TL;DR: Active Directory remains the backbone of enterprise identity, but attackers can compromise it in as little as 16 hours after initial access, while outages can cost up to $730,000 per hour, according to Enzoic and Forrester. Continuous credential defense matters because password complexity, forced resets, and periodic audits no longer match how modern credential abuse unfolds.
NHIMG editorial — based on content published by Enzoic: Building a Cyber Strong America with Active Directory Security
By the numbers:
- Attackers can compromise Active Directory in as little as 16 hours after initial access.
Questions worth separating out
Q: How should security teams handle compromised Active Directory passwords in practice?
A: They should treat compromised passwords as active identity incidents, not routine hygiene issues.
Q: Why do periodic password resets fail against modern credential attacks?
A: Because they assume compromise is slow and predictable.
Q: What breaks when Active Directory accounts are still trusted after exposure?
A: The identity programme loses the distinction between a legitimate account and a compromised one.
Practitioner guidance
- Deploy continuous exposure screening for AD passwords Check new and existing credentials against live breach intelligence instead of relying on scheduled resets or periodic audits.
- Inventory privileged and forgotten AD accounts Identify dormant users, delegated admin paths, and legacy service accounts that can still authenticate.
- Tie reset workflows to live compromise signals Trigger credential resets when a password appears in breach data or infostealer feeds, and validate that downstream access is re-authenticated before the account can be reused.
What's in the full article
Enzoic's full article covers the operational detail this post intentionally leaves for the source:
- How its continuous password protection checks passwords against current breach data before acceptance in Active Directory.
- What live remediation looks like when exposed credentials are detected in active accounts.
- The evaluation questions for password monitoring vendors, including privacy handling and update cadence.
- Why the article argues that password complexity and scheduled resets no longer match attacker timelines.
👉 Read Enzoic's analysis of Active Directory continuous password protection →
Active Directory credential protection: are your controls keeping up?
Explore further
Continuous password defence is now an identity governance control, not a hygiene add-on. AD credential compromise works because the directory still treats many passwords as durable trust tokens. Once those credentials appear in infostealer dumps or breach corpora, attackers do not need to break the directory, they can simply authenticate into it. The practitioner conclusion is that continuous exposure checking belongs in the same governance conversation as privileged access and recertification.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- A separate finding shows only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, which reinforces how exposure-driven identity risk still outpaces governance maturity.
A question worth separating out:
Q: Who is accountable when compromised directory credentials affect business systems?
A: Accountability sits with the identity, security, and system owners together. Directory controls, privileged access governance, and application recovery processes all depend on the same trust layer, so the failure is shared. Frameworks such as NIST SP 800-63B and NIST CSF make clear that credential protections and monitoring are governance responsibilities, not optional operations.
👉 Read our full editorial: Active Directory credential defense is still the identity control gap