TL;DR: A leading US healthcare provider modernized identity governance during rapid mergers and acquisitions by moving to RSA Governance & Lifecycle Cloud, automating joiner-mover-leaver processes, access reviews, SoD mapping, and compliance reporting across HIPAA, HITECH, and FDA requirements. The case shows that lifecycle automation and audit-ready governance are now operational necessities, not administrative conveniences.
At a glance
What this is: RSA’s healthcare customer profile shows how cloud-managed IGA can reduce manual lifecycle work while improving compliance and audit readiness during rapid M&A-driven restructuring.
Why it matters: For IAM, IGA, and PAM teams, this is a clear signal that workforce change, SoD enforcement, and audit evidence must be managed as one governance system across human identity lifecycles.
By the numbers:
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
👉 Read RSA Security’s customer profile on cloud IGA for healthcare M&A
Context
Healthcare mergers and acquisitions create identity governance pressure because every organisational change alters who needs access, who should lose it, and which access combinations are no longer acceptable. In a regulated environment, joiner, mover, and leaver processes cannot remain manual when role churn, audit demands, and segregation of duties checks all move at the same time.
This case is about human identity governance first, but the lesson extends across NHI and autonomous programmes: lifecycle controls only work when they can keep pace with organisational change. The operational problem is not just scale, it is maintaining evidence, policy enforcement, and auditability while the identity population keeps shifting.
Key questions
Q: How should security teams automate joiner, mover, leaver governance in a regulated environment?
A: Security teams should connect joiner, mover, leaver workflows to authoritative business events so access changes follow role and employment changes without manual delay. The goal is not automation for its own sake. It is reducing the time between a change in business state and the corresponding entitlement correction, review, or removal.
Q: When do segregation of duties controls fail in a changing enterprise?
A: SoD controls fail when they are treated as static policy definitions instead of continuously re-evaluated access relationships. Mergers, restructurings, and system integration can create toxic combinations that were not visible at design time. The control must be rechecked every time identity structure changes.
Q: How can organisations know whether access reviews are producing real governance evidence?
A: Access reviews are working when they produce timestamped, role-specific evidence that a reviewer checked current access against policy and corrected what no longer fit. If the review only proves that a process happened, it is weak. If it proves what changed and why, it supports audit and risk decisions.
Q: Who is accountable when lifecycle governance gaps create compliance exposure?
A: Accountability sits with the identity, HR, and application owners that control the authoritative sources and enforcement points for access change. In regulated environments, governance failure is rarely a single-team problem. It usually reflects broken ownership across the workflow from business change to entitlement update.
Technical breakdown
Cloud-managed IGA in a high-change environment
Cloud-managed identity governance and administration centralises lifecycle workflows, access reviews, and reporting outside the constraints of an on-premises deployment. In a fast-changing healthcare organisation, that matters because mergers and restructurings create repeated entitlement changes, role remapping, and audit obligations. The architecture reduces the friction of scaling governance across multiple business units while keeping policy enforcement and reporting in one operational layer. It also supports faster deployment and less infrastructure overhead than maintaining a local platform through repeated organisational change.
Practical implication: move lifecycle governance to a model that can absorb frequent organisational change without breaking review and reporting cycles.
Joiner, mover, leaver automation and access reviews
Joiner, mover, and leaver automation is the control plane for identity change. It ensures access is created, adjusted, or removed when employment status or role changes, while access reviews and attestations validate that assigned access still matches business need. In regulated sectors, these workflows are the difference between traceable governance and ad hoc administration. When they are automated, teams can reduce manual error, shorten response times, and preserve a defensible audit trail across every identity event.
Practical implication: wire JML and attestation workflows directly to authoritative HR and business events so access changes are not delayed by manual queues.
Segregation of duties and toxic combination controls
Segregation of duties, or SoD, prevents a single identity from accumulating access that creates fraud, abuse, or compliance risk. Toxic combination mapping extends that idea by identifying privilege sets that are individually acceptable but dangerous when combined. In a healthcare M&A context, both controls are essential because inherited roles from different systems can collide after integration. The technical challenge is less about assigning roles and more about continuously checking whether combined access has become invalid as the organisation restructures.
Practical implication: continuously re-evaluate role combinations after each merger or restructure instead of treating SoD as a one-time design exercise.
Threat narrative
Attacker objective: The practical objective in this threat pattern is to preserve inappropriate access long enough for it to create compliance violations or operational risk.
- Entry occurred through organizational change, where mergers and restructurings created a large volume of identity events that had to be governed across multiple systems.
- Escalation risk came from legacy on-premises governance processes that required manual handling, increasing the chance that access drift and toxic combinations would persist unnoticed.
- Impact would be audit failure, delayed deprovisioning, and compliance exposure across HIPAA, HITECH, and FDA obligations if identity changes were not tracked accurately.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Codefinger AWS S3 ransomware attack — Codefinger used compromised AWS credentials to encrypt S3 buckets via SSE-C.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Cloud IGA becomes a resilience control when organisational change is constant. In this profile, the real problem is not simply identity volume. It is the pace of structural change, which turns lifecycle governance into a control for keeping the enterprise administratively coherent while access relationships are being rewritten. In regulated healthcare, that makes access governance part of operational resilience, not just compliance administration. Practitioners should treat governance platforms as change-absorbing infrastructure.
Joiner, mover, leaver automation is only valuable when it shortens the time between business change and access correction. Manual review cycles cannot reliably keep up with repeated acquisitions, restructurings, and role remapping. The article shows that automation matters because it reduces lag, not because it removes governance judgement. Teams should measure how quickly identity state changes are reflected in entitlements, reviews, and audit evidence.
Segregation of duties failure is often a lifecycle problem, not a policy problem. Toxic combinations appear when inherited entitlements from separate systems are merged without continuous re-evaluation. That is why SoD mapping has to be tied to ongoing lifecycle events, especially in M&A environments. Practitioners should assume that access risk reappears every time organisational structure changes.
Healthcare compliance pressure exposes the gap between entitlement design and entitlement proof. HIPAA, HITECH, and FDA obligations require more than a role model on paper. They require auditable evidence that access was granted, reviewed, and corrected at the pace of the business. The implication is simple: if the evidence trail cannot survive restructuring, the governance model is too brittle for regulated operations.
Named concept: compliance lag debt. This profile shows how every manual step in joiner, mover, leaver processing accumulates delay between business change and access correction. That delay becomes debt when auditors, regulators, or risk teams need evidence that access was current at the time of review. Practitioners should treat that lag as a governance risk metric, not an operational inconvenience.
From our research:
- The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to the 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to Oasis Security & ESG.
- For lifecycle governance context, see NHI Lifecycle Management Guide for how provisioning, rotation, and offboarding shape control durability.
What this signals
Compliance lag debt: in fast-changing environments, the real governance risk is the delay between business change and access correction. M&A activity magnifies that delay because every restructuring event creates new role mappings, review obligations, and exception handling that must be resolved before auditors ask for evidence.
With 70% of organisations granting AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey, the next governance lesson is clear: lifecycle discipline must extend across humans, NHI, and autonomous systems.
Teams that already struggle with SoD and access review discipline in human identity programmes should expect the same control patterns to reappear in NHI and agentic environments. The operational question is no longer whether governance applies, but whether the workflow can keep pace with identity change without losing audit proof.
For practitioners
- Measure lifecycle lag after organisational change: Track the time between a role change, merger event, or termination and the corresponding access update, review, or removal. Use that lag as a governance KPI alongside audit pass rates and SoD exceptions.
- Tie JML workflows to authoritative business events: Connect access provisioning and deprovisioning to HR, organisational, and system-of-record triggers so access state changes follow the business event rather than a manual ticket queue.
- Re-run SoD and toxic combination checks after each integration milestone: Validate inherited roles, cross-application entitlements, and merged access models immediately after restructuring milestones so dangerous combinations do not persist into the next audit cycle.
- Use access reviews as evidence capture, not just attestation: Design review workflows so the output supports auditors with timestamped, role-specific evidence of who approved what, when, and against which policy baseline.
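The two checks described in the technical breakdown and in the practitioner steps above, a point-in-time toxic combination scan and a leaver lag KPI, as an added example that is not code from the RSA profile or from the product it describes. The HR feed, entitlement ledger, and toxic rules are constructed sample data; the function names are assumptions.

```python
from datetime import datetime

# Constructed sample data (not from the RSA profile): an HR feed after a merger
# and the entitlement ledger of the merged application estate.
HR_EVENTS = [
    {"id": "u1", "event": "leaver", "at": "2025-09-01T09:00:00"},
    {"id": "u2", "event": "mover",  "at": "2025-09-02T10:00:00", "role": "claims-supervisor"},
    {"id": "u4", "event": "leaver", "at": "2025-09-03T17:00:00"},
]
# Rows: identity, entitlement, granted, revoked (None = still active).
ENTITLEMENTS = [
    ("u1", "ehr.read",       "2024-01-10T00:00:00", "2025-09-01T12:00:00"),
    ("u1", "ehr.export",     "2024-01-10T00:00:00", None),            # missed at offboarding
    ("u2", "claims.submit",  "2023-05-01T00:00:00", None),            # legacy role, never removed
    ("u2", "claims.approve", "2025-09-02T11:30:00", None),            # granted for the new role
    ("u4", "claims.submit",  "2022-02-01T00:00:00", "2025-09-04T09:00:00"),
]
# Toxic combinations: entitlement sets that must not sit on one identity.
TOXIC_RULES = {
    "submit-and-approve-claims": {"claims.submit", "claims.approve"},
    "read-and-export-ehr": {"ehr.read", "ehr.export"},
}

def _ts(s):
    return datetime.fromisoformat(s)

def active_entitlements(rows, as_of):
    """Entitlements each identity actually held at `as_of`, taken from the ledger."""
    held, t = {}, _ts(as_of)
    for ident, ent, granted, revoked in rows:
        if _ts(granted) <= t and (revoked is None or _ts(revoked) > t):
            held.setdefault(ident, set()).add(ent)
    return held

def find_toxic_combinations(rows, rules, as_of):
    """Identities holding a complete toxic set at `as_of`; re-run after each milestone."""
    held = active_entitlements(rows, as_of)
    return sorted((ident, name) for ident, ents in held.items()
                  for name, combo in rules.items() if combo <= ents)

def leaver_lag_hours(hr_events, rows):
    """Hours between each leaver event and the last revocation for that identity.
    None means an entitlement is still active: open compliance lag debt."""
    lags = {}
    for ev in (e for e in hr_events if e["event"] == "leaver"):
        revoked = [r[3] for r in rows if r[0] == ev["id"]]
        if None in revoked:
            lags[ev["id"]] = None
        else:
            last = max(_ts(r) for r in revoked)
            lags[ev["id"]] = (last - _ts(ev["at"])).total_seconds() / 3600
    return lags
```

Running the scan at two dates shows the point of continuous re-evaluation: u2's mover event creates a submit-and-approve combination that did not exist before the role change, and the lag report surfaces u1 as still holding an export entitlement after leaving.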
Key takeaways
- Rapid mergers and restructurings turn identity governance into a resilience function because access must stay aligned with business change.
- Automated JML, SoD, and access review workflows reduce manual error, shorten audit response time, and improve compliance evidence.
- The control that matters most is the one that can prove access was corrected as quickly as the organisation changed.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access permissions must stay aligned with business change and SoD rules. |
| NIST CSF 2.0 | GV.RR-02 | Governance roles and responsibilities are central to regulated access oversight. |
| NIST SP 800-63 | Digital Identity Guidelines | Identity proofing and lifecycle assurance matter where regulated human identities are managed. |
Use identity assurance principles to strengthen joiner, mover, and leaver validation in regulated programmes.
Key terms
- Joiner, mover, leaver: A joiner, mover, leaver process manages how access is created, changed, and removed as a person changes role or exits. In regulated environments, the control matters because entitlement drift often appears when business change outpaces system updates and review cycles.
- Segregation of duties: Segregation of duties is the control that prevents one identity from holding a risky combination of permissions that could enable fraud, abuse, or policy violation. In practice, it requires continuous checking because roles that are safe alone can become unsafe when merged.
- Toxic combination: A toxic combination is a set of entitlements that creates unacceptable risk when held together by the same identity. It is often discovered only when systems, business units, or roles are integrated, so it must be re-evaluated after organisational change rather than only at design time.
- Access attestation: Access attestation is the formal review and confirmation that an identity still needs its current access. The value is evidentiary as much as operational, because a good attestation record shows what was reviewed, who approved it, and what was corrected.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by RSA Security: Major Healthcare Provider Optimizes Compliance and Operational Efficiency with RSA Governance & Lifecycle Cloud. Read the original.
Published by the NHIMG editorial team on 2025-09-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org