TL;DR: Active Directory remains embedded in hybrid environments because most organisations still need on-premises control, application compatibility, and cost predictability, while Microsoft survey data shows 93% of respondents describe their estates as hybrid and 54% still run workloads on-premise with AD. The practical issue is not whether cloud wins, but how identity governance adapts to a multi-polar operating model.
NHIMG editorial — based on content published by IS Decisions: Active Directory's hybrid future and what it means for IAM
By the numbers:
- 93% described themselves as "hybrid"
- 54% still run workloads on-premise with Active Directory
- 36% believe their organizations will never be cloud-only
Questions worth separating out
Q: How should security teams govern identity in hybrid Active Directory and cloud environments?
A: Security teams should govern hybrid identity as one estate with multiple control planes.
Q: Why do organisations keep Active Directory even after moving heavily to the cloud?
A: Organisations keep Active Directory because many applications, control requirements, and cost structures still depend on it.
Q: What breaks when access reviews are run separately for cloud and Active Directory?
A: Separate reviews usually miss the full privilege picture.
Practitioner guidance
- Map the real hybrid identity estate Inventory where authentication, authorisation, and privileged administration actually occur across AD, cloud identity, and integrated applications.
- Extend governance to both identity planes Run access reviews, privileged access checks, and lifecycle controls against AD and cloud identity together so entitlements are assessed as one programme rather than two disconnected ones.
- Harden Active Directory as a continuing control plane Apply MFA, contextual access controls, session monitoring, and policy enforcement around AD instead of treating it as a legacy exception that will soon disappear.
What's in the full article
IS Decisions' full article covers the operational detail this post intentionally leaves for the source:
- The survey breakdown behind the 93% hybrid figure and what respondents said about long-term cloud-only timelines.
- The specific reasons organisations gave for staying on-premises, including application fit, control, cost, and availability concerns.
- The article's AD modernisation argument, including how the vendor frames Group Policy and layered security in practice.
- The contextual discussion of why some sectors are likely to remain hybrid or on-premises for much longer than cloud migration narratives suggest.
👉 Read IS Decisions' analysis of Active Directory's hybrid future →
Active Directory and hybrid IAM: what practitioners should expect?
Explore further
Hybrid identity is now the structural baseline, not a transition state. The article's data supports what many IAM teams already see in practice: most enterprises are living with both AD and cloud identity rather than moving cleanly from one to the other. That means identity strategy must be built for coexistence, policy consistency, and long migration horizons. Practitioners should stop treating hybrid as a temporary exception.
A few things that frame the scale:
- 35.6% of organisations cite managing consistent access across hybrid and multi-cloud environments as their top NHI security challenge, according to The 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities.
A question worth separating out:
Q: Who is accountable for hybrid identity risk when control is split between platforms?
A: Accountability sits with the organisation, not the platform. Hybrid identity risk becomes a governance issue when no single team owns the combined access model across cloud and on-premises systems. Security, IAM, and infrastructure leaders need shared responsibility for policy, review, and remediation across the full identity estate.
👉 Read our full editorial: Active Directory's hybrid future reshapes IAM and cloud identity