Secure in spite of legacy: The IAM leader’s guide to controlling identity risk 

Every enterprise carries baggage. In identity, that baggage often lies at the heart of operations: Active Directory, service accounts, outdated and insecure authentication protocols (worried about NTLM, anyone?), and on-prem applications that are critical to business continuity. These systems have been around for decades and are deeply woven into IT ecosystems. They aren’t going away anytime soon, even with cloud transformation initiatives. 

Compromised credentials, lateral movement, and ransomware campaigns often begin with AD or unmanaged service accounts because they’re the path of least resistance. In fact, recent research reveals that 94.3% of organizations don’t have full visibility into their service accounts, let alone understand their activity. Attackers know these systems weren’t built for modern threats, just as IAM and security teams know they also weren’t built for modern controls.  

I’ve been there, and it’s easy to feel trapped under the weight of all that residual identity risk when the only options for tackling it are two ultimately unsatisfying choices: managing it by onboarding it into traditional IAM tooling or migrating away from it. Both approaches are slow and expensive to implement—and your risk remains unchanged until the job is done. 

In my time as Head of IAM for a major retailer, I found there is a third way. The key question for most enterprises is “How can I be sufficiently secure in spite of my legacy?” The nature of today’s threats means every account is a risk and requires protection, so we cannot leave our legacy behind or wait for transformation to happen system-by-system.  

Traditional option 1: Manage your identity risk 

The first option most organizations consider is to “manage” their identity risk, typically by layering on compensating controls such as Privileged Access Management (PAM). In theory, this allows tighter oversight of high-risk accounts. 

In practice, and as most people who have ever been part of a PAM onboarding project will know, the approach is full of obstacles: 

  • Onboarding is slow and difficult, with progress won account by account. 
  • The “Fear of Breaking Things” wins: not knowing what identities are meant to do brings risk, which is especially bad for systems that are no longer actively developed. 
  • It’s fragile: infrastructure migrations and system changes render hard-won controls obsolete. 
  • To have integrity, the control needs further changes around it so that it can’t be circumvented (e.g., enforcing checkout of PAM-managed credentials rather than direct use of the underlying password). 

And most importantly, the risk remains unchanged until the project is complete.  

For many enterprises, that means years of unmanaged exposure while your team is caught up doing complex, technical, incremental work that barely moves the needle on your actual risk levels. This leads to very difficult executive conversations: “When will the work be done?” “What’s our residual risk?” 

Selectively managing risk for privileged accounts, with the mindset that this alone could keep your entire identity landscape secure, is a hope rather than a scalable strategy. This approach just delays the inevitable until you can no longer ignore it. 

While tier 0 (domain controllers, PKI, hypervisors: your keys to the kingdom) must be protected, you can’t stop there. The systems running the business must be equally well protected to prevent business interruptions, downtime and reputational damage with your customers. 


Traditional option 2: Migrate away from your risk 

The second option I see a lot of enterprises considering is to “migrate” or modernize.  This often means replacing static credentials with dynamic ones, adopting passwordless, or moving workloads into cloud environments with built-in identity protection. These are all good things in principle, but the challenges are familiar: 

  • System changes are required, which risks breaking fragile legacy apps.  
  • Migration is slow and piecemeal, moving app by app. 
  • Costs spiral quickly, both in time and resources. 

And once again, the risk remains unchanged until the work is done, which could take years. 

Don’t get me wrong: modernization is essential for long-term IT strategy. Done properly and done completely, it will give you the chance to finally win the account compromise/identity security battle.  

But it’s not a realistic solution for immediate risk reduction, and it risks leaving your legacy systems and apps susceptible to attackers. After all, to the business, the strong possibility of breaking a vital process now is more alarming than the risk of account compromise, breach or lateral movement at some point in the future.  

From my perspective, modernization must be done from a point of confidence in today. This means containing identity risk in place whilst building for the future. It’s the only responsible strategy given attackers’ focus on identity. 


The third way: Mastering your identity risk  

If managing and migrating aren’t enough, then what’s left? The answer is to master your identity risk. 

I’ve talked before about the importance of buying yourself and your team the time and space to modernize your identity landscape while staying in control of risk every step of the way. 

Taking this approach means taking ownership of your identity exposure without relying on fragile controls or multi-year migrations. It means applying modern identity security to every part of your environment—legacy systems included, with no exceptions—so you can reduce risk now, not years down the road. In my experience, the best way to do this is to implement broad-spectrum protection that raises your security baseline and strengthens your weakest links. This is what I mean by mastering your identity risk. 

Key requirements for mastering identity risk: 

  • Build understanding broadly, across all identities and systems, their behaviours, and the processes they touch or influence.  
  • No onboarding: protection shouldn’t hinge on manual account enrolment. 
  • No system changes: legacy systems stay intact and don’t need to be meddled with.  
  • Confident controls, ensuring protection doesn’t come at the expense of uptime or with that pervasive fear of breaking things. 

What does this look like in practice?  

Mastering identity risk means changing the way we think about authentication. Instead of treating it as a business enabler that prioritizes uptime at all costs, we must put security first.  

In a security-first model, authentication becomes the frontline control point, enforcing risk-based policies by default and containing threats before they spread. Imagine if these were the ground rules across your entire environment: 

  • Require MFA for all access to sensitive infrastructure. Every administrator logging into Active Directory. Every developer connecting to a production server. Every service account running a critical batch process. Enforcing strong authentication universally ensures attackers can’t simply walk in with stolen or brute-forced credentials. When MFA is integrated directly into the authentication process, even legacy systems that never supported it natively can benefit from this protection. 
  • Limit blast radius, despite your access governance maturity. Every non-human account is restricted to only what it does regularly and repeatedly; anything out of the ordinary is blocked. Administrators are allowed to access resources in assigned change records and incidents, and they’re blocked from all others despite their privileges—this is true least privilege. You’re now in control of the guardrails that define what can happen and where, so the blast radius of any account compromise is limited.  
  • Deny connections that don’t originate from trusted sources. A login attempt from an unexpected location, a workstation outside of corporate control, or a suspicious IP should never be treated the same as a standard access request. Inline enforcement allows you to challenge, restrict, or outright block such activity in real time. This narrows the blast radius dramatically: even if credentials are stolen, they can’t be used outside the parameters you define. 
  • Block the use of legacy or insecure protocols. NTLM and other outdated protocols persist because they keep critical legacy systems alive. But attackers rely on these same weak spots to execute pass-the-hash and relay attacks, often against systems that don’t even require them. With modern controls at the point of authentication, you can restrict their use to only the places that still need them. It’s no longer a binary choice.  
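To make the four ground rules above concrete, here is a small inline policy engine written for this post as an added example; it is not Silverfort’s product code and does not come from the original article. Every host name, address range, account name and event in it is a constructed assumption. Because a batch process cannot answer an MFA prompt, the example protects service accounts by confining them to their learned baseline (rule 2) rather than by MFA, while human access to tier-0 hosts gets the MFA challenge (rule 1). Untrusted sources (rule 3) and NTLM outside its allowlist (rule 4) are blocked outright.

```python
"""Inline authentication policy engine (added example; not from the article or Silverfort).

Every field name, host name, address range and event below is constructed for the
example. The engine applies four ground rules at the point of authentication:
  1. human access to tier-0 hosts requires MFA;
  2. service accounts may only repeat what they were observed doing (baseline);
  3. requests from sources outside corporate control are blocked;
  4. NTLM is blocked except for the destinations that still need it.
"""
from collections import defaultdict
from dataclasses import dataclass, field

TIER0_HOSTS = {"dc01", "dc02", "pki01", "hv01"}   # DCs, PKI, hypervisors (constructed)
TRUSTED_PREFIXES = ("10.10.", "10.20.")            # corporate address ranges (constructed)
NTLM_ALLOWED = {"legacyapp01"}                     # the one app that still needs NTLM


@dataclass(frozen=True)
class Decision:
    action: str   # "allow", "mfa" or "block"
    rule: str     # which ground rule produced the decision


@dataclass
class PolicyEngine:
    # account -> set of (source host, destination host, protocol) seen during learning
    baseline: dict = field(default_factory=lambda: defaultdict(set))

    def learn(self, events):
        """Learning mode: record each service account's regular, repeated activity."""
        for e in events:
            if e["account_type"] == "service":
                self.baseline[e["account"]].add(
                    (e["source"], e["destination"], e["protocol"]))

    def evaluate(self, e):
        """Enforcement mode: return a Decision for one authentication attempt."""
        # Rule 3 first: nothing from an untrusted source gets further evaluation.
        if not e["source_ip"].startswith(TRUSTED_PREFIXES):
            return Decision("block", "untrusted-source")
        # Rule 4: contain NTLM to the destinations that genuinely need it.
        if e["protocol"] == "NTLM" and e["destination"] not in NTLM_ALLOWED:
            return Decision("block", "legacy-protocol")
        # Rule 2: a service account that deviates from its baseline is blocked.
        if e["account_type"] == "service":
            key = (e["source"], e["destination"], e["protocol"])
            if key in self.baseline.get(e["account"], set()):
                return Decision("allow", "service-baseline")
            return Decision("block", "service-deviation")
        # Rule 1: human access to tier-0 infrastructure requires MFA.
        if e["destination"] in TIER0_HOSTS:
            return Decision("mfa", "tier0-mfa")
        return Decision("allow", "default")


def _event(account, account_type, source, source_ip, destination, protocol):
    return dict(account=account, account_type=account_type, source=source,
                source_ip=source_ip, destination=destination, protocol=protocol)


# Constructed learning-mode sample: the batch account only ever reaches sql01 from app01.
LEARNING_EVENTS = [
    _event("svc_batch", "service", "app01", "10.10.5.20", "sql01", "Kerberos"),
    _event("svc_batch", "service", "app01", "10.10.5.20", "sql01", "Kerberos"),
]

# Constructed enforcement-mode sample, one or two events per rule.
TEST_EVENTS = [
    _event("svc_batch", "service", "app01", "10.10.5.20", "sql01", "Kerberos"),
    _event("svc_batch", "service", "ws-hr-07", "10.10.9.41", "dc01", "Kerberos"),
    _event("admin.jane", "human", "ws-adm-01", "10.10.1.15", "dc01", "Kerberos"),
    _event("admin.jane", "human", "unknown", "203.0.113.9", "dc01", "Kerberos"),
    _event("app.user", "human", "ws-fin-02", "10.20.1.5", "legacyapp01", "NTLM"),
    _event("app.user", "human", "ws-fin-02", "10.20.1.5", "fileserver01", "NTLM"),
]


def run_demo():
    """Learn from the sample, then evaluate each test event as (account, action, rule)."""
    engine = PolicyEngine()
    engine.learn(LEARNING_EVENTS)
    results = []
    for e in TEST_EVENTS:
        d = engine.evaluate(e)
        results.append((e["account"], d.action, d.rule))
    return results


if __name__ == "__main__":
    for account, action, rule in run_demo():
        print(f"{account:<10} {action:<6} ({rule})")
```

The rule order matters: source trust and protocol checks run before the baseline lookup, so a stolen service-account credential used from outside the corporate range is rejected without ever consulting the baseline. In a real deployment the baseline would be built from weeks of authentication logs rather than two constructed events, and every "service-deviation" block is also a detection signal worth investigating, since it is exactly the kind of out-of-pattern activity that precedes lateral movement.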

By implementing controls like these directly in the IAM infrastructure, inline and without requiring disruptive changes to systems, the environment itself is now designed to contain identity risks. This is identity security in action. 

With identity risks mastered in this way, you’re then free to modernize your systems at your own pace—experimenting with ephemeral credentials, moving toward zero standing privilege, or rethinking access models—without leaving your systems exposed and without the pressure of risk reduction driving timescales.  

The longer legacy challenges linger, the more they undermine both your current defences and your future progress. But by building security into the fabric of authentication and taking control of your identity risk today rather than waiting years for transformation projects to finish, you’re setting yourself up for success. Do it now, and your future transformations will be faster, stronger, and safer. After all, today’s gold standard will be tomorrow’s legacy. 

To learn more about actionable steps to implement this approach, download the Identity Security Playbook. 
