
The security of identity infrastructure is under pressure like never before. As attackers increasingly target the systems that govern access, organizations are discovering they have less control than they assumed. Complex hybrid environments, aging configurations, and limited visibility have left gaps that attackers are quick to exploit.
Semperis’ 2025 Purple Knight Report, compiled from real-world assessments across nearly 100 organizations, sheds new light on just how vulnerable identity environments have become. From hidden misconfigurations to overlooked services, the findings show why many organizations are flying blind, and why regular assessment is now a critical part of cyber defense.
The Hybrid Identity Landscape
Identity infrastructure remains a high-value target for threat actors, and tools like Active Directory, Entra ID, and Okta continue to draw attention from both cybercriminals and state-sponsored groups. These platforms are deeply embedded in enterprise environments, managing access to critical systems, data, and applications. When misconfigured or unpatched, they can become entry points for lateral movement, privilege escalation, and long-term persistence.
Recent alerts from the Five Eyes Alliance have called attention to the growing risks tied to identity management systems. The guidance warns that attackers are increasingly focused on compromising identity-related infrastructure to gain access. These risks are amplified in hybrid environments, where complexity and overlap between platforms can create visibility gaps that make it easier for threats to stay hidden.
Failing Scores and Hidden Vulnerabilities
The Purple Knight assessments exposed measurable gaps across hybrid identity environments. On average, organizations scored just 61 percent – a failing grade that points to deeper structural issues in how identity platforms are configured and maintained. Even teams with well-established security practices were often surprised by what the scans uncovered.
The weakest results came from two critical areas: Active Directory infrastructure and account security. Both categories contain controls that, when mismanaged, can lead to privilege escalation, persistence, or total domain compromise. In many cases, these gaps exist for years without detection.
One recurring issue is AD Certificate Services, which continues to be a soft target. It has been repeatedly exploited in real-world intrusions, including the Midnight Blizzard campaign. Despite years of warnings, many environments still lack proper controls around this feature.
The Middle is Most at Risk: Midsized Firms and Governments Lag Behind
While no group scored especially well in the 2025 Purple Knight Report, midsized companies and government agencies performed worst overall. Organizations in the government sector averaged just 46 percent, well below the overall average of 61 percent. Many of these environments depend heavily on Active Directory and Entra ID but lack the dedicated resources or specialized staff to manage them securely.
Midsized businesses face similar challenges. They are often too large for basic security tools but too small to afford the fully staffed security teams needed to support their identity platforms effectively. Their hybrid identity environments are frequently inherited, extended, or loosely documented, which creates uncertainty about what is in place and what needs to be fixed.
Without clear visibility and expert oversight, identity risks go unaddressed. These gaps are rarely intentional. They emerge over time through growth, integration, or turnover, and can be difficult to correct without sustained attention and support.
Real-World Reactions
The Purple Knight tool continues to surprise even seasoned IT professionals. Many enter the assessment confident in their setup, only to discover critical issues that have gone unnoticed for years. Misconfigurations in account permissions, delegation, and certificate services are especially common.
Sean Deuby, Principal Technologist at Semperis, observed, “Hybrid identity complexity is outpacing most teams’ ability to secure it. Visibility into common issues, not intention, is the biggest gap.” For teams without dedicated AD specialists, the results often become a wake-up call. Tools like Purple Knight are not just revealing problems; they are helping organizations see what they have been missing.
Transformation through Transparency
For many organizations, Purple Knight is more than a diagnostic tool. It acts as a starting point for focused remediation, allowing IT and security teams to prioritize issues based on real exposure. The tool’s assessments give technical staff a structured view of where identity systems are vulnerable and which changes can deliver the greatest risk reduction.
Regular assessments also play a strategic role. Purple Knight’s visual reporting helps security leaders present findings to executive teams and boards in a way that is both clear and actionable. These visuals have helped many teams secure support for long-deferred upgrades or staffing requests by showing measurable risk instead of theoretical concern.
Path to Progress: From D-Minus to Passing Grades
Organizations that acted on Purple Knight’s remediation guidance saw clear progress. On average, scores improved by 21 points, with some assessments showing even larger gains. In the most significant cases, environments that began with severe misconfigurations improved substantially after fixing delegation issues, tightening account controls, or reconfiguring neglected services.
These improvements are not just technical wins. They help create a security culture rooted in visibility and accountability. When teams see progress from their efforts, it builds momentum. Purple Knight’s findings can also be mapped directly to policy changes, audit goals, and compliance requirements, which makes the fixes meaningful beyond IT.
You Can’t Defend What You Can’t See
Identity systems form the backbone of access in today’s environments. Yet many organizations operate with partial or outdated views of their AD, Entra ID, and Okta configurations. That lack of visibility opens the door to persistent threats, especially in hybrid environments where complexity can conceal risk.
Despite these challenges, organizations are not powerless. By taking targeted steps to assess and fix known weaknesses, they can make meaningful progress toward securing their identity infrastructure.
“Unfortunately, too many organizations, particularly midmarket enterprises and those in the public sector, are still struggling to get ahead of weaknesses in Active Directory and Entra ID,” said Deuby. “My advice is to start with a thorough scan of their AD and Entra ID environment and prioritize the issues that expose the highest-value assets. Even small improvements, such as fixing delegation or adjusting account permissions, can significantly reduce risk.”