By NHI Mgmt Group Editorial TeamPublished 2026-02-11Domain: Cyber SecuritySource: JupiterOne

TL;DR: Hybrid environments are now the steady state, yet cloud-native security stacks still miss on-prem Active Directory, legacy databases, air-gapped systems and other behind-the-firewall assets, according to JupiterOne. That makes visibility a governance problem, not just a tooling problem, because identity, compliance and risk controls fail where data is incomplete.


At a glance

What this is: JupiterOne argues that a security graph is only as useful as the on-prem and hybrid data it can actually ingest.

Why it matters: For IAM and security teams, the gap matters because identity risk, access review and compliance validation break down when Active Directory and other local systems sit outside the graph.

By the numbers:

👉 Read JupiterOne's blog on bringing on-prem visibility into the security graph


Context

Hybrid infrastructure is no longer an edge case. It is the normal operating model, which means any security platform that only sees cloud workloads will produce a partial control picture rather than a complete one. The identity issue is especially sharp where Active Directory, on-prem service accounts and legacy systems remain central to access decisions.

JupiterOne's point is that visibility has become a governance control. If the graph cannot ingest on-prem metadata, compliance checks, access reviews and relationship mapping across cloud and local systems will always be incomplete. That is a familiar pattern in mature hybrid programmes, not an unusual deployment mistake.


Key questions

Q: How should security teams close visibility gaps in hybrid environments?

A: Security teams should make on-prem data part of the same control model as cloud data, otherwise access review and risk analysis remain incomplete. The practical move is to identify which systems hold authoritative identity or infrastructure context, then ensure they feed the security graph or equivalent control plane in a governed way.

Q: Why do hybrid environments complicate identity governance?

A: Hybrid environments complicate identity governance because identity relationships are split across cloud IAM, Active Directory, legacy applications and local infrastructure. If those relationships cannot be correlated, teams can miss privileged access, misjudge exposure and produce compliance evidence that looks complete but is actually partial.

Q: What breaks when on-prem assets are missing from a security graph?

A: When on-prem assets are missing, the graph cannot reliably connect users, roles, devices and applications across the full environment. That breaks access review, control validation and dependency analysis, especially where administrative authority still lives behind the firewall.

Q: Who is accountable for hybrid visibility gaps?

A: Accountability usually sits with the teams that own identity governance, security architecture and control assurance, because the gap affects all three. If a platform cannot see a system, the organisation still remains responsible for that system's access and compliance posture.


Technical breakdown

How a collector extends graph visibility into on-prem systems

The collector pattern works by running a lightweight component inside the customer environment so it can reach internal sources that SaaS platforms cannot directly access. In this model, the platform sends a request, the collector retrieves data from sources such as Active Directory or device inventories, normalizes the records, and syncs only metadata back to the graph. The security value is not raw data movement, but the ability to unify internal and external assets in one query model. That lets teams analyse relationships across environments without opening inbound access to sensitive systems.

Practical implication: teams should verify which internal sources are reachable through a collector before assuming their graph covers hybrid infrastructure.

Why hybrid identity relationships disappear when data stays siloed

Hybrid identity governance depends on linking users, roles, devices and applications across boundaries. When Active Directory remains outside the main security graph, those links become invisible even if each environment is independently well managed. The result is broken context, where a cloud role may look low risk in isolation while the same user has administrative power on-prem. Graph-based security models only work when the identity layer is complete enough to preserve those relationships end to end.

Practical implication: map identity joins across cloud and on-prem systems first, then decide where graph ingestion is missing critical context.

What continuous controls monitoring changes in hybrid environments

Continuous controls monitoring becomes more useful when the same policy framework can evaluate cloud and on-prem assets together. In practice, that means the control is no longer a point-in-time spreadsheet review but an ongoing check against live metadata. For identity programmes, this is especially relevant to access review, privileged access and compliance evidence. If the collector feeds are accurate, the platform can surface failing controls by asset type, ownership or access path instead of treating the hybrid estate as separate risk domains.

Practical implication: define one control framework for hybrid identity evidence and measure whether on-prem assets are actually participating in it.


NHI Mgmt Group analysis

Visibility gap: hybrid security is failing at the data layer. The article is not really about a collector, it is about the cost of incomplete telemetry in hybrid environments. When on-prem identity and infrastructure assets are missing from the same control plane as cloud resources, security teams lose the ability to reason about exposure, privilege and compliance in one place. That is a governance failure as much as a tooling one, and the practical conclusion is that visibility architecture now determines control quality.

Hybrid identity is where graph-based security either proves itself or breaks down. A security graph can only support access review, asset correlation and risk analysis if the identity relationships are actually present. Active Directory users, cloud IAM roles and device posture are tightly connected in real environments, so partial ingestion creates false confidence. Teams should treat graph completeness as an identity control requirement, not a data integration preference.

Continuous controls monitoring is only continuous if on-prem data is in scope. The article shows how compliance evidence and prioritisation improve once metadata from local systems enters the same framework as cloud workloads. That matters because many organisations still run hybrid estates where critical access paths are anchored outside SaaS tooling. The control lesson is simple: if the asset is outside the graph, the control is outside the system.

Hybrid visibility debt is now a named governance problem. The central concept here is the visibility gap, but in practice it is better understood as visibility debt, the accumulation of uncaptured infrastructure and identity relationships that weakens every downstream control. The more hybrid layers a programme accumulates, the more expensive it becomes to restore a trustworthy source of truth. Practitioners should treat that debt as a measurable programme risk, not an abstract architecture flaw.

On-prem identity coverage should be judged by decision quality, not connector count. Adding more integrations matters only if it changes what the organisation can decide about privilege, compliance and risk. A platform that can query across cloud and on-prem systems gives teams a stronger basis for control validation, but only if the underlying model preserves identity context. The practitioner conclusion is to test whether the graph changes decisions, not just whether it ingests data.

What this signals

Visibility debt will become a recurring governance issue as hybrid estates expand faster than evidence pipelines. Teams that cannot ingest on-prem identity and infrastructure data into their control systems will keep producing audit-ready reports that are operationally incomplete.

The next programme question is not whether the platform can connect to another source, but whether the added data changes decisions about privilege, ownership and remediation. That is why hybrid visibility should be tracked as a control outcome, not an integration milestone.


For practitioners

  • Inventory hybrid identity dependencies List every access path that still depends on Active Directory, legacy databases, physical devices or other on-prem systems. Prioritise the identity sources that influence admin rights, compliance evidence and cross-environment correlation.
  • Validate graph completeness for privileged access Test whether cloud IAM roles can be linked to on-prem users, devices and applications in one workflow. If those relationships break, your access review and risk scoring are incomplete even if each system is individually monitored.
  • Extend continuous controls monitoring to local assets Build one control set for hybrid estates and require on-prem assets to participate in the same evidence stream as cloud resources. Use failing controls by asset type and ownership to identify the highest-risk blind spots first.
  • Check collector security boundaries before rollout Confirm that the collector only transmits normalized metadata, that proxy traversal is constrained, and that TLS is enabled where required. Treat the collector as part of the trust boundary, not as a passive connector.

Key takeaways

  • The core issue is not cloud coverage, it is incomplete control over the hybrid estate.
  • When on-prem identity data sits outside the graph, access review and compliance evidence lose reliability.
  • Practitioners should measure whether hybrid ingestion improves decisions about privilege, ownership and control failure.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Hybrid identity visibility supports least-privilege access management across environments.
NIST SP 800-53 Rev 5AC-6The article centers on controlling and validating privileged access across cloud and on-prem systems.
CIS Controls v8CIS-5 , Account ManagementAccount management must span Active Directory and cloud identities to avoid blind spots.
ISO/IEC 27001:2022A.5.15Access control policy needs to cover systems outside cloud-native tooling.

Map hybrid access paths to PR.AC-4 and confirm on-prem identities are included in reviews.


Key terms

  • Hybrid Visibility Gap: The hybrid visibility gap is the difference between the infrastructure an organisation operates and the infrastructure its security tools can actually see. In practice, it appears when on-prem systems, legacy applications or air-gapped assets remain outside the control plane that governs cloud resources and identities.
  • Security Graph: A security graph is a data model that connects assets, identities and relationships so teams can query risk across the environment. Its value depends on complete, trusted ingestion, because missing sources create incomplete relationships that distort access analysis, compliance checks and prioritisation.
  • Continuous Controls Monitoring: Continuous controls monitoring is the ongoing validation of security and compliance controls against live data rather than periodic snapshots. In hybrid environments, it only works when both cloud and on-prem assets feed the same evidence stream, otherwise the monitoring loop is inherently partial.

What's in the full article

JupiterOne's full blog covers the operational detail this post intentionally leaves for the source:

  • Collector deployment steps for on-prem environments, including the container-based setup flow and runtime behaviour.
  • Supported internal source types such as Active Directory, Device42 and self-hosted container registries, with guidance on where each fits.
  • Metadata handling, proxy traversal and TLS options that matter when security teams are assessing trust boundaries.
  • Examples of graph queries and compliance frameworks that can be built once on-prem data is in the platform.

👉 JupiterOne's full post covers collector setup, supported integrations and hybrid compliance use cases.

Deepen your knowledge

NHI Mgmt Group's NHI Foundation Level course covers NHI governance, machine identity security and secrets management through the industry's only accredited NHI security programme. It is designed for practitioners who need to connect identity controls to broader security operations and governance.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org