Hybrid identity score gaps: what IAM teams need to fix now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: Organisations still struggle to identify and remediate vulnerabilities across Active Directory, Entra ID, and Okta, with an average score of 61 out of 100, 11 points below 2023, and with midsized environments faring worst, according to Semperis’ 2025 Purple Knight Report. Low visibility and uneven remediation remain the central problem, not lack of tooling.

NHIMG editorial — based on content published by Semperis: the 2025 Purple Knight Report on hybrid identity security risks and remediation

By the numbers:

Questions worth separating out

Q: How should security teams assess hybrid identity environments across AD, Entra ID, and Okta?

A: They should assess hybrid identity as one governed estate, not as separate tools.

Q: Why do midsized organisations often struggle more with hybrid identity security?

A: Midsized organisations often sit in the worst position because they have enough complexity to accumulate identity debt but not enough specialist capacity to clear it quickly.

Q: What signals show that hybrid identity remediation is actually working?

A: The strongest signal is sustained improvement across multiple assessment cycles, not a one-time score jump.

Practitioner guidance

  • Map hybrid identity ownership end to end: assign clear owners for Active Directory, Entra ID, and Okta controls so remediation does not stall between teams or tool boundaries.
  • Run recurring identity assessments across every identity plane: schedule repeated scanning and review for directory, account, and trust settings instead of relying on a single baseline score.
  • Prioritise high-friction control areas first: tackle AD infrastructure and account security before lower-risk tuning because those categories usually hide the most persistent exposure.

What's in the full report

Semperis's full report covers the operational detail this post intentionally leaves for the source:

  • Category-by-category scoring across AD Infrastructure, Account Security, Kerberos, Group Policy, Entra ID, and Okta
  • Examples from practitioners describing how Purple Knight helped them surface permissions and trust issues in real environments
  • Download and usage context for the 185+ security indicators of exposure or compromise included in the assessment
  • The vendor's remediation guidance that explains how users achieved average score gains after scanning

👉 Read Semperis' 2025 Purple Knight Report on hybrid identity security scores →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7990
 

Hybrid identity security has become a visibility problem before it is a tooling problem. The report’s average score of 61 shows that many organisations still cannot see their identity estate well enough to govern it consistently. That matters because attackers rarely need a perfect environment to succeed, only one hidden path through AD, Entra ID, or Okta. The practitioner conclusion is that assessment maturity now defines identity security maturity.

A few things that frame the scale:

  • NHIs outnumber human identities by 25x to 50x in modern enterprises, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows why assessment gaps persist even when teams believe coverage is adequate.

A question worth separating out:

Q: How do identity teams turn assessment results into governance action?

A: They turn results into governance action by converting findings into tracked remediation tickets, validating the fix after implementation, and revisiting the affected control in the next cycle. That approach prevents assessment from becoming a reporting exercise and makes the score a measure of operational follow-through.

👉 Read our full editorial: Hybrid identity security scores expose persistent assessment gaps
