By NHI Mgmt Group Editorial TeamPublished 2026-06-05Domain: Governance & RiskSource: IS Decisions

TL;DR: African financial institutions are being pushed toward stronger authentication and auditable access controls while many still depend on on-prem Active Directory for core systems, according to IS Decisions. The underlying issue is not cloud reluctance but the mismatch between legacy IAM capabilities and modern compliance demands, especially where MFA, session control, and visibility are now expected.


At a glance

What this is: This article argues that African financial institutions still running on-prem Active Directory need additional MFA and access controls to meet rising regulatory and insurer expectations.

Why it matters: For IAM teams, the practical question is how to strengthen authentication and session governance without forcing a disruptive identity migration.

👉 Read IS Decisions' article on on-prem MFA for Active Directory banks


Context

On-prem Active Directory remains a core identity platform in many financial institutions, but it was never designed to satisfy today’s expectations for modern MFA, session control, and auditability. In regulated banking environments, that gap becomes a compliance problem as well as a security problem, especially when core applications cannot simply move to cloud identity platforms.

The article is really about the tension between legacy identity architecture and current regulatory pressure. African banks are being asked to improve authentication assurance, limit risky access patterns, and prove control effectiveness while still supporting older systems, constrained budgets, and data sovereignty requirements.


Key questions

Q: How should banks strengthen Active Directory security without moving to cloud identity?

A: Banks should add compensating controls around the existing directory, starting with MFA, session limits, and contextual access rules for high-risk accounts. The goal is to improve assurance and reduce credential abuse while preserving legacy application support and data sovereignty requirements. Identity migration is not the only route to better control.

Q: Why do legacy Active Directory environments create compliance problems?

A: Legacy AD environments create compliance problems because they were not built with modern authentication assurance, session governance, and audit expectations in mind. Regulators want evidence that access is controlled and observable. When those controls are missing or fragmented, organisations struggle to prove that identity policy is actually being enforced.

Q: What breaks when MFA is not native to the identity platform?

A: When MFA is not native to the identity platform, enforcement often becomes uneven across applications, user groups, and access paths. That inconsistency creates audit gaps and leaves privileged or remote sessions exposed to credential theft. Security teams then have to prove control effectiveness across multiple layers instead of one authoritative policy plane.

Q: Who is accountable for authentication control in on-prem banking environments?

A: Accountability usually sits with the identity, infrastructure, and security functions together, because authentication control spans directory configuration, access policy, and regulatory evidence. In on-prem banking environments, the organisation cannot outsource that responsibility to the cloud platform. The control owner must be able to show enforcement, not just intent.


Technical breakdown

Why Active Directory MFA is still a control gap

Active Directory provides directory services and access policy foundations, but it does not natively deliver modern MFA in the way regulated environments now expect. That matters because password-based access alone leaves banks exposed to credential theft, replay, and weak assurance for high-risk logons. When MFA is added through a separate layer, the design challenge becomes whether that layer is actually enforced everywhere that matters, including remote, privileged, and concurrent access paths. In banking, the issue is not just authentication strength. It is whether the control is consistent enough to satisfy auditors and reduce account takeover risk.

Practical implication: map every privileged and remote AD access path to a mandatory MFA control and verify enforcement, not just deployment.

Concurrent sessions and contextual access in on-prem IAM

Static directory controls do not handle risk that changes by user, device, time, or connection context. That is why concurrent session limits, network-based access conditions, and time-based restrictions matter in on-prem identity estates. If a user can maintain multiple active sessions or authenticate from untrusted contexts without additional checks, the attacker’s window widens after initial compromise. For financial institutions, contextual access control is less about convenience and more about reducing the chances that a stolen credential can be reused broadly across an internal network. This is especially relevant where cloud-native conditional access is not available.

Practical implication: enforce session limits and contextual rules for higher-risk users before you rely on directory permissions alone.

Why auditability matters in legacy AD estates

A control that cannot be observed is difficult to defend in a regulatory review. The article points to AD’s lack of native visibility into endpoint compliance and user interaction patterns, which makes it harder to prove whether access rules are being followed. In a compliance-heavy environment, that is a material weakness because auditors and insurers increasingly want evidence of enforcement, not just policy intent. Real-time visibility on how users are interacting with AD can close part of that gap, but only if the organisation also treats the visibility data as an operational control signal rather than a reporting artefact.

Practical implication: treat visibility and audit logs as control evidence, then test whether they show actual enforcement across critical accounts.


NHI Mgmt Group analysis

Legacy Active Directory becomes a governance liability when modern compliance expectations outgrow its native control model. The article is not about whether AD still has value. It is about the fact that banks can no longer treat AD as complete security architecture on its own when regulators expect MFA, contextual access, and session governance. The implication is that IAM teams must judge legacy identity platforms by control coverage, not historical familiarity.

On-prem MFA for financial institutions is a compliance control, not a convenience feature. In regulated banking, password-only access is no longer an acceptable baseline for systems that anchor customer data, payment operations, or internal administration. Where cloud migration is impractical, the governance question becomes how to enforce stronger authentication without changing the core operating model. Practitioners should treat MFA as a minimum control for audit survival, not a layered enhancement.

Session governance is the missing middle layer in many AD environments. The article shows why concurrent session limits and contextual access controls matter alongside MFA. Without them, a stolen credential can remain useful across multiple active sessions and risky network contexts. IAM teams need to recognise that authentication strength alone does not contain post-login abuse.

Identity security in African financial institutions is being shaped as much by sovereignty and legacy economics as by threat pressure. The article explains why some banks cannot simply move to cloud identity services. That constraint changes the control strategy: governance must improve inside the existing directory estate, not assume replacement. The practical conclusion is that architecture choices are now inseparable from regulatory posture.

Machine-readable visibility is becoming part of identity assurance in legacy estates. If administrators cannot see how users, endpoints, and sessions behave inside AD, they cannot demonstrate control effectiveness to regulators or insurers. This is not just monitoring. It is evidence of whether access policy is actually being enforced. Teams should treat visibility as a governance requirement, not an optional reporting layer.

From our research:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
  • That pattern reinforces the need to separate identity policy by actor type, which is why the Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs is the right next reference point for governance design.

What this signals

Identity assurance is becoming a control-plane issue, not just an authentication issue. As organisations introduce more complex access patterns, the governance burden shifts toward proving who can log in, from where, and under what conditions. For regulated banks, that means session-level enforcement and evidence matter as much as the initial factor check.

With 67% of organisations still relying heavily on static credentials despite the risks they pose to agentic AI deployments, per the 2026 Infrastructure Identity Survey, the wider lesson is that old credential models tend to survive longer than programme roadmaps. Financial institutions should expect similar inertia in legacy AD estates and plan compensating controls accordingly.


For practitioners

  • Enforce MFA across all high-risk AD access paths Start with privileged users, remote logins, and any workflow that touches regulated data or administrative systems. Make sure MFA is enforced centrally rather than added inconsistently by business unit or application.
  • Add session controls to reduce credential reuse risk Limit concurrent sessions, apply context-aware access rules, and block high-risk connections where the authentication context does not match policy. This helps contain the value of a stolen password after initial compromise.
  • Treat AD auditability as evidence, not just logging Use visibility into user interaction, endpoint posture, and policy enforcement to prove that access controls are working. Build reports that answer what was enforced, where it failed, and which accounts remain outside expected control.
  • Prioritise control overlays before identity migration If cloud migration is not realistic, strengthen the existing directory with compensating controls first. That approach reduces exposure while preserving core applications and avoids tying compliance progress to a long infrastructure change programme.

Key takeaways

  • The core problem is a mismatch between legacy Active Directory capabilities and modern banking compliance expectations.
  • Session control, MFA enforcement, and auditability are the controls that turn directory access into defensible identity governance.
  • Where cloud migration is unrealistic, banks need compensating controls inside the existing estate before regulators or insurers force the issue.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Access control enforcement is central to the AD MFA and session governance problem.
NIST SP 800-63Digital identity assurance is relevant where banks need stronger authentication evidence.
NIST Zero Trust (SP 800-207)SC-7Contextual access and session limits align with zero trust network enforcement.

Map AD authentication and session rules to PR.AC-4 and verify they are enforced consistently.


Key terms

  • Active Directory: Microsoft directory service used to store identities, group membership, and access policies for many enterprise environments. In legacy banking estates, it often remains the authoritative identity store, which makes its control gaps directly relevant to authentication, auditability, and privilege management.
  • Contextual Access Control: Access decisions that change based on conditions such as location, device, time, or connection risk. For on-prem identity programmes, contextual control helps reduce the value of stolen credentials by making access harder to reuse outside expected operating patterns.
  • Concurrent Session Control: A restriction that limits how many active sessions a user can maintain at once. It is useful in regulated identity environments because it reduces the chance that one compromised account can be used repeatedly or from multiple places without detection.

What's in the full article

IS Decisions' full article covers the operational detail this post intentionally leaves for the source:

  • Examples of how African banks are applying MFA and access controls directly onto existing Active Directory estates
  • Use cases from a private bank, a credit institution, and a Finance Ministry that show different compliance drivers
  • The article's explanation of how on-prem overlays can add concurrent session control and contextual network restrictions without a cloud migration
  • The specific way UserLock is positioned as an AD security layer for organisations that must stay on premises

👉 IS Decisions' full article covers the compliance drivers, deployment examples, and AD control gaps in more detail

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org