They often assume the main challenge is directory migration, when the bigger problem is inherited trust inconsistency. If authentication remains uneven and admin sprawl stays intact, centralisation becomes a reporting layer rather than a real control improvement.
Why This Matters for Security Teams
After acquisitions, centralised identity governance is often treated as a directory consolidation exercise, but the real risk is inherited trust inconsistency. Different authentication strengths, stale privileged accounts, and duplicated admin pathways can survive long after the merger paperwork is done. NIST Cybersecurity Framework 2.0 emphasises governance and access control as operational functions, not just inventory tasks, which is why reporting alone does not reduce exposure.
NHIMG’s Ultimate Guide to NHIs frames identity lifecycle control as a security discipline, not an admin cleanup project, and the same logic applies after acquisitions. If the acquired environment keeps its own exception culture, central governance simply documents divergence instead of removing it. The result is a false sense of control, especially where privileged access, service accounts, and orphaned entitlements were never standardised in the first place. In practice, many security teams encounter identity “centralisation” only after lateral movement or privilege abuse has already exposed the gaps.
How It Works in Practice
Effective post-acquisition identity governance starts by mapping trust relationships, not just directories. Teams need to identify which accounts authenticate where, which privileged paths still bypass central policy, and where local admin rights were inherited as a convenience during integration. NHIMG’s Top 10 NHI Issues is relevant here because the same patterns that create NHI sprawl also create acquisition sprawl: weak lifecycle control, poor visibility, and inconsistent rotation or revocation.
Practically, that means:
- Establishing a common trust baseline before directory migration, including MFA strength, joiner-mover-leaver controls, and privileged account review.
- Separating authentication standardisation from authorisation cleanup so hidden admin rights do not survive behind a unified login layer.
- Revalidating service accounts, API keys, and other secrets that were never subject to the acquiring organisation’s rotation or ownership rules.
- Using access analytics to find dormant entitlements, local break-glass accounts, and vendor-linked pathways that bypass central review.
The evidence base supports this caution. According to The 2024 State of Secrets Management Survey, 43% of organisations cite lack of central management as a driver of dissatisfaction, which mirrors what happens when acquisitions unify reporting without unifying enforcement. For implementation guidance, NIST Cybersecurity Framework 2.0 provides the control-oriented language teams need to connect identity governance to measurable access outcomes. These controls tend to break down when acquired subsidiaries keep separate admin domains, because central policy cannot remove permissions it never truly controls.
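To make the four practical steps concrete, here is an added example (not code from the original guidance or from NHIMG) of the kind of access-analytics pass a team can run over an exported inventory of the acquired environment. It checks each account against an assumed trust baseline of the acquiring organisation (the `BASELINE` values, the `Account` fields and every account record are hypothetical, constructed for the example) and reports the inherited inconsistencies the guidance names: MFA below baseline, privileged paths that bypass central policy, inherited local admin rights, service-account secrets with no owner or no rotation, and dormant entitlements. It then orders remediation the way the guidance suggests, privileged and externally exposed identities first.

```python
"""Post-acquisition identity trust-baseline audit (added example; the
baseline, the Account schema and all account records are constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed trust baseline of the acquiring organisation (hypothetical values).
BASELINE = {
    "mfa_min": "phishing_resistant",  # minimum MFA strength for human accounts
    "secret_max_age_days": 90,        # rotation limit for service-account secrets
    "dormant_days": 60,               # entitlement unused this long counts as dormant
    "priv_review_days": 30,           # privileged accounts need a review this recent
}
MFA_RANK = {"none": 0, "otp": 1, "push": 2, "phishing_resistant": 3}


@dataclass
class Account:
    name: str
    kind: str                        # "human" or "service"
    mfa: str                         # a key of MFA_RANK
    privileged: bool
    central_policy: bool             # authenticates through the central policy layer
    local_admin: bool                # inherited local admin rights
    external: bool                   # reachable from outside (vendor, API, CI/CD)
    owner: Optional[str]             # None = no accountable owner on record
    secret_age_days: Optional[int]   # service accounts only; None = never rotated
    last_used_days: int              # days since the account last authenticated
    last_review_days: Optional[int]  # None = never reviewed


def check_account(a: Account, b=BASELINE) -> List[str]:
    """Return the baseline violations found for one account."""
    issues = []
    if a.kind == "human" and MFA_RANK[a.mfa] < MFA_RANK[b["mfa_min"]]:
        issues.append("weak_mfa")
    if a.privileged and not a.central_policy:
        issues.append("bypasses_central_policy")
    if a.local_admin:
        issues.append("inherited_local_admin")
    if a.kind == "service":
        if a.secret_age_days is None or a.secret_age_days > b["secret_max_age_days"]:
            issues.append("stale_secret")
        if a.owner is None:
            issues.append("no_owner")
    if a.last_used_days > b["dormant_days"]:
        issues.append("dormant_entitlement")
    if a.privileged and (a.last_review_days is None
                         or a.last_review_days > b["priv_review_days"]):
        issues.append("privileged_unreviewed")
    return issues


def audit(accounts: List[Account]) -> Dict[str, List[str]]:
    """Group account names by the way they diverge from the baseline."""
    by_issue: Dict[str, List[str]] = {}
    for a in accounts:
        for issue in check_account(a):
            by_issue.setdefault(issue, []).append(a.name)
    return by_issue


def prioritise(accounts: List[Account]) -> List[str]:
    """Remediation order: privileged and externally exposed identities first,
    then by the number of violations. The weights are an assumption."""
    def score(a: Account) -> int:
        return len(check_account(a)) + (3 if a.privileged else 0) + (2 if a.external else 0)
    return [a.name for a in sorted(accounts, key=score, reverse=True)]


# Constructed inventory of an acquired environment (sample data, not real).
ACQUIRED = [
    Account("alice", "human", "otp", True, True, False, False, "alice", None, 3, 10),
    Account("bob", "human", "phishing_resistant", True, False, True, False, "bob", None, 5, None),
    Account("svc-ci-deploy", "service", "none", True, True, False, True, None, 400, 1, 5),
    Account("carol", "human", "phishing_resistant", False, True, False, False, "carol", None, 120, None),
    Account("breakglass-dc1", "human", "none", True, False, True, False, "ops", None, 200, None),
    Account("svc-vendor-sync", "service", "none", False, True, False, True, "vendor-ops", 30, 2, None),
]

if __name__ == "__main__":
    for issue, names in audit(ACQUIRED).items():
        print(f"{issue:24s} {', '.join(names)}")
    print("remediation order:", prioritise(ACQUIRED))
```

The separation of `check_account` (per-account rules) from `audit` (grouping) mirrors the second bullet above: the MFA check is about authentication, while the local-admin, bypass and dormancy checks are about authorisation, and keeping them as distinct findings stops a clean login layer from hiding inherited rights underneath it. Run against a real export, the same structure lets a team add rules for vendor-linked pathways or break-glass accounts without touching the reporting.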
Common Variations and Edge Cases
Tighter central governance often increases integration effort, requiring organisations to balance speed of merger execution against the cost of remediating legacy trust. That tradeoff is especially sharp when the acquired company runs separate cloud tenants, managed service providers, or regulated business units with different privilege models.
Best practice is evolving around whether identity should be unified before or after workload migration. There is no universal standard for this yet, but current guidance suggests prioritising high-risk privileges and externally exposed identities first, then working outward to lower-risk populations. This is particularly important where non-human identities are embedded in CI/CD pipelines or third-party integrations, because those credentials are easy to overlook during human-centric merger work.
NHIMG’s 52 NHI Breaches Analysis shows how often hidden trust and credential sprawl create breach pathways that central dashboards miss. External authorities such as NIST Cybersecurity Framework 2.0 help define the governance target, but acquisition teams still need environment-specific exception handling for legal holds, carve-outs, and shared operations. The practical lesson is simple: if a merger preserves inherited exceptions for too long, central identity governance becomes a record-keeping function rather than a control boundary.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Post-acquisition access control must be standardized, not just documented. |
| NIST CSF 2.0 | GV.OC-1 | Governance must define the risk outcomes of identity integration after M&A. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Acquisitions often leave non-human identities unmanaged across inherited systems. |
Define merger identity objectives and ownership so centralization improves control, not just reporting.