jenkins.yaml file in Jenkins home directory contains the following snippet:

jenkins:
 securityRealm:
   activeDirectory:
     bindPassword: "{*************}"
     customDomain: true
     domains:
     - bindName: "*************************"
       bindPassword: "{************************}"
       name: "*********.com"
       tlsConfiguration: TRUST_ALL_CERTIFICATES
     groupLookupStrategy: AUTO
     removeIrrelevantGroups: false
     startTls: true

On startup Jenkins is configured to use local authentication (presumably the default). It is only when the "Reload existing configuration" button is pressed that AD authentication is configured. I set up a logger for io.jenkins.plugins.casc and no issues are shown, including no indication that the AD config is loaded.

Note: I don't believe this is a security issue, but because the ticket includes the word "security", Jira is only allowing me to create it in the "Security issues" project. I believe the issue is either with the JCASC plugin or the Active Directory plugin.