Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk Why do organisations keep Active Directory even after…
Governance, Ownership & Risk

Why do organisations keep Active Directory even after moving heavily to the cloud?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 8, 2026 Domain: Governance, Ownership & Risk

Organisations keep Active Directory because many applications, control requirements, and cost structures still depend on it. Cloud adoption rarely removes those dependencies at the same speed that new services are introduced. For many enterprises, AD remains a necessary part of access governance, especially where local control and regulatory constraints matter.

Why This Matters for Security Teams

active directory persists because it is still the control plane for legacy applications, domain-joined endpoints, on-premise integrations, and many identity-dependent workflows that were not rebuilt for the cloud. The operational risk is not just technical debt. It is the hidden coupling between old trust assumptions and new cloud services, which can leave security teams with overlapping policies, duplicate identities, and inconsistent enforcement. That is why identity governance often becomes harder, not easier, during migration. The NIST Cybersecurity Framework 2.0 still fits here because it treats identity as a core risk function, regardless of where the workload runs. NHIMG research also shows how quickly identity sprawl becomes exploitable in real environments, including the Cisco Active Directory credentials breach, where credential exposure became a broader access problem.

For security teams, the real question is not whether AD is obsolete, but whether it remains the most reliable place to enforce authentication, authorization, and lifecycle controls while cloud identity matures. In practice, many security teams encounter the weaknesses of hybrid identity only after an investigation shows how a single directory foothold can bridge old and new environments.

How It Works in Practice

Most organisations keep AD because it still does several jobs at once: authenticating users and systems, supporting Group Policy, issuing Kerberos tickets, serving as the source of truth for many privilege assignments, and synchronizing identities into Entra ID or other cloud directories. In a hybrid model, AD is often the authoritative record for employee lifecycle events, while cloud identity handles SaaS, remote access, and modern conditional access. That split can work, but only if the ownership boundaries are explicit.

Current guidance suggests treating AD as one control plane in a broader identity architecture, not as a legacy island to be ignored. Security teams usually need to:

  • Define which applications still depend on AD and which can move to cloud-native identity.
  • Reduce standing privilege in domain admin groups and replace broad access with tiered administration.
  • Synchronize identities carefully so that disabled accounts, role changes, and privileged access removals propagate quickly.
  • Monitor authentication pathways across AD, federation services, and cloud access logs as one chain of trust.

That approach matters because hybrid compromise often starts with one weak credential set and then expands through trust relationships. NHIMG case analysis on the Snowflake breach shows how credential handling and identity boundaries can become the real attack surface, while the 230M AWS environment compromise illustrates the scale of damage when access governance lags behind infrastructure change. The practical rule is simple: keep AD only where it still enforces a necessary control, and make every retained dependency visible, owned, and time-bound. These controls tend to break down when AD is left in place without a decommission roadmap, because shadow dependencies keep reappearing through old applications and sync jobs.

Common Variations and Edge Cases

Tighter identity consolidation often increases migration cost and operational risk, so organisations must balance simplification against service disruption and compliance constraints. There is no universal standard for replacing AD outright, and best practice is evolving by workload type and regulatory environment.

Some organisations keep AD for a long time because they run domain-joined desktops, OT-adjacent systems, file services, or packaged software that cannot yet authenticate cleanly with cloud identity. Others retain it because regional data residency or internal audit requirements demand local control over authentication data and privileged group management. In those cases, the goal is not immediate removal but controlled reduction.

The edge case is when AD survives only as a dependency nobody owns. That is where risk grows fastest, especially when synced identities, service accounts, and stale group memberships remain active long after the migration project ends. NHIMG research on the Azure Key Vault privilege escalation exposure is a reminder that migration-era assumptions can create new privilege paths even when the original system looks stable. The cleanest approach is to keep AD only for named business dependencies, review those dependencies on a schedule, and retire the directory as soon as the last critical workload can be governed elsewhere.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Hybrid AD governance depends on managing access permissions consistently.
OWASP Non-Human Identity Top 10NHI-01AD-backed service accounts are non-human identities that often outlive their purpose.
NIST AI RMFIdentity governance must account for autonomous systems that may inherit AD trust.

Assign ownership and monitoring for any AI or automated workload that uses AD-bound access.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org