Active Directory NHI visibility: what IAM teams still miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Service accounts on-premises often remain fragmented across spreadsheets, dashboards, and CMDBs, leaving ownership, privilege, and usage unclear while manual tracking degrades over time, according to Oasis Security. For IAM and NHI teams, the issue is not discovery alone, but whether lifecycle governance can keep pace with mixed cloud and on-prem identity sprawl.

NHIMG editorial — what this means for NHI practitioners

By the numbers:

Questions worth separating out

Q: What breaks when service accounts in Active Directory are not clearly owned?

A: Lifecycle governance breaks first, because no one can confidently attest, rotate, or decommission the account.

Q: Why do service accounts in Active Directory create more NHI risk than teams expect?

A: They create risk because AD can make an account look orderly while the operational context sits elsewhere.

Q: How do security teams know if AD-based NHI governance is actually working?

A: Look for evidence that every service account can be tied to a current owner, a real consumer application, and a justified privilege set.

Practitioner guidance

  • Classify AD service accounts as NHI assets: Separate human and non-human identities in your directory governance model, then tag service accounts with owner, consumer application, and business purpose so they can be reviewed as NHI, not as generic accounts.
  • Correlate directory objects with external truth sources: Join AD data to CMDB, ticket history, and application inventories so attestation teams can validate whether each account is still needed and who is accountable for it.
  • Prioritise privileged and unsynced identities first: Review accounts with elevated rights, accounts not synced to cloud identity, and accounts whose usage patterns do not match their declared purpose; these are the most likely governance gaps in hybrid estates.

What's in the full announcement

Oasis Security's full blog covers the operational detail this post intentionally leaves for the source:

  • The specific integration modes for on-prem Active Directory and Azure Entra ID environments.
  • The operational context fields the platform uses to map service account usage, permissions, owners, and consumers.
  • The example workflows for identifying inactive on-prem accounts that are still active in the cloud.
  • The remediation outputs available after inventories, privilege tagging, and ownership assignment.

👉 Read Oasis Security's blog on Active Directory integration for NHI visibility →

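The three practitioner guidance steps above (classify as NHI, correlate with an external truth source, prioritise privileged and unsynced accounts) as one added PowerShell triage pass. This is an added example, not code from the NHIMG post or from Oasis Security's product. It assumes: a service account is a user object that carries an SPN or is named svc-*; the accountable owner is recorded in managedBy; cloud sync is inferred from a populated mS-DS-ConsistencyGuid (the default Entra Connect source anchor in newer deployments; confirm which anchor your tenant uses); and the CMDB is available as a hashtable keyed by samAccountName. The directory objects and CMDB entries in the block are constructed so it runs offline; the commented Get-ADUser pipeline at the end shows the live form.

```powershell
# Added example (not from the NHIMG post or Oasis Security). Flags the NHI
# governance gaps named in the post for each AD service account object.
# Assumptions: owner lives in managedBy; svc-* naming or an SPN marks a
# service account; mS-DS-ConsistencyGuid populated => synced to Entra ID;
# $Cmdb is an assumed export shaped samAccountName -> @{ App; Owner }.
function Get-NhiGovernanceGap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Account,
        [hashtable] $Cmdb = @{},
        [int] $StaleDays = 90,
        [string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins',
                                         'Administrators', 'Account Operators', 'Schema Admins')
    )
    process {
        # Step 1: classify. Ignore anything that does not look like a service account.
        $isService = (@($Account.ServicePrincipalName).Count -gt 0) -or
                     ($Account.SamAccountName -like 'svc-*')
        if (-not $isService) { return }

        $gaps = [System.Collections.Generic.List[string]]::new()
        if ([string]::IsNullOrWhiteSpace($Account.ManagedBy)) { $gaps.Add('NoOwner') }

        # Step 2: correlate with the external truth source (constructed CMDB export).
        $cmdbEntry = $Cmdb[$Account.SamAccountName]
        if (-not $cmdbEntry) { $gaps.Add('NotInCMDB') }
        elseif ($Account.ManagedBy -and $cmdbEntry.Owner -and
                $cmdbEntry.Owner -ne $Account.ManagedBy) { $gaps.Add('OwnerMismatch') }

        # Step 3: privilege. Group membership is authoritative; adminCount=1 stays
        # set after removal from a protected group, so it is reported separately.
        $privileged = @($Account.MemberOf | Where-Object {
            $dn = $_
            @($PrivilegedGroups | Where-Object { $dn -like "CN=$_,*" }).Count -gt 0
        })
        if ($privileged.Count -gt 0)       { $gaps.Add('PrivilegedGroup') }
        elseif ($Account.AdminCount -eq 1) { $gaps.Add('AdminCountSticky') }

        if (-not $Account.'mS-DS-ConsistencyGuid') { $gaps.Add('NotSyncedToCloud') }

        # lastLogonTimestamp replicates lazily (up to about 14 days), so keep the
        # staleness threshold well above that lag.
        if ($Account.LastLogonTimestamp) {
            $last = [DateTime]::FromFileTime([int64]$Account.LastLogonTimestamp)
            if ($last -lt (Get-Date).AddDays(-$StaleDays)) { $gaps.Add("StaleOver${StaleDays}d") }
        } else { $gaps.Add('NeverLoggedOn') }

        if ($Account.PasswordLastSet -and $Account.PasswordLastSet -lt (Get-Date).AddYears(-1)) {
            $gaps.Add('PasswordOlderThan1y')
        }

        # Rank: unowned and privileged first, as the guidance recommends.
        $weights = @{ NoOwner = 4; PrivilegedGroup = 4; AdminCountSticky = 2; NotInCMDB = 2
                      OwnerMismatch = 2; NotSyncedToCloud = 1; NeverLoggedOn = 1; PasswordOlderThan1y = 1 }
        $priority = 0
        foreach ($g in $gaps) {
            if ($weights.ContainsKey($g))  { $priority += $weights[$g] }
            elseif ($g -like 'StaleOver*') { $priority += 1 }
        }

        [pscustomobject]@{
            SamAccountName = $Account.SamAccountName
            Owner          = $Account.ManagedBy
            App            = $cmdbEntry.App
            Priority       = $priority
            Gaps           = ($gaps -join ',')
        }
    }
}

$now = Get-Date
# Constructed CMDB export (assumed shape): account -> consuming app and accountable owner DN.
$cmdb = @{
    'svc-web'    = @{ App = 'Customer portal'; Owner = 'CN=Web Team,OU=Groups,DC=corp,DC=example' }
    'svc-backup' = @{ App = 'Backup';          Owner = 'CN=Infra Ops,OU=Groups,DC=corp,DC=example' }
}
# Constructed directory objects shaped like Get-ADUser output.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-backup'; ServicePrincipalName = @('MSSQLSvc/db01.corp.example:1433')
        ManagedBy = $null; AdminCount = 1; MemberOf = @('CN=Domain Admins,CN=Users,DC=corp,DC=example')
        'mS-DS-ConsistencyGuid' = $null; LastLogonTimestamp = $now.AddDays(-200).ToFileTime()
        PasswordLastSet = $now.AddYears(-3) }
    [pscustomobject]@{ SamAccountName = 'svc-web'; ServicePrincipalName = @('HTTP/web01.corp.example')
        ManagedBy = 'CN=Web Team,OU=Groups,DC=corp,DC=example'; AdminCount = 0; MemberOf = @()
        'mS-DS-ConsistencyGuid' = [guid]::NewGuid().ToByteArray(); LastLogonTimestamp = $now.AddDays(-2).ToFileTime()
        PasswordLastSet = $now.AddDays(-30) }
    [pscustomobject]@{ SamAccountName = 'svc-legacy'; ServicePrincipalName = @('HOST/old01.corp.example')
        ManagedBy = 'CN=Unknown,OU=Groups,DC=corp,DC=example'; AdminCount = 1; MemberOf = @()
        'mS-DS-ConsistencyGuid' = $null; LastLogonTimestamp = $null; PasswordLastSet = $now.AddYears(-2) }
    [pscustomobject]@{ SamAccountName = 'jdoe'; ServicePrincipalName = @(); ManagedBy = $null; AdminCount = 0
        MemberOf = @(); 'mS-DS-ConsistencyGuid' = $null; LastLogonTimestamp = $now.ToFileTime(); PasswordLastSet = $now }
)
$sample | Get-NhiGovernanceGap -Cmdb $cmdb | Sort-Object Priority -Descending | Format-Table -AutoSize

# Live use (needs the RSAT ActiveDirectory module and read access to the domain):
# Get-ADUser -Filter 'servicePrincipalName -like "*" -or samAccountName -like "svc-*"' `
#   -Properties servicePrincipalName,managedBy,adminCount,memberOf,'mS-DS-ConsistencyGuid',lastLogonTimestamp,passwordLastSet |
#   Get-NhiGovernanceGap -Cmdb $cmdb | Sort-Object Priority -Descending
```

On the constructed data, svc-backup ranks first (no owner, Domain Admins member, unsynced, stale, old password), svc-legacy second (absent from the CMDB, sticky adminCount, never logged on), svc-web reports no gaps, and the human account jdoe is skipped at the classification step. The weights are a starting point to argue about with the application owners, not a scoring standard.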
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Active Directory has become an NHI governance surface, not just a human identity directory. The article correctly treats AD as a place where service accounts, owners, consumers, and privilege relationships all collide. That matters because the governance question is no longer whether AD can authenticate identities, but whether it can support trustworthy lifecycle decisions for non-human access. Practitioners should treat AD coverage as part of NHI governance architecture, not a separate legacy exception.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • A separate finding from the same research shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 47% reporting only partial visibility.

A question worth separating out:

Q: Who should be accountable for stale or unowned service accounts in AD?

A: Accountability should sit with the business or application owner who benefits from the account, with identity and infrastructure teams enforcing the lifecycle process. If that ownership cannot be assigned, the account should be treated as an unresolved governance exception, not a routine directory object.

👉 Read our full editorial: Microsoft Active Directory integration exposes the NHI visibility gap



   
ReplyQuote
Share: