TL;DR: M&A creates a sharp identity governance problem because buyers inherit devices, applications, accounts, contractors, and policy conflicts before integration is complete, according to 1Password. The real control failure is assuming diligence can be deferred until after the deal closes, when access sprawl and orphaned identities are already in motion.
At a glance
What this is: This is 1Password’s analysis of why mergers and acquisitions create immediate identity, access, and governance risk before integration begins.
Why it matters: It matters because IAM, NHI, PAM, and lifecycle teams need to treat M&A as an access-control event from day one, not a post-close clean-up exercise.
Context
M&A introduces an identity governance problem the moment negotiations begin: a buyer inherits unknown users, devices, applications, contractors, and policy mismatches before any integration work is complete. In that environment, access control is not just about login mechanics, but about who and what can move across systems while the deal is still forming.
For IAM and NHI programmes, the core issue is visibility. Security teams need to establish what exists, who can reach it, and which credentials or accounts will survive the transaction, because ghost accounts, overprovisioned roles, and third-party access often become the hidden failure points during integration.
Key questions
Q: How should security teams handle identity risk during mergers and acquisitions?
A: Treat M&A as a live identity governance problem from the first negotiation. Security teams should inventory users, contractors, applications, devices, and delegated access early, then decide which identities will remain active after integration. The safest approach is to align diligence, deprovisioning, and logging with the actual deal structure, not with optimistic assumptions about post-close cleanup.
Q: Why do mergers and acquisitions increase access control risk?
A: M&A increases risk because the acquiring organisation inherits unknown accounts, inconsistent policies, and unreviewed third-party access while systems are being combined. That creates a temporary but highly exposed trust gap. Orphaned accounts, overprovisioned roles, and unmanaged devices can all survive the transition unless they are identified and removed before integration completes.
Q: What do security teams get wrong about acquisition due diligence?
A: The common mistake is treating due diligence as a paperwork exercise rather than an operational identity review. Documentation matters, but it is not enough on its own. Teams also need validation through targeted recon, access inventory review, and clear decisions about which systems and identities are actually in scope for integration.
Q: Who should own access decisions during an acquisition?
A: Ownership should sit with security, IAM, and the deal team together, because access decisions affect both business value and technical risk. Corp Dev needs the transaction context, while security needs authority to flag identity exposure, limit inherited access, and enforce the stricter policy model until the merged environment is stable.
Technical breakdown
Due diligence as an identity discovery problem
M&A due diligence is not simply a legal or financial review. It is an identity discovery exercise that must surface accounts, applications, devices, contractors, and delegated access paths before the acquisition closes. Discovery means reading policies, reviewing documentation, and interviewing security and IT teams. Validation means lightweight recon, pentesting where appropriate, and checking for obvious access-control failures. The point is not to prove perfection. The point is to identify signal-rich evidence that shows whether the target organisation can actually govern identities once it is absorbed into a larger environment.
Practical implication: Security teams should make identity and access discovery part of deal diligence, not an afterthought after signing.
Integration strategy determines the access risk surface
M&A integration is not one pattern. Some deals keep systems separate, some integrate only endpoints and identity platforms, and some move toward full integration. That choice changes the identity risk surface. If the target will remain isolated, security should not waste time overengineering controls for systems that will be retired. If the target will be integrated, access provisioning, device trust, SaaS governance, and logging all become immediate concerns. The governance question is therefore not just how to secure the acquired company, but which identities and systems are actually meant to remain live after the transaction.
Practical implication: Map controls to the intended integration model so security work matches the deal strategy.
Post-deal access sprawl is the real control failure
The most dangerous period often begins after due diligence, when integration creates confusion and social engineering risk rises. Orphaned accounts, ghost accounts, overprovisioned roles, BYOD access, and inherited third-party contractors all widen the blast radius. In identity terms, this is where lifecycle governance fails: accounts are still active even though accountability has shifted, and logging often lags behind the operational reality. M&A exposes the weakness of treating access as static when the organisation itself is being redefined.
Practical implication: Apply stricter access review, logging, and deprovisioning discipline during the first phase of integration.
Threat narrative
Attacker objective: exploit transitional identity weakness to reach data, systems, or privileges that should not survive the transaction.
- Entry occurs through inherited users, contractors, and access paths that were already present in the acquired environment before integration is complete.
- Escalation happens when overprovisioned roles, orphaned accounts, and inconsistent policies allow broader access than the buyer expected.
- Impact comes through data exposure, privilege abuse, integration delays, and social engineering opportunities during the chaotic post-deal period.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
M&A is an identity lifecycle event, not just a transaction event. The buyer inherits joiner-mover-leaver complexity for every account, contractor, device, and application in scope. That means the governance problem is not only who had access yesterday, but which identities should still exist after the deal is signed. The practical conclusion is that lifecycle ownership must be assigned before integration starts.
Access reviews designed for steady-state enterprises do not survive acquisition turbulence. Reviews assume a relatively stable identity population, but M&A creates rapid churn across systems, policies, and accountability. That makes orphaned accounts and stale entitlements more likely to persist than in ordinary operations. Practitioners should treat acquisition windows as high-risk governance periods, not as exceptions outside the normal model.
Conditional access and device trust become deal-critical controls when BYOD and contractors enter the picture. The article correctly points to unmanaged endpoints and third-party access as part of the access-trust gap. For NHI and IAM teams, that means trust decisions must extend beyond named employees to every account that can reach corporate data. The implication is simple: access governance has to follow the asset, not the org chart.
Identity blast radius is the right concept for M&A risk. The question is not whether the acquired company has any control failures, but how far those failures can spread once systems are connected. A small number of weak accounts, mis-scoped contractors, or undocumented SaaS apps can become enterprise-wide exposure after integration. Practitioners should measure which identities would expand the most if the deal moves ahead.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- A separate finding shows that 45% of organisations cite lack of credential rotation as the top cause of NHI-related attacks, according to The State of Non-Human Identity Security.
- For a lifecycle lens on inherited access and offboarding, see NHI Lifecycle Management Guide for the governance steps that matter after integration begins.
What this signals
Identity blast radius: acquisition planning should now be read as an access-boundary redesign exercise. The more systems, contractors, and SaaS apps the buyer inherits, the more likely a small governance miss will spread across the merged environment. That is why identity visibility has to be established before integration, not after the first sync.
As M&A activity accelerates, security leaders should expect corporate development, legal, and IAM teams to work from a single access-risk model. The organisations that can reconcile inherited identities, device trust, and policy differences fastest will have less post-close cleanup and less exposure to social engineering during the transition.
The practical signal is straightforward: if you cannot name every identity class that will survive the deal, you do not yet have control of the deal. That is where the next phase of security work should begin, with the NHI Lifecycle Management Guide as the baseline reference for offboarding and access governance.
For practitioners
- Build identity diligence into Corp Dev workflow: Require security to join acquisition planning early enough to review users, service accounts, contractors, SaaS apps, and device posture before close. Ask for compliance documents, org charts, recent audits, and access inventories as standard diligence inputs.
- Separate integration assumptions from security scope: Document whether the deal is no integration, partial integration, or full integration, then align controls to that decision. Do not spend effort hardening systems that will be retired, but do fully govern identities and devices that will remain connected.
- Harden the first 30 days of access governance: Prioritise deprovisioning, access review, and logging as soon as the transaction moves toward integration. Focus on ghost accounts, overprovisioned roles, third-party contractors, and BYOD endpoints that can still reach sensitive data.
- Apply the stricter policy model across both organisations: When the two companies use different retention, logging, or privacy standards, default to the stricter policy set until the merged operating model is formally approved. That reduces ambiguity while the new identity boundary is still unstable.
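The four practitioner steps above, worked through as an added example (not code from the 1Password article or from NHIMG): an inherited identity inventory is triaged against the deal's documented integration scope into keep, deprovision, and review buckets, and two policy sets are merged by taking the stricter value for each setting. The system names, inventory entries, and policy fields are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed deal data (assumptions): which target systems survive integration.
TODAY = date(2025, 9, 3)
SCOPE = {"erp": "integrate", "jira": "integrate", "legacy_crm": "retire"}
SENSITIVE = {"erp", "jira"}          # systems where BYOD access needs review

@dataclass
class Identity:
    name: str
    kind: str                        # employee | contractor | service
    owner_active: bool               # accountable human still employed
    systems: set
    roles: set = field(default_factory=set)
    managed_device: bool = True
    contract_end: "date | None" = None

def triage(identities, scope=SCOPE, today=TODAY):
    # Sort inherited identities into keep / deprovision / review buckets.
    out = {"keep": [], "deprovision": [], "review": []}
    for i in identities:
        live = {s for s in i.systems if scope.get(s) == "integrate"}
        if not live:                               # only touches retired systems
            out["deprovision"].append((i.name, "retired-system"))
        elif not i.owner_active:                   # orphaned / ghost account
            out["deprovision"].append((i.name, "orphaned"))
        elif i.contract_end and i.contract_end < today:
            out["deprovision"].append((i.name, "contract-expired"))
        elif "admin" in i.roles and i.kind != "employee":
            out["review"].append((i.name, "overprovisioned"))
        elif not i.managed_device and live & SENSITIVE:
            out["review"].append((i.name, "byod-sensitive"))
        else:
            out["keep"].append((i.name, "in-scope"))
    return out

def stricter_policy(a, b):
    """Merge two policy sets, keeping the stricter value for each setting."""
    return {"log_retention_days": max(a["log_retention_days"], b["log_retention_days"]),
            "cred_rotation_days": min(a["cred_rotation_days"], b["cred_rotation_days"]),
            "mfa_required": a["mfa_required"] or b["mfa_required"]}

SAMPLE = [  # constructed inherited inventory from the acquired company
    Identity("alice", "employee", True, {"erp"}),
    Identity("bob", "employee", False, {"erp", "jira"}),
    Identity("ci-bot", "service", True, {"jira"}, {"admin"}),
    Identity("vendor-x", "contractor", True, {"jira"}, contract_end=date(2025, 6, 30)),
    Identity("carol", "employee", True, {"erp"}, managed_device=False),
    Identity("old-sync", "service", True, {"legacy_crm"}, {"admin"}),
]
```

Running `triage(SAMPLE)` deprovisions the orphaned, expired, and retired-system identities, queues the non-employee admin and the unmanaged-device user for review, and keeps only the in-scope employee.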
Key takeaways
- M&A is an identity governance event because the buyer inherits accounts, contractors, devices, and policies before integration is complete.
- The largest risk is not the deal itself but the access sprawl that follows it, including ghost accounts, overprovisioned roles, and unmanaged third-party access.
- Security teams should tie diligence, lifecycle control, and logging to the actual integration plan so inherited access does not become enterprise exposure.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The article centres on inherited credentials and lifecycle control during acquisitions. |
| NIST CSF 2.0 | PR.AC-4 | Acquisition access decisions depend on least privilege and controlled entitlement management. |
| NIST Zero Trust (SP 800-207) | AC-4 | M&A integration changes trust boundaries and demands continuous access enforcement. |
Revalidate trust relationships and segment inherited access before enabling cross-company connectivity.
Key terms
- Identity blast radius: The amount of damage or exposure that can spread when a weak identity or access path is inherited into a broader environment. In M&A, it describes how quickly a small control failure can become enterprise-wide once systems, users, and contractors begin to connect.
- Orphaned account: An account that remains active after the person, contractor, or system it was tied to is no longer meant to have access. In acquisition scenarios, orphaned accounts often survive because ownership is unclear and cleanup work is delayed until after integration.
- Access-trust gap: The mismatch between who or what can reach a system and the level of trust the organisation has actually verified. It is especially visible when unmanaged devices, SaaS apps, contractors, or AI agents can access data without the governance controls that should constrain them.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by 1Password: identity and access risk in mergers and acquisitions. Read the original.
Published by the NHIMG editorial team on 2025-09-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org