TL;DR: African financial institutions are being pushed toward stronger authentication and auditable access controls while many still depend on on-prem Active Directory for core systems, according to IS Decisions. The underlying issue is not cloud reluctance but the mismatch between legacy IAM capabilities and modern compliance demands, especially where MFA, session control, and visibility are now expected.
NHIMG editorial — based on content published by IS Decisions: on-prem MFA for Active Directory banks facing compliance pressure
Questions worth separating out
Q: How should banks strengthen Active Directory security without moving to cloud identity?
A: Banks should add compensating controls around the existing directory, starting with MFA, session limits, and contextual access rules for high-risk accounts.
Q: Why do legacy Active Directory environments create compliance problems?
A: Legacy AD environments create compliance problems because they were not built with modern authentication assurance, session governance, and audit expectations in mind.
Q: What breaks when MFA is not native to the identity platform?
A: When MFA is not native to the identity platform, enforcement often becomes uneven across applications, user groups, and access paths.
Practitioner guidance
- Enforce MFA across all high-risk AD access paths Start with privileged users, remote logins, and any workflow that touches regulated data or administrative systems.
- Add session controls to reduce credential reuse risk Limit concurrent sessions, apply context-aware access rules, and block high-risk connections where the authentication context does not match policy.
- Treat AD auditability as evidence, not just logging Use visibility into user interaction, endpoint posture, and policy enforcement to prove that access controls are working.
What's in the full article
IS Decisions' full article covers the operational detail this post intentionally leaves for the source:
- Examples of how African banks are applying MFA and access controls directly onto existing Active Directory estates
- Use cases from a private bank, a credit institution, and a Finance Ministry that show different compliance drivers
- The article's explanation of how on-prem overlays can add concurrent session control and contextual network restrictions without a cloud migration
- The specific way UserLock is positioned as an AD security layer for organisations that must stay on premises
👉 Read IS Decisions' article on on-prem MFA for Active Directory banks →
Active Directory MFA in banks: what changes for compliance teams?
Explore further
Legacy Active Directory becomes a governance liability when modern compliance expectations outgrow its native control model. The article is not about whether AD still has value. It is about the fact that banks can no longer treat AD as complete security architecture on its own when regulators expect MFA, contextual access, and session governance. The implication is that IAM teams must judge legacy identity platforms by control coverage, not historical familiarity.
Identity assurance is becoming a control-plane issue, not just an authentication issue. As organisations introduce more complex access patterns, the governance burden shifts toward proving who can log in, from where, and under what conditions. For regulated banks, that means session-level enforcement and evidence matter as much as the initial factor check.
A question worth separating out:
Q: Who is accountable for authentication control in on-prem banking environments?
A: Accountability usually sits with the identity, infrastructure, and security functions together, because authentication control spans directory configuration, access policy, and regulatory evidence. In on-prem banking environments, the organisation cannot outsource that responsibility to the cloud platform. The control owner must be able to show enforcement, not just intent.
👉 Read our full editorial: On-prem MFA for Active Directory banks faces rising compliance pressure