By NHI Mgmt Group Editorial TeamPublished 2026-01-11Domain: Governance & RiskSource: Orchid Security

TL;DR: Tool and application sprawl can turn a routine acquisition into an identity incident when legacy systems, cleartext credentials, and uneven MFA controls create lateral movement paths, according to Orchid Security. The real issue is fragmented IAM and unchecked application sprawl, where governance breaks before attackers need anything sophisticated.


At a glance

What this is: This is an identity security analysis arguing that acquisition-driven tool sprawl, legacy access gaps, and weak credential hygiene create preventable breach paths.

Why it matters: It matters because IAM, NHI, and human identity programmes all fail in the same places when visibility, MFA coverage, and lifecycle control do not extend across the full application estate.

👉 Read Orchid Security's analysis of identity fabric controls for tool and app sprawl


Context

Tool and application sprawl means an organisation has more identities, applications, and access paths than its governance model can actually see. In acquisition scenarios, that gap becomes acute because legacy systems often arrive with different authentication standards, weaker access controls, and hidden credentials. The primary identity security issue here is not scale alone, but fragmented IAM across human logins, service access, and unmanaged application estates.

The article’s central claim is that identity fabric should tie these disconnected systems together through unified visibility, enforcement, and lifecycle control. That framing is relevant to IAM teams because the same failure pattern appears across human, non-human, and shared access: controls exist in pockets, but not as a coherent governance layer. Once that happens, attackers only need one weak system to move across the rest.


Key questions

Q: How should security teams manage identity risk during acquisitions and integration?

A: Treat acquisition integration as an identity consolidation project first and a technology migration second. Build a single inventory of users, applications, secrets, and privileged accounts, then decide which controls must be standardised before any trust is extended. The goal is to remove hidden access paths, not simply connect more systems faster.

Q: Why do legacy applications increase identity security risk?

A: Legacy applications often retain weaker authentication, inconsistent logging, and unmanaged credentials that bypass modern controls. When those systems are folded into a larger estate, attackers only need one neglected path to move laterally. The risk is highest when legacy access is assumed to be harmless because it is old rather than because it is governed.

Q: What do security teams get wrong about MFA and passwordless adoption?

A: Teams often assume MFA or passwordless coverage is universal once the primary identity platform supports it. In practice, inherited applications, service access, and shadow systems may remain outside enforcement. The mistake is treating modern authentication as complete when only part of the estate has actually been migrated.

Q: Who is accountable when cleartext credentials are found in inherited systems?

A: Accountability sits with the organisation that accepts the environment, not with the attacker who later finds the secrets. Governance teams, application owners, and integration leads must jointly prove where credentials live, how they are removed, and which systems still depend on them. That accountability should be explicit during post-acquisition remediation.


Technical breakdown

Why application sprawl breaks identity governance

Application sprawl creates governance blind spots because every new system introduces another authentication path, another policy exception, and another place where access can drift. In a merger or acquisition, those differences are often inherited rather than designed, so one legacy app may still rely on weak passwords, another may lack MFA, and a third may not be covered by central monitoring. The result is not just more surface area, but inconsistent enforcement across the identity estate. Identity fabric is an attempt to collapse those differences into one operating model, so controls are applied consistently rather than selectively.

Practical implication: inventory inherited applications early and map which authentication and policy controls actually exist before integration work begins.

How cleartext credentials turn a small foothold into full compromise

Hardcoded or cleartext credentials remain one of the most efficient escalation paths because they bypass normal authentication controls entirely. A phishing-driven initial compromise becomes far more dangerous when attackers can find usernames, passwords, API keys, or admin secrets in scripts, configuration files, or legacy systems. Once those credentials are exposed, the attacker no longer needs to keep relying on the original compromised account. The security failure is usually governance, not detection: teams know these artefacts exist somewhere, but do not have a reliable process to eliminate them across the full environment.

Practical implication: search for and remove embedded secrets across applications, scripts, and configs before you expand trust to newly inherited systems.

Why MFA, SSO, and just-in-time access need unified enforcement

MFA and SSO reduce password risk, but they do not solve inconsistent policy coverage if some applications never joined the central identity plane. The same is true for role-based and just-in-time access: they only limit blast radius when the enforcement layer reaches every meaningful system, including service accounts and legacy applications. Without that coverage, attackers can pivot from a hardened system to a weaker one and keep moving. The technical lesson is that access governance is only as strong as its least governed application.

Practical implication: validate that MFA, SSO, and JIT controls are enforced across both modern and inherited applications, not just the primary identity stack.


Threat narrative

Attacker objective: The attacker wants to turn one weak identity control into broad administrative access across inherited systems and critical assets.

  1. Entry occurs when a phishing attack compromises an employee and the attacker lands in an environment where a legacy system does not require MFA.
  2. Escalation happens when the attacker moves laterally and discovers admin credentials stored in plain text, bypassing normal authentication and access controls.
  3. Impact follows when those credentials provide full access to critical systems and the attack spreads across the acquired environment.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity fabric is a governance model, not a tooling stack. The article is right to focus on sprawl, but the deeper issue is that fragmented identity controls cannot survive acquisition-driven heterogeneity. A merged environment exposes every policy exception, every orphaned application, and every neglected credential store. Practitioners should treat integration as a governance consolidation exercise, not a point-product buying cycle.

Cleartext credential exposure remains the shortest path from initial access to administrative control. When secrets live in scripts, configuration files, or legacy platforms, the organisation has already lost the ability to control who can reuse them. That is not a detection problem alone. It is a lifecycle and hygiene failure that expands the attacker’s options long before defenders can respond.

Unified visibility is the prerequisite for enforcing least privilege across human and non-human identities. The same access sprawl that affects employees also affects service accounts, automation, and inherited application credentials. If the organisation cannot see those identities in one estate view, it cannot govern them in one policy model. Practitioners should assume that partial visibility means partial control.

Zero trust does not compensate for weak identity inventory. The article’s zero-trust framing only works when the organisation knows which users, applications, and secrets exist and which trust relationships still matter. Without that baseline, continuous verification becomes selective verification. The implication for security leaders is that zero trust and identity consolidation must advance together, or neither will hold under acquisition pressure.

Application sprawl is the named concept that explains why breach paths multiply faster than controls can be normalised. Each inherited app can carry its own auth model, secret handling practice, and review cadence. That creates governance drag, where defenders spend more time reconciling exceptions than shrinking exposure. The practitioner conclusion is simple: if you cannot standardise the estate, you cannot standardise the control plane.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
  • That visibility gap is why practitioners should also examine Ultimate Guide to NHIs for the lifecycle and governance model that inherited environments usually lack.

What this signals

Application sprawl will keep turning identity integration into a governance problem. As acquisitions and hybrid estates grow, teams need one view of applications, credentials, and privilege before they can trust any downstream access model. The practical signal is that identity architecture now depends on estate rationalisation as much as on policy design.

Cleartext credentials are a programme-level anti-pattern, not just a finding to remediate. Once secrets appear in scripts or legacy systems, the organisation has already accepted hidden trust that cannot be managed through login controls alone. The strongest response is to treat secret discovery as a recurring control, not a one-time cleanup.

A strong identity fabric has to cover human logins, machine access, and inherited applications together. When those domains are separated operationally, the attacker only needs the least mature one to move through the rest of the environment.


For practitioners

  • Build a single application and identity inventory Create one authoritative view of inherited applications, authentication methods, and privileged accounts before migration or integration begins.
  • Hunt for embedded secrets across the estate Scan scripts, configuration files, repositories, and legacy platforms for cleartext credentials, then remove or replace them before attackers can reuse them.
  • Extend MFA and SSO coverage to acquired systems Validate that MFA, SSO, and central policy enforcement apply to every application that matters, including older platforms that were never originally integrated.
  • Apply just-in-time access to high-risk roles Convert standing administrative access into task-scoped access wherever possible so a compromise cannot immediately translate into persistent privilege.
  • Treat non-human identities as governed identities Bring service accounts, automation, and application credentials into the same lifecycle, review, and monitoring process used for user access.

Key takeaways

  • Tool and application sprawl creates identity blind spots that attackers can use to move from one weak system to broad compromise.
  • The article’s strongest evidence is the combination of legacy MFA gaps, lateral movement, and cleartext admin credentials.
  • Security teams should consolidate identity visibility, remove embedded secrets, and enforce consistent access controls across acquired and inherited systems.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Access control depends on knowing which identities and systems exist.
NIST Zero Trust (SP 800-207)SC-7Zero trust only works when every access path is continuously verified.
OWASP Non-Human Identity Top 10NHI-03Cleartext credentials and unmanaged machine identities are core NHI risks.

Treat embedded secrets as governed NHI assets and remove them from scripts and configs.


Key terms

  • Identity fabric: An identity fabric is a coordinated control model that connects users, applications, and credentials into one governance layer. It reduces fragmentation by tying authentication, access policy, monitoring, and lifecycle controls together across the full estate, including inherited and legacy systems.
  • Application sprawl: Application sprawl is the accumulation of many systems, often with different identity standards, until governance can no longer enforce consistent controls everywhere. It usually creates hidden exceptions, duplicated policy, and blind spots that attackers can exploit through the least mature application.
  • Cleartext credentials: Cleartext credentials are usernames, passwords, tokens, or secrets stored in readable form instead of protected by proper secret management. They are dangerous because they can be reused directly by attackers and often outlive the context in which they were created.
  • Just-in-time access: Just-in-time access is a task-scoped privilege model that grants elevated access only when needed and withdraws it after use. In inherited or sprawling environments, it only works when the control reaches every system that can otherwise preserve standing privilege.

What's in the full article

Orchid Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • The identity fabric control model used to unify access across legacy and modern applications.
  • The practical steps for finding and eliminating hardcoded credentials across inherited environments.
  • How the article recommends applying MFA, SSO, and least-privilege controls to sprawl-heavy estates.
  • The specific governance practices the vendor says reduce blast radius after an acquisition.

👉 Orchid Security's full post covers the acquisition scenario, credential exposure path, and governance basics in more operational detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org