....has very little unique passwords. All of our locations use generic passwords and everyone shares logins. We have no individual logins for AD or anything.........upper level management does not want to change our current credential policy because it's "convenient to share passwords".....
That's not going to pass.
Convenience != Security
Mitigating factor will be having the current situation documented in terms of all users and all systems. Having a documented plan for remediatation and resolution will be required.