By NHI Mgmt Group Editorial Team | Published 2025-07-01 | Domain: Breaches & Incidents | Source: Semperis

TL;DR: Hybrid identity systems across Greek enterprises still face critical gaps, with identity compromise frequently enabling network takeover, disruption, and data theft, according to Semperis. The takeaway is that continuous monitoring and recovery planning now sit at the center of resilience, not the edge.


At a glance

What this is: This is a Semperis partner announcement (with ADAPTIT) focused on closing hybrid identity infrastructure gaps in Active Directory and Entra ID environments.

Why it matters: It matters because hybrid identity remains a common control plane for NHI, human access, and recovery, so weaknesses there can cascade into enterprise-wide compromise.

By the numbers:

  • In 90% of ransomware attacks, threat actors compromise an organization's identity system, usually Active Directory, frequently resulting in data theft and massive business disruptions.
  • Semperis says its technology protects over 100 million identities from cyberattacks, data breaches, and operational errors.

👉 Read Semperis' announcement on hybrid identity resilience with ADAPTIT


Context

Hybrid identity is the layer that connects on-premises directories, cloud identity, and the access paths that tie them together. When that layer is weak, attackers do not need to compromise every system individually because identity becomes the route to broad control.

For IAM teams, the problem is not just authentication. It is the resilience of the directory, the monitoring around it, and the speed of recovery when an attacker abuses identity trust across Active Directory and Entra ID.

The article frames this as a regional partnership, but the underlying issue is universal: hybrid identity gaps are operational risks, not just security findings. That makes them relevant to human IAM, machine identity, and recovery governance at the same time.


Key questions

Q: How should security teams reduce the impact of a hybrid identity compromise?

A: They should focus on limiting blast radius, not just preventing initial access. That means mapping directory dependencies, isolating privileged paths, and making sure identity recovery can restore trust before dependent systems are brought back online. If the directory remains untrusted, the environment is still exposed even if individual hosts are cleaned.

Q: Why do hybrid identity systems create such large enterprise risk?

A: Because they often control both authentication and authorization across users, workloads, and admin workflows. A compromise in Active Directory or Entra ID can therefore affect multiple services at once, making identity a control plane rather than a single application dependency. That is why recovery and monitoring matter so much.

Q: What should organisations look for in continuous identity monitoring?

A: They should look for abnormal privileged changes, federation anomalies, and account activity that does not match normal administrative behavior. The goal is to detect identity abuse early enough to stop lateral movement before the attacker reaches directory-level control. Monitoring must cover both on-premises and cloud identity events.

Q: Who is accountable when identity compromise causes operational disruption?

A: Accountability typically sits with the teams responsible for identity governance, infrastructure resilience, and incident response, because the failure spans all three disciplines. In hybrid estates, restoring endpoints is not enough if the identity layer is still compromised. Governance must define who owns trust restoration and recovery validation.


Technical breakdown

Why hybrid identity becomes the control plane attackers target

Hybrid identity binds together directory services, cloud sign-in, and application authorization. In practice, that means a compromise of Active Directory or a related trust path can give an attacker far more leverage than a single account theft. The architectural issue is centralization: the same identity fabric often governs users, service accounts, and administrative workflows. If visibility is poor or recovery is slow, the attacker can move from credential access to environment-wide control without needing to defeat separate security stacks one by one.

Practical implication: treat directory resilience as a core control-plane requirement, not an infrastructure afterthought.

Continuous monitoring in hybrid identity environments

Continuous monitoring in hybrid identity means watching for abuse of privileged identities, abnormal directory changes, and signs that a trusted account or sync path has been manipulated. This is different from periodic review because identity attacks often happen quickly and leave little room for delayed detection. In environments that bridge on-prem and cloud, monitoring must cover both sides of the trust relationship, including high-risk administrative actions and anomalous changes to authentication or federation behavior.

Practical implication: correlate on-prem and cloud identity telemetry so directory abuse cannot hide in one side of the estate.
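The correlation described above, as an added example that is not part of the original article and is not Semperis tooling: a small Python correlator run over constructed on-prem Active Directory Security-log records and Entra ID audit-log records. The event IDs (4728/4732/4756 for additions to security-enabled groups, 4662 for an operation on a directory object carrying the directory-replication control access right GUIDs), the Entra activity names, the privileged group and role names, the domain controller inventory and the principal-name mapping are all assumptions made for this example.

```python
"""Correlate on-prem Active Directory and Entra ID identity events.

Added example, not part of the original article and not Semperis tooling.
Every record below is constructed. Assumed conventions: Windows Security
event IDs 4728/4732/4756 (member added to a security-enabled group) and 4662
(operation on a directory object, with the control access right GUIDs
exercised), plus Entra ID audit-log activity names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed privileged AD groups and Entra roles whose changes are always reviewed.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators"}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Hybrid Identity Administrator"}
FEDERATION_ACTIVITIES = {"Set federation settings on domain",
                         "Set domain authentication"}
# Control access rights for directory replication (DS-Replication-Get-Changes
# and -All): routine for domain controllers, suspicious for anyone else.
REPLICATION_RIGHTS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                      "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}
DOMAIN_CONTROLLERS = {"CORP\\DC01$", "CORP\\DC02$"}   # constructed inventory

# Constructed sample telemetry (not real logs).
AD_EVENTS = [
    {"source": "ad", "event_id": 4728, "time": "2025-07-01T09:02:10",
     "actor": "CORP\\jdoe", "target": "CORP\\svc-backup", "group": "Domain Admins"},
    {"source": "ad", "event_id": 4662, "time": "2025-07-01T09:05:44",
     "actor": "CORP\\svc-backup", "properties": set(REPLICATION_RIGHTS)},
    {"source": "ad", "event_id": 4728, "time": "2025-07-01T10:30:00",
     "actor": "CORP\\helpdesk1", "target": "CORP\\bob", "group": "Sales"},
    {"source": "ad", "event_id": 4662, "time": "2025-07-01T10:31:00",
     "actor": "CORP\\DC02$", "properties": set(REPLICATION_RIGHTS)},
]
ENTRA_EVENTS = [
    {"source": "entra", "activity": "Add member to role", "time": "2025-07-01T09:08:30",
     "actor": "jdoe@corp.example", "target": "svc-backup@corp.example",
     "role": "Global Administrator"},
    {"source": "entra", "activity": "Set federation settings on domain",
     "time": "2025-07-01T09:09:12", "actor": "svc-backup@corp.example",
     "target": "corp.example"},
    {"source": "entra", "activity": "Update user", "time": "2025-07-01T11:00:00",
     "actor": "helpdesk1@corp.example", "target": "bob@corp.example"},
]

def normalize_principal(name):
    """Map 'CORP\\user' and 'user@corp.example' onto one key ('user').
    Assumes the sync convention where sAMAccountName equals the UPN prefix."""
    if "\\" in name:
        name = name.split("\\", 1)[1]
    return name.split("@", 1)[0].lower()

def finding(rule, severity, ev, detail):
    return {"rule": rule, "severity": severity, "source": ev["source"],
            "time": datetime.fromisoformat(ev["time"]),
            "actor": normalize_principal(ev["actor"]), "detail": detail}

def evaluate_ad(ev):
    out = []
    if ev["event_id"] in (4728, 4732, 4756) and ev["group"] in PRIVILEGED_GROUPS:
        out.append(finding("ad_privileged_group_add", "high", ev,
                           f"{ev['target']} added to {ev['group']}"))
    if (ev["event_id"] == 4662 and ev.get("properties", set()) & REPLICATION_RIGHTS
            and ev["actor"] not in DOMAIN_CONTROLLERS):
        out.append(finding("ad_replication_by_non_dc", "critical", ev,
                           "directory replication rights exercised by a non-DC account"))
    return out

def evaluate_entra(ev):
    out = []
    if ev["activity"] == "Add member to role" and ev["role"] in PRIVILEGED_ROLES:
        out.append(finding("entra_privileged_role_add", "high", ev,
                           f"{ev['target']} added to {ev['role']}"))
    if ev["activity"] in FEDERATION_ACTIVITIES:
        out.append(finding("entra_federation_change", "critical", ev,
                           f"{ev['activity']} on {ev['target']}"))
    return out

def correlate(findings, window=timedelta(hours=1)):
    """Escalate when one principal has privileged findings on both sides of
    the sync/federation boundary within `window`."""
    by_actor = defaultdict(list)
    for f in findings:
        by_actor[f["actor"]].append(f)
    out = []
    for actor, fs in by_actor.items():
        if {"ad", "entra"} <= {f["source"] for f in fs}:
            times = sorted(f["time"] for f in fs)
            if times[-1] - times[0] <= window:
                out.append({"rule": "cross_environment_privileged_activity",
                            "severity": "critical", "source": "correlated",
                            "time": times[0], "actor": actor,
                            "detail": f"{len(fs)} privileged findings across AD and Entra ID"})
    return out

def analyze(ad_events=AD_EVENTS, entra_events=ENTRA_EVENTS):
    findings = []
    for ev in ad_events:
        findings += evaluate_ad(ev)
    for ev in entra_events:
        findings += evaluate_entra(ev)
    findings += correlate(findings)
    return sorted(findings, key=lambda f: f["time"])

if __name__ == "__main__":
    for f in analyze():
        print(f"{f['time']:%H:%M:%S} {f['severity']:8} {f['source']:10} "
              f"{f['actor']:12} {f['rule']}: {f['detail']}")
```

The per-side rules are ordinary SIEM content; the point is the correlate step. On the constructed input the benign helpdesk and domain-controller events produce nothing, while jdoe and svc-backup each trigger a high or critical finding on both the AD and the Entra side within minutes, and only the joined view raises that to a single cross-environment alert.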

Rapid recovery after directory compromise

Rapid recovery is the ability to restore identity services to a trusted state after compromise, including clean credentials, corrected configuration, and validated dependencies. In hybrid identity, recovery is difficult because directories often support many downstream systems, and a small compromise can create broad disruption. The technical challenge is not only restoring service but proving that the identity layer is no longer under attacker influence. That makes recovery planning as important as detection and prevention.

Practical implication: test identity restoration procedures as rigorously as backup and disaster-recovery runbooks.


Threat narrative

Attacker objective: The attacker aims to turn identity compromise into broad enterprise control and high-impact disruption.

  1. Entry via compromised hybrid identity infrastructure, most often through Active Directory or a related trust path that gives the attacker a foothold in the control plane.
  2. Escalation through identity compromise that expands access from a single account or directory component into broader administrative control and lateral movement.
  3. Impact in the form of network takeover, operational disruption, and data theft once the identity layer can no longer be trusted.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Hybrid identity resilience is now a control-plane issue, not an IAM subtopic. When Active Directory and Entra ID sit at the center of access, recovery, and trust, compromise of that layer can cascade across users, workloads, and operations. That is why identity protection has to be evaluated as part of business continuity, not only security tooling. The practitioner takeaway is to treat identity as a resilience dependency.

Identity compromise creates a blast radius that outgrows account-level thinking. The article's threat model is not about one stolen credential. It is about a weak trust fabric that lets an attacker move from access to control of the environment. That means privileged directory paths, federation links, and recovery dependencies need governance together. The practitioner takeaway is to assess how far one identity failure can spread.

Identity recovery gap: the assumption that compromise can be contained without restoring the identity layer is too optimistic for hybrid estates. Hybrid environments often restore servers and endpoints faster than they restore trust in directories, certificates, and admin paths. That assumption fails when identity itself is the compromise vector. The implication is that practitioners must rethink what counts as recovered, because the estate is not safe until identity trust is re-established.

Cross-border partnerships are accelerating around hybrid identity because the exposure is structural. The partnership discussed here reflects a broader market pattern: buyers are looking for continuous monitoring and recovery around the directory, not just perimeter controls. That signals a shift toward resilience-led identity programmes. The practitioner takeaway is to align procurement with control-plane risk, not product categories.

For mixed human and machine estates, hybrid identity is the common failure domain. Human access, service accounts, and operational automation all depend on directory trust in many enterprises. When that trust breaks, the failure is shared, even if the triggering account type differs. The practitioner takeaway is to govern hybrid identity as the foundation for both workforce and non-human access.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • Hybrid identity teams should pair that remediation gap with the broader breach view in 52 NHI Breaches Analysis, which shows how identity failures translate into real compromise patterns.

What this signals

Identity recovery is becoming a board-level resilience metric. As more services depend on hybrid identity, the question is no longer whether directories can be monitored, but whether they can be restored to a trusted state fast enough to protect operations. That makes recovery validation, not just backup availability, a governance requirement for IAM leaders.

Directory trust debt: the longer hybrid identity dependencies remain undocumented, the larger the blast radius becomes when compromise occurs. Teams should expect more scrutiny of federation links, synchronization paths, and privileged recovery accounts because those are the places where trust is hardest to rebuild.

Practitioners should also separate user access continuity from machine and admin continuity. Human authentication may be easier to re-establish than the trust behind service accounts, directory sync, and recovery privileges, which means identity programmes need different operating models for each layer.


For practitioners

  • Map directory trust dependencies end to end: Inventory which business services, admin workflows, and non-human accounts depend on Active Directory and Entra ID. Identify where one compromise would affect multiple systems, especially through federation, synchronization, and privileged access paths.
  • Correlate identity telemetry across on-prem and cloud: Combine directory change logs, authentication events, and privileged activity monitoring so abuse cannot hide between environments. Pay particular attention to unusual admin actions, trust changes, and account takeover indicators.
  • Test identity recovery as a live operating procedure: Run recovery exercises that restore directory services, privileged accounts, and trust relationships in the order the business actually needs. Validate that the restored environment is trusted before returning dependent workloads to service.
  • Review non-human access that depends on hybrid identity: Check service accounts, integrations, and automation jobs that authenticate through the same identity fabric as users. Tighten their scope and offboarding steps so a directory compromise does not preserve unnecessary machine access.
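The first and third items above (dependency mapping and recovery ordering), and the "Rapid recovery after directory compromise" section earlier, as an added worked example that is not part of the original article or of any Semperis product: a constructed hybrid inventory expressed as a dependency graph, the blast radius of a compromised component computed over it, and a restoration order derived from it so that identity trust is restored before the workloads that inherit it. Every component name and every edge in the inventory is an assumption made for the example.

```python
"""Trust dependency mapping, blast radius and recovery ordering.

Added example, not from the article and not Semperis/ADAPTIT code. The
inventory is constructed: an edge A -> B means "A is only trustworthy
while B is trustworthy" (A depends on B).
"""
from collections import defaultdict, deque

DEPENDS_ON = {
    "active_directory":   set(),
    "adfs_federation":    {"active_directory"},
    "entra_connect_sync": {"active_directory"},
    "entra_id":           {"entra_connect_sync", "adfs_federation"},
    "pki_enterprise_ca":  {"active_directory"},
    "svc-backup (NHI)":   {"active_directory"},
    "erp":                {"active_directory", "pki_enterprise_ca"},
    "saas_crm":           {"entra_id"},
    "ci_runner (NHI)":    {"entra_id"},
    "payroll":            {"erp", "svc-backup (NHI)"},
}

def reverse_graph(depends_on):
    """Invert 'A depends on B' into 'B is depended on by A'."""
    dependents = defaultdict(set)
    for node, deps in depends_on.items():
        dependents.setdefault(node, set())
        for dep in deps:
            dependents[dep].add(node)
    return dependents

def blast_radius(compromised, depends_on=DEPENDS_ON):
    """Every component whose trust is transitively inherited from `compromised`
    (breadth-first walk over the reversed graph), including itself."""
    dependents = reverse_graph(depends_on)
    seen, queue = {compromised}, deque([compromised])
    while queue:
        node = queue.popleft()
        for child in dependents[node]:
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen

def recovery_waves(compromised, depends_on=DEPENDS_ON):
    """Group the blast radius into restoration waves: a component enters a
    wave only once everything it depends on inside the blast radius has been
    restored and validated (Kahn's algorithm on the affected subgraph).
    Components within one wave can be restored in parallel. Raises on a
    dependency cycle, which in a real inventory means the map is wrong."""
    affected = blast_radius(compromised, depends_on)
    remaining = {n: {d for d in depends_on[n] if d in affected} for n in affected}
    waves = []
    while remaining:
        ready = sorted(n for n, deps in remaining.items() if not deps)
        if not ready:
            raise ValueError(f"dependency cycle among {sorted(remaining)}")
        waves.append(ready)
        for n in ready:
            del remaining[n]
        for deps in remaining.values():
            deps.difference_update(ready)
    return waves

def validate_order(order, depends_on=DEPENDS_ON):
    """Return (component, dependency) pairs where a proposed runbook brings a
    component back before something it depends on (checked only among the
    components that appear in the order)."""
    position = {n: i for i, n in enumerate(order)}
    return [(n, dep) for n in order for dep in depends_on[n]
            if dep in position and position[dep] > position[n]]

if __name__ == "__main__":
    print("blast radius of entra_id:", sorted(blast_radius("entra_id")))
    for i, wave in enumerate(recovery_waves("active_directory")):
        print(f"wave {i}: {', '.join(wave)}")
```

Two things the graph makes visible that a flat asset list does not: a compromise of Entra ID alone stays inside the cloud-dependent services, while a compromise of Active Directory reaches every component in the inventory, including Entra ID through the sync and federation edges; and the NHI entries (the backup service account, the CI runner) sit in the same waves as the human-facing systems, so machine access has to be re-trusted on the same schedule, not after the fact.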

Key takeaways

  • Hybrid identity compromise is a resilience problem because directory trust sits underneath user access, machine access, and recovery.
  • The remediation figures cited above (secrets still valid days after notification, few formal processes for revoking or rotating API keys) show that most organisations still struggle with remediation, offboarding, and exposure control.
  • Teams should prioritise dependency mapping, cross-environment monitoring, and tested identity recovery before the next directory incident.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

  • NIST CSF 2.0, PR.AA-05 (access permissions and authorizations managed with least privilege and separation of duties; the original mapping cited this as PR.AC-4, which is the CSF 1.1 identifier for the same outcome): identity trust and access paths are central to the article's hybrid identity risk.
  • NIST Zero Trust (SP 800-207): the article is about continuous verification of identity trust across hybrid environments.
  • OWASP Non-Human Identity Top 10, NHI-03: hybrid identity compromise often involves unmanaged or overexposed non-human credentials. Inventory and reduce standing NHI exposure where hybrid identity services depend on secrets or service accounts.


Key terms

  • Hybrid Identity: A hybrid identity environment connects on-premises identity infrastructure with cloud identity services and shared authentication paths. It is the control layer that lets users, administrators, and systems move across environments while preserving a common trust model. That trust model becomes a major risk if compromise in one domain can propagate into the other.
  • Identity Control Plane: The identity control plane is the set of directory, federation, and privileged access components that determine who can reach what. In hybrid environments, it often governs both human and non-human access, which makes it a high-value target. If attackers gain control of it, they can influence many downstream systems at once.
  • Recovery Validation: Recovery validation is the process of proving that restored identity services are clean, trusted, and safe to use. In hybrid estates, this goes beyond bringing directories back online because compromised trust paths, credentials, or synchronization links can survive a superficial restore. It is a resilience control, not just a backup task.
  • Trust Dependency Mapping: Trust dependency mapping identifies which systems, accounts, and workflows rely on a given identity service or federation path. It helps practitioners understand how far an identity failure could spread and which business processes would be affected first. In hybrid environments, it is essential for prioritising monitoring and recovery.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Semperis: Semperis and ADAPTIT to work jointly to help organisations close hybrid identity infrastructure gaps. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-07-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org