By NHI Mgmt Group Editorial Team | Published 2025-12-18 | Domain: Governance & Risk | Source: Axiad

TL;DR: Accenture’s identity standardisation across nearly 100 acquisitions in two years included centralising phishing-resistant authentication for 2,000 end users and reducing highly privileged AD admin accounts by about 50%, according to Axiad. The case shows that acquisition velocity makes identity governance an operational scaling problem, not a back-office control exercise.


At a glance

What this is: Axiad’s customer story about Accenture using centralised phishing-resistant authentication to unify identity across hundreds of acquired Active Directory environments.

Why it matters: Acquisition-heavy enterprises need identity governance that can absorb mergers, reduce privileged access sprawl, and keep authentication consistent across human, NHI, and workload estates.



Context

Acquisition-heavy identity programmes fail when each newly acquired environment keeps its own authentication model, privilege structure, and administrative habits. In this case, the primary identity problem is not just migration scale. It is whether identity governance can keep pace with fast business integration without leaving behind privileged access sprawl or inconsistent authentication controls.

For IAM teams, the hard question is how to standardise trust quickly across inherited Active Directory estates without waiting for long migration projects. The article frames phishing-resistant authentication as a way to unify control across those environments, which is a classic human identity governance challenge with strong spillover into broader lifecycle and privilege management.

That starting position is typical for large acquirers: the complexity comes from inherited identity fragmentation, not from any single technical weakness. The lesson is that identity becomes part of the integration architecture, not an afterthought.


Key questions

Q: How should security teams standardise identity after an acquisition?

A: Security teams should begin with an inventory of inherited directories, authentication methods, and privileged accounts, then set one target identity standard for the merged estate. The goal is to remove duplicated trust models early, especially where admin access crosses business boundaries. Without that consolidation, identity sprawl becomes a permanent integration cost.

Q: Why do acquisitions often increase identity risk?

A: Acquisitions increase identity risk because every new business brings its own directories, admin accounts, MFA patterns, and emergency access habits. Those differences create inconsistent assurance levels and more privileged identities than the enterprise intended to carry. If governance does not normalise them quickly, the merged environment inherits a larger attack surface.

Q: What breaks when privileged account cleanup is delayed after a merger?

A: Delayed cleanup leaves duplicate administrators, inherited exceptions, and unclear ownership in place. That creates monitoring blind spots and makes it harder to prove least privilege across the combined environment. In practice, the longer those accounts remain active, the more likely they are to become default paths for misuse or lateral movement.

Q: How do you know if identity consolidation is actually working?

A: Look for fewer privileged accounts, fewer authentication variants, and a smaller number of environments that still rely on local exceptions. Those are stronger indicators than policy statements alone because they show the merged estate is becoming governable. If those numbers do not move, the programme is only renaming fragmentation.


Technical breakdown

Centralised phishing-resistant authentication across inherited AD estates

The core mechanism here is federated identity standardisation across multiple Active Directory environments. Rather than leaving each acquired business on separate authentication methods, the programme moves end users toward a single phishing-resistant model, in this case smart card based authentication delivered through PKIaaS. That matters because the security boundary is no longer one directory or one tenant. It becomes the consistency of trust signals across many inherited identity stores. The architectural challenge is reducing variation without breaking local operations or forcing long cutover windows.

Practical implication: standardise authentication policy across acquired directories before inconsistent login paths become permanent.

Privileged account consolidation and attack-surface reduction

A reduction in highly privileged AD administrator accounts is an identity governance outcome, not just an access management metric. Privileged accounts are the most valuable targets in a merged environment because they can bridge old and new domains, accelerate administrative abuse, and complicate monitoring. When multiple estates are consolidated, privileged access often expands quietly through duplication and local exceptions. Removing unnecessary admin identities shrinks the attack surface and makes monitoring simpler, but only if account ownership and role boundaries are defined cleanly during integration.

Practical implication: inventory and collapse duplicate privileged accounts during every acquisition wave.

Why passwordless adoption matters in post-merger environments

Passwordless and phishing-resistant authentication are often discussed as user experience improvements, but in acquisition scenarios their real value is control uniformity. When new environments arrive with different password practices, MFA exceptions, and admin habits, the enterprise inherits a patchwork of trust levels. Centralising authentication helps remove those differences, which makes governance measurable and incident response cleaner. The important point is that strong authentication is doing two jobs at once here: reducing credential risk and creating a repeatable integration pattern for future acquisitions.

Practical implication: treat passwordless rollout as a merger integration control, not only an end-user experience project.




NHI Mgmt Group analysis

Identity consolidation is the real acquisition control plane. When an enterprise acquires dozens of organisations, the security problem is not merely bringing users into a new directory. It is collapsing many inherited trust models into one governable structure without preserving old exceptions. That is why centralised authentication and administrative control matter more than isolated migration milestones. Practitioners should treat post-merger identity standardisation as a core integration dependency, not a cleanup task.

Privileged account reduction is the clearest signal that governance is working. A roughly 50% drop in highly privileged AD admin accounts shows that identity programmes can materially shrink attack surface during consolidation. This is more than account hygiene. It demonstrates that merger activity can be used to remove duplicate authority instead of inheriting it. The practitioner conclusion is simple: if privileged identity counts do not fall during integration, sprawl is being preserved.

Phishing-resistant authentication is now an operational requirement in fast-growth enterprises. When acquisition tempo is high, password-based or loosely governed MFA patterns create inconsistent trust across environments. That inconsistency becomes a structural weakness because the enterprise cannot enforce the same identity assurance level everywhere it operates. The implication is that identity assurance must be designed for speed of integration, not just steady-state security.

Least privilege becomes measurable when identity is centralised. In a fragmented acquisition landscape, every inherited environment can carry its own admin culture and emergency access norms. Centralisation turns those hidden habits into something governable, auditable, and reducible. The field-level lesson is that identity integration can be used to expose privilege creep rather than absorb it.

Named concept: acquisition-driven identity sprawl. This is the accumulation of duplicated users, admin accounts, authentication methods, and directory exceptions created when many companies are absorbed faster than identity governance can normalise them. It matters because the programme risk is not only access inconsistency. It is that each acquisition permanently expands the enterprise's identity attack surface unless consolidation is treated as a first-class control objective.

From our research:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • Forward pivot: The 52 NHI Breaches Analysis shows how missing lifecycle control turns identity sprawl into repeated compromise paths, according to The 52 NHI Breaches Report.

What this signals

Acquisition-heavy identity work is becoming a governance test, not just an integration task. When an enterprise absorbs many businesses quickly, the real question is whether identity controls can be normalised before old trust patterns harden into the merged estate. That is why privileged account reduction and authentication standardisation should be tracked as board-visible integration outcomes, not internal admin work.

Identity sprawl is the hidden cost of fast growth. The practical lesson for practitioners is that every inherited directory, exception, and admin account can persist long after the deal closes unless it is actively collapsed. In environments with repeated acquisitions, the attack surface is shaped less by policy than by how quickly identity duplication is removed.

Acquisition-driven identity sprawl: the accumulation of duplicated accounts, trust paths, and directory exceptions after each merger or acquisition. Practitioners should use this lens to decide whether their merger runbook is actually reducing identity complexity or simply documenting it. For the control baseline, align the work with the NIST Cybersecurity Framework 2.0 and the Ultimate Guide to NHIs where privileged identity governance is involved.


For practitioners

  • Map inherited directories before standardising trust: Create an inventory of all Active Directory environments, authentication methods, and privileged accounts across acquired entities before enforcing a common identity standard.
  • Collapse duplicate privileged accounts during integration: Review administrator memberships, break-glass accounts, and local exceptions as part of the acquisition workstream so duplicate authority does not persist after cutover.
  • Prioritise phishing-resistant authentication for high-risk users: Roll out phishing-resistant MFA first to end users and administrators who bridge multiple environments, because their access paths create the largest cross-domain risk.
  • Treat identity as a merger KPI: Track privileged account counts, authentication consistency, and directory consolidation progress as measurable integration outcomes rather than informal security tasks.
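A sketch of how the inventory and KPI steps above can be made measurable, as an added example rather than tooling from Axiad or Accenture. The CSV layout, column names, the `unowned` marker, the domain names and the choice of groups counted as highly privileged are all assumptions, and the inventory rows are constructed.

```python
import csv, io
from collections import defaultdict
# Built-in AD groups treated here as "highly privileged" (assumed scope).
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed inventory snapshots: one row per account and group, per domain.
BEFORE = """domain,account,owner,group,auth_method,local_exception
corp.example,adm-jlee,j.lee,Domain Admins,smartcard,no
acq1.example,jlee-admin,j.lee,Domain Admins,password,no
acq1.example,svc-backup,unowned,Administrators,password,yes
acq2.example,adm-mkhan,m.khan,Enterprise Admins,password+otp,yes
acq2.example,mkhan,m.khan,Domain Users,password+otp,no
"""
AFTER = """domain,account,owner,group,auth_method,local_exception
corp.example,adm-jlee,j.lee,Domain Admins,smartcard,no
corp.example,adm-mkhan,m.khan,Domain Admins,smartcard,no
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def kpis(rows):
    """Privileged accounts, authentication variants, domains with exceptions."""
    priv = {(r["domain"], r["account"]) for r in rows if r["group"] in PRIVILEGED}
    return {
        "privileged_accounts": len(priv),
        "auth_variants": len({r["auth_method"] for r in rows}),
        "domains_with_exceptions": len(
            {r["domain"] for r in rows if r["local_exception"] == "yes"}),
    }

def duplicate_authority(rows):
    """Named owners holding privileged accounts in more than one domain."""
    by_owner = defaultdict(set)
    for r in rows:
        if r["group"] in PRIVILEGED and r["owner"] != "unowned":
            by_owner[r["owner"]].add(r["domain"])
    return {o: sorted(d) for o, d in by_owner.items() if len(d) > 1}

def unowned_privileged(rows):
    return sorted(r["account"] for r in rows
                  if r["group"] in PRIVILEGED and r["owner"] == "unowned")

def progress(before, after):
    # Negative deltas mean the merged estate is shrinking, not being renamed.
    return {k: kpis(after)[k] - v for k, v in kpis(before).items()}

if __name__ == "__main__":
    before, after = load(BEFORE), load(AFTER)
    print(kpis(before), duplicate_authority(before), progress(before, after))
```

Run per acquisition wave, the deltas give the trend the text asks to track, and the duplicate and unowned lists are the review queue for the integration workstream.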

Key takeaways

  • Fast acquisition growth turns identity into an integration control, not a back-office function.
  • The strongest evidence of progress is a smaller privileged account footprint and a single authentication standard across inherited environments.
  • If identity standardisation lags the deal pipeline, the merged organisation keeps the old attack surface even after the rebranding is complete.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | Centralised authentication and access control are core to this acquisition scenario.
NIST Zero Trust (SP 800-207) | PR.AC-1 | The article centers on consistent identity assurance across distributed environments.
NIST SP 800-63 | | Phishing-resistant authentication is directly relevant to the human identity side of this story.

Use zero trust to standardise authentication across acquired directories and limit inherited trust.


Key terms

  • Acquisition-driven identity sprawl: The accumulation of duplicated users, administrators, authentication methods, and directory exceptions after mergers or acquisitions. It happens when integration moves slower than business growth, leaving multiple trust models alive at the same time. The result is more complexity, more privilege, and a larger attack surface.
  • Phishing-resistant authentication: An authentication method that is designed to resist credential phishing, typically by binding the login flow to a strong cryptographic factor rather than a reusable secret. In acquisition environments, it matters because it helps standardise trust across inherited directories and reduces dependence on passwords.
  • Privileged account consolidation: The process of reducing duplicate or unnecessary administrative identities after an organisation merges systems or businesses. It is not just account cleanup. It is a governance activity that narrows the number of identities capable of broad system change and makes access easier to audit.


This post draws on content published by Axiad: Why Accenture Is Axiad's 2025 Customer of the Year. Read the original.
