Look for evidence that privileged users are inventoried, logging is retained long enough to support incident reconstruction, and legacy access is being reduced rather than tolerated. If the team cannot quickly explain who has access, why they have it, and when it will be reviewed, the controls are not yet effective.
Why This Matters for Security Teams
After a merger, identity control effectiveness is not proven by policy documents or a completed directory import. It is proven by whether privileged access can be explained, reduced, and reviewed across both inherited environments. That matters because merger activity usually multiplies service accounts, stale entitlements, and duplicate admin paths before teams have time to rationalise them. NIST’s Cybersecurity Framework 2.0 treats governance and access control as operational outcomes, not paper exercises.
NHI risk is especially visible in post-merger environments, where inherited accounts and secrets often outlive the systems that created them. NHIMG’s Ultimate Guide to NHIs shows how weak visibility, excessive privilege, and poor rotation routinely undermine identity assurance. The practical test is whether the merged organisation can inventory who has access, prove why that access exists, and show a scheduled path to removal or reduction. In practice, many security teams discover the control gap only after legacy access has already been used in an incident or audit finding.
How It Works in Practice
Security teams should validate identity controls after a merger by testing evidence, not claims. Start with a complete inventory of users, service accounts, API keys, and delegated app access across both legacy environments. Then check whether each privileged identity has an owner, a business purpose, a review date, and a revocation path. If those fields are missing, the control is not functioning even if the account technically exists in a directory.
Effective post-merger identity control usually depends on four observable signals:
- Privileged identities are classified and mapped to a business owner.
- Access is reduced to the minimum required for current operations.
- Logs are retained long enough to reconstruct admin and authentication activity.
- Legacy credentials are rotated, disabled, or removed on a defined schedule.
For non-human identities, the bar is higher because secrets and tokens often persist outside standard joiner-mover-leaver workflows. The 52 NHI Breaches Analysis and the Top 10 NHI Issues both reinforce the same operational lesson: visibility and rotation matter as much as authentication. A merged environment should therefore be tested for privileged account sprawl, duplicate admin roles, dormant secrets, and logging gaps across the acquisition boundary.
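One way to turn the evidence test above (owner, business purpose, review date, revocation path per privileged identity, plus dormant secrets, duplicate admin paths and logging gaps across the acquisition boundary) into a repeatable check, as an added example that is not from the original page or NHIMG's own tooling: a small Python script run over a constructed inventory of human and non-human identities from two hypothetical legacy environments. The environment names, records, the 90-day dormancy threshold and the 365-day log retention requirement are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Identity:
    name: str
    env: str                               # legacy environment it was inherited from
    kind: str                              # "human" or "nhi" (service account, key, app)
    owner: Optional[str] = None            # accountable business owner
    purpose: Optional[str] = None          # documented business purpose
    review_date: Optional[date] = None     # next scheduled access review
    revocation_path: Optional[str] = None  # how the access gets removed
    admin_roles: set = field(default_factory=set)
    last_used: Optional[date] = None       # last authentication seen in logs

def governance_gaps(privileged, today, dormant_days=90):
    """Control fields each privileged identity fails; unused NHIs become dormant secrets."""
    gaps = {}
    for i in privileged:
        found = []
        if not i.owner: found.append("no owner")
        if not i.purpose: found.append("no business purpose")
        if i.review_date is None: found.append("no review date")
        elif i.review_date < today: found.append("review overdue")
        if not i.revocation_path: found.append("no revocation path")
        if i.kind == "nhi" and i.last_used and (today - i.last_used).days > dormant_days:
            found.append("dormant secret")
        if found: gaps[i.name] = found
    return gaps

def duplicate_admin_paths(identities):
    """Admin roles present in more than one legacy environment (duplicate admin paths)."""
    envs_by_role = {}
    for i in identities:
        for role in i.admin_roles:
            envs_by_role.setdefault(role, set()).add(i.env)
    return sorted(r for r, envs in envs_by_role.items() if len(envs) > 1)

def logging_gaps(retention_days_by_env, required_days=365):
    """Environments whose log retention is too short to reconstruct admin activity."""
    return sorted(e for e, d in retention_days_by_env.items() if d < required_days)

TODAY = date(2024, 6, 1)  # constructed reference date for the review
SAMPLE = [  # constructed privileged identities from two hypothetical legacy environments
    Identity("alice", "acme", "human", "IT Ops", "Domain admin", date(2024, 9, 1), "JML ticket", {"DomainAdmin"}),
    Identity("beta-backup-svc", "beta", "nhi", None, "Backup job", date(2023, 12, 1), None, {"DomainAdmin"}, date(2024, 1, 15)),
    Identity("ci-deploy-token", "beta", "nhi", "Platform", None, date(2024, 8, 1), "Vault revoke", set(), date(2024, 5, 30)),
]
RETENTION = {"acme": 400, "beta": 30}  # constructed log retention in days per environment
```

Calling `governance_gaps(SAMPLE, TODAY)`, `duplicate_admin_paths(SAMPLE)` and `logging_gaps(RETENTION)` gives the three lists an assessor would put in front of the merged team: which privileged identities cannot be explained, which admin role exists on both sides of the boundary, and which environment cannot support incident reconstruction.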
Controls tend to break down when the acquired business keeps separate IAM tooling, because inconsistent naming, incomplete log forwarding, and delayed deprovisioning make it impossible to prove effective access governance.
Common Variations and Edge Cases
Tighter identity control often increases operational overhead, requiring organisations to balance risk reduction against migration speed and business continuity. That tradeoff becomes sharp in mergers where the acquired company runs regulated workloads, external customer portals, or legacy platforms that cannot be re-platformed quickly. Current guidance suggests treating those cases as time-bound exceptions, not permanent access models.
Some environments need extra caution. Shared administrative break-glass accounts may be acceptable for continuity, but they should be rare, monitored, and reviewed after each use. Third-party OAuth apps, managed service accounts, and automation tokens can also mask inherited privilege, so teams should not limit review to human users alone. NIST’s identity guidance and NHIMG’s research on NHI exposure both point to the same issue: the most dangerous access is often the least visible. In merged estates, that usually means credential sprawl hidden in CI/CD pipelines, scripts, and vendor integrations.
There is no universal standard for how quickly all legacy access must disappear after a merger. Best practice is evolving toward short review cycles, explicit expiry dates, and continuous attestation rather than annual cleanup. If the organisation cannot show that privileged access is shrinking over time, the merger has merely consolidated risk instead of controlling it.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Post-merger access review hinges on rotating and retiring inherited NHI credentials. |
| NIST CSF 2.0 | PR.AC-1 | Access management is the clearest way to test whether merged identity controls work. |
| NIST AI RMF | | Governance and accountability are essential when identity sprawl comes from merger integration. Use AI RMF governance practices to assign ownership, review cadence, and escalation paths for identity risk. |