Non-Human & AI Identity Journal

How should security teams assess identity risk before an acquisition closes?

They should compare documented access with live entitlements across human, privileged, and non-human identities. The goal is to find orphaned accounts, stale exceptions, and hidden trust paths before the deal is approved, because inheritance is the point at which acquisition risk becomes permanent.

Why This Matters for Security Teams

Acquisition reviews often focus on systems, contracts, and compliance artifacts, but identity is where inherited access becomes durable. Once a deal closes, hidden service accounts, dormant admin grants, and third-party OAuth paths can move from temporary exposure to permanent organisational risk. That is especially true for non-human identities, where ownership is often unclear and monitoring is weaker than for employees. NHI Management Group’s Ultimate Guide to NHIs notes that only 5.7% of organisations have full visibility into service accounts.

For M&A teams, the practical question is not whether access exists, but whether it is documented, justified, and revocable before integration. The review should compare directory records, privileged access stores, cloud entitlements, application tokens, and machine-to-machine trust paths. NIST’s Cybersecurity Framework 2.0 reinforces that governance and asset visibility are prerequisites for risk treatment, not post-close cleanup items. In practice, many security teams discover the most consequential identity gaps only after systems have already been merged and exceptions have become inherited access.

How It Works in Practice

A pre-close identity assessment should start with a complete inventory of human, privileged, and non-human identities, then reconcile that inventory against live entitlements in cloud, SaaS, on-prem, CI/CD, and partner integrations. The objective is to identify mismatches before the acquisition becomes binding: orphaned accounts, stale break-glass access, shared service credentials, unmanaged API keys, and externally granted OAuth permissions. The Ultimate Guide to NHIs highlights that 97% of NHIs carry excessive privileges, which makes entitlement reconciliation more than a hygiene exercise.

Security teams should validate each access path using owner, purpose, last-use, expiration, and business criticality. For NHIs, also verify rotation status, vault location, and whether the credential is tied to a named system, pipeline, or vendor contract. Where possible, use evidence from SIEM, cloud audit logs, IAM exports, secret managers, and application registration APIs rather than relying on spreadsheets alone. The 52 NHI Breaches Analysis is useful here because it shows how often compromise follows weak ownership and poor credential lifecycle control.

  • Map all identity stores, then deduplicate accounts across acquired and acquiring environments.
  • Flag dormant, shared, and over-privileged identities for immediate review.
  • Confirm whether machine credentials are vaulted, rotated, and assigned to a business owner.
  • Test whether third-party and partner access can be revoked without breaking critical workflows.
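The reconciliation described above, as an added example that is not the page's own code or from NHI Management Group: a small Python script that compares a constructed "documented" register (owner, purpose, exception expiry) against a constructed live entitlement export (privileges, last use, credential metadata) and emits the finding codes the four steps call for. The thresholds (90-day dormancy, 180-day rotation), the field names and all identities are assumptions for illustration; a real run would feed it IAM and secret-manager exports.

```python
"""Pre-close identity reconciliation: compare what the target has documented
with what its IAM/cloud exports actually show. Added example with constructed
data; thresholds and field names are assumptions, not from any vendor tool."""
from collections import defaultdict
from datetime import date

AS_OF = date(2025, 6, 1)   # review date (constructed)
DORMANT_DAYS = 90          # assumed thresholds; tune per deal
ROTATION_DAYS = 180

# The target's documented register: principal -> owner, purpose, exception expiry.
DOCUMENTED = {
    "svc-billing":   {"owner": "fin-platform", "purpose": "invoice sync", "expires": None},
    "svc-ci-deploy": {"owner": "devx", "purpose": "prod deploy", "expires": None},
    "breakglass-01": {"owner": "sre-oncall", "purpose": "emergency access", "expires": date(2024, 12, 31)},
    "alice@target":  {"owner": "alice@target", "purpose": "engineer", "expires": None},
    "svc-reporting": {"owner": "data-eng", "purpose": "nightly report", "expires": None},
}

# Live entitlement export (constructed): privileges, last use, credential metadata.
LIVE = [
    {"principal": "svc-billing", "kind": "nhi", "privs": ["billing:read", "billing:write"],
     "last_used": date(2025, 5, 30), "cred": {"id": "k-111", "vaulted": True, "rotated": date(2025, 3, 1)}},
    {"principal": "svc-ci-deploy", "kind": "nhi", "privs": ["*"],
     "last_used": date(2025, 5, 31), "cred": {"id": "k-222", "vaulted": False, "rotated": date(2023, 1, 1)}},
    {"principal": "svc-legacy-etl", "kind": "nhi", "privs": ["s3:*"],
     "last_used": date(2024, 9, 1), "cred": {"id": "k-222", "vaulted": False, "rotated": date(2023, 1, 1)}},
    {"principal": "breakglass-01", "kind": "human", "privs": ["iam:*"],
     "last_used": date(2024, 11, 2), "cred": None},
    {"principal": "alice@target", "kind": "human", "privs": ["repo:write"],
     "last_used": date(2025, 5, 29), "cred": None},
    {"principal": "bob@target", "kind": "human", "privs": ["admin"],
     "last_used": date(2025, 1, 10), "cred": None},
]

WEAK_CONTROL = {"ORPHANED", "EXPIRED_EXCEPTION", "DORMANT",
                "SHARED_CREDENTIAL", "UNVAULTED", "STALE_ROTATION"}


def _is_broad(priv):
    """Crude over-privilege test: wildcard or admin-style grants."""
    return priv == "*" or priv.endswith(":*") or priv == "admin"


def reconcile(documented, live, as_of=AS_OF):
    """Return {principal: [finding codes]} for every mismatch between the two views."""
    findings = defaultdict(list)
    # Credential id -> principals presenting it; more than one means a shared secret.
    users_of = defaultdict(set)
    for rec in live:
        if rec["cred"]:
            users_of[rec["cred"]["id"]].add(rec["principal"])
    seen = set()
    for rec in live:
        p = rec["principal"]
        seen.add(p)
        doc = documented.get(p)
        if doc is None or not doc.get("owner"):
            findings[p].append("ORPHANED")            # live, but nobody owns it on paper
        elif doc.get("expires") and doc["expires"] < as_of:
            findings[p].append("EXPIRED_EXCEPTION")   # stale break-glass or time-boxed grant
        if (as_of - rec["last_used"]).days > DORMANT_DAYS:
            findings[p].append("DORMANT")
        if any(_is_broad(x) for x in rec["privs"]):
            findings[p].append("OVERPRIVILEGED")
        cred = rec["cred"]
        if cred and rec["kind"] == "nhi":             # machine credentials: vault + rotation checks
            if len(users_of[cred["id"]]) > 1:
                findings[p].append("SHARED_CREDENTIAL")
            if not cred["vaulted"]:
                findings[p].append("UNVAULTED")
            if (as_of - cred["rotated"]).days > ROTATION_DAYS:
                findings[p].append("STALE_ROTATION")
    # Documented but absent from the export: the register itself is stale.
    for p in documented:
        if p not in seen:
            findings[p].append("DOCUMENTED_NOT_LIVE")
    return dict(findings)


def closing_blockers(findings):
    """Broad reach combined with any weak-control signal: treat as a closing condition."""
    return sorted(p for p, f in findings.items()
                  if "OVERPRIVILEGED" in f and WEAK_CONTROL & set(f))


if __name__ == "__main__":
    result = reconcile(DOCUMENTED, LIVE)
    for p, f in sorted(result.items()):
        print(f"{p:16} {', '.join(f)}")
    print("closing blockers:", closing_blockers(result))
```

The two-way comparison matters: a principal that is live but undocumented is an orphan, while a documented principal missing from the export means the register itself cannot be trusted as evidence. The shared-credential check works on the credential identifier rather than the principal name, which is how a single key reused by a CI role and a forgotten ETL job surfaces.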

Current guidance suggests identity due diligence should feed deal-risk decisions, not just post-merger remediation. These controls tend to break down when the target uses shadow IT, unmanaged SaaS apps, or contractor-run automation because entitlement data is incomplete and ownership cannot be proven quickly enough.

Common Variations and Edge Cases

Tighter identity review often increases deal friction, requiring organisations to balance transaction speed against certainty about inherited access. That tradeoff is unavoidable when the target has weak IAM maturity, but best practice is evolving toward risk-tiered review rather than a single binary approval.

For regulated environments, the bar is higher if the acquisition introduces payment data, critical infrastructure, or cross-border processing. In those cases, teams should treat unresolved privileged access as a closing condition, not a clean-up ticket. Where the target relies heavily on agentic automation or service-to-service orchestration, the review should also check for chained permissions and hidden trust between workloads, because a single token can represent broad downstream reach. Industry consensus is not complete on the exact minimum evidence set for NHI diligence, but there is broad agreement that relying on human account reviews alone is insufficient.
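The chained-permission check described above, as an added example that is not from the page or any vendor: the trust graph, principal names, mechanism labels and the list of "sensitive" grants are all constructed assumptions. A breadth-first walk over every "can obtain credentials for" edge yields the effective privilege set a single token really represents, and the shortest chain to a sensitive grant for identities whose direct grants look harmless.

```python
"""Chained-permission reach: follow every 'can act as' edge from a starting
identity and report the effective privilege union plus the shortest chain to a
sensitive grant. Added example with a constructed trust graph; names and
mechanism labels are illustrative assumptions."""
from collections import defaultdict, deque

# (source, target, mechanism): source can obtain credentials for target.
TRUST = [
    ("gha-oidc:target/repo-a", "role/ci-deploy", "oidc-federation"),
    ("role/ci-deploy", "role/artifact-push", "assume-role"),
    ("role/artifact-push", "role/prod-admin", "assume-role"),      # the hidden hop
    ("svc-orchestrator", "svc-worker", "token-exchange"),
    ("svc-worker", "svc-db-migrator", "token-exchange"),
    ("partner-app", "svc-worker", "oauth-client-credentials"),  # third-party entry point
]

# Privileges each principal holds directly, before any chaining (constructed).
DIRECT_GRANTS = {
    "gha-oidc:target/repo-a": set(),
    "role/ci-deploy": {"ecr:GetAuthorizationToken"},
    "role/artifact-push": {"ecr:PutImage"},
    "role/prod-admin": {"*"},
    "svc-orchestrator": {"queue:publish"},
    "svc-worker": {"queue:consume"},
    "svc-db-migrator": {"db:ddl"},
    "partner-app": set(),
}

# Grants the review treats as sensitive (assumed list; tune per environment).
SENSITIVE = {"*", "iam:*", "db:ddl"}


def reach(start, trust=TRUST, grants=DIRECT_GRANTS):
    """BFS over assumable identities.

    Returns (principals reachable incl. start, effective privilege union,
    shortest chain to the first principal holding a sensitive grant, or None)."""
    adj = defaultdict(list)
    for src, dst, _mech in trust:
        adj[src].append(dst)
    path_to = {start: [start]}
    effective = set(grants.get(start, set()))
    sensitive_chain = [start] if grants.get(start, set()) & SENSITIVE else None
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in adj[cur]:
            if nxt in path_to:
                continue                      # already reached by a shorter or equal chain
            path_to[nxt] = path_to[cur] + [nxt]
            effective |= grants.get(nxt, set())
            if sensitive_chain is None and grants.get(nxt, set()) & SENSITIVE:
                sensitive_chain = path_to[nxt]
            queue.append(nxt)
    return set(path_to), effective, sensitive_chain


def hidden_escalations(trust=TRUST, grants=DIRECT_GRANTS):
    """Principals whose direct grants look harmless but whose chained reach is sensitive."""
    out = {}
    for p in grants:
        if grants[p] & SENSITIVE:
            continue   # sensitive on paper already; a direct-grant review would catch it
        _, _, chain = reach(p, trust, grants)
        if chain:
            out[p] = chain
    return out


if __name__ == "__main__":
    for p, chain in hidden_escalations().items():
        print(f"{p}: {' -> '.join(chain)} ({len(chain) - 1} hops)")
```

Two things this surfaces that a per-account entitlement review does not: the CI workflow's federated identity, which holds no direct grants at all, reaches a full-admin role three hops away; and the partner application, which likewise holds nothing directly, reaches schema-changing database access through the orchestration layer. Both are candidates for the revocation test in the checklist, and both would be invisible if only `role/prod-admin` and `svc-db-migrator` were reviewed.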

If the target cannot produce authoritative identity ownership records, current guidance suggests compensating controls such as immediate JIT access, temporary isolation of integrations, and accelerated post-close remediation. That approach reduces exposure, but it does not remove the underlying risk. The hard cases are acquisitions with outsourced operations or acquired subsidiaries that have been running independently for years, because identity sprawl is often embedded in how the business actually functions.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control expectations practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 (Improper Offboarding) | Pre-close reviews must find NHIs that were never offboarded, together with exposed and over-privileged ones.
NIST CSF 2.0 | ID.AM-01 / PR.AA-01 | Asset inventory (ID.AM) and managed identities and credentials (PR.AA-01) are the basis for acquisition risk assessment.
NIST AI RMF | GOVERN | Governance is needed to assign accountability for inherited AI and automation identities.

Inventory every NHI, confirm ownership, and remove or contain excessive access before closing.