TL;DR: Active Directory remains the control plane for authentication, authorisation and auditing in Windows estates, and the article argues that security depends on accurately assessing effective permissions, not just listing ACLs. That matters because privilege escalation paths and system-wide compromise still arise when organisations cannot map who can actually do what.
NHIMG editorial — based on content published by Paramount Defenses: Active Directory is Foundational
By the numbers:
- At 85% of organizations worldwide, all organizational user accounts and passwords are stored, protected and managed in Active Directory and almost all organizational computers are joined to, secured by and managed from Active Directory.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: What breaks when Active Directory access reviews stop at ACLs?
A: They miss the access that matters in practice.
Q: Why do Active Directory privilege paths create enterprise-wide risk?
A: Because Active Directory controls authentication and authorisation for much of the Windows environment.
Q: How do security teams know whether Active Directory governance is working?
A: They should be able to show who can actually perform privileged actions on critical objects after inheritance and delegation are resolved.
Practitioner guidance
- Map effective permissions across high-value objects Analyse the cumulative rights on domain controllers, privileged groups, admin workstations, and sensitive OUs.
- Prioritise remediation of escalation paths, not just risky accounts Remove or constrain permissions that let ordinary identities reset passwords, change group membership, link policy, or alter organisational units.
- Review trust and delegation boundaries as security controls Treat trust relationships, backup access, and administrative workstation rights as part of the identity perimeter.
What's in the full article
Paramount Defenses' full article covers the operational detail this post intentionally leaves for the source:
- Detailed explanation of how effective permissions are calculated across ACLs, nesting, and inheritance
- The article’s five-measure Active Directory hardening model, including which controls it treats as easiest to implement
- Examples of the AD objects and trust relationships that create escalation paths in Windows estates
- Paramount Defenses' step-by-step view of why Active Directory compromise can become system-wide compromise
👉 Read Paramount Defenses' analysis of Active Directory effective permissions and security →
Effective permissions in Active Directory: what IAM teams miss?
Explore further
Effective permissions are the real security boundary in Active Directory. The article is right to shift attention away from raw ACL counts and toward what access remains after nesting, inheritance, and delegation are resolved. That is the point where IAM governance becomes real, because nominal permission review often misses the rights that matter. For practitioners, the lesson is that exposure lives in the resolved access model, not the visible list of entries.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who is accountable when Active Directory privilege escalation is possible?
A: Accountability sits with the organisation operating the directory, because effective permissions reflect local governance decisions. Frameworks such as NIST CSF and zero trust expect access to be understood and controlled, not assumed safe because it is documented somewhere.
👉 Read our full editorial: Active Directory security depends on effective permissions, not ACL counts