Read-only Pre-close Assessment

A pre-integration review that inspects a target environment without changing mail flow or access configuration. It gives defenders a safe way to inventory accounts, apps, and exposure before the acquisition closes, which is often the last reliable point to measure inherited risk cleanly.

Expanded Definition

Read-only Pre-close Assessment is a controlled due-diligence activity used before an acquisition closes to inspect a target’s identity and access environment without modifying mail flow, authentication, or account settings. In NHI practice, it is narrower than a full technical integration assessment because the goal is evidence collection, not remediation or cutover. That distinction matters: an assessment can reveal service accounts, API keys, certificates, privileged automation, and external dependencies while preserving the target state for legal, operational, and forensic accuracy.

Definitions vary across vendors, but the common security principle is consistent with NIST Cybersecurity Framework 2.0: understand assets and exposure before changing them. In NHI governance, the read-only constraint also helps prevent accidental lockouts, evidence contamination, or premature trust decisions. It is especially valuable when the buyer has not yet received administrative control or when the target’s environment is too fragile to alter safely.

The most common misapplication is treating the assessment as a lightweight onboarding task, which occurs when teams start making changes before closing or before legal approval to intervene.

Examples and Use Cases

Implementing a read-only pre-close assessment rigorously often introduces a timing constraint, requiring organisations to balance speed of deal execution against the need for complete identity evidence.

  • Inventorying service accounts, machine identities, and application secrets in a target tenant before post-merger access planning begins, using the visibility approach discussed in the Ultimate Guide to NHIs.
  • Reviewing privilege breadth across automation pipelines to identify where inherited access could violate least privilege after close, consistent with NIST-aligned identity governance.
  • Mapping mail flow, token issuers, and certificate dependencies without reconfiguring them, so the buyer can estimate where integration failure would create service interruption.
  • Checking for exposed secrets in code repositories, config files, and CI/CD systems before any operational handoff, a pattern tied to recurring NHI exposure in the Ultimate Guide to NHIs.
  • Using SPIFFE concepts as a reference point when documenting workload identity boundaries, especially in environments with service-to-service trust relationships.
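
The inventory and privilege-breadth checks above, as an added example that is not part of the original page: a read-only assessment pass over a constructed inventory export (the field names and thresholds are assumptions, not any vendor's schema) that flags privileged roles, aged credentials, stale identities and external token issuers, and verifies that it left the evidence untouched.

```python
"""Read-only pre-close NHI assessment over a constructed inventory export."""
import copy
from collections import Counter, namedtuple

# Constructed sample export; the field names are a hypothetical schema,
# not any vendor's real API response.
TENANT_EXPORT = [
    {"name": "svc-backup", "roles": ["Owner"], "secret_age_days": 900,
     "last_used_days": 400, "issuer": "login.target.internal"},
    {"name": "ci-deployer", "roles": ["Contributor"], "secret_age_days": 30,
     "last_used_days": 1, "issuer": "spiffe://target.example"},
    {"name": "mail-relay", "roles": ["Mail.Send"], "secret_age_days": 200,
     "last_used_days": 2, "issuer": "partner-idp.example.com"},
]

# Assessment thresholds (assumed policy values; adjust per engagement)
PRIVILEGED_ROLES = {"Owner", "Global Administrator", "Contributor"}
MAX_SECRET_AGE_DAYS = 365
STALE_AFTER_DAYS = 90
INTERNAL_ISSUER_SUFFIXES = (".internal", "target.example")

Finding = namedtuple("Finding", "identity issue severity")

def assess(export):
    """Return findings for each NHI; the export itself is never modified."""
    snapshot = copy.deepcopy(export)  # evidence baseline for the read-only check
    findings = []
    for nhi in export:
        name = nhi["name"]
        if PRIVILEGED_ROLES & set(nhi["roles"]):
            findings.append(Finding(name, "privileged role assignment", "high"))
        if nhi["secret_age_days"] > MAX_SECRET_AGE_DAYS:
            findings.append(Finding(name, "credential older than rotation policy", "medium"))
        if nhi["last_used_days"] > STALE_AFTER_DAYS:
            findings.append(Finding(name, "stale identity", "medium"))
        if not nhi["issuer"].endswith(INTERNAL_ISSUER_SUFFIXES):
            findings.append(Finding(name, "external token issuer dependency", "info"))
    if export != snapshot:  # assessment must leave the target state untouched
        raise RuntimeError("assessment mutated the inventory; evidence is contaminated")
    return findings

def summarize(findings):
    """Count findings by severity for the diligence report."""
    return dict(Counter(f.severity for f in findings))
```

Run `summarize(assess(TENANT_EXPORT))` to get the severity counts; the mutation check is what turns a plain inventory script into evidence a buyer can rely on.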

Why It Matters in NHI Security

Read-only pre-close assessment matters because inherited NHI risk is often invisible until an acquisition exposes it. NHI Management Group research shows that only 5.7% of organisations have full visibility into their service accounts, while 97% of NHIs carry excessive privileges, creating a high likelihood that a target environment contains latent access paths the buyer does not yet understand. Those findings, documented in the Ultimate Guide to NHIs, are directly relevant to pre-close diligence because they explain why a non-invasive review is often the last clean chance to measure scope before entanglement.

This assessment also supports governance decisions that align with NIST Cybersecurity Framework 2.0, particularly asset visibility and access control. Without it, buyers may inherit overprivileged service accounts, undocumented integrations, or unmanaged secrets that cannot be safely triaged after systems are joined. Organisational risk rises when teams assume that merger planning can substitute for identity discovery, because NHI failures often surface as authentication outages, blocked automation, or credential sprawl after legal close. Organisations typically encounter unexpected access failures, secret leakage, or privilege abuse only after the acquisition transitions into integration, which is precisely why a read-only pre-close assessment is operationally necessary.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-01 | Read-only assessment is the safest way to discover NHI inventory and exposure before integration. |
| NIST CSF 2.0 | ID.AM | Asset management requires visibility into identities and dependencies before trust is extended. |
| NIST Zero Trust (SP 800-207) | SA-3 | Zero Trust requires understanding the environment before authorizing access or interconnection. |

Validate identity boundaries and trust assumptions before any post-close federation or connectivity is approved.