
Active Directory hygiene and NHI sprawl: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Active Directory hygiene is now an NHI governance issue because stale accounts, nested groups, and fragmented visibility can leave critical cloud apps exposed or offline, according to Oasis Security and Gartner. The operational problem is not just cleanup. It is that hybrid identity assumptions break when service accounts outlive their owners and dependencies are no longer obvious.

NHIMG editorial — based on content published by Oasis Security: Why should Active Directory hygiene be part of your NHI security program?

By the numbers:

Questions worth separating out

Q: What breaks when Active Directory hygiene is not in place for non-human identities?

A: When AD hygiene breaks down, service accounts, nested groups, and sync links can preserve access long after the business need disappears.

Q: Why do service accounts make hybrid identity governance harder?

A: Service accounts are harder to govern because they rarely follow human lifecycle patterns and often support multiple systems at once.

Q: How do security teams know if directory cleanup is actually working?

A: Directory cleanup is working only when teams can prove three things: every identity has an owner, every dependency is mapped, and every high-risk account is reviewed against real usage rather than directory status alone.

Practitioner guidance

  • Map AD-linked service account dependencies: Inventory every service account, the apps it supports, and whether Entra sync or nested groups depend on it before any cleanup activity.
  • Assign accountable owners to machine identities: Use directory attributes and CMDB data to identify a named owner for each service account, API credential, or automation identity, then block attestation until ownership is confirmed.
  • Review nested groups for effective access: Expand group membership recursively to calculate the real permissions assigned to each identity, then remove inherited access that is no longer justified by business need.

What's in the full article

Oasis Security's full blog covers the operational detail this post intentionally leaves for the source:

  • How the vendor maps account usage and dependencies across AD and Entra.
  • How it assigns ownership and attestation using directory attributes.
  • How lifecycle automation is applied to privilege tagging and syncing in practice.
  • What the retail customer example looked like before cleanup risk was identified.

👉 Read Oasis Security's analysis of why Active Directory hygiene matters for NHI security →
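The three proofs in the practitioner guidance above (owner, mapped dependency, real usage) together with the recursive nested-group expansion, worked as an added example that is not part of the post or of Oasis Security's tooling. The directory data is a constructed in-memory sample standing in for an AD export; the cycle between two of the groups is deliberate, since nested AD groups can contain each other.

```python
from datetime import date
# Constructed sample: group -> direct members (accounts or nested groups).
# "App-Admins" and "Legacy-Ops" contain each other on purpose: nested AD
# groups can form cycles, so the expansion must remember visited groups.
GROUPS = {
    "Domain Admins": ["App-Admins"],
    "App-Admins": ["svc-payroll", "Legacy-Ops"],
    "Legacy-Ops": ["svc-reports", "App-Admins"],
    "Readers": ["svc-reports", "svc-entra-sync"],
}
# Constructed sample service accounts: owner attribute, mapped dependents and
# last real sign-in (reviewed instead of the enabled/disabled directory status).
ACCOUNTS = {
    "svc-payroll": {"managedBy": "payroll-team", "dependents": ["PayrollApp"], "lastLogon": date(2024, 5, 1)},
    "svc-reports": {"managedBy": None, "dependents": [], "lastLogon": date(2023, 1, 10)},
    "svc-entra-sync": {"managedBy": "iam-team", "dependents": ["Entra Connect"], "lastLogon": date(2024, 5, 30)},
}

def effective_members(group, groups=GROUPS, seen=None):
    """All accounts reachable from `group` through nested membership (cycle-safe)."""
    seen = set() if seen is None else seen
    if group in seen:                 # cycle, or already expanded via another path
        return set()
    seen.add(group)
    members = set()
    for m in groups.get(group, []):
        if m in groups:
            members |= effective_members(m, groups, seen)
        else:
            members.add(m)
    return members

def effective_groups(identity, groups=GROUPS):
    """Every group whose effective (not just direct) membership includes identity."""
    return sorted(g for g in groups if identity in effective_members(g, groups))

def hygiene_findings(attrs, today, max_idle_days=90):
    """The three proofs the guidance asks for; returns the ones that fail."""
    findings = []
    if not attrs["managedBy"]:
        findings.append("no owner")
    if not attrs["dependents"]:
        findings.append("no mapped dependency")
    if (today - attrs["lastLogon"]).days > max_idle_days:
        findings.append("no recent usage")
    return findings

def review(today=date(2024, 6, 1), accounts=ACCOUNTS, groups=GROUPS):
    """Per-account report: failed checks plus the real access the account inherits."""
    return {n: {"findings": hygiene_findings(a, today), "groups": effective_groups(n, groups)}
            for n, a in accounts.items()}
```

In the sample, svc-reports fails all three checks yet still inherits Domain Admins through the nested cycle, which is exactly the combination the guidance says should block attestation until an owner is confirmed.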

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

AD hygiene is now an NHI control surface, not a background admin task. The article is right to treat directory hygiene as part of NHI security because service accounts and sync relationships now carry production authority across hybrid estates. Once machine identities outnumber humans, directory drift becomes governance drift, and governance drift becomes access risk. Practitioners should stop separating AD clean-up from identity security architecture.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who should be accountable for stale service accounts and nested group access?

A: Accountability should sit with the business or technical owner of the application, not with the directory team alone. Directory administrators can enforce the control, but they cannot determine whether an account is still required. The right model ties ownership, review, and revocation to the service that consumes the identity.

👉 Read our full editorial: Active Directory hygiene is now core to NHI security governance
