TL;DR: Purple Knight now supports Microsoft Government Community Cloud High, letting federal civilian agencies, DoD organizations, and defense contractors assess Entra ID posture in the same cloud environment where many identity controls were previously hard to validate, according to Semperis. For practitioners, the change is less about tooling and more about closing the gap between on-premises AD checks and cloud identity governance.
NHIMG editorial — what this means for NHI practitioners
Questions worth separating out
Q: How should federal IAM teams assess hybrid identity posture across GCC High and on-premises AD?
A: Use the same control baseline across both environments, then compare results for gaps in visibility, scoring, and remediation ownership.
Q: Why does cloud identity coverage matter in federal Zero Trust programmes?
A: Zero Trust depends on continuous verification of identity posture, and that verification loses value if it stops at the data centre.
Q: What breaks when assessment tools do not cover GCC High tenants?
A: Teams lose parity between what they believe they have hardened and what they can actually measure.
Practitioner guidance
- Map assessment coverage to the full hybrid boundary: verify that the same identity posture checks applied to on-premises Active Directory are also executed in GCC High Entra ID tenants, then compare outputs for coverage gaps and inconsistent scoring.
- Reconcile remediation ownership across AD and cloud teams: assign one accountable owner for findings that span both directory environments so issues discovered in GCC High do not stall between infrastructure, IAM, and compliance groups.
- Tie Zero Trust reviews to identity evidence: use assessment output as evidence for Zero Trust validation, then re-test after role changes, configuration updates, and tenant modifications that can reopen exposure paths.
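One way to turn the first two points into a repeatable check, as an added example that is not part of the original post and is not Purple Knight's code: take the assessment results from both environments, compare them against a single control baseline that states where each check is expected to run, and report coverage gaps, inconsistent scoring, unowned findings, and findings that have been split between two owners. The record layout, check names, severity scores, and team names are constructed placeholders, not the tool's export format or indicator catalogue.

```python
"""Reconcile posture-assessment output from on-premises AD and a GCC High
Entra ID tenant against one control baseline.

Added example, not Purple Knight's own code: the record layout, check names,
scores and team names are constructed placeholders, not the tool's export
format or indicator catalogue.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    check: str        # posture check identifier (constructed names below)
    env: str          # "ad" (on-prem directory) or "entra" (GCC High tenant)
    status: str       # "pass", "fail" or "not_run"
    score: int        # hypothetical severity weight, 0 (clean) to 100 (worst)
    owner: str = ""   # team accountable for remediation; "" means unassigned


# Constructed baseline: the environments in which each check must execute.
# An AD-only check that never runs in Entra ID is expected, not a gap.
BASELINE = {
    "stale-privileged-accounts": {"ad", "entra"},
    "service-accounts-password-never-expires": {"ad", "entra"},
    "unconstrained-delegation": {"ad"},
    "privileged-roles-without-mfa": {"entra"},
    "guest-users-with-elevated-roles": {"entra"},
}

# Constructed assessment output from both environments.
SAMPLE_RESULTS = [
    Result("stale-privileged-accounts", "ad", "fail", 70, "iam"),
    Result("stale-privileged-accounts", "entra", "fail", 40, "cloud"),
    Result("service-accounts-password-never-expires", "ad", "fail", 60, "iam"),
    Result("service-accounts-password-never-expires", "entra", "not_run", 0),
    Result("unconstrained-delegation", "ad", "pass", 0),
    Result("privileged-roles-without-mfa", "entra", "fail", 90),
    # guest-users-with-elevated-roles has no Entra ID result at all
]


def reconcile(results, baseline=BASELINE):
    """Return the four classes of discrepancy a hybrid review should surface."""
    by_key = {(r.check, r.env): r for r in results}
    report = {
        "coverage_gaps": [],      # (check, env): required but missing or not run
        "score_mismatches": [],   # (check, ad_score, entra_score): both fail, weighted differently
        "unowned_findings": [],   # (check, env): failing with no accountable owner
        "split_ownership": [],    # (check, ad_owner, entra_owner): one issue, two owners
    }
    for check, envs in sorted(baseline.items()):
        ran = {}
        for env in sorted(envs):
            r = by_key.get((check, env))
            if r is None or r.status == "not_run":
                # Required by the baseline but never executed here: a blind spot,
                # not a clean result.
                report["coverage_gaps"].append((check, env))
                continue
            ran[env] = r
            if r.status == "fail" and not r.owner:
                report["unowned_findings"].append((check, env))
        ad, entra = ran.get("ad"), ran.get("entra")
        # Only hybrid checks that failed on both sides are compared for
        # consistent weighting and a single accountable owner.
        if ad and entra and ad.status == "fail" and entra.status == "fail":
            if ad.score != entra.score:
                report["score_mismatches"].append((check, ad.score, entra.score))
            if ad.owner != entra.owner:
                report["split_ownership"].append((check, ad.owner, entra.owner))
    return report


if __name__ == "__main__":
    for kind, items in reconcile(SAMPLE_RESULTS).items():
        print(f"{kind}: {items if items else 'none'}")
```

The baseline is the important design choice: without it, an AD-only check that is absent from the Entra ID results looks identical to a hybrid check that was silently skipped, and the review cannot tell an expected absence from a coverage gap. A "not_run" status is treated the same as a missing record for the same reason.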
What's in the full announcement
Semperis's full post covers the operational detail this post intentionally leaves for the source:
- How Purple Knight extends assessment coverage into GCC High tenants and where that changes the review boundary.
- Which Active Directory and Entra ID exposure indicators are evaluated in the expanded government-cloud context.
- How the tool maps findings to MITRE ATT&CK and ANSSI frameworks for remediation prioritisation.
- Why the federal compliance context changes the value of continuous posture monitoring after point-in-time scans.
👉 Read Semperis's announcement on Purple Knight support for GCC High →
Purple Knight in GCC High: what it means for federal IAM teams
Explore further
Assessment coverage is now the governance issue, not assessment availability. Federal teams do not fail because they lack a tool category. They fail when one part of the hybrid identity estate is measurable and another part is not. Once GCC High is included in the same assessment logic, the real question becomes whether teams are prepared to act on the findings across both AD and cloud identity with one governance model.
A few things that frame the scale:
- NHIs outnumber human identities by 25x to 50x in modern enterprises, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows why partial assessment coverage still leaves material blind spots.
A question worth separating out:
Q: Who should own identity findings that span federal cloud and directory environments?
A: One accountable owner should coordinate remediation across IAM, infrastructure, and compliance teams, because hybrid identity issues rarely fit into a single operational silo. Shared responsibility without a single owner usually leaves findings open while teams debate scope. Clear ownership shortens time to remediation and reduces drift between environments.
👉 Read our full editorial: Purple Knight in GCC High closes a federal identity assessment gap