Banks should add compensating controls around the existing directory, starting with MFA, session limits, and contextual access rules for high-risk accounts. The goal is to improve assurance and reduce credential abuse while preserving legacy application support and data sovereignty requirements. Identity migration is not the only route to better control.
Why This Matters for Security Teams
Banks do not need to replace Active Directory to improve identity assurance, but they do need to stop treating it like a static trust store. Legacy directory controls often assume users and service accounts behave predictably, yet credential theft, lateral movement, and over-privileged service accounts routinely break that assumption. The risk is not only login compromise. It is also session abuse, token replay, and misuse of long-lived directory privileges across critical banking workloads.
That is why compensating controls matter. MFA, privileged session boundaries, and contextual checks reduce the blast radius while preserving legacy application support and data sovereignty requirements. Guidance from the NIST Cybersecurity Framework 2.0 reinforces the need for stronger identity assurance and continuous risk handling rather than one-time authentication alone. NHIMG’s Ultimate Guide to NHIs notes that NHIs outnumber human identities by 25x to 50x in modern enterprises, which helps explain why directory abuse becomes systemic fast when service accounts and secrets are left unmanaged.
In practice, many security teams discover the weakness only after a domain admin path or service account abuse has already been used to move laterally across the environment.
How It Works in Practice
The practical approach is to harden the directory around its highest-risk paths instead of attempting a full identity migration. For banks, that usually means building layered controls around privileged users, service accounts, and administrative workflows that touch core systems, SWIFT-connected environments, or regulated data zones.
- Require phishing-resistant MFA for all privileged access, with stricter rules for domain admins and accounts that can reset passwords or modify group membership.
- Use contextual access decisions based on device health, location, time, and risk score, rather than allowing standing access from any trusted network.
- Apply privileged access management for just-in-time elevation and session recording so elevated rights are time-bound and reviewable.
- Shorten session lifetimes and re-authenticate before sensitive actions such as directory replication, GPO changes, and Tier 0 administration.
- Inventory service accounts, remove interactive login where possible, and rotate secrets on a defined schedule with vault-backed storage.
For the NHI side of this problem, NHIMG’s Top 10 NHI Issues highlights how often excessive privilege and weak rotation turn directory-linked accounts into high-value targets. That is consistent with the operational direction in NIST SP 800-207 Zero Trust Architecture, where access is continuously evaluated rather than granted once and assumed safe. In a banking environment, the most effective control plane is usually a mix of PAM, conditional access, tight session governance, and monitored break-glass procedures that still work when the directory itself is under pressure.
These controls tend to break down when old applications require shared service credentials or when vendor-managed systems cannot support modern authentication without breaking production workflows.
Common Variations and Edge Cases
Tighter directory controls often increase operational overhead, so banks have to balance stronger assurance against application fragility and regulatory constraints. That tradeoff is real: some legacy mainframe, batch, and middleware integrations cannot tolerate frequent reauthentication or modern MFA without redesign.
Current guidance suggests prioritising the highest-risk identities first. Domain admins, enterprise admins, backup operators, and service accounts with broad write access should be wrapped in the strongest controls, while lower-risk users can move through phased improvements. Where no direct MFA support exists, compensating controls such as network segmentation, privileged jump hosts, and strict command approvals become more important than forcing a brittle policy.
There is also no universal standard for every service account scenario yet. Banks often need separate treatment for human admin accounts, application accounts, and machine-to-machine identities. NHIMG’s 52 NHI Breaches Analysis shows why this distinction matters: attackers frequently target the least monitored account path, not the most obvious user login. The practical test is simple. If the control cannot reduce standing privilege, limit token lifetime, or improve accountability, it is probably not doing enough for AD security.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Directory-linked secrets and rotation are central to AD hardening. |
| CSA MAESTRO | M1 | Contextual, runtime access decisions fit MAESTRO's agent and workload governance model. |
| NIST AI RMF | GOVERN | Governance of high-risk identities aligns with AI RMF-style accountability and oversight. |
Inventory AD-linked secrets, rotate them on schedule, and remove standing credentials where possible.
Related resources from NHI Mgmt Group
- Why do Active Directory service accounts complicate zero trust programs?
- What breaks when identity teams try to clean up Active Directory without dependency mapping?
- Why do Active Directory controls matter so much for identity security?
- How should security teams govern identity across acquired Active Directory environments?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org