Making Least Privilege Real: Previewing Privilege Zones in BloodHound Enterprise
Jun 16 2025
By: Justin Kohler • 8 min read
TL;DR Most organizations assume they’ve implemented least privilege, but assumptions don’t stop attackers. Privilege Zones in BloodHound Enterprise lets you define and analyze real-world security boundaries to stop lateral movement and eliminate attack paths across hybrid environments.
Organizations assume they have clear privilege boundaries, but those assumptions rarely match reality. Attack paths exist precisely because assumed security boundaries aren’t enforced.

Having seen BloodHound deployed in tens of thousands of environments, I can safely say that assumption can be thrown out the window; there are always attack paths. That’s not anyone’s fault. We’ve been told for decades what we should be doing, but not how. There has never been a technical control to verify least privilege.
That’s why we’re so excited to preview Privilege Zones, coming to BloodHound Enterprise in July.

Privilege Zones extend BloodHound Enterprise’s attack path analysis and remediation capabilities beyond the traditional Tier Zero focus, enabling teams to define custom security boundaries and enforce least privilege access across their environment. Now you can prevent lateral movement and privilege escalation by defining and enforcing custom zones—whether your environment is on-premise, cloud, or hybrid.
The Illusion of Least Privilege
“Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.”
Jerome Saltzer defined Least Privilege 50 years ago, but we still struggle with implementation. We’ve created policies, naming conventions, and meticulous documentation, but all are insufficient against attackers who exploit the gap between theoretical and actual privilege enforcement. Attack paths represent the crossing of assumed security boundaries—proof that what looks secure on paper often isn’t in practice.
Let’s start with how organizations try to control this today. We focus on controlling individual identities’ access to resources. We do so through the use of Identity Governance and Administration (IGA) tools (e.g., SailPoint) to provision users at scale for what they should access and nothing more. Hopefully…

Bob only has access to Finance, Alice to HR, and Jane to IT. Everything is organized, easy to audit, clean, and woefully incomplete.
Before I go further, it’s important to note that this is not an IGA problem; these tools are doing exactly what they were designed to do: provision identities at scale with the permissions they need to do their job. It’s what they’re not doing, and were never designed to do, that creates attack paths.
Take the image above. That’s how the auditor sees the environment, but what happens if Alice is both of these users?

This happens ALL. THE. TIME. These access collisions are everywhere.
This is how the attacker sees the environment:

An attacker doesn’t care what they have access to now. It’s about what they can take. And identity is the ladder they climb.
These access collisions or shadow entitlements are where effective access and intended access differ, creating attack paths to critical resources in the process.
Seemingly benign provisioning cascades rapidly across our on-prem, cloud, and hybrid environments:

Complexity continues to grow over time:

And this is what we fall victim to:

Best Practices to Save the Day?
As attack paths became better understood across the industry, we started developing more in-depth guidance and best practices on how to combat this threat. At the time, and largely still today, Active Directory (AD) was the backbone of identity for nearly every company.
The first guidance came in 2012 with Microsoft’s “Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques” whitepaper, and again in 2014 with version 2. This then evolved into a Tiered Administration Model, which was formally introduced in 2014 and followed up quickly with the Enhanced Security Admin Environment (ESAE) or “Red Forest” model.
These all provided a great framework on how to structure your environment, but there was one crucial problem: How did you ever know if you did it right? Organizations spent millions of dollars in the pursuit but faltered and failed hard, leaving only a couple of ESAE environments in active use today.
Microsoft now recommends the Enterprise Access Model with pretty prescriptive guidance for administrators, but the problem still stands:
Without visibility, implementation is like drawing floor plans for a maze while you’re already lost within.
People try, very hard, to do the right thing, but these are extremely complex systems. A couple of examples…

You name it, we’ve seen it. It affects small companies, large companies, mature companies, new companies, old companies, etc. At this point, when someone tells me they’ve “separated their administrators from their users”, I say back “well, you’d be the first”.
Again, this isn’t anyone’s fault, and it’s not a Microsoft problem either. Any identity directory will have the same problems. We’ve seen this as organizations try to move from AD to Entra ID, Okta, AWS, GCP, you name it. The problem manifests again and again. It’s a complexity and visibility problem.
There has never been a technical control to enforce these boundaries. It’s all been best practices, spreadsheets, and intent.
Privilege Zones Puts You Back in Control
Privilege Zones is a new capability in BloodHound Enterprise that transforms the way organizations define and enforce security boundaries. Built on the same attack graph engine that powers visibility in BHE, Privilege Zones extends control beyond Tier Zero and makes attack paths across zones actionable by giving security teams and identity and access management (IAM) teams a way to sever them with precision.
Privilege Zones give you the power to define logical security boundaries—then enforce them at scale. Whether you’re aligning to Microsoft’s Enterprise Access Model or your internal segmentation strategy, BloodHound Enterprise makes it real.
✅ Define Zones based on tiers, sensitivity, or business function
✅ Prevent escalation or lateral movement between zones
✅ Ensure your secure identity architecture design matches reality

With Privilege Zones, you can establish logical security boundaries based on how your organization works, not just how legacy tier models suggest you should. These zones can represent anything: cloud and on-premises workloads, different trust levels, business units, compliance scopes, or sensitivity tiers.

Once zones are defined, Privilege Zones continuously analyzes identity and permission data to detect and eliminate attack paths that violate those boundaries. That means you can spot and sever unintended links between, say, a developer account in Entra ID and production infrastructure, or between a contractor’s legacy AD account and the domain admin group.

And because it’s all built on BloodHound analysis, you’re not flying blind. You see the paths. You understand the risk. And now, for the first time, you can draw the line—and make it stick.
Built for Hybrid Identity
The modern enterprise identity landscape is fragmented by design. Most users have multiple accounts tied to the same person—one in AD, another in Entra ID, maybe more in GitHub, or internal systems. These aren’t edge cases—pun intended—they’re the norm.

Identity sprawl creates hidden connections between environments that attackers are quick to exploit. A user with limited access in one system might have privileged access in another. Or worse, their accounts might chain together to form a path to critical assets. These links are rarely documented, let alone governed.

This isn’t just poor hygiene that happens to be discouraged; it’s a privilege zone violation across systems. But how would you know if you’re violating this and creating attack paths?
Spoiler: you won’t. In reality, everyone has this problem. In an analysis conducted in 2024, we found that 100% of environments were syncing privileged roles and 70% were syncing super admin roles.

Privilege Zones takes identity sprawl head-on. By mapping and enforcing boundaries across linked identities—regardless of where they live—Privilege Zones eliminates the hidden chains that make sprawl so dangerous. Visualize and stop the risk.
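To make the two ideas above concrete (an attack path that crosses a zone boundary, and one person’s accounts chaining together across systems), here is an added Python example. It is not BloodHound Enterprise’s code and does not use its data model; it runs a breadth-first search over a small, hand-built identity graph, labels each node with a zone, and reports every path that starts in a lower zone and ends in a higher one, together with the first edge on that path that crosses the boundary (the edge to sever). All node names, the zone labels, the zone ranking, and the edge kinds SameIdentity and SyncedTo are constructed for this illustration.

```python
"""Added example (not BloodHound's code): detect paths that cross privilege zone
boundaries in a constructed identity graph."""
from collections import deque

# Constructed directed edges (source, relationship, target). Each edge means the
# holder of `source` can act as, or take control of, `target`. MemberOf, AdminTo and
# GenericAll mirror common AD relationships; SameIdentity and SyncedTo are made-up
# labels standing in for "two accounts belonging to one person" and "account synced
# from a cloud directory".
EDGES = [
    ("alice@corp.local",      "MemberOf",     "Finance-Users"),
    ("alice@corp.local",      "SameIdentity", "alice-adm@corp.local"),   # one person, two accounts
    ("alice-adm@corp.local",  "MemberOf",     "Server-Admins"),
    ("Server-Admins",         "AdminTo",      "PROD-SQL01"),
    ("dev-bob@corp.example",  "SyncedTo",     "bob@corp.local"),         # cross-system link
    ("bob@corp.local",        "MemberOf",     "Helpdesk"),
    ("Helpdesk",              "GenericAll",   "svc-backup@corp.local"),  # full control of a DA member
    ("svc-backup@corp.local", "MemberOf",     "Domain Admins"),
    ("jane@corp.local",       "MemberOf",     "HR-Users"),
]

# Constructed zone assignment; anything not listed is treated as an ordinary user.
ZONES = {
    "alice-adm@corp.local":  "Workload",
    "Server-Admins":         "Workload",
    "PROD-SQL01":            "Workload",
    "svc-backup@corp.local": "Tier Zero",
    "Domain Admins":         "Tier Zero",
}
# Assumed ranking: a path from a lower rank to a higher rank is a zone violation.
ZONE_RANK = {"User": 0, "Workload": 1, "Tier Zero": 2}


def zone_of(node, zones):
    return zones.get(node, "User")


def build_adjacency(edges):
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
        adj.setdefault(dst, [])
    return adj


def shortest_paths_from(start, adj):
    """BFS from `start`; returns {reachable node: list of (src, rel, dst) edges}."""
    paths = {start: []}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for rel, nxt in adj[cur]:
            if nxt not in paths:
                paths[nxt] = paths[cur] + [(cur, rel, nxt)]
                queue.append(nxt)
    return paths


def effective_access(principal, edges):
    """Everything `principal` can reach transitively: effective, not intended, access."""
    reach = shortest_paths_from(principal, build_adjacency(edges))
    return set(reach) - {principal}


def first_crossing(path, zones):
    """First edge whose target is in a higher zone than its source: the boundary crossing."""
    for src, rel, dst in path:
        if ZONE_RANK[zone_of(dst, zones)] > ZONE_RANK[zone_of(src, zones)]:
            return (src, rel, dst)
    return None


def find_zone_violations(edges, zones):
    """Every (start, target) pair where target sits in a higher zone than start."""
    adj = build_adjacency(edges)
    violations = []
    for start in adj:
        start_rank = ZONE_RANK[zone_of(start, zones)]
        for target, path in shortest_paths_from(start, adj).items():
            if ZONE_RANK[zone_of(target, zones)] > start_rank:
                violations.append({"start": start, "target": target, "path": path,
                                   "crossing": first_crossing(path, zones)})
    return violations


def crossing_edges(violations):
    """Distinct boundary-crossing edges: removing these closes every reported path."""
    return {v["crossing"] for v in violations}


if __name__ == "__main__":
    found = find_zone_violations(EDGES, ZONES)
    for v in found:
        hops = " -> ".join(f"{s} [{r}]" for s, r, _ in v["path"]) + f" -> {v['target']}"
        print(f"{zone_of(v['start'], ZONES)} -> {zone_of(v['target'], ZONES)}: {hops}")
    print("edges to sever:", sorted(crossing_edges(found)))
```

Two things worth noticing in the output: Alice’s ordinary account reaches the production server even though it is only a member of Finance-Users, and the edge to cut is the account linkage itself, not any group membership; and dev-bob’s cloud account reaches Domain Admins through four hops, none of which looks alarming in isolation. Every path is attributed to a single crossing edge, which is the granularity a remediation ticket needs.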
Enforce the Boundaries Your Policies Assume
Security frameworks and IAM models are only as strong as their enforcement. I’ll put it another way: attackers don’t care how carefully you crafted your policies and administrative controls; they use the reality of your identity architecture against you.
Privilege Zones gives you the first technical control that validates and defends your access model—on-premises, in the cloud, and everywhere in between.
Learn more about Privilege Zones today.