Summary: Ignoring legacy on-premises infrastructure creates massive security blind spots, leaving stale service accounts and unreviewed hybrid permissions vulnerable to exploitation. Integrating Oleria Trustfusion, an AI-native identity security platform, bridges this structural gap by deploying a lightweight, read-only agent that pulls on-premises Active Directory objects into the exact same access graph as your cloud infrastructure.
Active Directory at most enterprises holds tens of thousands of user accounts, thousands of service accounts, hundreds of OUs, and multi-domain forests with trust relationships. The "we'll move off AD" plan has been on the roadmap for years; the migration is still partial. Meanwhile, AD authenticates production workloads, governs file shares, and hosts services that won't be cloud-native any time soon.
Cloud-first identity platforms that skip AD aren't being modern - they're ignoring where the identities actually are. The result is a split governance model: cloud identities in the IGA platform, AD identities managed separately through scripts, spreadsheets, or not at all. The on-prem service accounts nobody reviews. The accounts from the acquisition two years ago that never got cleaned up. The PasswordNeverExpires accounts that have been running production workloads since before the current security team started.
AD doesn't have a cloud-native API, so getting AD into the access graph requires an agent. Oleria is explicit about this: where the architecture requires an agent, we use one. The agent is read-only, lightweight, and purpose-built for the legacy environments most identity platforms abandon.
Oleria deploys a read-only agent in the AD environment and ingests users, service accounts, groups, OUs, and event logs. Those identities flow into the same access graph as your cloud stack - not a separate pane, not a legacy tab. Active Directory cloud identity graph integration is complete the same day the agent deploys, without waiting for a multi-year migration project to finish.
Entra Connect-synced identities surface as one unified record across AD and Entra. The hybrid identity is a single object in the Oleria graph - one review, one lifecycle, not two separate things to reconcile.
No. The agent is strictly read-only. LDAP queries for discovery, event log ingestion for activity. Deprovisioning actions through AD use a separate write-back mechanism that requires explicit authorization per workflow.
Azure AD DS surfaces via the Entra connector plus the AD agent for domain services workloads. Other directory services such as OpenLDAP connect through separate connectors.
AD doesn't have a cloud-native API. Any platform claiming to ingest AD without an agent is either using a cloud sync proxy (which is an agent with a different name) or skipping AD entirely. Where the architecture requires an agent, we use one. Where cloud APIs are available, we use those. The agent is read-only, lightweight, and purpose-built for on-prem AD environments.
