TL;DR: Accenture’s identity programme unified phishing-resistant MFA across hundreds of Active Directory environments and reduced highly privileged AD admin accounts by about 50%, according to Axiad. The case shows that acquisition-heavy enterprises need identity controls that scale faster than migration projects and still preserve centralized governance.
At a glance
What this is: Axiad’s customer-of-the-year post uses Accenture’s acquisition-heavy environment to show how centralized phishing-resistant authentication and reduced privileged AD accounts can make identity governance keep pace with growth.
Why it matters: It matters because IAM, PAM, and lifecycle teams often inherit fragmented directories after mergers and acquisitions, and the post shows why standardisation and privilege reduction have to happen before long migrations finish.
By the numbers:
- Accenture deployed phishing-resistant MFA across 2,000 end users spanning multiple Active Directory environments.
- Accenture cut highly privileged AD admin accounts by about 50% after the identity rollout.
- Identity governance becomes harder when an organisation acquires nearly 100 companies in two years.
👉 Read Axiad's perspective on how Accenture unified identity across acquired environments
Context
Acquisition-driven identity consolidation is a governance problem before it is a technology problem. When a company inherits many Active Directory environments at once, authentication consistency, privileged access reduction, and administrative control all become harder to maintain across the transition.
This post uses Accenture’s rollout as an example of how large-scale mergers and acquisitions force IAM teams to standardise faster than migration programmes usually allow. The practical question is whether identity controls can preserve trust while business integration continues at high speed.
Key questions
Q: How should security teams govern identity across acquired Active Directory environments?
A: They should standardise authentication and administrative control before expecting full technical consolidation. Mixed environments usually persist for months or years after acquisition, so the immediate priority is a consistent assurance level, clear privileged account ownership, and one governance view across all inherited directories.
Q: Why does privileged account reduction matter during mergers and acquisitions?
A: Because each inherited directory often brings overlapping admins and local exceptions that enlarge the attack surface. Reducing privileged accounts lowers the number of identities an attacker can abuse and makes governance more defensible while integration is still in progress.
Q: What do teams get wrong about centralised identity governance after acquisitions?
A: They often assume the main challenge is directory migration, when the bigger problem is inherited trust inconsistency. If authentication remains uneven and admin sprawl stays intact, centralisation becomes a reporting layer rather than a real control improvement.
Q: What should organisations verify before treating acquisition identity integration as complete?
A: They should verify that phishing-resistant authentication is deployed consistently, highly privileged accounts have been rationalised, and the same governance standards apply across each inherited environment. If any of those remain split, the identity programme is still exposed.
Technical breakdown
Phishing-resistant authentication across fragmented Active Directory estates
When newly acquired businesses keep their own Active Directory environments, the identity plane becomes fragmented. Phishing-resistant authentication, such as certificate-based smart card access, shifts trust away from passwords and toward centrally governed credentials. That matters because passwords are easy to reuse and steal, and hard to standardise consistently across multiple domains. The technical challenge is less about login UX and more about getting one authentication standard to operate consistently while directories are still separate. Centralised identity governance only works if the authentication method is strong enough to survive that transition.
Practical implication: standardise phishing-resistant authentication before directory migration completes, not after.
Privileged account reduction as an attack-surface control
Highly privileged AD admin accounts concentrate risk because they can change identity policy, reset access, and expand compromise quickly. Reducing those accounts lowers the number of identities an attacker can target and narrows the blast radius if one is abused. In acquisition-heavy environments, privilege often grows by accident as each acquired business brings its own admin model. The technical issue is not just who has access today, but how many separate privileged identities must be monitored, protected, and reconciled across inherited environments.
Practical implication: map and cut duplicate privileged accounts during integration, before inherited admin sprawl becomes permanent.
Centralised identity governance in a multi-domain migration
Centralised identity governance means one policy and control plane can oversee authentication and administrative access across many directories, even while the underlying environments remain distinct. This is different from forcing immediate technical consolidation. The control objective is consistency: the same assurance level, the same privilege standards, and the same administrative oversight across acquired environments. In practice, that requires coordinated deployment, clear ownership, and enough operational maturity to avoid introducing friction that causes teams to bypass the new model.
Practical implication: treat governance centralisation as a phased control model, not a one-time cutover.
Threat narrative
Attacker objective: The objective is to turn inherited identity fragmentation and privilege concentration into durable administrative control over enterprise access.
- Entry begins in fragmented Active Directory estates where inherited password-based or inconsistent authentication creates a broader exposure surface for account compromise.
- Escalation follows when highly privileged AD admin accounts are available in multiple environments, giving an attacker more paths to reset access, modify policy, or move laterally.
- Impact is concentrated in identity control loss, because fragmented governance makes it harder to enforce consistent trust, reduce privilege, and contain administrative abuse.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity consolidation is now an acquisition control, not just an IAM project. When an enterprise is buying and integrating at high speed, identity becomes the gating function for secure growth. The important issue is not whether the target environment can be migrated eventually, but whether trust can be made consistent before fragmentation turns into operational risk. Practitioners should treat acquisition integration as an identity governance programme first and a directory project second.
Centralised authentication only matters if it reduces the number of privileged identities. A unified login layer without privileged account reduction leaves the attack surface largely intact. The value in this pattern is that it links stronger authentication to a measurable drop in high-risk admin identities, which is the metric security teams should care about. The practitioner takeaway is that authentication modernisation must be paired with privilege rationalisation.
Privileged account sprawl is the hidden cost of post-merger identity drift. Every acquired Active Directory environment tends to bring its own admin exceptions, service accounts, and local trust assumptions. Those exceptions rarely disappear on their own, and they become difficult to unwind once business continuity depends on them. This is identity drift: the accumulation of inherited directories, overlapping admins, and inconsistent assurance levels that makes governance harder after acquisitions. Practitioners should measure drift as a control failure, not an integration inconvenience.
Zero-trust arguments remain incomplete if they ignore acquisition realities. The post shows that trust has to be re-established repeatedly across inherited environments, not assumed because a policy exists centrally. That aligns with the logic of NIST Cybersecurity Framework 2.0 and Zero Trust Architecture, where identity assurance and continuous governance matter more than perimeter assumptions. The implication is that M&A programmes need identity controls that can operate while the environment is still in motion.
The market is signalling that identity infrastructure must support business velocity. Enterprises do not have the luxury of waiting for perfect rationalisation before they secure access. The field is moving toward controls that can overlay fragmented estates, reduce privilege quickly, and support standardisation during transition. Practitioners should expect acquisition-driven identity governance to stay a core design requirement, not a temporary project.
From our research:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- For broader context on privilege concentration and lifecycle control, see 52 NHI Breaches Analysis and the control patterns it surfaces across real incidents.
What this signals
Identity drift: post-acquisition environments accumulate overlapping directories, admins, and assurance levels faster than most governance teams can rationalise them. That is why the control question is not whether consolidation happens, but whether the programme can enforce one trust standard while the estate is still fragmented. For teams aligning to NIST Cybersecurity Framework 2.0, this is a governance and protect function issue as much as an implementation task.
The practical signal is that authentication modernisation should be measured alongside privilege reduction, not in isolation. If the number of highly privileged accounts does not fall, the programme has improved access mechanics without materially reducing exposure. This is the kind of identity programme shift that separates cosmetic standardisation from real control improvement.
Acquisition-heavy enterprises should expect identity work to move closer to business integration planning. In that model, Ultimate Guide to NHIs remains useful as a reference point for sprawl, over-privilege, and visibility gaps, even when the immediate subject is human administrator access.
For practitioners
- Standardise phishing-resistant authentication early: Deploy one strong authentication standard across acquired directories before full migration is complete, so users do not remain on mixed assurance levels during integration.
- Inventory privileged AD accounts across every inherited environment: Build a single view of administrative accounts, then remove duplicates and exceptions that exist only because the environments were acquired separately.
- Tie identity modernisation to privilege reduction metrics: Track whether the rollout lowers the number of highly privileged identities, not just whether users can authenticate more easily.
- Use central governance to drive integration sequencing: Sequence directory consolidation around governance priorities, so authentication, admin control, and policy consistency land before the long tail of migration work.
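The inventory and metric steps above can be started with a read-only sweep of the built-in admin groups in each inherited domain. The script below is an added example, not code from Axiad or Accenture; it assumes the RSAT ActiveDirectory module, read access to each domain, and uses constructed placeholder domain names.

```powershell
# Added example: inventory highly privileged accounts across inherited AD domains,
# count them (the metric the programme should track), and flag the same account
# name holding admin rights in more than one domain. Read-only; nothing is changed.
Import-Module ActiveDirectory

# Constructed placeholder list of inherited domains; replace with the real estate.
$Domains = @('corp.example.local', 'acquired-a.example.local', 'acquired-b.example.local')

# Built-in groups that confer domain-wide or forest-wide administrative control.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

$Inventory = foreach ($Domain in $Domains) {
    foreach ($Group in $PrivilegedGroups) {
        try {
            # -Recursive expands nested groups so indirect admins are counted too.
            # Forest-only groups do not exist in child domains; the catch skips them.
            $Members = Get-ADGroupMember -Identity $Group -Server $Domain -Recursive -ErrorAction Stop |
                Where-Object { $_.objectClass -eq 'user' }
        } catch {
            Write-Warning "Skipping $Group in $Domain : $($_.Exception.Message)"
            continue
        }
        foreach ($Member in $Members) {
            $User = Get-ADUser -Identity $Member.distinguishedName -Server $Domain `
                -Properties Enabled, LastLogonDate -ErrorAction SilentlyContinue
            if (-not $User) { continue }   # member from a trusted domain we cannot resolve here
            [pscustomobject]@{
                Domain         = $Domain
                Group          = $Group
                SamAccountName = $User.SamAccountName
                Enabled        = $User.Enabled
                LastLogonDate  = $User.LastLogonDate
            }
        }
    }
}

# One privileged identity per (domain, account), however many groups grant it.
$Unique = $Inventory | Sort-Object Domain, SamAccountName -Unique
Write-Host "Highly privileged AD accounts across $($Domains.Count) domains: $($Unique.Count)"

# Same account name privileged in several inherited domains: a consolidation candidate.
$Unique | Group-Object SamAccountName | Where-Object Count -gt 1 |
    ForEach-Object { "$($_.Name) is privileged in: $($_.Group.Domain -join ', ')" }

# Disabled or stale (no logon in 90 days) privileged accounts are the easiest first cuts.
$Stale = $Unique | Where-Object {
    -not $_.Enabled -or $null -eq $_.LastLogonDate -or $_.LastLogonDate -lt (Get-Date).AddDays(-90)
}
$Stale | Format-Table Domain, SamAccountName, Enabled, LastLogonDate -AutoSize
```

Re-running the sweep after each integration wave gives the before/after count that the privilege-reduction metric needs.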
Key takeaways
- Accenture’s rollout shows that acquisition-scale identity governance is fundamentally about standardising trust across fragmented environments before migration finishes.
- The reported 50% reduction in highly privileged AD admin accounts is the clearest evidence that authentication modernisation only matters when it also shrinks the attack surface.
- Teams integrating acquired environments should treat centralised authentication, privileged account rationalisation, and governance consistency as a single programme, not separate workstreams.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST Zero Trust (SP 800-207) | | Centralised trust across fragmented environments aligns with zero trust identity verification. |
| NIST CSF 2.0 | PR.AC-4 | Privilege management and access control are central to the article's attack-surface reduction. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Although human admin access is central here, the post reinforces lifecycle control and credential hygiene patterns. |
Use NHI lifecycle discipline to drive credential rationalisation, rotation, and offboarding in inherited estates.
Key terms
- Identity drift: The gradual accumulation of inconsistent authentication methods, administrative exceptions, and overlapping trust boundaries after mergers or environment sprawl. In practice, it is a governance failure because the organisation no longer has one coherent view of who can access what, or why that access still exists.
- Phishing-resistant authentication: Authentication methods that do not rely on credentials easily stolen through phishing, such as passwords or reusable secrets. In identity programmes, it usually means certificate-backed or hardware-bound methods that raise assurance and reduce the chance that users or administrators can be tricked into handing over access.
- Privileged account sprawl: The condition where administrative identities multiply across systems, environments, or acquired organisations faster than governance can rationalise them. It increases exposure because every extra privileged account is another high-value target, another review item, and another potential source of policy inconsistency.
- Centralised identity governance: A control model where a single policy and oversight layer manages authentication standards, privilege rules, and administrative accountability across multiple environments. It does not require immediate technical consolidation, but it does require consistent assurance and measurable control outcomes across all inherited estates.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Axiad: Why Accenture Is Axiad's 2025 Customer of the Year. Read the original.
Published by the NHIMG editorial team on 2025-12-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org