Compromised credentials are involved in over 80% of breaches. Identity and Access Management is the most impactful security control most organisations underinvest in.
The Least Privilege Problem
The least-privilege principle — every user and system should have only the access required for their specific role — is widely understood and almost universally under-implemented. Auditing access in an Active Directory environment that has operated for five or more years typically reveals: service accounts with domain admin rights because it was easier at setup, user accounts with local administrator rights on workstations that have never been reviewed, and group memberships that were added for a specific project and never removed. The gap between the principle and the implementation is where attackers live.
Privileged Identity Management
Admin accounts should not be used for day-to-day work. Privileged Identity Management (PIM) — available natively in Azure AD / Entra ID and in tools like CyberArk and BeyondTrust — provides just-in-time privileged access. When a sysadmin needs domain admin rights to perform a specific task, they request them, receive them for a defined window (typically 1-4 hours), and the rights automatically expire. All privileged access is logged. This eliminates the standing-privilege attack surface that makes compromised admin accounts so dangerous.
Service Account Management
Service accounts — accounts used by applications and automated processes — are among the most vulnerable objects in an Active Directory environment because they are frequently over-privileged, rarely rotated, and often shared across multiple services. Group Managed Service Accounts (gMSAs) in Active Directory eliminate the password rotation problem for Windows services. For non-Windows services, a secrets manager (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) provides automated credential rotation without storing passwords in configuration files.
Regular Access Reviews
Access creep — the accumulation of unnecessary access over time — is the natural state of any identity system without active governance. Quarterly access reviews for privileged accounts and annual reviews for standard users are the minimum for most compliance frameworks. Azure AD Access Reviews automates this process for M365 and Azure resources. For on-premises Active Directory, a scripted export of group memberships reviewed by department managers quarterly is achievable without tooling investment. Make managers accountable for the access under their reports — not IT.
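The scripted on-premises export described above, as an added example that is not part of the original article: it pulls the recursive membership of the built-in privileged groups, flags the patterns the earlier sections call out (service accounts holding admin rights, stale logons, old passwords), and writes a CSV with each member's manager so rows can be routed to the accountable reviewer. The group list and the 90-day staleness threshold are assumptions, and the RSAT ActiveDirectory module is required.

```powershell
# Added example (not from the original article): export privileged AD group
# memberships to CSV for a quarterly manager review. Assumes the RSAT
# ActiveDirectory module and a domain-joined account with read access.
# The group list and the 90-day staleness threshold are assumptions.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')
$StaleDays = 90
$Cutoff    = (Get-Date).AddDays(-$StaleDays)
$Report    = @()

foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirect members are not missed
    $Members = Get-ADGroupMember -Identity $Group -Recursive |
               Where-Object { $_.objectClass -eq 'user' }

    foreach ($Member in $Members) {
        $User = Get-ADUser -Identity $Member.distinguishedName -Properties `
                    Enabled, LastLogonDate, PasswordLastSet, Manager, ServicePrincipalName

        # An SPN on a privileged account usually marks a service account
        # that was granted admin rights at setup and never reviewed.
        $IsServiceAccount = ($User.ServicePrincipalName.Count -gt 0)
        $Flags = @()
        if (-not $User.Enabled)                { $Flags += 'DISABLED' }
        if ($IsServiceAccount)                 { $Flags += 'SERVICE-ACCOUNT' }
        # A $null LastLogonDate (never logged on) also compares as older than the cutoff
        if ($User.LastLogonDate -lt $Cutoff)   { $Flags += "NO-LOGON-${StaleDays}D" }
        if ($User.PasswordLastSet -lt $Cutoff) { $Flags += "PWD-OLDER-${StaleDays}D" }

        $Report += [pscustomobject]@{
            Group           = $Group
            SamAccountName  = $User.SamAccountName
            Enabled         = $User.Enabled
            LastLogonDate   = $User.LastLogonDate
            PasswordLastSet = $User.PasswordLastSet
            Manager         = $User.Manager   # DN of the reviewer accountable for this access
            Flags           = ($Flags -join ';')
        }
    }
}

# One CSV per review cycle; the Manager column is what routes rows to reviewers.
$OutFile = "PrivilegedAccess-$(Get-Date -Format yyyy-MM).csv"
$Report | Sort-Object Group, SamAccountName | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "Exported $($Report.Count) privileged memberships to $OutFile"
```

Rows carrying a SERVICE-ACCOUNT or NO-LOGON flag are the first candidates for removal or migration to a gMSA; a row with an empty Manager column has no accountable owner and should be escalated rather than silently approved.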
- Access audits in organisations without active IAM governance consistently reveal over-privileged service accounts and stale group memberships
- Privileged Identity Management (PIM/PAM) eliminates standing admin privileges — just-in-time access is the correct model
- Group Managed Service Accounts (gMSAs) and secrets managers eliminate the service account password problem
- Quarterly privileged access reviews and annual standard user reviews are the minimum baseline for most compliance frameworks