Subscribe to the Non-Human & AI Identity Journal

Who is accountable for credential exposure found after an acquisition?

Accountability should sit with both the acquiring security team and the deal team, because identity risk affects valuation, integration, and operational continuity. The buyer needs a defined owner for remediation, a timeline for resets and policy cleanup, and a way to prove that inherited access has been reduced before normal business resumes.

Why This Matters for Security Teams

credential exposure after an acquisition is not just a cleanup task. It is a control failure that can affect valuation, integration sequencing, and the buyer’s ability to prove inherited access has been reduced. Post-deal environments often contain unknown service accounts, shared secrets, stale API keys, and undocumented automations that were acceptable in the target company but unsafe under the buyer’s standards. The risk is amplified because secrets tend to outlive the systems they protect.

Current guidance from OWASP Non-Human Identity Top 10 and NIST-aligned control thinking makes clear that the problem is not only exposure, but ownership and lifecycle control. NHIMG’s Guide to the Secret Sprawl Challenge shows how secrets spread across tools, repos, and handoffs, making acquisition due diligence incomplete unless identity inventory is part of the deal workstream. In the 2024 Non-Human Identity Security Report, only 19.6% of security professionals expressed strong confidence in their organisation’s ability to securely manage non-human workload identities, which reflects how often inherited identity risk is underestimated.

In practice, many security teams discover exposed credentials only after an integration freeze, a suspicious login, or a post-close incident review has already forced the issue.

How It Works in Practice

Accountability should be assigned in layers. The deal team owns discovery discipline during diligence, including asking for secrets inventories, automation mappings, and evidence of rotation practices. The acquiring security team owns remediation, because once the target is accepted into the buyer’s environment, the buyer controls risk acceptance, reset timing, and policy enforcement. Business owners remain accountable for validating that critical workflows still function after secrets are replaced.

The practical response is to move from “who had access before” to “what access is still live now.” That means identifying all credentialed paths, classifying them by business criticality, and revoking or reissuing them on a defined timeline. For NHI-heavy environments, the preferred pattern is short-lived, task-bound credentials instead of inherited static secrets. NHIMG’s Ultimate Guide to NHIs — Static vs Dynamic Secrets is useful here because post-acquisition cleanup usually fails where static credentials are embedded in scripts, CI/CD systems, and third-party integrations.

  • Build a joint inventory of secrets, service accounts, and machine tokens before Day 1 integration.
  • Assign one remediation owner and one approval owner for each critical system.
  • Rotate credentials in waves, starting with internet-facing and privileged systems.
  • Validate that revoked credentials are actually unused, not merely archived.
  • Document evidence for audit, legal hold, and operating model handoff.

For control design, NIST SP 800-53 Rev 5 Security and Privacy Controls provides the underlying access-control and configuration expectations, while NIST SP 800-63 Digital Identity Guidelines reinforces identity proofing and authenticator lifecycle discipline. These controls tend to break down when acquisition timelines are compressed and the target’s service dependencies are undocumented, because teams then preserve risky credentials to avoid breaking production.

Common Variations and Edge Cases

Tighter credential control often increases integration cost and can delay post-close stabilisation, so organisations must balance rapid business continuity against the need to remove inherited access. That tradeoff is real, especially when the target operates acquired SaaS platforms, regulated workloads, or outsourced development pipelines.

There is no universal standard for this yet, but current guidance suggests a few patterns. If a credential is tied to regulated data access, accountability should remain with the acquiring security leader until rotation and verification are complete. If a credential supports a legal hold, integration freeze, or carve-out service, the deal team and legal counsel may need to keep joint approval until the control owner is transferred. In highly distributed environments, the most difficult cases are secrets embedded in CI/CD runners, unmanaged cloud accounts, and vendor-managed automations that were never documented in the seller’s asset register.

For that reason, the question is not only “who is accountable” but “who can prove control.” NHIMG breach analysis such as the 52 NHI Breaches Analysis shows how exposed machine credentials often remain useful long after the original owner believes the risk has passed. In acquisition settings, that means accountability should be formalised in the transaction plan, then revalidated after every major cutover.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-03 Covers secret rotation and lifecycle control after acquisition.
NIST CSF 2.0 PR.AC-4 Addresses access permissions and least-privilege cleanup.
NIST SP 800-63 Supports identity lifecycle discipline for authenticators and credentials.
NIST Zero Trust (SP 800-207) Zero Trust reinforces continuous verification for inherited access.
NIST AI RMF GOVERN Governance is needed to assign ownership for post-deal identity risk.

Treat acquisition as an identity lifecycle event and reissue credentials under buyer control.