cloud directories, accountability can split across teams, tools, and administrative domains. That creates a governance gap where the account exists, but no one can say with confidence who provisions it, who uses it, and who can retire it. The practitioner conclusion is that hybrid identity cannot be certified from a single system of record.

Object-centric permission models create identity blast radius when privilege is not continuously mapped. AD ACLs and nested groups can hide the true reach of a service account, especially when multiple applications reuse the same identity. The named concept here is identity blast radius: the full extent of damage an over-permissioned or reused identity can create once compromised. The practitioner conclusion is to treat directory entitlements as attack surface, not administrative metadata.

Lifecycle management for AD service accounts fails when ownership and usage are not tied together. The article highlights exactly the problem lifecycle programmes are meant to solve, but the control only works when ownership, provisioner, maintainer, and usage pattern are all visible at the same time. Where that linkage is missing, offboarding and recertification become performative rather than preventive. The practitioner conclusion is that lifecycle governance must be evidence-led, not spreadsheet-led.

This is a classic NHI control-plane problem, not a narrow product-integration story. AD remains one of the most important places where machine identity, human identity, and privilege governance intersect. The broader lesson is that security teams still rely on directory hygiene assumptions that break down once service accounts accumulate, drift, and outlive their original purpose. The practitioner conclusion is to evaluate AD as a governance surface, not just an authentication service.

From our research:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • For a deeper baseline on lifecycle control, see NHI Lifecycle Management Guide for the provisioning and offboarding practices that close the ownership gap.

What this signals

Identity blast radius: AD service-account risk is no longer just about whether an account exists, but about how far that account can reach through nested groups, inherited ACLs, and hybrid sync paths. Teams that cannot trace those reach paths quickly will struggle to prove least privilege or support meaningful recertification.

With only 5.7% of organisations reporting full visibility into service accounts, most IAM programmes are still operating with partial directory intelligence. That means remediation will continue to lag discovery until ownership data, entitlement mapping, and lifecycle records are joined up.

The practical shift is toward continuous governance across directory and cloud boundaries, not periodic cleanup after an audit finding. Organisations should expect AD-based service-account control to become a board-level resilience question wherever identity still underpins application uptime and administrative trust.


For practitioners

  • Map every AD service account to an accountable owner Create an inventory that links each account to a business owner, technical maintainer, and primary application dependency. Exclude any account that cannot be tied to a current owner from production use until ownership is resolved.
  • Reconcile AD and cloud identity records on a fixed cadence Compare AD service accounts, synced cloud identities, and group memberships on a recurring basis so hybrid drift is visible before certification windows. Prioritise accounts that span both on-premises and Entra ID because they are the hardest to retire cleanly.
  • Review nested groups and inherited ACLs for excessive reach Analyse AD permissions from the object level upward so inherited access, nested group membership, and shared service identities are all captured in the same review. Remove direct or inherited privilege that is not required for a documented application dependency.
  • Treat stale or unrotated credentials as lifecycle defects Flag service accounts that keep the same credential across multiple systems or survive long after their original provisioning event. Tie rotation and revocation to ownership, not to ad hoc admin schedules, so dead accounts do not remain usable.

Key takeaways

  • Active Directory becomes a governance problem when service accounts cannot be reliably discovered, owned, and retired.
  • The risk is amplified by hybrid sync, nested permissions, and the reuse of identities across multiple applications.
  • IAM teams need inventory, entitlement mapping, and lifecycle linkage before AD visibility gaps turn into privilege drift.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01Inventory and ownership gaps are central to this Active Directory NHI visibility problem.
NIST CSF 2.0PR.AC-4Least-privilege access management is directly implicated by overbroad AD permissions.
NIST Zero Trust (SP 800-207)Hybrid AD identity depends on continuous verification across trust boundaries.

Review AD entitlements for excess privilege and remove inherited access that no longer serves a business need.


Key terms

  • Service Account: A service account is a non-human identity used by applications, integrations, scripts, or background jobs to authenticate and act without a person present. In Active Directory, these accounts often carry long-lived permissions and need tighter ownership, rotation, and offboarding discipline than human accounts.
  • Identity Graph: An identity graph is a relationship model that connects accounts, owners, permissions, applications, and usage patterns into one view. It helps teams see how access is inherited, where privilege concentrates, and which identities have drifted away from their intended purpose.
  • Hybrid Identity: Hybrid identity is an environment where the same identity may exist across on-premises and cloud systems, with synchronisation linking the two. This increases governance complexity because ownership, entitlements, and lifecycle actions must remain consistent across both control planes.

What's in the full announcement

Token Security's full blog covers the operational detail this post intentionally leaves for the source:

  • The integration workflow for discovering AD service accounts and comparing them with Entra ID records
  • Screenshots and identity graph views showing ownership, usage patterns, and permission context
  • The remediation features the vendor says can help close stale-account and excess-privilege gaps
  • The article's walkthrough of AD permission complexity, including nested groups and ACL inheritance

👉 Token Security's full blog shows the identity graph, remediation context, and hybrid visibility workflow in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org