The acquiring or acquired vendor does not absorb accountability for the customer. The organisation still owns access decisions, lifecycle governance, and audit evidence. Security and IAM leaders need a clear operating model that assigns responsibility for controls before integration changes the tooling stack.
Why This Matters for Security Teams
After an acquisition, identity security usually becomes a governance problem before it becomes a tooling problem. The hard question is not which platform survives the merger, but who still owns access approvals, privileged paths, secret rotation, and evidence when two operating models collide. NHI risk rises quickly because inherited service accounts, OAuth grants, and automation tokens rarely map cleanly into the new control stack. NHIMG’s State of Non-Human Identity Security found that only 1.5 out of 10 organisations are highly confident in securing NHIs, while NIST Cybersecurity Framework 2.0 still expects clear ownership for governance, protection, and recovery.
That matters because accountability does not transfer automatically with the asset purchase. The customer or operating organisation still sets policy, approves exceptions, and answers auditors, even when the acquired vendor continues to run parts of the stack. In practice, many security teams encounter ambiguous ownership only after a stale token, over-privileged integration, or missing log trail has already been exposed.
How It Works in Practice
The practical model is to separate system operation from control ownership. The acquired team may administer the platform, but the buying organisation retains accountability for who can access what, how long credentials live, how exceptions are approved, and how audit evidence is preserved. That distinction should be written into the transition services agreement, the target operating model, and the post-close control register.
For identity security, this usually means assigning named owners for:
- Access approval and revocation for human and non-human identities
- Secret rotation, key custody, and emergency break-glass procedures
- Logging, monitoring, and evidence retention across both estates
- Exception handling when legacy integrations cannot be migrated immediately
Current guidance suggests using a control framework to prevent gaps during integration. NIST’s CSF 2.0 is useful for assigning governance and recovery ownership, while NHIMG’s Top 10 NHI Issues highlights why rotation, over-privilege, and visibility failures tend to surface during platform change. The operational rule is simple: if the customer depends on the integration, the customer owns the risk decision even if the vendor runs the tooling.
That same rule should extend to evidence. Audit artefacts, approval trails, and exception logs must be retained in a place the accountable organisation can actually produce after the acquisition closes. These controls tend to break down when responsibility is split across legal entities but incident response still depends on the acquired vendor’s administrators.
Common Variations and Edge Cases
Tighter integration often reduces duplication but increases transition overhead, requiring organisations to balance speed against control clarity. In some deals, the acquired vendor keeps operating a managed service for a defined period, and that can blur accountability unless the contract states who approves access, who rotates secrets, and who signs off on residual risk. There is no universal standard for this yet, but best practice is evolving toward explicit control ownership matrices rather than informal “shared responsibility” language.
Another edge case is when identity tooling is migrated before the underlying processes. Replacing the IAM platform without harmonising approvals, lifecycle rules, and audit retention simply moves the ambiguity into a new console. The same caution applies to third-party OAuth connections and service accounts inherited from the target environment, especially when the business has not completed its inventory. NHIMG’s 52 NHI Breaches Analysis shows how quickly unmanaged non-human access becomes a breach pathway once visibility is lost.
For merger scenarios, the safest assumption is that accountability remains with the organisation that set the business decision to acquire, integrate, or continue the service. The vendor may execute controls, but the customer must own the outcome.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OV-01 | Clarifies who owns governance outcomes after integration. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Rotation and lifecycle gaps often appear during acquisition integrations. |
| NIST AI RMF | Accountability for autonomous decision paths must be explicit during change. |
Inventory inherited NHIs and enforce rotation, revocation, and exception tracking under one operating model.
Related resources from NHI Mgmt Group
- Who is accountable when identity security controls fail across IAM, PAM, and NHI programmes?
- How do organisations keep identity security improvements from stalling after the first rollout?
- Who remains accountable when identity operations are outsourced?
- Who is accountable when access remains active after a leaver event?
