“When identity is compromised, services are at risk.” This line from Public Sector Network's recent live discussion with Quest Software and Australian Signals Directorate captures a shift many Australian government leaders are now feeling in practice: identity has moved from a technical control to a form of critical infrastructure. It underpins service continuity, digital transformation programmes, and the credibility of public-facing services.
“ASD now calls identity compromise a systemic risk. Because when identity goes down, it's not just IT that's affected. It's service delivery, it's continuity, and it's the ability for agencies to operate.”
- Richard Kulkarni, Head of APAC, Quest Software
This is not a new problem. The ASD-led guidance Detecting and Mitigating Microsoft Active Directory Compromises (last updated January 2025) details how widely used identity services are routinely targeted and why compromise can be so disruptive. What has changed as of March 2026 is that the environment has become more hybrid, more automated, and more time-sensitive, which changes the operational consequences when identity is attacked.
What’s changed since the last major guidance update
Since early 2025, most agencies have not reduced reliance on Active Directory (AD). If anything, dependence has deepened through hybrid identity patterns, cloud app adoption, and ongoing integration of identity into everything from SaaS onboarding to security tooling. As one panellist put it, “Active Directory… is really the keys to the kingdom.”
At the same time, the identity threat chain is accelerating:
- Hybrid sprawl is now the norm. AD, Entra ID, Entra Connect, and cloud app trust relationships often form a single identity fabric. That fabric can be resilient, but it can also create unexpected pathways for attackers.
- AI is increasing attacker speed and precision. The panel’s view was consistent: reconnaissance, social engineering, and privilege pathfinding can be executed faster and with higher success rates when AI is used to tailor lures, automate testing, and map the quickest route to privileged control.
- Tolerance for extended outages is shrinking. Executive expectations have tightened around “time to restore” when identity systems are impacted. The recovery window that might once have been treated as an IT issue is increasingly viewed as a service delivery failure.
Taken together, these changes push identity risk out of the “security team” lane and into leadership accountability for continuity and trust.
Identity compromise remains the shortest route to systemic disruption
The ASD paper makes the case that AD is a valuable target because it sits at the centre of authentication and authorisation, and because permissive defaults and complex relationships expand the attack surface. The webinar discussion added a practical framing: identity compromise is “a shortcut” that can undermine other controls once attackers reach privileged identity.
“If you can compromise identity, it is a shortcut. It is the quickest path to compromising an environment.”
- James Duncan, Technical Director Government Uplift, Australian Signals Directorate
In operational terms, identity is where “local” incidents become systemic. The panel described how early identity signals, such as abnormal logins, privilege changes, and policy modifications, increasingly appear before any obvious infrastructure failure. One speaker observed that many organisations only realise identity was the root issue after something else breaks, such as ransomware, data exfiltration, or critical applications going offline.
This is why leaders focused on continuity should treat identity not as an internal IT dependency, but as an enabling layer for all services.
Why “secure by default” is still not enough
A recurring theme was that AD is often assumed safe because it “just works” in the background. That assumption is risky. “Out of the box, Active Directory is an insecure environment,” one panellist noted, and many environments carry years of technical debt: legacy delegation, group policy drift, overly permissive trusts, and service accounts that gradually accumulated privilege.
The result is a gap between what agencies believe their identity posture is and what the environment actually allows. And in hybrid environments, weaknesses in on-prem foundations can become cloud compromises if identity dependencies and synchronisation pathways are not treated as Tier 0.
A useful analogy from the webinar: organisations often invest in “roof and upper floors” security controls, but if the foundation (AD and Entra ID) is weak, those investments can be bypassed.
Modern identity defence in 2026: three practical capabilities
The panel converged on a pragmatic model that translates well for executive sponsorship. It is not about buying “more security.” It is about building three capabilities that reduce systemic risk.
“The key to protecting your environment against modern identity threats… can really be broken down to three distinct categories. Number one is visibility… Secondly, auditing… and thirdly, protection.”
- Craig Lawrence, Principal Consultant, NTT Data
1) Visibility and assurance across AD and Entra ID
“You can’t protect what you don’t know.” Visibility was the dominant theme, but it was described as more than log collection. It means having timely insight into:
- Privileged group membership and privilege changes
- Group policy changes and configuration drift
- Trust relationships and identity dependencies across hybrid environments
- Authentication patterns that indicate early compromise activity
The ASD guidance supports this direction by highlighting that many AD techniques mirror legitimate behaviour and require centralised logging and careful analysis. In 2026, the leadership implication is that identity visibility needs to produce decision-grade signals, not just telemetry.
2) Reducing privilege pathways, not just managing admin lists
Modern defence is not only “who has admin rights.” It is “how easy is it for someone to become an admin.” The panel described legacy delegations and accumulated permissions as the real risk surface. The ASD guidance aligns, detailing how common techniques exploit misconfigurations, permissive settings, and service account privilege.
This is where sustained effort matters: simplifying privilege structures, removing legacy permissions, and reducing attack paths can force adversaries into riskier techniques that are more detectable and less reliable.
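As an added illustration (not code from the webinar, the ASD guidance, or Quest), the following Python snippet turns a handful of constructed Windows Security events into the early identity signals listed under visibility, and resolves nested group membership so that an indirect grant into a Tier 0 group is caught, which is the "how easy is it to become an admin" point of this section. The group names, nesting, hosts and events are constructed; only the event IDs are real Windows Security event IDs.

```python
"""Flag early identity-compromise signals in a batch of Windows Security events.
Constructed example: the event records, group nesting and host baseline are
assumptions; the event IDs (4624, 4719, 4728/4732/4756) are the real Windows IDs."""

# Tier 0 groups (assumed list) and constructed nesting: Helpdesk-L2 is a member
# of Tier1-Admins, which is a member of Domain Admins, so adding someone to
# Helpdesk-L2 is effectively a Domain Admins grant.
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Server Operators"}
NESTED_IN = {"Helpdesk-L2": {"Tier1-Admins"}, "Tier1-Admins": {"Domain Admins"}}
GROUP_ADD_IDS = {4728, 4732, 4756}   # member added to global / local / universal group

# Constructed host baseline: where each account has been seen logging on before.
KNOWN_HOSTS = {"svc-backup": {"DC01"}, "helpdesk-admin": {"DC01", "WS-112"}}

# Constructed sample events, reduced to the fields a SIEM normally extracts.
EVENTS = [
    {"id": 4624, "user": "svc-backup", "host": "DC01"},
    {"id": 4624, "user": "svc-backup", "host": "WS-443"},
    {"id": 4728, "user": "helpdesk-admin", "host": "DC01",
     "member": "j.smith", "group": "Helpdesk-L2"},
    {"id": 4728, "user": "helpdesk-admin", "host": "DC01",
     "member": "j.smith", "group": "Server Operators"},
    {"id": 4719, "user": "svc-backup", "host": "WS-443"},
]

def effective_tier0(group):
    """Walk nested group membership; return the Tier 0 group reached, or None."""
    seen, stack = set(), [group]
    while stack:
        g = stack.pop()
        if g in TIER0_GROUPS:
            return g
        if g not in seen:
            seen.add(g)
            stack.extend(NESTED_IN.get(g, ()))
    return None

def find_signals(events, known_hosts):
    """Return (signal, account, detail) tuples for the early indicators the
    panel named: privilege changes, audit-policy changes, unusual logons."""
    signals = []
    for e in events:
        if e["id"] in GROUP_ADD_IDS:
            t0 = effective_tier0(e["group"])
            if t0:
                signals.append(("tier0_group_add", e["member"], f"{e['group']} -> {t0}"))
        elif e["id"] == 4719:   # system audit policy changed: a common precursor to log evasion
            signals.append(("audit_policy_change", e["user"], e["host"]))
        elif e["id"] == 4624 and e["host"] not in known_hosts.get(e["user"], set()):
            signals.append(("unusual_logon_host", e["user"], e["host"]))
    return signals

if __name__ == "__main__":
    for sig in find_signals(EVENTS, KNOWN_HOSTS):
        print(sig)
```

In a real estate the group nesting and host baseline would come from directory queries and historical logon data rather than constants, and each signal would be enriched and triaged rather than printed.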
3) Recovery readiness as a core control
A key point from the live discussion was the uncompromising reality of recovery. James Duncan underscored that Microsoft’s guidance can effectively amount to “rebuild” in some scenarios, and “no one wants to rebuild Active Directory from scratch.”
For leaders, this reframes identity recovery as an essential part of resilience planning. Recovery needs to be rehearsed, timed, and designed for pressure, with clarity on what can be restored quickly, what requires validation, and what decisions must be pre-agreed to avoid paralysis when identity is impacted.
AI changes the pace of identity compromise, and introduces a new risk: AI as an identity
On AI, the panel’s discussion was clear: AI is amplifying reconnaissance, phishing effectiveness, and lateral movement. The “update” for 2026 is not simply that attackers use AI, but that defenders are also deploying AI-enabled workflows and agents. Those agents are identities too. They authenticate, inherit permissions, and can become high-impact targets.
The critical connection is this: if identity assurance is weak, AI can become an accelerator for both disruption and data exposure. In other words, identity is now a prerequisite for safely scaling AI, not a parallel workstream.
Where expertise intersects: defence, visibility, and recovery
For organisations looking to operationalise these capabilities, the strongest alignment point is with solutions and services that help teams:
- Improve visibility across hybrid identity estates
- Identify and reduce privileged access pathways
- Rehearse and accelerate identity recovery, including targeted restoration rather than broad rebuild approaches
This intersection matters because identity incidents do not fail on “knowing what to do.” They fail on time, complexity, and the inability to execute under pressure.
Closing: identity is now a service continuity discipline
Identity compromise is not a niche security topic. It is increasingly the fastest route to service disruption, compliance exposure, and loss of public trust. In March 2026, the question is less “is AD still relevant?” and more “is the identity foundation resilient enough for the services and AI-enabled initiatives being built on top of it?”
The practical takeaway from the webinar was concise: understand the environment, tighten privileged pathways, and have a realistic plan to recover identity when something goes wrong. When identity is treated as critical infrastructure, other resilience efforts become more effective, and the risk of a small incident turning into a whole-of-service event is materially reduced.
Explore the Quest Marketplace profile to see practical capabilities that support government identity assurance, monitoring, and recovery readiness across AD and Entra ID.