Police & Emergency Services

Policing Identity Risk Requires the Same Rigour as Policing Crime.

Police forces handle some of the most sensitive data in UK public life. Identity hygiene — who has access, what they can reach, and whether accounts are properly governed — is the first line of defence against insider threat and external attack.

PSN Compliant Clients  •  NPCC Strategy Aligned  •  Home Office Standards  •  Cyber Essentials Certified  •  Read-Only
The Identity Problem

Why Policing Has an Identity Governance Problem

UK forces operate complex, multi-domain IT estates under PSN obligations while managing high staff turnover, vetting processes, and third-party contractor access — each creating distinct identity risk.

High-Turnover Workforce

Officers retire, resign, transfer between forces, and move to secondment. Civilian staff change frequently. Each departure carries a PSN account lifecycle SLA. Manual leavers processes fail under volume, leaving enabled accounts — some with access to force-wide systems — weeks or months after departure.

Third-Party & Contractor Exposure

Digital forensics contractors, IT managed service providers, and NPoCC programme staff all require domain accounts. Vetting levels expire. Contracts end without triggering account disablement. These accounts persist in Active Directory, often retaining access scoped during the original engagement.

Legacy Integration Service Accounts

CAD systems, HR integrations, and legacy cross-domain trusts left over from NPoCC migration programmes leave service accounts whose passwords have not changed in years. Because these accounts carry service principal names, any authenticated domain user can request a service ticket encrypted under the account's password hash and crack it offline (Kerberoasting); where RC4-HMAC is still permitted, that cracking is fast. They are typically over-privileged as well, and invisible to manual quarterly reviews. The blast radius of a single compromised account can be the entire domain.

Regulatory Mapping

Regulatory Obligations IdentityFirst Addresses

Assessments map findings directly to the policing-specific frameworks that PSN health checks, force accreditors, and HMICFRS inspectors reference.

PSN Code of Connection (CoCo)

Access to the Public Services Network requires demonstrable identity controls. Forces must evidence individual accountability, named admin accounts, MFA on all remote access, and a leavers process that removes access within agreed SLA. PSN health checks regularly identify stale and shared accounts as compliance failures.

  • Stale and shared account enumeration with SLA age
  • Named admin account compliance evidence
  • Leavers process gap identification mapped to CoCo

NPCC Policing Cyber Strategy

The National Police Chiefs' Council Policing Cyber Strategy sets expectations for cyber resilience across all 45 UK forces. Identity and access management — particularly privileged access governance and third-party account management — is a core element of the strategy's technical baseline.

  • Privileged access governance findings aligned to strategy
  • Third-party account management gap analysis
  • Supports evidence for NPCC technical baseline self-assessment

Home Office Official Sensitive Handling

Forces processing Home Office Official Sensitive information must maintain individual access attribution, protect against insider threat through access review disciplines, and evidence timely leavers processes for officers and civilian staff alike.

  • Individual access attribution documentation
  • Insider threat surface identification
  • Supports evidence for leavers process governance

NCSC Cyber Assessment Framework (CAF)

Forces designated as operators of essential services are subject to CAF assessment. Objective B, Principle B2 (Identity and Access Control), requires individually named accounts, MFA, privileged access governance, and access reviews, all of which IdentityFirst output directly supports.

  • CAF Objective B2 identity controls evidence
  • MFA coverage analysis across privileged accounts
  • Supports evidence for access review disciplines

Example Findings

What IdentityFirst Finds in Police Force Environments

Representative findings from a police force identity assessment — the kind of risk present in most force Active Directory estates and invisible to manual quarterly review.

Critical

Former Officer Account — Active Post-Resignation

s.pemberton@northshire-police.pnn.police.uk

Resigned officer. Account active 61 days post-resignation. PSN account lifecycle SLA breach. Retained access to force intranet, HR system, and shared evidence management folder. Insider threat surface.

Blast Radius: Critical — active domain account with access to force intranet and HR system 61 days post-resignation.

Critical

Shared CAD Service Account with Domain Privileges

svc_cad_dispatch

Computer Aided Despatch integration account. Member of Domain Admins (unnecessary — CAD only needs read access to specific OUs). Password last set 2016. Kerberoastable (RC4-HMAC). Blast radius: full domain.

Blast Radius: Critical — Domain Admin membership, an SPN that still accepts RC4-HMAC, and a password unchanged since 2016 mean any authenticated domain user can request a service ticket for this account and crack it offline to obtain Domain Admin.

High

Civilian Contractor Account — Post-Contract

d.fletcher.forensics

Digital forensics contractor. Contract ended 4 months ago. Account not disabled. NPPV vetting expired. Still member of Digital_Forensics_Share_ReadWrite. PSN CoCo violation.

Compliance Gap: PSN CoCo — enabled account with active share access 4 months after contract end. NPPV vetting expired.

High

MFA Exemption — Officer Remote Access Accounts

23 named officer accounts

23 named officer accounts are exempt from the VPN MFA policy through a legacy Conditional Access exclusion group. The exclusion was introduced as a temporary measure for COVID remote working and never removed, so these accounts reach the VPN with a password alone. This puts the Home Office Official Sensitive requirement for strongly authenticated individual access at risk.

Compliance Gap: Home Office Official Sensitive handling — 23 officer accounts with single-factor VPN access due to an unreviewed MFA exemption.
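The finding above is easy to miss because the policy itself still reads as "MFA required for all users"; the gap lives in a group referenced from its exclusion list. The Python below is an added example, not IdentityFirst code, showing how to evaluate exemptions across every policy rather than one. The policy documents follow the shape Microsoft Graph returns for Conditional Access policies (`state`, `conditions.users.excludeGroups`, `grantControls.builtInControls`), but the app id, group ids, user ids and policy names are constructed. A user counts as exempt only when no enforced MFA policy covering the app still includes them; report-only policies are ignored, since they look like coverage in a policy list but block nothing.

```python
"""Added example, not IdentityFirst code: find accounts that a Conditional Access
exclusion group silently carves out of an MFA policy. Policies follow the shape
Microsoft Graph returns for conditionalAccessPolicy; all values are constructed."""

VPN_APP_ID = "app-vpn-gateway"                        # assumed app id of the force VPN
ALL_USERS = {f"officer{i:02d}" for i in range(1, 31)} | {"contractor01", "emergency-admin"}
GROUPS = {                                            # group id -> member user ids (constructed)
    "grp-covid-remote-exempt": {f"officer{i:02d}" for i in range(1, 24)},   # 23 members
    "grp-break-glass": {"emergency-admin"},
}
POLICIES = [                                          # constructed, Graph-shaped
    {"displayName": "CA01 Require MFA for VPN", "state": "enabled",
     "conditions": {"applications": {"includeApplications": [VPN_APP_ID], "excludeApplications": []},
                    "users": {"includeUsers": ["All"], "includeGroups": [], "excludeUsers": [],
                              "excludeGroups": ["grp-covid-remote-exempt", "grp-break-glass"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA02 Require MFA everywhere", "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": ["All"], "excludeApplications": []},
                    "users": {"includeUsers": ["All"], "includeGroups": [], "excludeUsers": [], "excludeGroups": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA03 Require MFA for break-glass", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"], "excludeApplications": []},
                    "users": {"includeUsers": [], "includeGroups": ["grp-break-glass"], "excludeUsers": [], "excludeGroups": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]


def enforces_mfa(policy):
    # Report-only and disabled policies evaluate but never block; only "enabled" counts.
    return policy["state"] == "enabled" and "mfa" in policy["grantControls"].get("builtInControls", [])


def applies_to_app(policy, app_id):
    apps = policy["conditions"]["applications"]
    included = apps.get("includeApplications", [])
    return ("All" in included or app_id in included) and app_id not in apps.get("excludeApplications", [])


def resolve_users(users_block, prefix, groups, all_users):
    """Expand includeUsers/includeGroups (or excludeUsers/excludeGroups) into user ids."""
    named = users_block.get(prefix + "Users", [])
    ids = set(all_users) if "All" in named else set(named)
    for gid in users_block.get(prefix + "Groups", []):
        ids |= groups.get(gid, set())
    return ids


def mfa_exempt_users(policies, app_id, groups, all_users):
    """Users who can reach app_id with no enforced MFA policy applying to them.
    Being excluded from one policy is not a gap if another enforced policy still includes the user."""
    covered = set()
    for p in policies:
        if enforces_mfa(p) and applies_to_app(p, app_id):
            u = p["conditions"]["users"]
            covered |= resolve_users(u, "include", groups, all_users) - resolve_users(u, "exclude", groups, all_users)
    return sorted(set(all_users) - covered)


def exemption_sources(policies, app_id, groups, all_users):
    """For each exempt user, the (policy, exclusion group) pairs that carved them out."""
    exempt = set(mfa_exempt_users(policies, app_id, groups, all_users))
    sources = {}
    for p in policies:
        if not (enforces_mfa(p) and applies_to_app(p, app_id)):
            continue
        for gid in p["conditions"]["users"].get("excludeGroups", []):
            for uid in groups.get(gid, set()) & exempt:
                sources.setdefault(uid, []).append((p["displayName"], gid))
    return sources


if __name__ == "__main__":
    for uid, why in exemption_sources(POLICIES, VPN_APP_ID, GROUPS, ALL_USERS).items():
        print(uid, "->", why)
```

The break-glass account is excluded from CA01 too, but CA03 still enforces MFA on it, so it is correctly not reported; the 23 COVID-exemption members are, with the policy and group that caused it, which is the evidence an accreditor needs to see the exclusion removed or re-justified.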

Medium

Legacy Force Domain Trust — Unreviewed

northshire.pnn.police.uk ↔ northshire-legacy.local

Kerberos trust between northshire.pnn.police.uk and the legacy northshire-legacy.local domain (pre-NPoCC migration). Trust not reviewed in 4 years. Allows lateral movement across the boundary. No current business justification on record.

Blast Radius: High — unreviewed cross-domain Kerberos trust provides a lateral movement path with no documented business justification; trust direction, transitivity and SID filtering state determine how far that path reaches and should be recorded in the review.
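The leaver, contractor and CAD service-account findings above, and the service-account problem described under "Legacy Integration Service Accounts", all come down to a handful of attributes readable with a plain LDAP bind: userAccountControl, servicePrincipalName, msDS-SupportedEncryptionTypes, pwdLastSet and memberOf, joined to a leavers feed from HR. The Python below is an added illustration, not IdentityFirst or IdentityMRI code. It runs over constructed records that mirror the representative findings; the 30-day SLA, the one-year password-age threshold, the hostnames in the SPNs, the `leaveDate` field (an HR join, not an AD attribute) and the simplified blast-radius scheme are all assumptions.

```python
"""Illustrative identity-hygiene checks of the kind behind the findings above.
Added example, not IdentityFirst/IdentityMRI code. Records are constructed to
look like attributes read from Active Directory over LDAP."""
from datetime import datetime, timedelta, timezone

# LDAP filter a read-only bind could use to pull enabled user objects that carry
# an SPN, i.e. Kerberoastable candidates. 1.2.840.113556.1.4.803 is the bitwise
# AND matching rule on userAccountControl; bit 0x2 is ACCOUNTDISABLE.
KERBEROASTABLE_FILTER = (
    "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)

UAC_ACCOUNTDISABLE = 0x0002
ENC_RC4_HMAC = 0x04                 # msDS-SupportedEncryptionTypes bit values
ENC_AES = 0x08 | 0x10               # AES128 | AES256
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
LEAVER_SLA_DAYS = 30                # assumed SLA; forces set their own
STALE_SERVICE_PASSWORD_DAYS = 365   # assumed threshold for SPN accounts
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)   # fixed assessment time


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def is_enabled(rec: dict) -> bool:
    return not rec["userAccountControl"] & UAC_ACCOUNTDISABLE


def is_kerberoastable(rec: dict) -> bool:
    """Enabled user object with an SPN: any authenticated user can request a TGS
    for it encrypted under the account's password hash. krbtgt is excluded."""
    return (is_enabled(rec) and bool(rec.get("servicePrincipalName"))
            and rec["sAMAccountName"].lower() != "krbtgt")


def allows_rc4(rec: dict) -> bool:
    """RC4 tickets are what make offline cracking fast. Absent or zero means the
    domain default, treated here as RC4 (assumption; depends on DC patch level)."""
    enc = rec.get("msDS-SupportedEncryptionTypes", 0)
    return enc == 0 or bool(enc & ENC_RC4_HMAC)


def password_age_days(rec: dict, now: datetime = NOW) -> int:
    return (now - filetime_to_datetime(rec["pwdLastSet"])).days


def leaver_sla_overrun_days(rec: dict, now: datetime = NOW) -> int:
    """Days an enabled account has outlived the leaver SLA, or 0 if none."""
    if "leaveDate" not in rec or not is_enabled(rec):
        return 0
    return max(0, (now - rec["leaveDate"]).days - LEAVER_SLA_DAYS)


def blast_radius(rec: dict, issues: list) -> str:
    """Simplified scoring: privileged group wins outright, then the two findings
    that hand an attacker a usable credential or access path."""
    if set(rec.get("memberOf", [])) & PRIVILEGED_GROUPS:
        return "Critical"
    if "kerberoastable-rc4" in issues or "leaver-sla-breach" in issues:
        return "High"
    return "Medium"


def assess(records: list, now: datetime = NOW) -> dict:
    """Map sAMAccountName -> finding for every record with at least one issue."""
    findings = {}
    for rec in records:
        issues = []
        overrun = leaver_sla_overrun_days(rec, now)
        if overrun:
            issues.append("leaver-sla-breach")
        if is_kerberoastable(rec):
            issues.append("kerberoastable-rc4" if allows_rc4(rec) else "kerberoastable-aes")
        if set(rec.get("memberOf", [])) & PRIVILEGED_GROUPS:
            issues.append("privileged-group")
        if rec.get("servicePrincipalName") and password_age_days(rec, now) > STALE_SERVICE_PASSWORD_DAYS:
            issues.append("stale-service-password")
        if issues:
            findings[rec["sAMAccountName"]] = {"issues": issues, "blast_radius": blast_radius(rec, issues),
                                               "sla_overrun_days": overrun}
    return findings


SAMPLE_RECORDS = [  # constructed records mirroring the findings above; leaveDate is an HR join
    {"sAMAccountName": "s.pemberton", "userAccountControl": 0x200, "memberOf": ["HR_System_Users"],
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=90)), "leaveDate": NOW - timedelta(days=61)},
    {"sAMAccountName": "svc_cad_dispatch", "userAccountControl": 0x10200, "memberOf": ["Domain Admins"],
     "servicePrincipalName": ["HTTP/cad-int.northshire.pnn.police.uk"], "msDS-SupportedEncryptionTypes": ENC_RC4_HMAC,
     "pwdLastSet": datetime_to_filetime(datetime(2016, 3, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "d.fletcher.forensics", "userAccountControl": 0x200, "memberOf": ["Digital_Forensics_Share_ReadWrite"],
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=200)), "leaveDate": NOW - timedelta(days=122)},
    {"sAMAccountName": "svc_hr_sync", "userAccountControl": 0x10200, "memberOf": [],
     "servicePrincipalName": ["MSSQLSvc/hr-db.northshire.pnn.police.uk:1433"], "msDS-SupportedEncryptionTypes": ENC_AES,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=40))},
]

if __name__ == "__main__":
    for name, f in assess(SAMPLE_RECORDS).items():
        print(f"{f['blast_radius']:8} {name:24} {', '.join(f['issues'])}")
```

Note the asymmetry in the output: the AES-only HR sync account is still reported as Kerberoastable, just at a lower severity, because moving an SPN account to AES slows cracking but does not remove the need for a long, rotated password; the CAD account collects all three of RC4, stale password and Domain Admin, which is what makes it the critical one.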

View a complete IdentityMRI sample report →

How It Works

From Connector to Compliance Evidence in 48 Hours

A four-stage read-only pipeline requiring no agents, no production changes, and no access to any policing operational system.

1

Connect

Read-only LDAP and API connectors attach to force Active Directory, Entra ID, and PAM identity stores. No agents installed. No production changes. No access to PSN-connected operational systems, policing databases, or case management systems at any stage.

2

Assess

IdentityMRI™ enumerates every identity, group membership, privilege assignment, and delegation scope across the force estate. 40+ risk checks applied across officers, civilian staff, contractors, and service accounts. Nothing sampled.

3

Prioritise

Each finding is scored by blast radius and mapped to PSN CoCo, NPCC Cyber Strategy, Home Office Official Sensitive handling, and NCSC CAF Objective B2 obligations. Leavers SLA breaches are calculated automatically.

4

Report

Board-ready PDF delivered within 48 hours. Named findings, timestamps, severity classifications, remediation playbooks, and a dedicated PSN compliance evidence pack structured for health check submissions and accreditation review.

What IdentityFirst Does NOT Access

IdentityFirst does not access the PNC, PND, HOLMES2, COMPACT, intelligence systems, case management systems, body-worn video storage, or any policing operational data. All connectors operate read-only against Active Directory, Entra ID, and PAM identity stores only.

  • Police National Computer (PNC)
  • Police National Database (PND)
  • HOLMES2 Case Management
  • COMPACT / Intelligence Systems
  • Body-Worn Video Storage
  • Operational Policing Systems

IdentityFirst connects to: Active Directory (read-only LDAP), Entra ID (read-only Graph API), and PAM identity stores (read-only API). Nothing else.

FAQ

Police & Emergency Services — Common Questions

Straight answers to the questions force ICT security leads, PSN accreditors, and procurement teams ask most often.

Does IdentityFirst access the PNC or any policing intelligence systems?

No. IdentityFirst operates exclusively via read-only connectors against Active Directory, Entra ID, and PAM identity stores. It does not access, connect to, or request access to the Police National Computer, Police National Database, HOLMES2, COMPACT, intelligence systems, case management systems, body-worn video storage, or any operational policing system at any point during the assessment.

The read-only connectors require only a domain service account with LDAP read permissions, or equivalent read-only API credentials for Entra ID and PAM tools. No domain administrator credentials are needed.

How does IdentityFirst support PSN Code of Connection compliance for police forces?

The PSN Code of Connection requires forces to evidence individual account accountability, named admin accounts, MFA on all remote access, and a timely leavers process. IdentityFirst surfaces every stale account, shared account, MFA exemption, and leavers SLA breach across the force Active Directory and Entra ID estate, mapped directly to the relevant CoCo requirement.

The output is structured to support PSN health check submissions and accreditation reviews, providing the timestamped, named-account evidence that PSN assessors require to close identity-related compliance findings.

Can IdentityFirst help with NPCC Cyber Strategy identity controls?

Yes. Findings produced by IdentityFirst map directly to the NPCC Policing Cyber Strategy technical baseline for privileged access governance and third-party account management. Forces can use the assessment output to demonstrate alignment with the strategy's identity and access management expectations and to identify gaps ahead of self-assessment or peer review.

The assessment covers the full spectrum of the strategy's identity-related technical controls: named admin accounts, MFA coverage, contractor account lifecycle, service account hygiene, and legacy trust review.

How does IdentityFirst handle officer vs civilian staff account governance?

IdentityFirst enumerates Active Directory and Entra ID accounts regardless of the user type behind them. Findings cover warranted officers, civilian staff, contractors, and service accounts equally. Where account naming conventions or OU structure allows differentiation between user types, the assessment report groups and labels findings accordingly.

This is particularly relevant for PSN CoCo compliance, where the leavers SLA applies equally to officers leaving the force, civilian staff leaving employment, and contractors whose engagement has ended.

What is the typical blast radius of a compromised police force service account?

IdentityFirst calculates a per-finding blast radius for every account assessed. For shared privileged service accounts — such as CAD integration accounts, legacy directory sync accounts, or HR system service accounts — blast radius typically reaches multiple systems across the force estate.

Where an account holds Domain Admin group membership or carries Kerberoastable SPNs with weak (RC4-HMAC) encryption, the blast radius calculation reflects full domain compromise as a credible outcome. For police force environments with PSN connectivity, the downstream implications extend to PSN-connected systems and shared infrastructure.

Ready to Evidence Your PSN Identity Controls?

Book a live demo to see how IdentityFirst maps your force’s identity estate against PSN CoCo, NPCC Cyber Strategy, and NCSC CAF Objective B2 obligations — or explore a sample report now.


Read-only  •  No agents  •  Findings in 48 hours  •  No access to policing systems  •  UK-hosted & ICO registered