
For years, financial institutions have invested heavily in identity security, building layered controls around authentication, access management and threat detection. Yet regulators are increasingly focused on resilience, and specifically on what happens when those controls fail.
The findings from Quest Software’s recent State of ITDR 2026: prevention and recovery research point to a clear conclusion: while organisations have invested heavily in identity threat prevention and detection, recovery remains the missing resilience element. Quest’s Vice President of Product Management and Marketing, Rakesh Shah, shared insights with RegTech Insight on this critical missing layer – whether organisations can recover their identity infrastructure quickly, consistently and in a way that satisfies growing regulatory expectations around operational continuity and control effectiveness.
Recovery Is the Regulatory Gap
A consistent theme emerging from Quest’s findings is that most organisations are not failing because they lack detection capability. They are failing because they cannot recover. As Shah observes, many firms have invested in preventive controls and monitoring tools, yet “struggle when identity controls fail,” with recovery readiness often remaining “more theoretical than practical.” Quest research indicates that nearly 80% of organisations remain vulnerable to identity-related threats due to inadequate tooling, while 24% never test disaster recovery and 44% test only annually.
Supervisory frameworks require firms to demonstrate that they can withstand and recover from severe but plausible disruption scenarios. Organisations that regularly test identity recovery not only reduce outage duration but limit business impact, with purpose-built recovery tooling enabling restoration up to 90% faster in some cases. In regulatory terms, that translates directly into a lower risk of breaching impact tolerances.
Identity as the Control Plane
Active Directory (AD) is Microsoft’s on-premises directory service that manages user authentication, authorisation and access to network resources. Microsoft Entra ID (formerly Azure Active Directory) is its cloud-based identity and access management platform providing authentication and access control across cloud and hybrid environments. Together, these systems form the control plane through which access to applications, data and services is governed.
When that control plane fails, the consequences extend far beyond IT. Shah notes that identity resilience is no longer a “behind-the-scenes technical function”; when identity fails, “operations stall, regulators step in, and financial and brand damage follow”. Attackers understand this dynamic. Compromise of a single high-privilege identity can enable rapid lateral movement across systems, partners and customer environments.
For regulators, this elevates identity into the category of systemic dependency. Under EU DORA and similar regulatory frameworks, firms are required to map critical dependencies supporting important business services. Identity infrastructure sits at the centre of that map. Failure to secure and recover it is no longer a contained cyber incident; it is a potential operational resilience breach.
Tier 0 Misclassification
One of the most persistent weaknesses identified in Quest’s research is the misunderstanding of “Tier 0” identities – those with the highest level of control over systems and infrastructure. While most organisations can identify obvious privileged accounts such as Domain Administrators, far fewer recognise what Shah describes as “Tier 0 by consequence” identities. These include backup systems, automation tools, synchronisation services and privileged application registrations that effectively hold equivalent control.
The regulatory implications are significant. If firms fail to correctly identify their most critical identity dependencies, they cannot accurately assess or contain risk. The result is an expanded “blast radius” in the event of compromise, where attackers can disable recovery mechanisms and escalate privileges unchecked. In such scenarios, preventive controls become irrelevant because the underlying control structure has already been undermined.
From a resilience standpoint, this represents a failure of dependency mapping and critical asset identification – both core requirements under modern supervisory regimes.
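The “Tier 0 by consequence” idea, and the blast-radius question that follows from it, can be made concrete by modelling identities and the control relationships between them as a directed graph: any principal with a control path to a Tier 0 asset is Tier 0, whatever it is called in the directory. The following is an added example, not Quest’s tooling or data; the environment, the relationship vocabulary and the account names are constructed for illustration.

```python
"""
Tier 0 by consequence as a graph problem.

Added example with a constructed identity environment; the relationship names
are assumptions loosely modelled on how attack-path tools describe control over
AD objects, not any vendor's schema.
"""
from collections import defaultdict, deque

# Relationships that let the source take over the target. Anything else
# (read access, ordinary membership of a non-privileged group) is ignored.
CONTROL_RELATIONS = {
    "MemberOf",            # inherits the group's rights
    "AdminTo",             # local administrator on the host
    "CanResetPassword",    # can take over the target account
    "DCSync",              # replication rights over the domain
    "RestoresBackupsOf",   # can restore, and therefore tamper with, the target
    "OwnsCredentialOf",    # holds a secret or certificate for the target
}

# Constructed environment (source, relation, target).
EDGES = [
    ("alice", "MemberOf", "Domain Admins"),
    ("Domain Admins", "AdminTo", "DC01"),
    ("Domain Admins", "DCSync", "CORP.LOCAL"),
    # Backup service account: Tier 0 by consequence, not by name.
    ("svc_backup", "RestoresBackupsOf", "DC01"),
    ("Backup Admins", "CanResetPassword", "svc_backup"),
    ("dave", "MemberOf", "Backup Admins"),
    # Directory sync account with replication rights, and the automation
    # app registration that stores its credential.
    ("svc_adsync", "DCSync", "CORP.LOCAL"),
    ("app:automation-runbook", "OwnsCredentialOf", "svc_adsync"),
    # Helpdesk path that never reaches Tier 0.
    ("bob", "MemberOf", "Helpdesk"),
    ("Helpdesk", "CanResetPassword", "carol"),
    ("carol", "MemberOf", "Finance Users"),
    ("Finance Users", "ReadOnly", "Finance Share"),
]

# The obvious Tier 0 assets an organisation would declare up front.
TIER0_ASSETS = {"CORP.LOCAL", "DC01"}


def build_graph(edges, relations=CONTROL_RELATIONS):
    """Forward and reverse adjacency lists over control relationships only."""
    fwd, rev = defaultdict(list), defaultdict(list)
    for src, rel, dst in edges:
        if rel in relations:
            fwd[src].append((rel, dst))
            rev[dst].append((rel, src))
    return fwd, rev


def _reach(adj, starts):
    """Breadth-first closure over an adjacency list of (relation, node)."""
    seen, queue = set(starts), deque(starts)
    while queue:
        node = queue.popleft()
        for _, nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def tier0_by_consequence(edges, tier0_assets):
    """Every principal that can reach a Tier 0 asset through control edges."""
    _, rev = build_graph(edges)
    return _reach(rev, set(tier0_assets)) - set(tier0_assets)


def blast_radius(edges, compromised):
    """Everything an attacker holding `compromised` can take over."""
    fwd, _ = build_graph(edges)
    return _reach(fwd, {compromised}) - {compromised}


def control_path(edges, src, dst):
    """Shortest control path as (source, relation, target) steps, or None."""
    fwd, _ = build_graph(edges)
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for rel, nxt in fwd.get(node, ()):
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    if dst not in prev:
        return None
    path, node = [], dst
    while prev[node] is not None:
        parent, rel = prev[node]
        path.append((parent, rel, node))
        node = parent
    return list(reversed(path))


if __name__ == "__main__":
    for p in sorted(tier0_by_consequence(EDGES, TIER0_ASSETS)):
        print("Tier 0:", p)
    print("dave -> DC01:", control_path(EDGES, "dave", "DC01"))
    print("runbook blast radius:", blast_radius(EDGES, "app:automation-runbook"))
```

Run against the constructed graph, the classification picks up svc_backup, svc_adsync, the automation app registration and the Backup Admins group alongside Domain Admins, while bob’s helpdesk path stays outside Tier 0 because the only onward edge is read-only. The same reverse-reachability check can be fed from a real directory export; the point is that the Tier 0 set is derived from consequence rather than from naming.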
Signal Overload and Limits of Traditional Controls
Compounding the challenge is the rapid expansion of identity environments. Hybrid architectures spanning on-premises systems, cloud platforms and software-as-a-service (SaaS) applications generate vast volumes of identity-related signals. Security teams suffer alert fatigue, facing millions of events across AD, Entra, Microsoft 365 and other platforms. At the same time, non-human identities – service accounts, bots and machine identities – now outnumber human users by a ratio of 82:1.
Traditional monitoring approaches struggle to distinguish material threats from background noise, while a shortage of deep expertise in identity systems further limits effective oversight. Organisations that successfully modernise ITDR do so by correlating signals across environments, reducing noise and introducing automation to support analysis.
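What “correlating signals across environments” and “reducing noise” look like in practice is easier to see on data than in prose. The block below is an added example, not Quest’s product logic: it takes a handful of constructed AD security events and Entra ID log entries (field names are assumptions, not either platform’s real schema), normalises them into one signal vocabulary, drops everything that carries no privilege context, and raises a single alert when a Tier 0 grant and a suspicious sign-in for the same principal fall within one time window, whichever environment each came from.

```python
"""
Cross-environment identity signal correlation.

Added example on constructed AD and Entra ID events. The event fields are
assumptions for illustration, not the real Windows or Entra log schema.
"""
from datetime import datetime, timedelta

TIER0_GROUPS = {"Domain Admins", "Backup Admins", "Global Administrator"}
TRUSTED_PREFIXES = ("10.",)   # constructed corporate address space

RAW_EVENTS = [
    # Routine interactive logons (AD 4624): noise for this rule.
    *[{"env": "AD", "ts": f"2026-03-02T08:{m:02d}:00Z", "id": 4624,
       "principal": f"user{m}", "ip": "10.1.1.20"} for m in range(8)],
    # Helpdesk adds a service account to a Tier 0 group (AD 4728).
    {"env": "AD", "ts": "2026-03-02T09:14:10Z", "id": 4728,
     "principal": "bob", "group": "Backup Admins", "member": "svc_ops"},
    # The same account signs in to Entra from outside, without MFA.
    {"env": "Entra", "ts": "2026-03-02T09:20:31Z", "id": "SignIn",
     "principal": "svc_ops", "ip": "203.0.113.9", "mfa": False},
    # And is also given a Tier 0 cloud role.
    {"env": "Entra", "ts": "2026-03-02T09:21:00Z", "id": "AddMemberToRole",
     "principal": "bob", "role": "Global Administrator", "member": "svc_ops"},
    # Group change into a non-privileged group: noise.
    {"env": "AD", "ts": "2026-03-02T09:30:00Z", "id": 4728,
     "principal": "bob", "group": "Finance Users", "member": "carol"},
    # Clean admin sign-in with MFA from inside, no grant nearby: noise.
    {"env": "Entra", "ts": "2026-03-02T10:05:00Z", "id": "SignIn",
     "principal": "alice", "ip": "10.2.2.2", "mfa": True},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(events):
    """Map raw platform events onto two signal kinds; discard the rest."""
    signals = []
    for e in events:
        grant_scope = None
        if e["env"] == "AD" and e["id"] in (4728, 4732):
            grant_scope = e["group"]
        elif e["env"] == "Entra" and e["id"] == "AddMemberToRole":
            grant_scope = e["role"]
        if grant_scope is not None:
            if grant_scope in TIER0_GROUPS:
                signals.append({"kind": "tier0_grant", "env": e["env"], "ts": _ts(e["ts"]),
                                "principal": e["member"], "actor": e["principal"],
                                "scope": grant_scope})
            continue
        if e["id"] in (4624, "SignIn"):
            outside = not e["ip"].startswith(TRUSTED_PREFIXES)
            no_mfa = e.get("mfa") is False
            if outside or no_mfa:
                signals.append({"kind": "suspicious_signin", "env": e["env"],
                                "ts": _ts(e["ts"]), "principal": e["principal"],
                                "ip": e["ip"], "mfa": e.get("mfa")})
    return signals


def correlate(signals, window=timedelta(hours=1)):
    """One alert per principal whose Tier 0 grant and suspicious sign-in coincide."""
    grants = [s for s in signals if s["kind"] == "tier0_grant"]
    signins = [s for s in signals if s["kind"] == "suspicious_signin"]
    alerts = {}
    for g in grants:
        hits = [s for s in signins
                if s["principal"] == g["principal"] and abs(s["ts"] - g["ts"]) <= window]
        if not hits:
            continue
        a = alerts.setdefault(g["principal"], {"principal": g["principal"], "grants": [],
                                               "signins": [], "environments": set()})
        a["grants"].append(g)
        a["signins"].extend(h for h in hits if h not in a["signins"])
        a["environments"].update([g["env"]] + [h["env"] for h in hits])
    return list(alerts.values())


def triage(events):
    """Counts at each stage, to show how much noise the pipeline removes."""
    signals = normalize(events)
    alerts = correlate(signals)
    return {"raw": len(events), "signals": len(signals), "alerts": len(alerts),
            "alerts_detail": alerts}


if __name__ == "__main__":
    result = triage(RAW_EVENTS)
    print({k: v for k, v in result.items() if k != "alerts_detail"})
    for a in result["alerts_detail"]:
        print(a["principal"], sorted(a["environments"]),
              [g["scope"] for g in a["grants"]], [s["ip"] for s in a["signins"]])
```

Thirteen raw events become three signals and one alert, and that alert carries both the on-premises group change and the cloud role assignment for the same account, which neither platform’s native log would show on its own. The weak point is the lookup behind `TIER0_GROUPS`: the rule is only as good as the organisation’s Tier 0 inventory, which is the same data-quality dependency the article raises for AI-driven analysis.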
Artificial intelligence (AI) is often presented as the solution, and 79% of respondents in Quest’s research believe AI can improve ITDR effectiveness. Yet this introduces a critical dependency on data quality. As Shah highlights, AI-driven decision-making is only as reliable as the data underpinning it. Without structured, governed and trusted identity data, AI risks amplifying rather than reducing control weaknesses. For regulators, this raises questions about explainability and auditability.
From Security Tool to Resilience Lifecycle
Quest’s research indicates that 78% of organisations still cite proactive threat management as the primary driver for ITDR adoption, but this is increasingly complemented by resilience-oriented capabilities.
Shah frames resilience in practical terms: continuous visibility across identities, clear ownership and accountability, automated access reviews, rapid containment of compromised credentials and segmentation to limit lateral movement. Taken together, these elements form a control framework that closely mirrors those used in regulatory compliance, spanning preventive, detective and corrective controls.
Identity as a Strategic Risk
According to Shah, boards and senior executives are now asking fundamentally different questions: can the organisation continue operating under attack? Are AI initiatives introducing unmanaged risk? Are regulatory expectations being met? These are not technical queries. They are questions of risk, accountability and strategic resilience.
This aligns with broader regulatory trends, including senior management accountability regimes and increasing board oversight of operational resilience. Identity, once considered a technical domain, is now central to these discussions. It sits at the intersection of cybersecurity, operational continuity and emerging AI risk, placing it firmly within the scope of supervisory scrutiny.
Conclusion
The trajectory is clear. ITDR is moving beyond its origins in threat detection towards a more expansive role as a resilience control framework. Identity systems underpin critical business services, and their failure carries direct regulatory consequences. Recovery capability, visibility and governance are no longer optional enhancements; they are core requirements for demonstrating compliance and operational continuity.