
AD and Entra ID identity security roadmap: what should teams watch?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter  

TL;DR: Identity teams must treat directory risk, certificate paths, and governance workflow speed as one control plane, not separate projects, as Netwrix’s on-demand session outlines roadmap changes for Active Directory, Entra ID, PingCastle, and AD CS, focusing on real-time identity attack detection, posture management, governance, and a redesigned risk assessment experience, according to Netwrix.

NHIMG editorial — here’s why we think this discussion matters

By the numbers:

Questions worth separating out

Q: How should teams reduce identity-based attack paths in Active Directory and Entra ID?

A: Teams should identify where directory trust, delegated administration, and stale group membership create reachable escalation paths, then remove the shortest routes first.

Q: Why does Active Directory Certificate Services increase identity risk?

A: AD CS increases identity risk because certificates can remain trusted after passwords change, which allows access to persist if certificate templates or enrollment rights are too broad.

Practitioner guidance

  • Map identity attack paths across directory and certificate trust layers. Trace how Active Directory, Entra ID, and AD CS permissions combine into reachable privilege paths.
  • Review AD CS as a persistence control, not only a service. Inventory certificate templates, enrollment permissions, and authority relationships that can outlive password resets or account changes.
  • Tie every risk assessment result to an owner and a remediation state. Require each finding to map to a named remediation owner, a specific control, and a closure condition.

What to expect at the briefing

Netwrix's full on-demand webinar covers the operational detail this post intentionally leaves for the source:

  • A closer look at the roadmap changes for Active Directory, Entra ID, and PingCastle that are only previewed here.
  • Protection capabilities for Active Directory Certificate Services, including the identity attack paths they are meant to address.
  • A redesigned risk assessment experience with the workflow details practitioners would need to evaluate implementation.
  • Speaker-led discussion of how the roadmap is intended to support faster, more actionable identity remediation.

👉 Watch Netwrix's on-demand session on the identity security roadmap for AD and Entra ID →

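The practitioner guidance above asks for an inventory of certificate templates whose enrollment rights or lifetimes can outlive a password reset, and for every finding to carry an owner and a closure condition. The following is an added example written for this thread, not Netwrix or NHIMG code and not any product's output: a small Python posture check over a constructed template inventory. The template records, field names, the set of "broad" principals, and the 365-day rotation baseline are all assumptions chosen for the illustration; in practice the records would be exported from the directory.

```python
# Added example (not Netwrix or NHIMG code): a toy AD CS template posture check.
# The template records below are constructed for this illustration; the field
# names are assumptions, not the export format of any real tool.
from dataclasses import dataclass

# Enrollment grants to these principals count as "broad" in this check (assumption).
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users", "Domain Computers"}
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
PASSWORD_MAX_AGE_DAYS = 365              # assumed rotation policy used for the comparison


@dataclass
class Template:
    name: str
    enroll_principals: set
    ekus: set                      # empty set: the template carries no EKU restriction
    enrollee_supplies_subject: bool
    manager_approval: bool
    validity_days: int


@dataclass
class Finding:
    template: str
    reasons: list
    owner: str
    control: str
    closure_condition: str
    state: str = "open"


def assess_template(t: Template) -> list:
    """Return the reasons a template is a persistence risk, or [] if none apply."""
    reasons = []
    broad = t.enroll_principals & BROAD_PRINCIPALS
    # No EKU restriction means the certificate is usable for any purpose, logon included.
    allows_client_auth = not t.ekus or CLIENT_AUTH_EKU in t.ekus
    if broad and allows_client_auth and t.enrollee_supplies_subject and not t.manager_approval:
        reasons.append(
            f"{sorted(broad)} can enroll for a logon-capable certificate and choose "
            "the subject without manager approval"
        )
    if allows_client_auth and t.validity_days > PASSWORD_MAX_AGE_DAYS:
        reasons.append(
            f"logon-capable certificate valid {t.validity_days} days outlives the "
            f"{PASSWORD_MAX_AGE_DAYS}-day password rotation"
        )
    return reasons


def run_assessment(templates: list, owners: dict) -> dict:
    """Map template name -> Finding; each finding carries an owner and a closure condition."""
    findings = {}
    for t in templates:
        reasons = assess_template(t)
        if not reasons:
            continue
        findings[t.name] = Finding(
            template=t.name,
            reasons=reasons,
            owner=owners.get(t.name, "UNASSIGNED"),  # an unassigned finding can never close
            control="AD CS template enrollment and issuance settings",
            closure_condition="assess_template() returns [] and already-issued certs reviewed",
        )
    return findings


# Constructed sample inventory (not real templates from any environment).
SAMPLE_TEMPLATES = [
    Template("User", {"Domain Users"}, {CLIENT_AUTH_EKU, "1.3.6.1.5.5.7.3.4"}, False, False, 365),
    Template("LegacyWebAccess", {"Domain Users"}, {CLIENT_AUTH_EKU, "1.3.6.1.5.5.7.3.1"},
             True, False, 730),
    Template("VpnUser", {"Authenticated Users"}, {CLIENT_AUTH_EKU}, False, False, 1095),
    Template("TierZeroAdmin", {"Domain Admins"}, set(), True, True, 180),
]
SAMPLE_OWNERS = {"LegacyWebAccess": "pki-team"}  # constructed owner assignment

if __name__ == "__main__":
    for name, f in run_assessment(SAMPLE_TEMPLATES, SAMPLE_OWNERS).items():
        print(f"{name}: owner={f.owner} state={f.state}")
        for r in f.reasons:
            print(f"  - {r}")
```

The check deliberately treats "no owner" as a finding that cannot be closed, which is the workflow point of the third guidance bullet: a result without a named remediation owner and a closure condition is a report, not a control.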



(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 2127
 

Identity security is moving from visibility to executable governance. A roadmap that links real-time detection, posture management, and certificate-path reduction reflects a broader shift in the market: identity teams now need control loops, not just reports. The old model of periodic review cannot keep pace with attack paths that span Active Directory, Entra ID, and AD CS. Practitioners should treat identity risk as a workflow problem as much as a tooling problem.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.

A question worth separating out:

Q: How can IAM teams decide whether a roadmap feature will reduce real risk?

A: Look for whether the feature changes a control decision, not just the dashboard. A useful capability shortens the path from finding to action across access, certificates, or governance state. If it cannot show which identity condition changed and who must act, it is unlikely to lower attack potential.

👉 Read our full editorial: Identity security roadmap: what changes for AD and Entra ID


