By NHI Mgmt Group Editorial Team
Published 2026-05-06
Domain: Announcements
Source: Semperis

TL;DR: Government IAM programmes face the real challenge of operationalising rapid identity recovery and Zero Trust against low-and-slow abuse, as Semperis says its Identity Resilience Platform has been added to Carahsoft’s SEWP V and ITES-SW2 contracts, widening public sector access to hybrid identity security, identity threat detection and response, and recovery capabilities for agencies managing Active Directory, Entra ID, and Okta.


At a glance

What this is: Semperis’ contract addition with Carahsoft broadens public sector access to hybrid identity resilience tooling and recovery services.

Why it matters: For IAM teams, it underscores that public sector identity programmes now have to align procurement, Zero Trust, and recovery design around hybrid identity systems, not just authentication controls.

By the numbers:

  • Hybrid identity systems are used by more than 90% of organizations and remain prime targets for nation-state-sponsored threat groups.
  • More than 1,200 organizations rely on Semperis, which is headquartered in Hoboken, N.J., and serves customers in more than 40 countries.

👉 Read Semperis' update on public sector access to identity resilience solutions


Context

Hybrid identity security is the control problem that appears when Active Directory, cloud directories, and adjacent identity services must be governed as one attack surface. In public sector environments, that matters because identity compromise can halt access to mission systems, slow restoration, and extend operational disruption beyond the initial incident.

This announcement is about procurement access, but the underlying issue is programme maturity: agencies need contracts that support identity threat detection, response, and recovery together. The starting position described here is typical, not unusual, because most large organisations still treat identity recovery as a separate exercise from identity defence.


Key questions

Q: How should public sector teams govern hybrid identity security across cloud and on-prem systems?

A: They should treat hybrid identity as one governed attack surface, not separate cloud and directory silos. That means aligning procurement, hardening, detection, forensics, and recovery around the same identity trust relationships. In government environments, the key question is whether the programme can restore a clean identity state quickly enough to protect mission continuity.

Q: Why do hybrid identity systems create outsized recovery risk?

A: Because attackers often persist inside directory trust, privileged roles, or configuration changes that survive endpoint cleanup. If restoration only brings systems back online without verifying identity state, the compromise can return immediately. Hybrid identity therefore creates recovery risk that is both technical and operational.

Q: What breaks when identity recovery is treated separately from identity defence?

A: The programme restores availability but not trust. A directory can be back online while poisoned credentials, stale privileges, or malicious trust paths remain in place. That creates a false recovery signal and leaves agencies exposed to reinfection and repeated access abuse.

Q: Who is accountable when a compromised identity system disrupts public services?

A: Accountability sits with the teams that own identity governance, incident response, and continuity planning together, because identity compromise crosses all three domains. Public sector frameworks such as Zero Trust and the NIST Cybersecurity Framework expect recovery and resilience to be part of the control design, not an afterthought.


How it works in practice

Hybrid identity security in government procurement

Hybrid identity security in this context means protecting and recovering identity infrastructure that spans on-premises and cloud directories, including Active Directory, Entra ID, and Okta. The technical challenge is that compromise often propagates through identity trust relationships, not just endpoints. If attackers can persist in directory services, they can re-enter through delegated access, stale privileges, or poisoned trust paths even after perimeter systems are restored. For public sector agencies, procurement vehicles shape how quickly those controls can be acquired and operationalised.

Practical implication: Agencies need contract language that supports identity detection, hardening, and recovery as one operational stack, not separate purchases.

Identity threat detection and response for low-and-slow abuse

Identity threat detection and response focuses on spotting abuse patterns that do not look like obvious malware outbreaks, such as abnormal directory changes, privilege escalation, or lateral movement through identity systems. Low-and-slow abuse is hard to catch because it blends into administrative activity and may not trigger endpoint-centric controls. In hybrid environments, the control surface includes authentication events, directory modifications, trust changes, and recovery actions, all of which need correlation to show when identity is being used as the initial foothold or persistence layer.

Practical implication: Teams should correlate directory telemetry with privileged change monitoring so identity abuse is visible before recovery becomes a crisis.
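To make the correlation concrete, here is an added Python example (not code from Semperis or from the original post) that runs a low-and-slow rule over constructed Windows Security event records: privileged-group additions (event IDs 4728/4756), directory object modifications (5136) and privileged logons (4672) are counted per actor across a 14-day window and flagged only when they accumulate across several hosts, which is the pattern a per-day threshold misses. The event IDs are the standard Windows Security log IDs; the actor, group and host names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not real data. Windows Security event IDs:
# 4728/4756 = member added to a global/universal security group,
# 5136 = directory service object modified, 4672 = special privileges at logon.
# Fields: timestamp, event_id, actor, target, host.
SAMPLE_EVENTS = [
    ("2026-04-01T09:12:00", 5136, "svc-backup", "CN=AdminSDHolder,CN=System,DC=agency,DC=gov", "DC01"),
    ("2026-04-04T18:40:00", 4728, "svc-backup", "Domain Admins", "DC01"),
    ("2026-04-09T02:15:00", 4756, "svc-backup", "Enterprise Admins", "DC02"),
    ("2026-04-12T03:01:00", 4672, "svc-backup", "-", "FS07"),
    ("2026-04-02T10:00:00", 4728, "jdoe-admin", "Domain Admins", "DC01"),  # one routine change
    ("2026-04-03T10:00:00", 4728, "jdoe-admin", "HelpDesk", "DC01"),       # non-privileged group
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

def is_sensitive(event_id, target):
    """Count privileged-group additions, directory object edits and privileged logons."""
    if event_id in (4728, 4756):
        return target in PRIVILEGED_GROUPS
    return event_id in (5136, 4672)

def find_low_and_slow(events, window_days=14, min_actions=3, min_hosts=2):
    """Flag actors whose sensitive actions, spread across window_days and several
    hosts, pass a cumulative threshold that a per-day rule would miss.
    Returns {actor: [(timestamp, event_id, target, host), ...]}."""
    per_actor = defaultdict(list)
    for ts, eid, actor, target, host in events:
        if is_sensitive(eid, target):
            per_actor[actor].append((datetime.fromisoformat(ts), eid, target, host))
    hits = {}
    for actor, acts in per_actor.items():
        acts.sort()
        # Slide a window starting at each action; trigger on the first window that
        # holds enough sensitive actions touching enough distinct hosts.
        for i, (start, *_rest) in enumerate(acts):
            in_win = [a for a in acts[i:] if a[0] - start <= timedelta(days=window_days)]
            if len(in_win) >= min_actions and len({a[3] for a in in_win}) >= min_hosts:
                hits[actor] = in_win
                break
    return hits

if __name__ == "__main__":
    for actor, acts in find_low_and_slow(SAMPLE_EVENTS).items():
        print(f"{actor}: {len(acts)} sensitive actions across {len({a[3] for a in acts})} hosts")
```

In a real pipeline the same rule would read from a SIEM export rather than the inline list, and the thresholds should be tuned against the agency's own administrative baseline.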

Rapid identity recovery after compromise

Rapid identity recovery is the ability to restore a clean identity state after compromise without reintroducing the same malicious changes. In practice, this depends on malware-free backups, immutable storage, and well-rehearsed restoration procedures for directory services and linked identity components. The key architectural point is that identity recovery is not just data restoration. It is the re-establishment of trust in authentication, authorization, and administrative control after an attacker has tampered with those layers.

Practical implication: Recovery plans should define how to restore identity systems to a verified clean state, not merely bring them back online.
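The distinction between "back online" and "verified clean" can be expressed as two checks, shown here as an added Python example (not Semperis' code and not from the original post): first, pick the newest backup taken strictly before the earliest attacker-attributed change; second, compare the restored snapshot against the artefacts forensics tied to the attacker (privileged-group members and trusts) so that a restore which silently reintroduces them is rejected. The backups, timestamps, group members and trust names are constructed.

```python
from datetime import datetime

# Constructed data, not from any real environment. Each backup is
# (timestamp, snapshot); a snapshot records privileged group membership and
# domain trusts, the two places the text says attacker changes tend to survive.
BACKUPS = [
    ("2026-03-28T01:00:00", {"groups": {"Domain Admins": {"adm-alice", "adm-bob"}},
                             "trusts": {("agency.gov", "partner.gov", "inbound")}}),
    ("2026-04-05T01:00:00", {"groups": {"Domain Admins": {"adm-alice", "adm-bob", "svc-backup"}},
                             "trusts": {("agency.gov", "partner.gov", "inbound")}}),
    ("2026-04-11T01:00:00", {"groups": {"Domain Admins": {"adm-alice", "adm-bob", "svc-backup"}},
                             "trusts": {("agency.gov", "partner.gov", "inbound"),
                                        ("agency.gov", "staging.example", "outbound")}}),
]
# Earliest attacker-attributed change and the artefacts forensics tied to it (constructed).
FIRST_TAINTED_CHANGE = "2026-04-01T09:12:00"
TAINTED_ARTEFACTS = {
    ("member", "Domain Admins", "svc-backup"),
    ("trust", "agency.gov", "staging.example", "outbound"),
}

def select_clean_backup(backups, first_tainted):
    """Newest backup taken strictly before the first attacker change, or None."""
    cutoff = datetime.fromisoformat(first_tainted)
    older = [b for b in backups if datetime.fromisoformat(b[0]) < cutoff]
    return max(older, key=lambda b: b[0]) if older else None

def snapshot_artefacts(snapshot):
    """Flatten a snapshot into comparable (kind, ...) tuples."""
    items = {("member", g, m) for g, members in snapshot["groups"].items() for m in members}
    items |= {("trust",) + t for t in snapshot["trusts"]}
    return items

def verify_clean_state(snapshot, tainted):
    """Tainted artefacts still present after restore; an empty list means verified clean."""
    return sorted(snapshot_artefacts(snapshot) & tainted)

if __name__ == "__main__":
    chosen = select_clean_backup(BACKUPS, FIRST_TAINTED_CHANGE)
    print("restore point:", chosen[0] if chosen else "none before first tainted change")
    for ts, snap in BACKUPS:
        print(ts, "tainted artefacts present:", verify_clean_state(snap, TAINTED_ARTEFACTS))
```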


NHI Mgmt Group analysis

Public sector identity resilience is now a procurement and operations problem, not just a product category. Adding hybrid identity security to government contract vehicles lowers the friction of buying controls, but it does not lower the underlying burden of governing identity attack paths. Agencies still have to connect detection, hardening, forensics, and recovery across multiple identity planes. The practical conclusion is that buying access to tooling is not the same as closing the identity resilience gap.

Hybrid identity systems are the control plane that attackers use when mission continuity depends on directory trust. When more than 90% of organisations rely on hybrid identity, the blast radius of a directory compromise becomes a service-delivery problem as much as a security problem. That makes Zero Trust and ICAM programmes inseparable from restoration design. The implication for practitioners is to treat identity infrastructure as critical recovery infrastructure, not just an authentication service.

Identity resilience is the named concept this market is converging on, and it is broader than recovery alone. The article defines it as coverage before, during, and after attack, which is the right framing for hybrid environments where old trust relationships can survive long after the initial incident. That means posture controls, detection, clean recovery, and post-attack forensics belong in one governance model. Practitioners should judge solutions by how completely they cover the identity lifecycle under attack.

The public sector is signalling that identity recovery must be operationalised with the same seriousness as incident response. If agencies can only recover identity systems in days or weeks, then the business continuity gap becomes part of the attacker's objective. This shifts the governance conversation from isolated hardening efforts to measurable recovery readiness. The practitioner takeaway is to align procurement, ICAM, and CSF mapping around recoverability, not only prevention.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why identity recovery often begins from incomplete knowledge.
  • That visibility gap is explored further in Top 10 NHI Issues, which is useful when agencies are deciding where to prioritise remediation and offboarding work next.

What this signals

Public sector identity programmes should expect procurement pressure to move toward bundled detection, hardening, and recovery capabilities rather than point controls. With 79% of organisations reporting secrets leaks and 77% of those incidents causing tangible damage, identity resilience is no longer a niche recovery concern but a governance requirement.

Identity blast radius: the practical measure of how far a compromised directory or credential can reach before recovery. For agencies, the question is not only whether identity systems are protected, but how much mission failure they can absorb before restoration begins. That makes recovery time, clean-state validation, and trust-path removal central to programme design.

A useful reference point is the 52 NHI Breaches Analysis, which shows how identity compromise repeatedly turns into broader operational disruption. Public sector teams should use that pattern to sharpen their own recovery exercises and procurement requirements.


For practitioners

  • Map identity resilience to mission continuity requirements: Define which government services fail if Active Directory, Entra ID, or Okta are compromised, then tie those dependencies to recovery objectives and incident priorities. Use that mapping to justify procurement and restoration requirements in the same control conversation.
  • Require clean recovery evidence in identity contracts: Ask vendors to show how malware-free backups, immutable storage, and identity forensics support restoration to a verified clean state. Include proof points for directory rollback, trust validation, and post-incident re-entry prevention.
  • Correlate directory changes with privileged access events: Build detection around identity modifications, trust changes, and administrator actions so low-and-slow abuse is visible before it becomes persistence. This is especially important in hybrid environments where the same actor can touch multiple identity layers.
  • Test restoration under adversarial conditions: Run recovery exercises that assume the identity plane is tampered with, not merely unavailable. Measure how quickly teams can restore clean authentication and authorization without reintroducing stale trust paths or compromised administrative state.

Key takeaways

  • Hybrid identity security is now inseparable from government continuity planning because identity compromise can disrupt mission systems directly.
  • The evidence points to a structural recovery gap, with most organisations still exposed to valid secrets and limited visibility into service accounts.
  • Agencies should evaluate tools by whether they restore a verified clean identity state, not just whether they can detect compromise.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | Hybrid identity contract access maps to access control and identity governance.
NIST Zero Trust (SP 800-207) | | The article explicitly ties identity resilience to Zero Trust architecture.
OWASP Non-Human Identity Top 10 | NHI-03 | Recovery and rotation discipline matter when hybrid identity credentials are compromised.

Review NHI lifecycle controls so compromised credentials can be revoked and restored cleanly.


Key terms

  • Hybrid Identity: Hybrid identity is an identity environment that spans on-premises and cloud systems, usually including directory services, federation, and connected SaaS identities. The security problem is that trust, administration, and recovery all cross boundaries, so compromise in one layer can affect the whole identity plane.
  • Identity Resilience: Identity resilience is the ability to prevent, detect, respond to, and recover from identity compromise while preserving trust in the identity plane. It goes beyond protection controls by including clean recovery, forensics, and continuity so restored systems do not reintroduce the same attack path.
  • Identity Threat Detection And Response: Identity threat detection and response is the practice of finding suspicious activity inside directories, privilege assignments, and identity trust relationships, then containing it quickly. In hybrid environments, the aim is to detect abuse that looks like normal administration before it becomes persistence or lateral movement.
  • Clean Identity Recovery: Clean identity recovery means restoring directory and identity services to a verified trustworthy state after compromise. The key distinction is between bringing systems back online and restoring confidence in authentication, authorization, and administrative control without reusing tainted changes or stale trust paths.

Deepen your knowledge

Hybrid identity security and identity recovery are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a government identity resilience programme from a similar starting point, it is worth exploring.

This post draws on content published by Semperis: Contract addition expands availability of hybrid identity security solutions for public sector agencies. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org