
PingCastle and AD security governance: what should teams re-evaluate?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter  

TL;DR: Active Directory visibility, misconfiguration detection, and governance workflows still need to catch up with sprawl and hidden trust paths, even as Netwrix folds PingCastle into its portfolio to extend AD scanning, including discovery of known and shadow domains and misconfigurations, according to the company.

NHIMG editorial — here’s why we think this discussion matters

Questions worth separating out

Q: How should teams govern unknown or shadow Active Directory domains?

A: Treat unknown AD domains as unmanaged identity assets until they have an owner, a trust-map, and a review cycle.

Q: Why do Active Directory misconfigurations create identity governance risk?

A: Because misconfigurations usually change who can reach what, often by widening delegation, inheritance, or administrative paths.

Practitioner guidance

What to expect at the briefing

Netwrix's full webinar covers the operational detail this post intentionally leaves for the source:

  • A live product demo showing how PingCastle scans known and unknown AD domains for underlying security vulnerabilities.
  • Product leadership commentary on how PingCastle fits alongside Netwrix's AD-centric cybersecurity tooling.
  • A 45-minute training format with audience questions that can clarify implementation and workflow details.
  • The source webinar context around why PingCastle was added to the portfolio and what that means for the product surface.

👉 Watch Netwrix's on-demand webinar on PingCastle and AD security →


(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 2127
 

Directory visibility is now an identity governance requirement, not just an AD administration task. The acquisition reinforces a pattern NHIMG sees repeatedly: organisations treat directory discovery as a technical scan when the real issue is whether the identity programme can govern what it cannot yet see. Unknown domains, stale trusts, and unmanaged delegation paths expand the attack surface outside normal lifecycle control. Practitioners should treat directory inventory as a governance input, not a one-time assessment.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% having no or low visibility and 47% having only partial visibility, according to The State of Non-Human Identity Security.
  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.

A question worth separating out:

Q: How do organisations know if AD security tooling is actually working?

A: It is working when the findings lead to measurable reductions in exposed privileges, unresolved trusts, and unowned domains. If the output only increases alert volume or produces a static report, the tool is improving visibility without changing the control posture.

👉 Read our full editorial: Netwrix PingCastle acquisition and what it changes for AD security



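The trust-map the first post says every domain needs before it counts as managed, and the "unresolved trusts and unowned domains" counts the reply uses as its measure of whether AD tooling is working, can both be produced from the directory itself. The script below is an added example, not code from either post and not part of PingCastle or any Netwrix product. It assumes the RSAT ActiveDirectory module, read access to every domain in the forest, and a hypothetical ownership register (`$owners`) that the identity team maintains; any target domain absent from that register is treated as unowned.

```powershell
# Added example (not from the thread, PingCastle or Netwrix): enumerate every
# trust in the current forest, join it to an ownership register, and emit the
# counts a governance review can trend from one cycle to the next.
# Assumptions: RSAT ActiveDirectory module installed; the caller can read each
# domain; $owners is maintained by the identity team (hypothetical data here).
Import-Module ActiveDirectory

# Hypothetical ownership register: target domain DNS name -> owning team.
# Anything not listed is an unmanaged identity asset until someone claims it.
$owners = @{
    'corp.example.com' = 'Identity Platform'
}

$forest = Get-ADForest
$report = foreach ($domain in $forest.Domains) {
    # -Server scopes the query to each domain so child-domain trusts are not missed.
    foreach ($t in Get-ADTrust -Filter * -Server $domain) {
        [pscustomobject]@{
            SourceDomain     = $domain
            Target           = $t.Target
            Direction        = $t.Direction                 # Inbound, Outbound or BiDirectional
            TrustType        = $t.TrustType                 # Uplevel, Downlevel, MIT, DCE
            IntraForest      = $t.IntraForest
            ForestTransitive = $t.ForestTransitive
            SidFiltering     = $t.SIDFilteringQuarantined   # $false on an external trust leaves SID history usable
            SelectiveAuth    = $t.SelectiveAuthentication
            TargetOwner      = if ($owners.ContainsKey($t.Target)) { $owners[$t.Target] } else { 'UNOWNED' }
        }
    }
}

# Findings a reviewer should act on. Each is a number, so it can be re-run after
# every remediation cycle instead of living in a one-time report.
$unowned = $report | Where-Object TargetOwner -eq 'UNOWNED'

# External (non-forest, non-intra-forest) trusts in which this forest trusts the
# other side and SID filtering is off: the other side can present arbitrary SIDs.
$risky = $report | Where-Object {
    -not $_.IntraForest -and -not $_.ForestTransitive -and
    -not $_.SidFiltering -and $_.Direction -ne 'Inbound'
}

$report | Sort-Object SourceDomain, Target | Format-Table -AutoSize
"Trusts total: $($report.Count); to unowned domains: $($unowned.Count); " +
"outbound or bidirectional external trusts without SID filtering: $($risky.Count)"

# Persist a dated snapshot so the next review can diff against this one.
$report | Export-Csv -NoTypeInformation -Path ("trust-map-{0:yyyyMMdd}.csv" -f (Get-Date))
```

Run it from a domain-joined host as an account that can read each domain; the exported CSV is the trust-map, and the three counts are the figures to compare across review cycles. Forest trusts are excluded from the SID-filtering check because their relevant flag is `SIDFilteringForestAware`, not `SIDFilteringQuarantined`; extend the filter if your forest has cross-forest trusts that need the same scrutiny.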