By NHI Mgmt Group Editorial Team
Published 2025-12-08
Domain: Breaches & Incidents
Source: Axiad

TL;DR: Axiad’s Customer of the Year announcement centers on Accenture’s identity-first integration model, including phishing-resistant authentication, passwordless strategy support, and centralized governance across distributed Active Directories for thousands of users. The practical signal is that large-scale enterprise integration now depends on tightening identity control planes before sprawl turns into privileged access drift.


At a glance

What this is: Axiad’s announcement says Accenture used identity-first controls to standardize authentication, centralize governance, and reduce privileged access across a large integration estate.

Why it matters: Practitioners managing NHI, autonomous, and human identity programmes must treat integration speed, authentication consistency, and privilege reduction as one governance problem.

👉 Read Axiad's announcement on Accenture being named Customer of the Year


Context

Identity-first authentication is the practice of making authentication, governance, and privileged access controls consistent across the enterprise before integration scale creates fragmentation. In this announcement, the underlying issue is not a product rollout but the identity control problem that appears when a large enterprise absorbs many systems, directories, and user populations at speed.

For identity programmes, the core lesson is that acquisition-heavy environments expose gaps in authentication consistency, privileged access reduction, and directory governance. That makes this relevant to human IAM and NHI governance at the same time, because the same integration pressure tends to multiply service accounts, tokens, and privileged pathways alongside users.


Key questions

Q: How should security teams govern authentication across acquired environments?

A: Treat authentication as a merger control, not a local IT preference. Build one policy model for phishing-resistant login, retirement of legacy methods, and exception tracking across every inherited directory. The goal is to make the weakest environment visible and removable before it becomes the enterprise baseline.

Q: Why does standing privilege become a bigger problem during integration projects?

A: Integration teams often preserve elevated access to avoid disrupting operations, but that keeps legacy admin paths alive longer than necessary. Standing privilege becomes a bigger problem because it expands blast radius while the organisation is already changing structure, ownership, and trust relationships at the same time.

Q: How do you know if identity governance is actually working after an acquisition?

A: Look for fewer authentication exceptions, fewer retained administrator roles, and a smaller number of independent directory policies. If merged environments still require local access rules and transitional privilege months after integration, governance is lagging behind the business change it was meant to absorb.

Q: Who should own identity risk when multiple acquired environments are being consolidated?

A: Ownership should sit with the enterprise identity function, with business and platform teams accountable for exceptions. If ownership stays fragmented, each acquired environment keeps its own standards and review cadence, which makes risk reporting unreliable and privileged access reduction difficult to enforce.


Technical breakdown

Why distributed Active Directory governance becomes a control problem

Distributed Active Directory estates create multiple policy boundaries, inconsistent authentication paths, and uneven privilege assignment. When enterprises integrate acquired environments, the issue is not just account sprawl. It is that identity policy becomes conditional on directory geography, legacy trust relationships, and local exceptions. That weakens standardisation and makes it harder to enforce phishing-resistant authentication or consistent access controls across the estate.

Practical implication: inventory directory boundaries and decide where policy normalisation must happen before further integrations expand the exception set.

Passwordless authentication and phishing resistance across merged environments

Passwordless authentication reduces dependence on reusable secrets, while phishing-resistant methods raise the bar against credential theft and replay. In a merger or acquisition context, those controls matter because inherited identity stacks often contain mixed authentication strengths, legacy MFA gaps, and unmanaged trust transitions. Identity teams need to understand that the weakest legacy path becomes the effective enterprise standard unless it is actively retired or isolated.

Practical implication: map every authentication path in acquired environments and prioritize removal of reusable credentials from high-risk access flows.

Privilege reduction as an integration control, not an afterthought

Privileged access reduction is a governance mechanism, not just a cleanup task. Integration projects often preserve elevated access to avoid business disruption, but that convenience extends the life of standing privilege and legacy administrator roles. Over time, that creates a larger attack surface than the acquisition itself introduced. Centralized governance only works when entitlement reduction is built into the integration sequence, not deferred until later hardening phases.

Practical implication: make privilege reduction part of the integration checklist, with explicit owner approval for every retained elevated role.


NHI Mgmt Group analysis

Identity-first integration is now a governance requirement, not a maturity slogan. Large acquisition-heavy enterprises do not fail because they lack tools alone. They fail when identity policy is allowed to lag behind structural change, leaving directory sprawl and inconsistent authentication to become the real control plane. Practitioners should treat integration speed as an identity governance issue, not only a business operations goal.

Phishing-resistant authentication matters most where inherited identity estates overlap. The more mergers, acquisitions, and directory boundaries an organisation inherits, the more likely it is that one weak authentication path will persist as a back door into the wider estate. That makes authentication assurance a cross-environment design problem rather than a local login choice. Practitioners should assume the weakest inherited path will define enterprise risk until it is removed.

Privileged access reduction is the hidden win in large-scale integration. When central governance reaches thousands of users and multiple directories, the important outcome is not only consistency. It is the removal of standing privilege that otherwise accumulates during transition work. This is where identity programmes either enforce discipline across the integration lifecycle or silently inherit the old access model. Practitioners should measure success by privilege contraction, not just user migration.

Post-quantum readiness belongs in the same conversation as identity standardisation. The announcement points to a broader market direction where enterprises are linking authentication modernization, certificate readiness, and risk quantification. That combination signals that identity teams will be expected to manage cryptographic transition as part of operational governance, not as a separate security project. Practitioners should align authentication roadmaps with long-term crypto migration planning.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most identity programmes still cannot see the full machine identity estate they are trying to govern.
  • For a broader foundation on lifecycle, rotation, and offboarding, see Ultimate Guide to NHIs and 52 NHI Breaches Analysis.

What this signals

Identity consolidation is becoming a crypto and governance event at the same time. Enterprises that keep treating authentication modernisation as separate from directory integration will continue to inherit technical debt faster than they retire it. The programme signal is clear: merger-heavy environments need a single control model for user identity, privileged access, and credential assurance before scale multiplies exceptions.

Post-quantum readiness now sits inside identity architecture decisions. The practical issue is not abstract cryptography alone. It is whether the authentication and certificate layers in merged estates can be updated without leaving legacy paths untouched. Teams should use that lens to prioritise which identity components need standardisation first and which exception paths should be retired immediately.


For practitioners

  • Standardise authentication across acquired environments: Map every inherited directory and authentication path, then retire exceptions that let legacy systems keep separate login policies. Focus first on the systems that still rely on reusable credentials or weaker MFA patterns.
  • Reduce standing privilege during integration: Review administrator roles, delegated access, and transitional exceptions before the merged environment is normalised. Remove access that exists only to keep migration moving and require a named owner for any retained elevation.
  • Centralise governance for distributed directories: Create one governance model for user, service, and privileged identities across all Active Directory estates, including those inherited from acquisitions. Track exceptions as temporary integration debt, not normal operating state.
  • Align identity controls with crypto transition planning: Fold passwordless adoption, certificate posture, and post-quantum readiness into the same roadmap so identity modernisation and cryptographic migration do not drift into separate programmes.
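
One way to turn the first two checklist items into a repeatable check, as an added example (not code from Axiad, Accenture or NHI Mgmt Group): it runs over a constructed inventory and reports each directory's weakest authentication path and every retained elevated role that lacks a named owner or is past its review date. The strength ranking, record layout, directory and principal names, and the review-date field are assumptions made for illustration.

```python
from datetime import date

# Assumed ranking for this example (higher = stronger); not from the source page.
AUTH_STRENGTH = {"password": 0, "otp_mfa": 1, "phishing_resistant": 2}
# Constructed inventory: (directory, access path, authentication method).
AUTH_PATHS = [
    ("corp", "vpn", "phishing_resistant"),
    ("corp", "admin-console", "phishing_resistant"),
    ("acq-east", "vpn", "otp_mfa"),
    ("acq-east", "legacy-erp", "password"),
    ("acq-west", "sso", "phishing_resistant"),
]
# Constructed elevated roles: (directory, principal, role, owner, review_by).
ELEVATED_ROLES = [
    ("corp", "svc-backup", "Backup Operators", "j.ortiz", date(2026, 3, 1)),
    ("acq-east", "migr-admin", "Domain Admins", None, date(2025, 11, 1)),
    ("acq-east", "svc-sync", "Account Operators", "p.nair", date(2025, 10, 15)),
]

def weakest_path_per_directory(paths):
    """Map each directory to its weakest (path, method); that path is its real baseline."""
    weakest = {}
    for directory, path, method in paths:
        cur = weakest.get(directory)
        if cur is None or AUTH_STRENGTH[method] < AUTH_STRENGTH[cur[1]]:
            weakest[directory] = (path, method)
    return weakest

def directories_below(paths, required="phishing_resistant"):
    """Directories whose weakest path falls short of the required method."""
    floor = AUTH_STRENGTH[required]
    return sorted(d for d, (_, m) in weakest_path_per_directory(paths).items()
                  if AUTH_STRENGTH[m] < floor)

def retained_privilege_findings(roles, today):
    """Flag elevated roles with no named owner or a lapsed review date."""
    findings = []
    for directory, principal, role, owner, review_by in roles:
        reasons = [] if owner else ["no named owner"]
        if review_by < today:
            reasons.append("review overdue")
        if reasons:
            findings.append((directory, principal, role, reasons))
    return findings

if __name__ == "__main__":
    print("below standard:", directories_below(AUTH_PATHS))
    for finding in retained_privilege_findings(ELEVATED_ROLES, date(2025, 12, 8)):
        print("retained elevation:", finding)
```

Tracking the length of both result lists over successive runs gives the exception-reduction and privilege-contraction trend the article recommends measuring.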

Key takeaways

  • Large acquisition programmes expose identity governance gaps faster than traditional IAM operating models can absorb them.
  • Centralised authentication, privilege reduction, and directory governance are the decisive controls when enterprises integrate at scale.
  • Identity teams should measure progress by exception reduction and privilege contraction, not by migration speed alone.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Phishing-resistant authentication and access governance map directly to identity assurance.
NIST Zero Trust (SP 800-207) |  | Zero Trust requires continuous verification across distributed identity estates.
OWASP Non-Human Identity Top 10 | NHI-03 | Integration commonly expands machine and service-account exposure alongside user identities.

Inventory non-human identities during consolidation and reduce standing access before migration closes.


Key terms

  • Identity-first integration: An integration approach that treats identity controls as the foundation of enterprise consolidation rather than a downstream cleanup task. In practice, authentication, privilege design, and directory governance are aligned early so that acquisitions do not inherit inconsistent access models.
  • Phishing-resistant authentication: Authentication methods that are designed to resist credential theft, replay, and social engineering. These controls reduce dependence on reusable secrets and make it harder for attackers to turn a stolen login into broad enterprise access.
  • Standing privilege: Access that remains continuously available instead of being granted only when needed. In merged environments, standing privilege often persists because it is convenient during transition, but it expands attack surface and makes governance harder to enforce.
  • Directory governance: The discipline of controlling how directories, trust relationships, and identity policies are managed across an organisation. It becomes especially important during acquisitions, where multiple identity systems can create inconsistent authentication and access rules.

This post draws on content published by Axiad: Axiad names Accenture Customer of the Year for 2025. Read the original.

NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org