You have more domain admins than you think you do.  Domain admins can come to be through: Misconfigured server permissions allowing an end user to log into a domain controller  AD Groups or Users receiving delegated permissions. Group nesting + toxic combinations + domain trusts  AD / Entra hybrid with misconfigured group / role relationships and write back.   Identity Governance programs (including native MSFT) only review some of these access paths. All it takes is one mistake in configuration to expose your company to significant risk and a very bad day.  Clarity Security creates visibility to changes in sensitive permissions and can control access to them, preventing major attack vectors before they can be exploited, and improving identity security for privileged access in hybrid infrastructures.   TLDR: It sucks to be pwnd. It sucks worse to be pwnd by access you didn’t know existed.