Can brute-force attacks bypass AD protections if an application’s internal brute-force defense is not enforced?

Can brute-force attacks bypass AD protections if an application’s internal brute-force defense is not enforced?

I was informed by an entity that their hospital information system relies on AD for user authentication, with AD configured to detect brute-force attempts. However, the administrator mentioned that the application itself has no additional internal measures to prevent brute-force attacks. Is it still possible for an attacker to perform brute-force attacks directly against the application, bypassing the AD protections?