By NHI Mgmt Group Editorial Team | Published 2026-05-26 | Domain: Events | Source: Netwrix

TL;DR: Netwrix's on-demand session outlines roadmap changes for Active Directory, Entra ID, PingCastle, and AD CS, focusing on real-time identity attack detection, posture management, governance, and a redesigned risk assessment experience. The takeaway for identity teams is to treat directory risk, certificate paths, and governance workflow speed as one control plane, not as separate projects.


At a glance

What this is: A Netwrix on-demand roadmap session on identity security for Active Directory, Entra ID, PingCastle, and AD CS, with a focus on faster risk detection and more actionable assessment output.

Why it matters: Identity teams need one operating model for human, workload, and privileged directory access, because attack paths span directories, certificates, and governance workflows.



Context

Identity security roadmap work becomes necessary when directory risk is no longer confined to passwords and group membership. In this session, the vendor frames Active Directory, Entra ID, PingCastle, and AD CS as part of a single control plane for reducing identity-based attacks and improving resilience.

For IAM teams, the practical issue is not whether posture management exists, but whether it produces decisions fast enough to stop attack paths before they become incidents. Certificate services, governance, and risk assessment all need to resolve into actionable control changes, especially where identity sprawl crosses both human and non-human access patterns.


Key questions

Q: How should teams reduce identity-based attack paths in Active Directory and Entra ID?

A: Teams should identify where directory trust, delegated administration, and stale group membership create reachable escalation paths, then remove the shortest routes first. The goal is not only to find misconfigurations but to reduce the number of places where a single compromised identity can pivot into broader access. Continuous attack-path review is more useful than periodic inventory alone.

Q: Why does Active Directory Certificate Services increase identity risk?

A: AD CS increases identity risk because certificates can remain trusted after passwords change, which allows access to persist if certificate templates or enrollment rights are too broad. That makes certificate governance part of identity security, not a side topic. Teams should review who can issue, enroll, and renew certificates as a privilege question.

Q: What do security teams get wrong about risk assessment in identity programmes?

A: They often treat assessment output as the goal rather than the start of remediation. If findings do not map to an owner, a control, and a closure condition, the programme produces visibility without reduction in exposure. Identity risk needs operational follow-through, especially when the issue involves certificates, delegated access, or privileged directories.

Q: How can IAM teams decide whether a roadmap feature will reduce real risk?

A: Look for whether the feature changes a control decision, not just the dashboard. A useful capability shortens the path from finding to action across access, certificates, or governance state. If it cannot show which identity condition changed and who must act, it is unlikely to lower attack potential.


Background and context

Identity-based attack paths in Active Directory and Entra ID

Identity-based attacks usually succeed by chaining directory trust, stale privileges, and weak visibility rather than by breaking encryption. Active Directory and Entra ID are high-value because they govern authentication, authorization, and delegated access across large enterprise estates. When those controls are fragmented, attackers can move from initial foothold to privilege abuse through ordinary identity mechanisms. PingCastle-style assessment matters here because it helps surface structural weakness in directory configuration before exploitation. The technical question is less about a single exploit and more about whether the directory model still contains hidden paths to elevated access.

Practical implication: map and test directory attack paths continuously, not only after posture reviews or incident findings.

AD CS exposure and certificate attack paths

Active Directory Certificate Services is a high-impact identity trust layer because certificates can outlive password resets and are often treated as durable proof of identity. If issuance, enrollment, or template permissions are misaligned, attackers can turn certificate authority trust into persistent access. That makes AD CS a distinct attack surface, not just another Windows component. The challenge is that certificate-based trust can remain valid even when user passwords, group memberships, or endpoint posture changes, which means exposure can persist unless certificate governance is explicit and lifecycle-aware.

Practical implication: review certificate templates, enrollment rights, and certificate lifecycle controls as part of the identity threat model.
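As an added example (not Netwrix or NHIMG code), the following PowerShell audit lists which principals hold Enroll or AutoEnroll rights on each certificate template in the forest, then flags broad groups and the two template settings (client-authentication EKU and enrollee-supplied subject) that turn wide enrollment rights into a logon-persistence risk. It assumes the RSAT ActiveDirectory module, read access to the Configuration partition, and a locally tuned list of "broad" principals; which combination to prioritise at the end is the author's choice, not a Netwrix recommendation.

```powershell
# Added example, not code from Netwrix or NHIMG: enumerate AD CS certificate templates
# and report who can Enroll / AutoEnroll, so enrollment rights are reviewed as privileges.
# Assumes the RSAT ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

# Extended-right GUIDs Microsoft assigns to certificate enrollment and autoenrollment
$EnrollGuid      = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid  = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (certificate usable for logon)
# Assumption: groups whose enrollment rights should be justified per estate; tune locally
$BroadPrincipals = @('Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone')

function Get-TemplateEnrollmentRights {
    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $base      = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $templates = Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties nTSecurityDescriptor, pKIExtendedKeyUsage, 'msPKI-Certificate-Name-Flag'

    foreach ($t in $templates) {
        foreach ($ace in $t.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $right = $null
            if ($ace.ObjectType -eq $EnrollGuid)         { $right = 'Enroll' }
            elseif ($ace.ObjectType -eq $AutoEnrollGuid) { $right = 'AutoEnroll' }
            # GenericAll or WriteDacl on the template object lets the holder grant enrollment later
            elseif ($ace.ActiveDirectoryRights -band (
                    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl)) { $right = 'Control' }
            if (-not $right) { continue }

            $who       = $ace.IdentityReference.Value      # e.g. CONTOSO\Domain Users
            $shortName = ($who -split '\\')[-1]
            [pscustomobject]@{
                Template           = $t.Name
                Principal          = $who
                Right              = $right
                BroadPrincipal     = $shortName -in $BroadPrincipals
                ClientAuthEKU      = $t.pKIExtendedKeyUsage -contains $ClientAuthOid
                # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1): requester chooses the certificate subject
                SubjectFromRequest = [bool]($t.'msPKI-Certificate-Name-Flag' -band 0x1)
            }
        }
    }
}

# Findings to hand an owner and a closure condition first: broad groups that can enrol
# for logon-capable certificates whose subject they supply themselves.
Get-TemplateEnrollmentRights |
    Where-Object { $_.BroadPrincipal -and $_.ClientAuthEKU -and $_.SubjectFromRequest } |
    Sort-Object Template |
    Format-Table Template, Principal, Right -AutoSize
```

Drop the `Where-Object` filter to get the full enrollment-rights inventory for the review described above; the unfiltered objects export cleanly with `Export-Csv` for assignment to remediation owners.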

Risk assessment redesign and posture management

A redesigned risk assessment experience only matters if it shortens the path from finding to action. In identity governance, posture data is useful when it translates into clear remediation priorities across accounts, groups, certificates, and delegated access. Otherwise, teams get more dashboards but not less risk. The architectural issue is how to merge detection, governance, and remediation into one workflow that security and IAM teams can both act on. Without that bridge, identity risk stays visible but operationally unresolved.

Practical implication: tie every identity risk finding to an owner, a control, and a remediation path before the next review cycle.


NHI Mgmt Group analysis

Identity security is moving from visibility to executable governance. A roadmap that links real-time detection, posture management, and certificate-path reduction reflects a broader shift in the market: identity teams now need control loops, not just reports. The old model of periodic review cannot keep pace with attack paths that span Active Directory, Entra ID, and AD CS. Practitioners should treat identity risk as a workflow problem as much as a tooling problem.

Active Directory Certificate Services remains one of the most under-governed trust layers in enterprise identity. Certificates can preserve access across password resets and account changes, which means the risk is persistence, not just misconfiguration. When certificate templates, enrollment permissions, and authority boundaries are unclear, identity attack paths become durable. Teams should re-examine certificate governance as a core identity control surface, not a niche infrastructure concern.

Identity blast radius: the real metric is how far one compromised directory or certificate control can extend across the enterprise. That concept matters because governance maturity is no longer measured by how many identities are inventoried, but by how quickly an organisation can collapse an attacker’s path once trust is abused. The practitioner takeaway is to measure containment across AD, Entra ID, and certificate services as one integrated security domain.

Redesigned risk assessments are valuable only when they change decisions, not just presentation. Faster or more actionable insights should be judged by whether they reduce time-to-remediation for the exact identity condition that created exposure. If the output does not change access, certificate, or privilege state, it is still just documentation. Practitioners should insist that identity risk scoring directly drives governance action.

Human IAM and NHI governance are converging at the directory layer. This roadmap sits in a space where human accounts, service identities, and privileged directory objects increasingly share the same trust fabric. That means directory hardening, certificate hygiene, and lifecycle governance can no longer be treated as separate programmes. IAM leaders should align control ownership across identity types before attackers exploit the seams.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
  • For a deeper control model, see The 52 NHI breaches Report, which shows how visibility gaps become breach paths.

What this signals

Identity programmes that still separate directory governance from NHI oversight are already behind the operating model attackers use. When AD, Entra ID, certificate services, and service accounts are managed in different queues, the result is slower containment and weaker accountability. The governance gap is not just technical but organisational, and that is where most risk persists.

With 90% of IT leaders saying proper NHI management is essential to zero trust, the control model is clearly expanding beyond human identity alone. A roadmap that links posture, governance, and real-time attack-path reduction fits that direction, but only if teams convert findings into access and certificate changes. Use the redesign as a prompt to merge identity review workflows across human and non-human estates.

If your programme cannot answer who owns directory drift, certificate exposure, and delegated access cleanup, the risk assessment is only a report. Mature identity operations now require one remediation queue that spans human IAM, NHI governance, and directory trust.


For practitioners

  • Map identity attack paths across directory and certificate trust layers: Trace how Active Directory, Entra ID, and AD CS permissions combine into reachable privilege paths. Prioritise templates, delegated admin rights, and stale group membership that create hidden escalation routes.
  • Review AD CS as a persistence control, not only a service: Inventory certificate templates, enrollment permissions, and authority relationships that can outlive password resets or account changes. Treat certificate lifecycle governance as part of identity threat reduction.
  • Tie every risk assessment result to an owner and a remediation state: Require each finding to map to a named remediation owner, a specific control, and a closure condition. If a risk cannot be turned into an access, certificate, or privilege action, it will not reduce exposure.
  • Bring NHI and human identity oversight into the same directory review model: Use the same governance lens for service accounts, privileged directory objects, and human identities where they share trust dependencies. This reduces gaps between inventory, access reviews, and escalation containment.

Key takeaways

  • Identity attack-path reduction is becoming the practical centre of modern identity security, not an optional add-on.
  • Certificate services and directory trust remain high-risk because access can persist even when passwords and account state change.
  • Teams need identity findings that change access decisions, not just dashboards that show where the risk lives.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | Identity attack-path reduction depends on managing access permissions across directories and certificates.
NIST Zero Trust (SP 800-207) | PR.AC | The session centers on continuous identity verification and reducing implicit trust in directory access.
OWASP Non-Human Identity Top 10 | NHI-03 | Certificate and service-account governance both depend on lifecycle controls for non-human trust artifacts.

Treat certificates and service identities as governed non-human identities with explicit lifecycle ownership.


Key terms

  • Identity Attack Path: A sequence of trust relationships and privileges that lets an attacker move from one compromised identity to broader access. In practice, it is the shortest route from weak configuration to meaningful control, often spanning directory permissions, delegated administration, and certificate trust.
  • Active Directory Certificate Services: Microsoft infrastructure for issuing and managing certificates inside an enterprise directory environment. It becomes a security concern when certificate templates, enrollment permissions, or authority boundaries create durable access that survives password resets and account changes.
  • Risk Assessment Experience: The workflow and presentation layer that turns identity findings into action. It is effective only when it changes ownership, remediation priority, or access state, rather than merely showing risk scores or configuration issues on a dashboard.
  • Identity Blast Radius: The amount of access an attacker can reach after compromising one identity control, account, or trust layer. It is a useful governance measure because it focuses attention on containment, not just on whether a weakness exists.

Deepen your knowledge

Identity attack-path reduction and certificate governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is trying to connect directory trust, service accounts, and governance into one model, it is worth exploring.

This post draws on content published by Netwrix: Identity security roadmap: Reduce risk and stop identity-based attacks. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org