TL;DR: Manual Active Directory access reviews still break down in hybrid and multi-domain environments because spreadsheets, delayed decisions, and nested groups obscure who actually has access, according to SecurEnds. The core issue is governance drift: reviews that cannot see transitive entitlements or enforce timely revocation leave organisations with audit gaps and unnecessary privilege exposure.
NHIMG editorial — based on content published by SecurEnds: Active Directory access reviews in hybrid estates
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
Questions worth separating out
Q: What breaks when Active Directory access reviews are run from spreadsheets?
A: Spreadsheet-based reviews break down because they capture a static snapshot of a directory that keeps changing while reviewers decide, so decisions are made against stale state and nothing carries them back into the live entitlement set.
Q: Why do nested AD groups make access certification harder?
A: Nested groups hide transitive access, which means the visible membership list is not the same as the effective permission set.
Q: How do you know if an access review programme is actually working?
A: A review programme is working when approved removals are executed quickly, unapproved access is escalated automatically, and audit evidence shows the decision changed the live entitlement state.
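Resolving transitive membership into a reviewable view, as an added example (Python, not SecurEnds' code or tooling). The directory graph below is constructed; in a real estate the same walk runs over each group's `member` attribute, or you let the domain controller recurse for you with an LDAP_MATCHING_RULE_IN_CHAIN filter (OID 1.2.840.113556.1.4.1941). The example also records the membership path, because that is what a revocation needs: the edge to cut is the user's direct membership, not the top-level group the reviewer saw. It handles circular nesting, which AD permits and which a naive recursive walk loops on.

```python
"""Flatten nested AD group membership into an effective-entitlement view.

Added example, not SecurEnds' code. DIRECTORY is a constructed sample; the
group and user names are illustrative assumptions.
"""
from collections import deque

# Constructed sample: group -> direct members (users or other groups).
# Helpdesk and Helpdesk-Escalation contain each other: a cycle AD allows.
DIRECTORY = {
    "Helpdesk-L1": {"alice", "bob"},
    "Helpdesk": {"Helpdesk-L1", "Helpdesk-Escalation", "carol"},
    "Helpdesk-Escalation": {"Helpdesk", "dave"},
    "Server-Operators": {"Helpdesk", "erin"},
    "Finance-Readers": {"bob"},
    "Domain-Admins": {"frank"},
}


def is_group(name, directory=DIRECTORY):
    return name in directory


def direct_parents(directory):
    """Invert the member lists: principal -> set of groups it is directly in."""
    parents = {}
    for group, members in directory.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    return parents


def effective_groups(principal, directory=DIRECTORY):
    """Return {group: path} for every group the principal is transitively in.

    path is the chain from the principal's direct membership up to `group`.
    Removing alice from 'Server-Operators' directly would be a no-op; the
    path shows the edge that actually grants it (alice -> Helpdesk-L1).
    Breadth-first, so the recorded path is the shortest one, and the `seen`
    map makes circular nesting terminate.
    """
    parents = direct_parents(directory)
    seen = {}
    queue = deque()
    for group in sorted(parents.get(principal, ())):
        seen[group] = [group]
        queue.append(group)
    while queue:
        group = queue.popleft()
        for parent in sorted(parents.get(group, ())):
            if parent not in seen:
                seen[parent] = seen[group] + [parent]
                queue.append(parent)
    return seen


def review_view(directory=DIRECTORY):
    """Per-user certification rows: direct groups vs hidden (transitive-only) groups."""
    parents = direct_parents(directory)
    users = sorted(p for p in parents if not is_group(p, directory))
    rows = {}
    for user in users:
        effective = effective_groups(user, directory)
        direct = set(parents[user])
        rows[user] = {
            "direct": sorted(direct),
            "hidden": sorted(g for g in effective if g not in direct),
            "paths": effective,
        }
    return rows


if __name__ == "__main__":
    for user, row in review_view().items():
        print(f"{user:6} direct={row['direct']} hidden={row['hidden']}")
```

The "hidden" column is the point of the exercise: alice's visible membership is one helpdesk group, her effective entitlement includes Server-Operators, and a reviewer certifying the top-level list would never see it.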
Practitioner guidance
- Flatten nested group inheritance before certification: resolve transitive permissions into a single review view so managers see the full effective entitlement set, not just the top-level group membership.
- Bind approvals to revocation workflows: make every unapproved entitlement flow directly into removal, exception handling, or escalation so decisions change access state immediately.
- Replace exported spreadsheets with live review campaigns: keep the review connected to Active Directory and Azure AD during the campaign so the evidence set stays aligned to current access.
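Binding decisions to enforcement and catching state drift, as an added example (Python, not SecurEnds' workflow engine). It plays a set of reviewer decisions against the live entitlement state rather than the snapshot the reviewers saw, executes approved removals, escalates anything that was never decided or that appeared after the snapshot, and emits evidence rows with before/after state. The snapshot, live state, decision format and names are all constructed assumptions.

```python
"""Apply access-review decisions to live state and produce audit evidence.

Added example, not SecurEnds' code. Direct memberships are modelled as
(user, group) pairs; SNAPSHOT, LIVE and DECISIONS are constructed samples.
"""
from datetime import datetime, timezone

# Constructed snapshot exported when the campaign opened.
SNAPSHOT = {
    ("alice", "Helpdesk-L1"),
    ("bob", "Helpdesk-L1"),
    ("bob", "Finance-Readers"),
    ("erin", "Server-Operators"),
}

# Constructed live state at execution time. Drift since the snapshot:
# bob's Finance-Readers membership was already removed by someone else,
# and grace was added to Server-Operators after the reviewers had their export.
LIVE = {
    ("alice", "Helpdesk-L1"),
    ("bob", "Helpdesk-L1"),
    ("erin", "Server-Operators"),
    ("grace", "Server-Operators"),
}

# Constructed decisions: (user, group) -> (decision, reviewer).
# erin's entitlement has no decision at all: a missed review, not an approval.
DECISIONS = {
    ("alice", "Helpdesk-L1"): ("approve", "mgr.helpdesk"),
    ("bob", "Helpdesk-L1"): ("revoke", "mgr.helpdesk"),
    ("bob", "Finance-Readers"): ("revoke", "owner.finance"),
}


def execute_campaign(snapshot, live, decisions, executor="iam-automation", now=None):
    """Apply decisions to the live state; return (new_state, evidence).

    Approved removals are executed immediately; anything without an explicit
    approval is escalated; every outcome is recorded with who acted and the
    entitlement's presence before and after, so the evidence ties a decision
    to a change in live state.
    """
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    state = set(live)
    evidence = []

    def record(entitlement, outcome, actor, before, after):
        evidence.append({
            "user": entitlement[0], "group": entitlement[1],
            "outcome": outcome, "actor": actor,
            "present_before": before, "present_after": after, "at": stamp,
        })

    for entitlement in sorted(snapshot):
        decision = decisions.get(entitlement)
        present = entitlement in state
        if decision is None:
            # No answer from the reviewer: access is not implicitly certified.
            record(entitlement, "escalated:no-decision", None, present, present)
        elif decision[0] == "revoke":
            if present:
                state.discard(entitlement)
                record(entitlement, "revoked", executor, True, False)
            else:
                # Already gone; still evidence that the decision was honoured.
                record(entitlement, "revoked:already-absent", executor, False, False)
        elif decision[0] == "approve":
            record(entitlement, "approved", decision[1], present, present)
        else:
            record(entitlement, "escalated:unknown-decision", decision[1], present, present)

    # Memberships that exist now but were never shown to a reviewer.
    for entitlement in sorted(state - snapshot):
        record(entitlement, "escalated:granted-after-snapshot", None, True, True)

    return state, evidence


def escalations(evidence):
    return [row for row in evidence if row["outcome"].startswith("escalated")]


if __name__ == "__main__":
    new_state, log = execute_campaign(SNAPSHOT, LIVE, DECISIONS)
    for row in log:
        print(f"{row['outcome']:34} {row['user']}@{row['group']}")
```

In a real deployment the `state.discard` call is the group-membership removal against AD or Azure AD, and the evidence rows are what an auditor reads to confirm that a revoke decision changed the directory rather than a spreadsheet cell.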
What's in the full article
SecurEnds' full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step AD and Azure AD campaign setup for access certification.
- Workflow details for notifying reviewers, escalating missed decisions, and exporting audit logs.
- Configuration guidance for scoping by OU, role, group, and application.
- Example reporting patterns for hybrid and multi-forest access reviews.
👉 Read SecurEnds' guide to Active Directory access reviews in hybrid estates →
Explore further
Manual access review was built for a slower identity model. The article shows that spreadsheet-driven certification assumes access state is easy to capture, stable while reviewers decide, and simple to prove later. That assumption fails in hybrid AD estates because entitlements move faster than email workflows and nested groups hide the real privilege set. The implication is that certification quality is now limited by state drift, not reviewer intent.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: Who should be accountable when access remains after a failed review?
A: Accountability should be shared across the manager, the app owner, and the identity team, because each owns a different part of the decision and enforcement chain. The key test is whether the programme can prove who approved the access, who executed the revocation, and where the exception was tracked.
👉 Read our full editorial: Active Directory access reviews are still failing in hybrid estates