By NHI Mgmt Group Editorial Team
Published 2026-02-28
Domain: Governance & Risk
Source: Zluri

TL;DR: Mergers and acquisitions create identity visibility, access management, privilege, and compliance problems that can delay integrations and expose sensitive systems, according to Zluri. The core issue is that identity programmes assume one operating model, while M&A forces two or more to coexist long enough for gaps to become exploitable.


At a glance

What this is: A Zluri analysis of five identity challenges in M&A, with the central finding that fragmented directories, access drift, and compliance misalignment can derail integration and increase security risk.

Why it matters: M&A stress-tests every identity programme at once, from NHI service accounts and app access to human access reviews and privilege governance.

By the numbers:

👉 Read Zluri's analysis of the five identity challenges in M&A


Context

Identity challenges in M&A are governance failures that appear first as visibility gaps, then as access drift, and finally as compliance exposure. When two organisations merge, their identity models, application estates, and approval paths rarely line up cleanly, which makes both human IAM and non-human identity control harder to sustain.

The primary issue is not just technical integration. It is the need to reconcile duplicate accounts, conflicting role models, and different access lifecycles fast enough that business continuity is not interrupted. That same pressure also exposes service accounts, app credentials, and privileged access paths that were manageable in a single organisation but become harder to govern once environments are combined.


Key questions

Q: What breaks when identity governance is not aligned during M&A?

A: The first break is usually visibility, followed by inconsistent provisioning and delayed revocation. When two identity estates are merged without a shared model, duplicate accounts, misclassified roles, and stale privileges persist. That creates operational friction and makes it much harder to prove who should have access to what across the combined environment.

Q: Why do mergers and acquisitions increase access risk for service accounts and privileged users?

A: M&A increases access risk because temporary exceptions become common, and temporary exceptions often survive longer than the integration itself. Service accounts, admin credentials, and shared access paths are especially exposed because they are less visible than human accounts and are often left out of early reconciliation work.

Q: What do security teams get wrong about least privilege during integration projects?

A: They often treat least privilege as a post-migration clean-up task rather than a design constraint. In practice, access expands during integration unless teams actively translate roles, expire exceptions, and continuously review privileged paths. Without that discipline, the merged environment accumulates more access than either original organisation intended.

Q: Who should be accountable for identity risk after a merger closes?

A: Accountability should sit with the integration owner, identity governance lead, and system owners who can certify access across the merged estate. If responsibility is split between old operating models, revocation and review slow down. The merged organisation needs one accountable process for entitlements, evidence, and exception handling.


Technical breakdown

Why identity visibility breaks first in M&A

M&A creates overlapping identity sources, often spanning Active Directory, LDAP, cloud directories, HR systems, and application-specific stores. A federated view can reduce the chaos, but only if identity attributes, roles, and access levels are normalised before users are merged into shared workflows. Without that normalisation, duplicate accounts, orphaned entitlements, and role mismatches multiply. The technical failure is not just lack of data. It is lack of a single authoritative model for who exists, what they should access, and which system owns the truth.

Practical implication: establish a unified identity inventory before migration work begins.

How access provisioning and RBAC drift during integration

In M&A, access decisions often move from steady-state governance to emergency provisioning. That is where manual approvals, inconsistent onboarding rules, and mismatched role definitions create delay and over-permissioning. RBAC helps only when both firms share a compatible role taxonomy and when provisioning is automated across the merged estate. If they do not, access becomes a series of exceptions, and exceptions become permanent. The result is not just friction for users. It is a growing gap between intended access and actual access.

Practical implication: map role models early and automate provisioning and revocation across both environments.

Why least privilege and compliance controls fail under merger pressure

M&A often widens privilege faster than teams can review it. Admin access, shared vaults, and temporary exceptions are frequently introduced to keep integration moving, but those choices expand blast radius and weaken auditability. Compliance risk rises when identity controls differ across entities subject to different obligations, because access evidence, review cadence, and offboarding discipline rarely align on day one. Zero trust helps only if continuous verification extends across both organisations and the merged control plane, not just the perimeter.

Practical implication: treat privilege cleanup and audit alignment as part of the integration design, not a post-close task.


Threat narrative

Attacker objective: The practical objective is to exploit merger-created access confusion to reach systems, data, or privileges that would not exist in either organisation’s original control model.

  1. Entry occurs through merger-driven identity consolidation, where two separate user and access ecosystems are forced into shared governance without a fully normalised inventory.
  2. Escalation follows when duplicate accounts, misaligned roles, and temporary privileged access are left in place long enough for over-permissioned users or accounts to persist.
  3. Impact shows up as delayed business operations, unauthorised access paths, and compliance exposure across systems that were never designed to be governed as one estate.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities, including AI Agents.


NHI Mgmt Group analysis

Identity fragmentation in M&A is a governance problem before it is a migration problem. The first failure is the absence of a shared identity truth across two organisations, which leaves duplicate users, conflicting roles, and inconsistent application ownership in place during integration. That is not just an operational inconvenience. It means access cannot be confidently certified, revoked, or inherited across the merged estate. Practitioners should treat identity harmonisation as a prerequisite for every downstream control decision.

Standing privilege becomes easier to overlook when integration work is framed as temporary exception management. M&A programmes routinely create access windows that are justified as short-lived, but those windows often outlast the original workstream and become enduring entitlements. This is a classic NHI governance failure as much as a human IAM one, because service accounts, API tokens, and admin credentials are usually the least visible actors in the merger. The practical conclusion is simple: if privilege exists outside a reviewable lifecycle, it will survive the integration.

Access governance during M&A should be evaluated by control continuity, not by deployment speed. RBAC, automated provisioning, and access reviews only work when they are carried through both organisations with the same lifecycle logic. If one side still relies on manual provisioning or weak offboarding, the merged environment inherits the weaker discipline. That is why M&A exposes whether governance is real or merely documented.

Least privilege in an acquisition is a moving target unless the merged control plane enforces it continuously. The article’s own examples show that privilege creep, admin overreach, and delayed revocation all become more likely once environments are combined. For identity leaders, the signal is not whether an integration plan exists. It is whether the plan can keep privilege bounded as systems, users, and third-party connections change.

M&A forces identity teams to unify human and non-human governance under one operating model. The same merger that exposes user duplication also exposes service accounts, shared credentials, and application access paths that were acceptable in isolation but become risk multipliers after consolidation. That makes cross-domain governance essential. Practitioners should use the merger to collapse siloed IAM, IGA, and NHI controls into one lifecycle model.

From our research:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, and 77% of those incidents resulted in tangible damage.
  • If M&A exposes hidden credentials or unmanaged app access, the next step is to align it with the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs.

What this signals

Identity consolidation is becoming a lifecycle discipline, not a one-time migration exercise. The moment two estates merge, the programme has to manage joiner, mover, and leaver logic across multiple directories, application owners, and privileged roles. That is where merged estates fail most often: not in design, but in the sustained follow-through required after go-live. Teams should plan for recurring reconciliation, not a single integration milestone.

M&A also exposes the hidden NHI layer inside almost every identity programme. Service accounts, API keys, and embedded application credentials often outlive organisational boundaries and survive longer than the people who created them. Our research shows that only 5.7% of organisations have full visibility into their service accounts, which is a reminder that merger due diligence must include machine access as well as human access.

Merger pressure is also a useful test of Zero Trust maturity. If continuous verification cannot be applied consistently across both estates, the combined organisation inherits the weakest trust model. Practitioners can use this moment to compare access review quality, vault hygiene, and offboarding discipline across both sides before the post-close operating model is locked in.


For practitioners

  • Build a merged identity inventory first: Inventory users, groups, service accounts, application accounts, and privileged entitlements across both organisations before any migration or cutover work. Normalise ownership, source systems, and authoritative attributes so duplicate identities can be resolved against one control model.
  • Map role equivalence before automating access: Compare job-based and department-based role structures, then create a translation layer for RBAC and provisioning rules. Where roles do not align, use temporary exceptions with an expiry date and review their outcomes in the same control cycle as the regular access reviews.
  • Treat offboarding as part of the merger plan: Revoke stale access, retire unused accounts, and validate that shared credentials and admin paths are reassigned or removed as part of the integration workstream. The goal is to prevent temporary access from becoming permanent through merger inertia.
  • Align compliance evidence across both estates: Standardise access certification, logging, and approval records so audit evidence survives the consolidation of systems. If the two organisations cannot produce comparable records, compliance risk persists even after the technical integration is complete.
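The reconciliation that the technical breakdown and the practitioner steps above describe can be run as a script over both inventories. What follows is an added example, not Zluri's or NHI Mgmt Group's code, working on a constructed pair of directories for two hypothetical organisations, "alpha" (acquirer) and "beta" (acquired). Every identity, role name, entitlement and date is constructed; DOMAIN_MAP (post-close mailbox consolidation), ROLE_MAP (the role translation layer) and INTENDED (entitlements each canonical role should carry) are assumed inputs that a practitioner would maintain. The script resolves duplicate identities against one key, flags roles with no translation, flags service accounts with no business owner, lists exceptions that have passed their expiry, and reports access drift as any entitlement not explained by the mapped role or a still-valid exception.

```python
from datetime import date

# Constructed sample inventories (not real organisations). Entitlements are
# written as "<system>:<permission>".
ALPHA_DIRECTORY = [
    {"id": "a-101", "email": "Dana.Lee@alpha.example", "type": "human",
     "role": "finance-analyst", "owner": "finance",
     "entitlements": {"erp:read", "erp:post"}},
    {"id": "a-svc-7", "email": None, "type": "service",
     "role": "batch-job", "owner": "finance",
     "entitlements": {"erp:read"}},
]
BETA_DIRECTORY = [
    {"id": "b-55", "email": "dana.lee@beta.example", "type": "human",
     "role": "FIN-ANALYST-L2", "owner": "finance-ops",
     "entitlements": {"erp:read", "erp:post", "erp:admin"}},
    {"id": "b-svc-3", "email": None, "type": "service",
     "role": "LEGACY-ETL", "owner": None,
     "entitlements": {"erp:admin"}},
    {"id": "b-90", "email": "sam.cho@beta.example", "type": "human",
     "role": "SALES-REP", "owner": "sales",
     "entitlements": {"crm:read"}},
]

# Assumed post-close domain consolidation: beta mailboxes move to the alpha domain.
DOMAIN_MAP = {"beta.example": "alpha.example"}
# Assumed role translation layer: beta role names -> alpha canonical roles.
ROLE_MAP = {"FIN-ANALYST-L2": "finance-analyst", "LEGACY-ETL": "batch-job"}
# Intended entitlements per canonical role (the "should have" side of drift).
INTENDED = {"finance-analyst": {"erp:read", "erp:post"}, "batch-job": {"erp:read"}}
# Temporary exceptions granted during integration, each with an expiry date.
EXCEPTIONS = [
    {"identity": "b-55", "entitlement": "erp:admin", "expires": date(2026, 1, 31)},
    {"identity": "b-svc-3", "entitlement": "erp:admin", "expires": date(2026, 6, 30)},
]
# Constructed "as of" date for the reconciliation run.
AS_OF = date(2026, 3, 1)


def canonical_key(record):
    """Normalise an email into a merged-estate key so duplicates can be matched."""
    if not record["email"]:
        return None
    local, _, domain = record["email"].lower().partition("@")
    return f"{local}@{DOMAIN_MAP.get(domain, domain)}"


def find_duplicates(records):
    """Group identities that resolve to the same canonical key."""
    groups = {}
    for r in records:
        key = canonical_key(r)
        if key:
            groups.setdefault(key, []).append(r["id"])
    return {k: ids for k, ids in groups.items() if len(ids) > 1}


def canonical_role(role):
    """Translate a role name into the acquirer's taxonomy; None if unmapped."""
    return role if role in INTENDED else ROLE_MAP.get(role)


def active_exception_entitlements(identity_id, exceptions, today):
    """Entitlements still justified by an exception that has not expired."""
    return {e["entitlement"] for e in exceptions
            if e["identity"] == identity_id and e["expires"] >= today}


def compute_drift(record, exceptions, today):
    """Actual entitlements not explained by the mapped role or a live exception.
    An unmapped role justifies nothing, so all of its entitlements count as drift."""
    intended = INTENDED.get(canonical_role(record["role"]), set())
    allowed = intended | active_exception_entitlements(record["id"], exceptions, today)
    return record["entitlements"] - allowed


def reconcile(alpha, beta, exceptions, today):
    """Build the merged-inventory findings a practitioner would review."""
    merged = alpha + beta
    findings = {
        "duplicates": find_duplicates(merged),
        "unmapped_roles": sorted(r["id"] for r in merged
                                 if canonical_role(r["role"]) is None),
        "ownerless_service_accounts": sorted(r["id"] for r in merged
                                             if r["type"] == "service" and not r["owner"]),
        "expired_exceptions": sorted(e["identity"] for e in exceptions
                                     if e["expires"] < today),
        "drift": {},
    }
    for r in merged:
        drift = compute_drift(r, exceptions, today)
        if drift:
            findings["drift"][r["id"]] = sorted(drift)
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(reconcile(ALPHA_DIRECTORY, BETA_DIRECTORY, EXCEPTIONS, AS_OF), indent=2))
```

On the constructed data, the run pairs a-101 with b-55 as one person, reports b-55's erp:admin as drift because its exception expired in January, leaves b-svc-3's erp:admin out of drift because its exception is still live but flags the account as having no owner, and reports b-90's crm:read as drift because SALES-REP has no translation yet. In a real integration the same findings would feed the access review cycle rather than be acted on automatically.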

Key takeaways

  • M&A exposes identity gaps because two governance models must be reconciled before the business can operate as one.
  • The clearest risk is access drift, where duplicate identities, temporary exceptions, and uneven offboarding become permanent security debt.
  • Practitioners should make identity inventory, privilege cleanup, and access review alignment part of the integration plan itself.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                         Control / Reference   Relevance
OWASP Non-Human Identity Top 10   NHI-03                M&A often leaves service-account and secret rotation gaps across merged estates.
NIST CSF 2.0                      PR.AC-4               Merged organisations need consistent access control across both identity estates.
NIST Zero Trust (SP 800-207)      AC-1                  Continuous verification is needed when two trust models are combined.

Reconcile non-human credentials and rotate inherited secrets before integration completes.


Key terms

  • Identity Harmonisation: The process of making two or more identity estates behave as one coherent governance model. In M&A, it means normalising identifiers, roles, ownership, and access rules so certifications, revocations, and audit evidence can be trusted across the merged organisation.
  • Access Drift: A gradual mismatch between intended access and actual access. During integration, drift appears when temporary exceptions, duplicate accounts, or inconsistent role mappings stay in place long enough to become the new normal, increasing both operational confusion and security exposure.
  • Merged Estate: The combined identity and access environment that exists after two organisations begin operating under shared governance. It includes human accounts, machine identities, applications, and privileged pathways that must be controlled as one system even if the underlying infrastructure remains split.
  • Lifecycle Offboarding: The controlled removal of access when an account, role, system, or relationship is no longer needed. In merger work, offboarding is not just employee exit management. It also covers stale entitlements, obsolete integrations, shared credentials, and inherited access that no longer has a business owner.

Deepen your knowledge

Identity governance in mergers and acquisitions is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a merged access model or cleaning up inherited credentials, it is worth exploring.

This post draws on content published by Zluri: 5 Identity Challenges in M&A To Address in 2026. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-28.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org