The first break is usually visibility, followed by inconsistent provisioning and delayed revocation. When two identity estates are merged without a shared model, duplicate accounts, misclassified roles, and stale privileges persist. That creates operational friction and makes it much harder to prove who should have access to what across the combined environment.
Why This Matters for Security Teams
M&A exposes the hardest identity problem first: two governance models that were never designed to coexist. When access rules, approval paths, naming conventions, and offboarding triggers differ across acquired and acquiring environments, the result is not just admin friction. It is prolonged overexposure, unclear ownership, and weak evidence for audit and incident response. NIST’s Cybersecurity Framework 2.0 treats identity as a core governance function, but merger activity often breaks the operating assumptions underneath it.
The same pattern shows up in NHI governance. The Ultimate Guide to NHIs notes that only 5.7% of organisations have full visibility into their service accounts, which is exactly the kind of blind spot that becomes more dangerous during integration. In a combined estate, hidden service accounts, duplicated roles, and stale secrets can persist long after human users have been migrated. In practice, many security teams encounter the real blast radius only after a post-close access review or incident, rather than through intentional merger planning.
How It Works in Practice
Identity governance breaks during M&A because provisioning and revocation are usually treated as system tasks instead of enterprise control decisions. If each environment uses different identity sources, joiner-mover-leaver logic, or role taxonomies, then the merged organisation inherits conflicting truths about who is entitled to what. That is especially risky when non-human identities are involved, because service accounts, API keys, and integrations often outlive employee transitions and are rarely mapped cleanly during acquisition.
Practitioners should expect four failure points. First, duplicate identities appear when the same person or workload exists in both directories. Second, access reviews become unreliable because role definitions do not translate one-to-one. Third, revocation slows down because no single team owns every entitlement path. Fourth, audit evidence fragments across tools, making it hard to show a defensible access model. NHIMG’s State of Non-Human Identity Security reports that only 1.5 out of 10 organisations are highly confident in securing NHIs, which is consistent with the control gap created when M&A teams fail to unify identity governance early.
- Inventory all identities, including service accounts, tokens, API keys, and federated app connections.
- Map legacy roles to a shared access model before enabling cross-tenant trust.
- Revalidate high-risk privileges after each migration wave, not only at the end of the program.
- Automate revocation for accounts and secrets that no longer have a clear owner.
These controls tend to break down when the transaction closes before identity rationalisation, because access is stabilised operationally while governance remains split.
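The following is an added example, not part of the original guidance, showing how the four failure points and the controls above can be checked mechanically across two identity inventories. The inventories, the role-mapping table and the owner list are constructed sample data with a hypothetical schema; a real run would pull them from the two directories, the secrets store and the HR or ownership source of truth.

```python
# Constructed sample inventories for the acquiring (ACQ) and acquired (TGT) estates.
ACQ = [
    {"id": "a1", "kind": "human", "principal": "jane@acq.example", "role": "DB_Admin", "owner": "jane@acq.example"},
    {"id": "a2", "kind": "nhi", "principal": "svc-billing", "role": "App_Deployer", "owner": "ops@acq.example"},
]
TGT = [
    {"id": "t1", "kind": "human", "principal": "Jane@ACQ.example", "role": "dba", "owner": "jane@acq.example"},
    {"id": "t2", "kind": "nhi", "principal": "ci-token-7", "role": "deployer", "owner": ""},
    {"id": "t3", "kind": "nhi", "principal": "legacy-etl", "role": "superuser", "owner": "left@tgt.example"},
]
# Hypothetical shared access model: legacy role name -> (shared role, high-risk flag).
ROLE_MAP = {
    "DB_Admin": ("data-admin", True), "dba": ("data-admin", True),
    "App_Deployer": ("deploy", False), "deployer": ("deploy", False),
}
# Constructed set of owners who still exist after close (HR / ownership source of truth).
CURRENT_OWNERS = {"jane@acq.example", "ops@acq.example"}

def find_duplicates(acq, tgt):
    """Failure point 1: the same principal present in both directories (case-insensitive)."""
    seen = {}
    for rec in acq + tgt:
        seen.setdefault(rec["principal"].strip().lower(), []).append(rec["id"])
    return {p: ids for p, ids in seen.items() if len(ids) > 1}

def map_roles(records, role_map):
    """Failure point 2: translate legacy roles; report records whose role has no shared equivalent."""
    mapped, unmapped = {}, []
    for rec in records:
        if rec["role"] in role_map:
            mapped[rec["id"]] = role_map[rec["role"]]
        else:
            unmapped.append(rec["id"])
    return mapped, unmapped

def revocation_candidates(records, current_owners):
    """Failure point 3: accounts and secrets with no current, valid owner go to automated revocation."""
    return [r["id"] for r in records if r["owner"] not in current_owners]

def reconcile(acq, tgt, role_map, current_owners):
    """Failure point 4: one report that can stand as audit evidence for the merged estate."""
    mapped, unmapped = map_roles(acq + tgt, role_map)
    return {
        "duplicates": find_duplicates(acq, tgt),
        "unmapped_roles": unmapped,
        "revalidate_high_risk": sorted(i for i, (_, high_risk) in mapped.items() if high_risk),
        "revoke": revocation_candidates(acq + tgt, current_owners),
    }
```

Running `reconcile` after each migration wave, rather than once at the end, is what keeps the high-risk revalidation and ownerless-secret lists short enough to act on.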
Common Variations and Edge Cases
Tighter access control during M&A often increases migration overhead, requiring organisations to balance speed against assurance. That tradeoff is real: business teams want continuity, while security teams need proof that inherited access is valid. Best practice is evolving, but current guidance suggests treating identity consolidation as a parallel workstream, not a post-integration cleanup.
Some edge cases need special handling. Shared admin groups may look efficient but can hide excessive privilege across legal entities. Third-party integrations inherited in the deal may continue running on dormant tokens if nobody rekeys them. Cross-border acquisitions can also introduce policy differences that prevent a simple merge of approval chains or retention rules. For that reason, the Lifecycle Processes for Managing NHIs guidance is especially useful when acquisitions expose ownership gaps in workloads that must be offboarded, reissued, or reclassified.
Where teams get stuck is assuming a single target-state directory will solve the problem by itself. It will not, unless entitlement recertification, secret rotation, and application ownership are resolved at the same time. Top 10 NHI Issues is a useful reference for spotting the control failures that often accelerate during merger activity.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA | M&A breaks identity assurance and access governance across merged estates. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Merged estates often expose unmanaged service accounts and stale secrets. |
| CSA MAESTRO | GOV-02 | Agent and workload governance must stay aligned during integration. |
Establish shared governance for identities, secrets, and lifecycle controls before enabling trust.