By NHI Mgmt Group Editorial Team
Published 2025-07-10
Domain: Governance & Risk
Source: Semperis

TL;DR: Organisations still struggle to identify and remediate vulnerabilities across Active Directory, Entra ID, and Okta, scoring an average of 61 out of 100, 11 points below 2023, with midsized environments faring worst, according to Semperis’ 2025 Purple Knight Report. The central problem remains low visibility and uneven remediation, not a lack of tooling.


At a glance

What this is: Semperis’ 2025 Purple Knight Report shows hybrid identity environments still have material security gaps, with a 61-point average score and the weakest results in midsized organisations.

Why it matters: IAM teams should treat hybrid identity assessment as a standing control because visibility gaps, remediation lag, and fragmented ownership can expose human and non-human identities alike.

By the numbers:

👉 Read Semperis' 2025 Purple Knight Report on hybrid identity security scores


Context

Hybrid identity security is the discipline of managing access, exposure, and misconfiguration across directories and federation systems that do not share a single control plane. The report’s core finding is that organisations still cannot consistently see or remediate the risks spread across Active Directory, Entra ID, and Okta.

That matters because assessment gaps in hybrid identity are not abstract hygiene issues. They determine whether identity teams can find exposed privilege, weak configuration, and broken trust relationships before those weaknesses become an incident, especially in environments where human, service, and federated identities overlap.


Key questions

Q: How should security teams assess hybrid identity environments across AD, Entra ID, and Okta?

A: They should assess hybrid identity as one governed estate, not as separate tools. That means scanning directories, trust paths, account security, and policy inheritance together, then assigning remediation owners by control area. Point-in-time checks are not enough when exposure can move between on-premises and cloud identity layers.

Q: Why do midsized organisations often struggle more with hybrid identity security?

A: Midsized organisations often sit in the worst position because they have enough complexity to accumulate identity debt but not enough specialist capacity to clear it quickly. That leaves delegated administration, permissions structure, and trust settings under-reviewed. The result is slower remediation and more unmanaged exposure.

Q: What signals show that hybrid identity remediation is actually working?

A: The strongest signal is sustained improvement across multiple assessment cycles, not a one-time score jump. Teams should look for shrinking exposure in AD infrastructure, account security, and trust categories, plus documented ownership for each fix. If scores rise but recurring issues stay the same, the programme is only partially working.

Q: How do identity teams turn assessment results into governance action?

A: They turn results into governance action by converting findings into tracked remediation tickets, validating the fix after implementation, and revisiting the affected control in the next cycle. That approach prevents assessment from becoming a reporting exercise and makes the score a measure of operational follow-through.


Technical breakdown

Why hybrid identity assessment breaks down across directories and federation

Hybrid identity environments combine on-premises directories, cloud identity services, and federated access paths. Each layer creates a different security surface, so a single score or control view can miss exposure in trust relationships, account security, group policy, or directory permissions. Purple Knight’s category spread reflects that reality: weaknesses rarely sit in one place, and attackers often move through the least visible layer first. The technical problem is not simply misconfiguration, but fragmented evidence across systems that were never designed to be assessed as one identity estate. Practical implication: teams need repeatable assessment across all identity planes, not periodic spot checks in only one directory.


Why AD infrastructure and account security remain the hardest control areas

AD infrastructure and account security tend to score poorly because they combine legacy dependencies with broad privilege inheritance. Domain structure, delegated administration, stale accounts, and Kerberos trust settings can turn into persistent exposure when ownership is unclear. In practice, these areas are hard to fix because the technical debt is structural, not cosmetic: a control may exist in policy, but not in every forest, tenant, or admin path. Hybrid identity also amplifies the problem because remediation in one layer can break another if dependencies are not mapped first. Practical implication: identity teams should prioritise control mapping before remediation, especially where multiple forests or cloud tenants are in play.


How remediation guidance changes score, but not the underlying governance burden

The report’s score improvement after applying remediation guidance shows that assessment can be operationalised quickly when the gaps are visible. But score lift is only a proxy for governance maturity. A higher score does not automatically mean the environment is simpler, only that the team has a clearer path to close known weaknesses. In hybrid identity, remediation works best when it is tied to ownership, change windows, and validation after each fix. Without that, security teams can improve a score while leaving recurring identity debt untouched. Practical implication: treat assessment results as a remediation queue with owners and deadlines, not as a one-time benchmark.



NHI Mgmt Group analysis

Hybrid identity security has become a visibility problem before it is a tooling problem. The report’s average score of 61 shows that many organisations still cannot see their identity estate well enough to govern it consistently. That matters because attackers rarely need a perfect environment to succeed, only one hidden path through AD, Entra ID, or Okta. The practitioner conclusion is that assessment maturity now defines identity security maturity.

Identity infrastructure complexity is now the dominant control failure in midsized organisations. The 2,001 to 5,000 employee band scored worst at 52, which is the classic profile of high process load and limited specialist capacity. That combination creates governance blind spots in delegated administration, trust relationships, and remediation ownership. The practitioner conclusion is that midsized enterprises need identity control prioritisation, not broad but shallow hygiene drives.

Score improvement proves remediation guidance works only when identity ownership is explicit. An average 21-point gain after applying guidance is useful, but it also shows that many organisations already had fixable issues waiting in the queue. The bigger lesson is that identity risk is not just technical exposure, it is governance latency. The practitioner conclusion is to attach remediation to accountable owners, not to periodic assessment alone.

Hybrid identity assessment should be treated as a continuous control, not an annual exercise. The report ties low initial scores to complexity across AD, Entra ID, and Okta, which means drift can accumulate faster than point-in-time reviews can catch it. NIST Cybersecurity Framework 2.0 and Zero Trust both assume ongoing verification, which aligns with this finding. The practitioner conclusion is to build identity assessment into steady-state operations.

Named concept: identity visibility debt. This report illustrates the cost of not being able to see the full hybrid identity estate, which delays remediation and hides privilege exposure. The debt grows when ownership, assessment cadence, and directory scope are fragmented. The practitioner conclusion is to treat visibility as a measurable governance asset, not a background expectation.

From our research:

  • NHIs outnumber human identities by 25x to 50x in modern enterprises, according to our Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows why assessment gaps persist even when teams believe coverage is adequate.
  • For a deeper control lens, the Top 10 NHI Issues resource helps teams prioritise the failure modes most likely to create hidden identity exposure.

What this signals

Identity visibility debt: hybrid identity programmes often accumulate hidden exposure faster than teams can validate it, so the next planning cycle should prioritise continuous assessment coverage over one-off scoring exercises. Link remediation ownership to change management and use the NIST Cybersecurity Framework 2.0 to anchor ongoing identity controls.

The practical signal for practitioners is that score improvement alone is not the finish line. If the same control families keep scoring low, the organisation has a repeatability problem, not just a technical issue, and that calls for tighter governance around AD, Entra ID, and Okta change execution.

For teams running large identity estates, the right next step is to connect assessment output to lifecycle processes and privileged access oversight. The 52 NHI Breaches Analysis is useful for comparing how hidden identity exposure turns into real-world compromise.


For practitioners

  • Map hybrid identity ownership end to end: assign clear owners for Active Directory, Entra ID, and Okta controls so remediation does not stall between teams or tool boundaries.
  • Run recurring identity assessments across every identity plane: schedule repeated scanning and review for directory, account, and trust settings instead of relying on a single baseline score.
  • Prioritise high-friction control areas first: tackle AD infrastructure and account security before lower-risk tuning, because those categories usually hide the most persistent exposure.
  • Convert score findings into tracked remediation work: attach each exposed issue to a fix owner, validation step, and closure date so assessment output becomes operational change.
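The remediation loop described in the Key questions answers on remediation signals and governance action, in the Technical breakdown point about treating results as a remediation queue, and in the practitioner list above, as an added worked example in Python. It is not Semperis’ or Purple Knight’s code: the control areas, the severity weights and SLAs, the owner names, the finding identifiers and the two cycles of sample findings are all constructed assumptions. The example normalises findings from three identity planes into one estate-wide view, scores each control area, compares two assessment cycles so that a score rise is not mistaken for closed findings, and emits tickets with an owner, a due date and a validation step.

```python
# Added example: remediation loop over hybrid identity assessment findings.
# Not Purple Knight code; control areas, weights, SLAs, owners, finding IDs
# and the two sample cycles below are all constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Finding:
    fid: str        # assumed finding identifier, e.g. "AD-STALE-PRIV"
    plane: str      # identity plane the finding came from: AD, EntraID, Okta
    category: str   # control area; decides the owner and the scoring bucket
    severity: int   # constructed scale, 1 (low) .. 4 (critical)
    subject: str    # object the finding applies to

    @property
    def key(self) -> Tuple[str, str]:
        return (self.fid, self.subject)  # same ID + subject = same finding across cycles


# Constructed ownership map: every control area has exactly one accountable team.
OWNERS = {
    "AD infrastructure": "ad-platform",
    "Account security": "iam-ops",
    "Trusts & federation": "identity-architecture",
    "Cloud identity": "cloud-iam",
}
SLA_DAYS = {4: 7, 3: 14, 2: 30, 1: 90}  # constructed remediation SLA per severity
PENALTY_PER_SEVERITY = 5                # constructed: score points lost per severity point


def category_scores(findings: Iterable[Finding]) -> Dict[str, int]:
    """Score every control area 0..100; a finding in an unowned area is an error."""
    scores = {cat: 100 for cat in OWNERS}
    for f in findings:
        if f.category not in scores:
            raise ValueError(f"no owner for control area {f.category!r}")
        scores[f.category] = max(0, scores[f.category] - f.severity * PENALTY_PER_SEVERITY)
    return scores


def estate_score(findings: Iterable[Finding]) -> float:
    """One estate-wide number: the mean of the control-area scores."""
    scores = category_scores(findings)
    return sum(scores.values()) / len(scores)


def compare_cycles(previous: List[Finding], current: List[Finding]) -> Dict[str, dict]:
    """Per control area: score delta, findings open in both cycles, and a status."""
    prev_keys = {f.key for f in previous}
    prev_scores, curr_scores = category_scores(previous), category_scores(current)
    report = {}
    for cat in OWNERS:
        open_now = [f for f in current if f.category == cat]
        recurring = sorted(f.fid for f in open_now if f.key in prev_keys)
        delta = curr_scores[cat] - prev_scores[cat]
        if delta > 0 and not recurring:
            status = "improving"
        elif delta > 0:
            status = "partial"      # score rose, but the same findings are still open
        elif delta < 0:
            status = "regressing"
        else:
            status = "stalled" if open_now else "clean"
        report[cat] = {"previous": prev_scores[cat], "current": curr_scores[cat],
                       "delta": delta, "recurring": recurring, "status": status}
    return report


def build_queue(current: List[Finding], previous: List[Finding], assessed_on: date) -> List[dict]:
    """Turn open findings into tickets with an owner, a due date and a validation step."""
    prev_keys = {f.key for f in previous}
    tickets = [{
        "finding": f.fid, "plane": f.plane, "subject": f.subject, "severity": f.severity,
        "owner": OWNERS[f.category],
        "due": assessed_on + timedelta(days=SLA_DAYS[f.severity]),
        "recurring": f.key in prev_keys,
        "validation": f"re-run {f.fid} against {f.subject} in the next assessment cycle",
    } for f in current]
    tickets.sort(key=lambda t: (-t["severity"], t["due"], t["finding"]))  # critical first
    return tickets


# Constructed sample findings for two assessment cycles of the same hybrid estate.
CYCLE_1 = [
    Finding("AD-UNCONSTRAINED-DELEG", "AD", "AD infrastructure", 4, "srv-app01$"),
    Finding("AD-STALE-PRIV", "AD", "Account security", 3, "svc-backup"),
    Finding("AD-TRUST-NO-SIDFILTER", "AD", "Trusts & federation", 4, "corp<->legacy"),
    Finding("ENTRA-GA-NO-MFA", "EntraID", "Cloud identity", 4, "breakglass02"),
    Finding("OKTA-APP-ADMIN-EXCESS", "Okta", "Cloud identity", 2, "api-sync-app"),
]
# Cycle 2: the delegation and MFA findings were fixed, two findings persist, one is new.
CYCLE_2 = [
    Finding("AD-STALE-PRIV", "AD", "Account security", 3, "svc-backup"),
    Finding("AD-TRUST-NO-SIDFILTER", "AD", "Trusts & federation", 4, "corp<->legacy"),
    Finding("OKTA-APP-ADMIN-EXCESS", "Okta", "Cloud identity", 2, "api-sync-app"),
    Finding("ENTRA-LEGACY-AUTH", "EntraID", "Cloud identity", 3, "tenant-policy"),
]
ASSESSED_ON = date(2025, 7, 10)  # constructed date of the cycle-2 assessment
```

Running `compare_cycles(CYCLE_1, CYCLE_2)` on the sample data gives the estate a higher score (78.75 to 85.0) while marking Cloud identity as "partial": its score rose only because a critical finding closed, and the overprivileged Okta app from the previous cycle is still open. That is the case the page warns about, where a score lifts but recurring issues stay the same. Two design choices carry the governance point: a finding in a control area with no entry in OWNERS raises rather than being scored, so nothing can sit between teams unassigned, and every ticket carries a validation step that names the check to re-run in the next cycle, so closure is measured rather than declared.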

Key takeaways

  • Hybrid identity security remains uneven because organisations still lack consistent visibility across directories, cloud identity, and trust relationships.
  • A 61-point average score, and a 52-point trough in midsized organisations, shows that assessment and remediation gaps are concentrated where complexity meets limited specialist capacity.
  • The practical response is to turn assessment into a governed remediation loop with named owners, validation, and repeated measurement.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-05 (the CSF 1.1 control PR.AC-4, renumbered in 2.0) | Hybrid identity assessment supports least-privilege access control across directories and cloud identity.
NIST Zero Trust (SP 800-207) | Section 2.1, Tenets of Zero Trust | Continuous monitoring of asset posture and dynamic, strictly enforced authorisation fit the report's need for recurring identity assessment.
OWASP Non-Human Identity Top 10 | NHI5:2025 Overprivileged NHI | Excessive privilege and hidden identity exposure are central NHI governance issues.

Use Zero Trust assessment cycles to validate identity trust paths and privilege exposure continuously.


Key terms

  • Hybrid Identity: A hybrid identity environment combines on-premises identity infrastructure with cloud identity services and federated access paths. Security teams must govern it as one estate even though the controls, telemetry, and ownership often sit in different systems and teams.
  • Identity Visibility Debt: Identity visibility debt is the accumulation of unmanaged or partially seen identity risk that grows because teams cannot fully map accounts, privileges, or trust relationships. It becomes operational debt when remediation depends on manual discovery instead of repeatable assessment.
  • Remediation Lift: Remediation lift is the measurable improvement in posture after a team applies assessment guidance and closes identified gaps. In practice, it only has value if the change is validated and the affected control stays governed across future review cycles.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Semperis: the 2025 Purple Knight Report on hybrid identity security risks and remediation. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-07-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org