7 Identity Risks Your Security Audit Missed | Saporo Blog

7 Identity Risks Your Security Audit Missed

Why graph-based analysis finds what list-based audits overlook

Think back to your last identity audit. You probably had lists. Lists of privileged accounts. Lists of misconfigurations. Lists of findings to remediate. Yet according to the Identity Defined Security Alliance’s 2025 report, 91 percent of organizations experienced at least one identity-related incident in the past year. The audit passed. The breach happened anyway.

The problem is not effort. It is perspective. Traditional audits examine permissions in isolation. Attackers see relationships. They chain together seemingly low-risk access rights to reach your most critical assets. This post covers seven identity risks that most security audits overlook, and explains why graph-based analysis finds what list-based approaches miss.

“Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”

John Lambert, Microsoft Threat Intelligence Center

1. Indirect Attack Paths Through Nested Groups (Best Tip)

Most audits check direct group memberships. Who belongs to Domain Admins? Who has write access to critical OUs? But attackers do not need direct membership. They need a path. Research shows that 100 percent of environments have an attack path to Tier Zero, with over 70 percent of users having at least one path to complete enterprise control.

The risk comes from nested relationships. A user belongs to Group A. Group A belongs to Group B. Group B has write access to a GPO that applies to Domain Controllers. None of these individual relationships look alarming. Together, they create a privilege escalation path that audits miss because they examine each permission separately.

Consider a real scenario. A help desk technician belongs to a support group. That support group was added to a software deployment group years ago for a one-time project. The deployment group has GenericWrite on certain computer objects. One of those computer objects is a jump server that administrators use. The technician, through this chain, can compromise the jump server and capture admin credentials. No single audit finding would flag this. Graph analysis would.

What to do: Map group memberships recursively across your entire environment. Identify users who can reach privileged accounts through any chain of relationships, not just direct membership. Focus remediation on chokepoints where fixing one misconfiguration eliminates thousands of paths.
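The recursive mapping and chokepoint idea above, as an added example that is not part of the original post. The environment is a constructed toy graph (account, group and computer names are invented; edge kinds borrow the usual attack-graph vocabulary of MemberOf, GenericWrite and HasSession). A breadth-first search finds, for each user, one shortest chain into Tier Zero, and the chokepoint is the ACL edge that the most chains pass through; removing it and re-running the analysis shows how one fix can eliminate every path at once.

```python
from collections import deque, Counter

# Constructed sample environment (not real data). Each edge reads "source can reach or
# control target". Kinds: MemberOf (group nesting), GenericWrite (ACL control over an
# object), HasSession (an account is logged on to the computer).
EDGES = [
    ("alice", "Support Staff", "MemberOf"),
    ("bob", "Support Staff", "MemberOf"),
    ("eve", "Helpdesk L2", "MemberOf"),
    ("carol", "Finance Users", "MemberOf"),
    ("Support Staff", "Software Deployment", "MemberOf"),  # legacy nesting from an old project
    ("Helpdesk L2", "Software Deployment", "MemberOf"),
    ("Software Deployment", "JUMP01$", "GenericWrite"),    # control over the jump server object
    ("Finance Users", "FIN-SHARE$", "GenericWrite"),       # control over a non-sensitive server
    ("JUMP01$", "da_admin", "HasSession"),                 # an admin is logged on to the jump server
    ("da_admin", "Domain Admins", "MemberOf"),
]
USERS = ["alice", "bob", "carol", "eve"]
TIER_ZERO = {"Domain Admins", "DC01$"}
# Rights an audit can actually remove. Membership of real admins and live sessions are
# left out of chokepoint counting: they are design decisions or transient state, not ACL defects.
ACL_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "AddMember"}


def build_graph(edges):
    """Adjacency list: node -> list of (target, kind)."""
    graph = {}
    for src, dst, kind in edges:
        graph.setdefault(src, []).append((dst, kind))
        graph.setdefault(dst, [])
    return graph


def shortest_path_to_tier_zero(graph, start, tier_zero):
    """BFS across every edge kind; returns the path as [(src, dst, kind), ...] or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in tier_zero:
            path = []
            while parent[node] is not None:
                prev, kind = parent[node]
                path.append((prev, node, kind))
                node = prev
            return path[::-1]
        for nxt, kind in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, kind)
                queue.append(nxt)
    return None


def users_with_paths(edges, users, tier_zero):
    """Map each user that can reach Tier Zero to one shortest path there."""
    graph = build_graph(edges)
    found = {}
    for user in users:
        path = shortest_path_to_tier_zero(graph, user, tier_zero)
        if path:
            found[user] = path
    return found


def chokepoints(paths, remediable_kinds=ACL_RIGHTS):
    """Count how many user paths traverse each remediable edge, highest count first."""
    counts = Counter(edge for path in paths.values() for edge in path
                     if edge[2] in remediable_kinds)
    return counts.most_common()


def paths_after_fix(edges, removed_edge, users, tier_zero):
    """Re-run the analysis with one edge removed to measure what the remediation buys."""
    remaining = [e for e in edges if e != removed_edge]
    return users_with_paths(remaining, users, tier_zero)


if __name__ == "__main__":
    paths = users_with_paths(EDGES, USERS, TIER_ZERO)
    for user, path in paths.items():
        print(user, "->", " -> ".join(f"{dst} [{kind}]" for _, dst, kind in path))
    top_edge, hits = chokepoints(paths)[0]
    print("chokepoint:", top_edge, "on", hits, "of", len(paths), "paths")
    print("paths left after removing it:", len(paths_after_fix(EDGES, top_edge, USERS, TIER_ZERO)))
```

Three of the four users reach Domain Admins, and none of them through a direct membership; every chain crosses the single GenericWrite ACE on the jump server, which is why it ranks as the chokepoint and why removing it leaves zero paths.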

2. Service Account Privilege Accumulation

Service accounts run critical applications, but years of configuration changes leave them with permissions far beyond what they need. According to joint guidance from CISA, NSA, and Five Eyes partners, organizations should implement strict controls on service accounts as they are prime targets for attackers seeking to escalate privileges and move laterally through environments.

The challenge is visibility. Service accounts cannot use MFA. Their passwords rarely rotate, and when rotation is scheduled, teams often skip it to avoid breaking production systems. According to Canadian Centre for Cyber Security guidance, organizations should ensure all service accounts are provided access based on the principle of least privilege, use managed service accounts where possible, and prevent service accounts from being used for interactive logons.

These accounts become attractive targets. An attacker who compromises a service account often gains persistent access that survives password resets for regular users. The account runs unattended, so unusual activity goes unnoticed. And because service accounts frequently have elevated permissions for their applications, compromising one can provide lateral movement opportunities across the environment.

| Service account risk | Why audits miss it | Attack technique enabled |
| --- | --- | --- |
| Kerberoastable SPNs | SPN presence checked, password strength not assessed | Offline credential cracking |
| Unconstrained delegation | Delegation setting exists, trust context not mapped | TGT theft and impersonation |
| Stale accounts with broad permissions | No usage monitoring in standard audits | Credential reuse attacks |
| Hard-coded credentials in scripts | Code repositories outside audit scope | Credential exposure |

What to do: Discover all service accounts, including those created outside standard processes. Identify which accounts have SPNs that make them vulnerable to Kerberoasting. Map delegation rights to understand where compromised accounts can impersonate users.

3. ADCS Certificate Template Misconfigurations

Active Directory Certificate Services (ADCS) misconfigurations can give any authenticated user a path to Domain Admin. Mandiant highlighted that ADCS has become a prime target for attackers because misconfigurations are common and exploitation grants persistent access.

The most dangerous issues involve certificate templates that allow subject name specification combined with authentication EKUs. An attacker with enrollment rights can request a certificate for any user, including Domain Admins. BeyondTrust research notes these misconfigurations are easy to make due to the complex nature of ADCS, and they regularly find at least one ADCS issue in customer engagements.

ADCS attacks are particularly dangerous because certificates provide long-lived credentials. Even if you reset a compromised account’s password, an attacker with a valid certificate can continue authenticating. Security researchers have catalogued 16 distinct attack patterns, from ESC1 through ESC16, each exploiting different template or configuration weaknesses.

What to do: Audit certificate templates for ESC1 through ESC13 vulnerability patterns. Check which users have enrollment rights on templates that permit flexible subject names. Disable the “Enrollee Supplies Subject” flag where possible and require manager approval for sensitive templates.
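The template audit described above, as an added example that is not from the original post. The flag constants and EKU OIDs are the real schema values (msPKI-Certificate-Name-Flag bit 0x1 is CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, msPKI-Enrollment-Flag bit 0x2 is CT_FLAG_PEND_ALL_REQUESTS, the manager-approval setting); the template records themselves are constructed. The check covers only the ESC1 combination the text describes (enrollee-supplied subject, an authentication EKU, no manager approval, and enrollment rights for low-privileged principals), and shows that each setting on its own is unremarkable while the combination is the finding.

```python
# Template attribute bits and EKU OIDs as defined in the AD schema and Microsoft's PKI docs.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: manager approval

AUTHENTICATION_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Enrollment rights granted to these principals amount to "any authenticated user".
LOW_PRIV_PRINCIPALS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}


def template(name, enabled=True, name_flag=0, enrollment_flag=0, ekus=(), enroll=()):
    """Constructed template record; keys stand for the LDAP attributes named above."""
    return {"name": name, "enabled": enabled, "name_flag": name_flag,
            "enrollment_flag": enrollment_flag, "ekus": set(ekus), "enroll": set(enroll)}


# Constructed sample templates (not exported from a real CA).
TEMPLATES = [
    template("WebServer", name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
             ekus={"1.3.6.1.5.5.7.3.1"}, enroll={"Domain Admins"}),          # Server Auth only
    template("LegacyVPN", name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
             ekus={"1.3.6.1.5.5.7.3.2"}, enroll={"Domain Users"}),           # all four conditions
    template("ApprovedUser", name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
             enrollment_flag=CT_FLAG_PEND_ALL_REQUESTS,
             ekus={"1.3.6.1.5.5.7.3.2"}, enroll={"Domain Users"}),           # approval blocks it
    template("User", ekus={"1.3.6.1.5.5.7.3.2"}, enroll={"Domain Users"}),  # subject built from AD
    template("OldAdminCert", enabled=False, name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
             ekus={"2.5.29.37.0"}, enroll={"Authenticated Users"}),          # not published
]


def allows_any_subject(t):
    return bool(t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)


def allows_authentication(t):
    # A template with no EKU at all is usable for any purpose, so it counts as well.
    return not t["ekus"] or bool(t["ekus"] & AUTHENTICATION_EKUS)


def requires_manager_approval(t):
    return bool(t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS)


def low_priv_can_enroll(t):
    return bool(t["enroll"] & LOW_PRIV_PRINCIPALS)


def audit_templates(templates):
    """Return {name: reasons} for enabled templates on which every ESC1 condition holds together."""
    findings = {}
    for t in templates:
        if not t["enabled"]:
            continue
        reasons = []
        if allows_any_subject(t):
            reasons.append("enrollee supplies subject")
        if allows_authentication(t):
            reasons.append("authentication EKU")
        if not requires_manager_approval(t):
            reasons.append("no manager approval")
        if low_priv_can_enroll(t):
            reasons.append("low-privileged enrollment rights")
        if len(reasons) == 4:   # each setting alone is common; the combination is the finding
            findings[t["name"]] = reasons
    return findings


def remediate(t):
    """Apply the two fixes recommended above: clear the subject flag and require approval."""
    fixed = dict(t)
    fixed["name_flag"] = t["name_flag"] & ~CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    fixed["enrollment_flag"] = t["enrollment_flag"] | CT_FLAG_PEND_ALL_REQUESTS
    return fixed


if __name__ == "__main__":
    for name, reasons in audit_templates(TEMPLATES).items():
        print(name, "->", "; ".join(reasons))
```

Only LegacyVPN is reported: WebServer lets the enrollee pick the subject but has no authentication EKU, ApprovedUser is held by manager approval, and User builds its subject from the directory. A real audit also has to pull the CA-level settings and the remaining ESC patterns; this block is the template-side check only.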

4. Kerberos Delegation Abuse Paths

Kerberos delegation allows services to impersonate users when accessing other services. It is necessary for many applications. It is also dangerous when misconfigured. Horizon3.ai research shows that attackers can execute reconnaissance and credential access steps within minutes, before traditional detection kicks in.

Unconstrained delegation is the most severe risk. Any service with this setting can capture Kerberos tickets from connecting users and reuse them to access any resource in the domain. Constrained delegation limits target services but still enables impersonation if the configured services include sensitive systems.

Resource-Based Constrained Delegation (RBCD) introduced a new attack surface. Attackers who can modify the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on a computer object can configure delegation to that system. Microsoft’s 2025 security guidance emphasizes implementing tiered administration and least privilege to limit delegation rights and administrative access.

What to do: Enumerate all delegation configurations. Identify unconstrained delegation outside Domain Controllers. Review constrained delegation targets for sensitive services. Consider RBCD for new implementations, but monitor for RBCD abuse paths as well.
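The service account discovery in section 2 and the delegation enumeration above both come down to reading a handful of directory attributes, so here is one added example serving both sections (it is not code from the original post). The userAccountControl bit values and attribute names (servicePrincipalName, msDS-AllowedToDelegateTo, msDS-AllowedToActOnBehalfOfOtherIdentity) are the real schema ones; the account records, the reference date and the list of sensitive hosts are constructed. It flags Kerberoastable user accounts with SPNs, stale passwords and inactive accounts, unconstrained delegation outside domain controllers, constrained delegation targeting sensitive hosts (with protocol transition noted separately), and computers that carry an RBCD configuration.

```python
from datetime import date

# userAccountControl bits (values as defined in the AD schema).
UF_SERVER_TRUST_ACCOUNT = 0x2000                # domain controller computer account
UF_TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained delegation
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition

TODAY = date(2025, 6, 1)                        # constructed reference date for age checks
SENSITIVE_HOSTS = {"DC01", "ADCS01", "JUMP01"}  # constructed list of Tier Zero hosts
PASSWORD_AGE_LIMIT_DAYS = 365
INACTIVITY_LIMIT_DAYS = 180


def account(sam, obj_class, **attrs):
    """Build a constructed directory record; keys mirror the LDAP attributes they stand for."""
    rec = {"sam": sam, "class": obj_class, "servicePrincipalName": [], "userAccountControl": 0,
           "pwdLastSet": TODAY, "lastLogon": TODAY,
           "msDS-AllowedToDelegateTo": [], "msDS-AllowedToActOnBehalfOfOtherIdentity": []}
    rec.update(attrs)
    return rec


# Constructed sample accounts (not a real export).
ACCOUNTS = [
    account("svc_sql", "user", servicePrincipalName=["MSSQLSvc/sql01.corp.local:1433"],
            pwdLastSet=date(2019, 3, 2)),                       # SPN plus a six-year-old password
    account("gmsa_web$", "msDS-GroupManagedServiceAccount",
            servicePrincipalName=["HTTP/web01.corp.local"], pwdLastSet=date(2025, 5, 20)),
    account("svc_backup", "user", pwdLastSet=date(2018, 1, 1), lastLogon=date(2023, 1, 1)),
    account("APP01$", "computer", servicePrincipalName=["HOST/app01.corp.local"],
            userAccountControl=UF_TRUSTED_FOR_DELEGATION),      # unconstrained, not a DC
    account("DC01$", "computer", servicePrincipalName=["HOST/dc01.corp.local"],
            userAccountControl=UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION),
    account("svc_proxy", "user", servicePrincipalName=["HTTP/proxy01.corp.local"],
            userAccountControl=UF_TRUSTED_TO_AUTH_FOR_DELEGATION, pwdLastSet=date(2025, 4, 1),
            **{"msDS-AllowedToDelegateTo": ["cifs/DC01.corp.local"]}),
    account("JUMP01$", "computer", **{"msDS-AllowedToActOnBehalfOfOtherIdentity": ["APP01$"]}),
]


def spn_host(spn):
    """'cifs/DC01.corp.local:445' -> 'DC01', so targets can be matched against SENSITIVE_HOSTS."""
    return spn.split("/", 1)[1].split(":")[0].split(".")[0].upper()


def audit_account(rec, today=TODAY):
    """Return the set of finding codes for one account; an empty set means nothing to report."""
    findings = set()
    uac = rec["userAccountControl"]
    is_dc = bool(uac & UF_SERVER_TRUST_ACCOUNT)
    # Kerberoasting needs a user-class account with an SPN; gMSAs are excluded because
    # their long machine-generated passwords rotate automatically.
    if rec["class"] == "user" and rec["servicePrincipalName"]:
        findings.add("KERBEROASTABLE")
    if rec["class"] == "user" and (today - rec["pwdLastSet"]).days > PASSWORD_AGE_LIMIT_DAYS:
        findings.add("STALE_PASSWORD")
    if (today - rec["lastLogon"]).days > INACTIVITY_LIMIT_DAYS:
        findings.add("STALE_ACCOUNT")
    # Unconstrained delegation is expected on domain controllers and a finding anywhere else.
    if uac & UF_TRUSTED_FOR_DELEGATION and not is_dc:
        findings.add("UNCONSTRAINED_DELEGATION")
    if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.add("PROTOCOL_TRANSITION")
    if {spn_host(s) for s in rec["msDS-AllowedToDelegateTo"]} & SENSITIVE_HOSTS:
        findings.add("CONSTRAINED_TO_SENSITIVE")
    # Any principal listed here can impersonate users to this computer (RBCD).
    if rec["msDS-AllowedToActOnBehalfOfOtherIdentity"]:
        findings.add("RBCD_CONFIGURED")
    return findings


def audit(records, today=TODAY):
    """Map each account with at least one finding to its sorted finding codes."""
    report = {}
    for rec in records:
        codes = audit_account(rec, today)
        if codes:
            report[rec["sam"]] = sorted(codes)
    return report


if __name__ == "__main__":
    for sam, codes in audit(ACCOUNTS).items():
        print(f"{sam:12} {', '.join(codes)}")
```

Against a live directory the same function runs over LDAP results instead of the constructed list; the thresholds and the sensitive-host set are the parts to tune per environment. Note that DC01$ is silent despite having the unconstrained-delegation bit, because that is the expected state on a domain controller, while the identical bit on APP01$ is reported.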

5. Shadow Admin Accounts

Shadow admins are accounts that have administrative capabilities without direct membership in privileged groups. They gain power through ACL-based permissions like GenericAll, WriteDACL, or ownership of privileged objects. AD Security research documents how attackers chain these permissions to reach Domain Admin without ever being in the Domain Admins group.

Traditional audits check group membership. They often ignore object-level ACLs because the volume is overwhelming. A single Active Directory environment can have millions of access control entries. Without graph analysis, identifying which combinations create privilege escalation paths is nearly impossible.

The danger of shadow admins is stealth. Security teams focus on protecting known admin accounts. Shadow admins fly under the radar because they do not appear in the obvious privileged groups. An attacker who identifies a shadow admin path gains administrative access while evading the monitoring typically applied to Domain Admins and similar groups.

What to do: Map ACL-based permissions across all AD objects. Identify accounts with write access to privileged objects or the ability to modify group memberships. Pay special attention to permissions inherited through containers and organizational units.
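The inherited-permission point above, as an added example that is not from the original post. The directory tree, its ACEs and the trustee names are constructed; the inheritance semantics follow the DACL rules (an inheritable ACE flows down the container chain, an inherit-only ACE applies to children but not to the object it sits on, an inherited-object-type restricts which classes receive it, and a protected DACL blocks inheritance from above; NO_PROPAGATE is left out as a simplification). Effective ACEs are resolved per Tier Zero object, and any trustee outside the known admin groups that ends up with a control right is reported as a shadow admin together with the container the right was inherited from.

```python
CONTROL_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner", "Owns", "AddMember"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
TIER_ZERO = {"CN=DC01$", "CN=DC02$", "CN=Domain Admins", "OU=Tier0"}


def ace(trustee, right, inherit=False, inherit_only=False, applies_to=None):
    """One access control entry; applies_to limits inheritance to a given object class."""
    return {"trustee": trustee, "right": right, "inherit": inherit,
            "inherit_only": inherit_only, "applies_to": applies_to}


# Constructed directory tree (not a real export): name -> class, parent container, DACL.
DIRECTORY = {
    "DC=corp": {"class": "domainDNS", "parent": None, "protected": False,
                "aces": [ace("Domain Admins", "GenericAll", inherit=True)]},
    "OU=Servers": {"class": "organizationalUnit", "parent": "DC=corp", "protected": False,
                   # granted years ago for a monitoring agent; inherits into every computer below
                   "aces": [ace("svc_monitoring", "GenericAll", inherit=True, applies_to="computer")]},
    "OU=Tier0": {"class": "organizationalUnit", "parent": "OU=Servers", "protected": False,
                 # inherit-only: invisible on the OU itself, effective on its children
                 "aces": [ace("backup_ops", "WriteOwner", inherit=True, inherit_only=True)]},
    "CN=DC01$": {"class": "computer", "parent": "OU=Tier0", "protected": False, "aces": []},
    "CN=DC02$": {"class": "computer", "parent": "OU=Tier0", "protected": True,   # inheritance blocked
                 "aces": [ace("Domain Admins", "GenericAll")]},
    "CN=Users": {"class": "container", "parent": "DC=corp", "protected": False, "aces": []},
    "CN=Domain Admins": {"class": "group", "parent": "CN=Users", "protected": False,
                         "aces": [ace("helpdesk_lead", "WriteDacl")]},      # explicit, not inherited
}


def effective_aces(directory, name):
    """Explicit ACEs plus those inherited down the container chain, as (ace, source_object)."""
    obj = directory[name]
    result = [(a, name) for a in obj["aces"] if not a["inherit_only"]]
    if obj["protected"]:            # SE_DACL_PROTECTED: nothing flows in from parents
        return result
    parent = obj["parent"]
    while parent is not None:
        for a in directory[parent]["aces"]:
            if a["inherit"] and a["applies_to"] in (None, obj["class"]):
                result.append((a, parent))
        if directory[parent]["protected"]:   # a protected ancestor cuts the chain above it
            break
        parent = directory[parent]["parent"]
    return result


def shadow_admins(directory, tier_zero=TIER_ZERO, privileged=PRIVILEGED_GROUPS):
    """Trustees outside the known admin groups that hold control rights over Tier Zero objects."""
    found = {}
    for name in sorted(tier_zero):
        for a, source in effective_aces(directory, name):
            if a["right"] in CONTROL_RIGHTS and a["trustee"] not in privileged:
                found.setdefault(a["trustee"], []).append((name, a["right"], source))
    return found


if __name__ == "__main__":
    for trustee, grants in shadow_admins(DIRECTORY).items():
        for obj, right, source in grants:
            print(f"{trustee}: {right} on {obj} (from {source})")
```

None of the three trustees reported is in a privileged group, and two of the grants never appear on the Tier Zero objects themselves: they come from ACEs two levels up the OU tree, which is exactly the view a membership-only audit lacks. DC02$ shows the other side, where a protected DACL stops the same inherited rights from landing.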

6. Cross-Domain Trust Exploitation

Multi-domain and multi-forest environments multiply attack paths. Research from GBHackers shows that attackers exploit site-based ACLs and trust relationships to move between domains without triggering traditional security alerts. Even organizations with segmentation controls may remain vulnerable.

Forest trusts, external trusts, and parent-child relationships each introduce different risks. SID History attacks can bypass SID filtering under certain conditions. Trust misconfigurations can allow attackers to escalate from a compromised child domain to compromise the entire forest. The TrustedSec Golden gMSA research demonstrated new techniques for exploiting trust relationships through Group Managed Service Accounts.

Organizations often acquire companies or merge divisions without fully integrating identity infrastructure. These environments end up with trust relationships that made sense during the transition but create permanent attack paths. Audits rarely examine cross-domain paths with the same rigor applied to single-domain permissions.

What to do: Document all trust relationships and their configurations. Verify SID filtering is enabled on external trusts. Assess whether any accounts in trusted domains have excessive permissions in your environment. Map attack paths that cross trust boundaries.

7. Hybrid Identity Gaps Between AD and Entra ID

Most organizations now operate hybrid environments with on-premises Active Directory synchronized to Microsoft Entra ID (formerly Azure AD). This creates new attack surfaces. According to SpyCloud’s 2025 Identity Threat Report, 85 percent of organizations were affected by ransomware in the past year, and hybrid environments often have inconsistent security controls between on-prem and cloud.

The risks include password hash synchronization exposures, Azure AD Connect server compromise, and Conditional Access policy gaps. An attacker who compromises an on-prem account may find that the same credentials work in cloud applications. Separate audit processes for AD and Entra ID often miss these connection points.

Azure AD Connect servers deserve special attention. These systems have the permissions to read password hashes from AD and write them to the cloud. Microsoft security guidance recommends treating these servers as Tier 0 assets, yet many organizations leave them with standard server protections.

What to do: Map identity synchronization flows. Identify which on-prem accounts sync to cloud and what permissions they have in both environments. Harden Azure AD Connect servers as Tier 0 assets. Ensure Conditional Access policies apply consistently across access methods.

The Audit Gap Summarized

The common thread across all seven risks is that they involve relationships, not just configurations. Traditional audits check settings in isolation. Attackers find paths that connect those settings.

| Risk category | What audits check | What attackers exploit |
| --- | --- | --- |
| Nested groups | Direct membership | Transitive paths to privilege |
| Service accounts | Account existence | Accumulated permissions over time |
| ADCS templates | Template settings individually | Combinations enabling impersonation |
| Kerberos delegation | Delegation enabled flag | Impersonation scope and targets |
| Shadow admins | Privileged group membership | ACL-based control chains |
| Trust relationships | Trust existence | Cross-boundary privilege paths |
| Hybrid identity | AD and cloud separately | Connection points between environments |

Closing the Gap

The statistics are clear. Cisco Talos reports that identity-based attacks accounted for 60 percent of all incident response cases in 2024. The SpyCloud 2025 Identity Threat Report found that 85 percent of organizations were affected by ransomware attacks. Traditional audits are not stopping these attacks.

Graph-based analysis changes the equation. Instead of examining each permission in isolation, it maps all identity relationships and traces how attackers can chain access together. This approach surfaces the indirect paths, the nested groups, and the toxic permission combinations that list-based audits miss.

Which of these seven risks exists in your environment? The only way to know is to look at identity the way attackers do.

Frequently Asked Questions

Why do traditional security audits miss identity attack paths?

Traditional audits check permissions in isolation rather than mapping how they chain together. An account with limited direct privileges might reach Domain Admin through nested group memberships, delegation rights, or certificate template access. Graph-based analysis reveals these indirect paths that list-based audits cannot see.

What is the difference between list-based and graph-based security analysis?

List-based analysis examines individual permissions and configurations one at a time. Graph-based analysis maps all identity relationships and traces how access can chain together across the environment. Attackers think in graphs, finding paths that connect separate vulnerabilities into complete attack chains.

How many attack paths exist in a typical enterprise environment?

Large enterprises routinely have millions or even billions of identity attack paths. Most organizations are unaware of this scale because traditional auditing tools cannot map indirect relationships. Graph-based platforms can discover and prioritize these paths automatically, focusing remediation on the chokepoints that matter most.

What is a chokepoint in identity security?

A chokepoint is a single misconfiguration or permission that enables multiple attack paths. Fixing one chokepoint can eliminate thousands or millions of paths at once. Identifying chokepoints allows security teams to prioritize remediations for maximum impact rather than fixing issues one at a time.

How often should organizations assess their identity attack surface?

Continuous monitoring is ideal because Active Directory environments change constantly. New accounts, group memberships, and delegations can create attack paths within minutes. Point-in-time audits miss vulnerabilities that emerge between assessments, leaving gaps attackers can exploit.

What percentage of breaches involve identity-based attacks?

According to industry research, over 90 percent of organizations experienced identity-related incidents in 2024, and 57 percent of cyberattacks begin with compromised identities. Identity has become the primary attack vector for threat actors because credentials provide the access needed to move laterally toward high-value targets.