TL;DR: Mergers and acquisitions can rapidly expand identity attack surfaces by inheriting dormant accounts, shadow privileges, orphaned service accounts, and fragmented IAM, IGA, and PAM controls, according to Hydden. The core problem is not integration speed alone, but the collapse of a single, trustworthy identity inventory across two environments.
At a glance
What this is: This is an analysis of how mergers and acquisitions expand identity risk by inheriting undocumented access, fragmented governance, and hidden non-human identities.
Why it matters: It matters because M&A events can break normal IAM, NHI, and PAM controls at the exact moment attackers are most likely to exploit weak visibility and delayed deprovisioning.
By the numbers:
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
👉 Read Hydden’s analysis of identity risk in mergers and acquisitions
Context
M&A identity risk begins with a simple problem: the acquiring organisation inherits access it did not create and often cannot fully see. That includes dormant accounts, stale entitlements, legacy authentication paths, and non-human identities buried in cloud apps and CI/CD pipelines. In an integration programme, the identity inventory is usually the first thing to become unreliable.
The governance failure is structural, not just operational. IAM, IGA, and PAM tools are often tuned for stability, while M&A produces rapid change, incomplete documentation, and conflicting trust boundaries. For teams responsible for NHI governance and identity lifecycle control, the issue is less about merging systems and more about avoiding blind trust in inherited access.
Key questions
Q: How should security teams manage inherited identity risk during an acquisition?
A: Security teams should inventory all identities before connectivity expands, then validate ownership, privilege, and lifecycle state across both organisations. The priority is to remove blind trust in inherited access. That means checking human accounts, service accounts, API keys, and federation paths before integration accelerates.
Q: Why do mergers create such a large non-human identity risk?
A: Mergers often inherit service accounts, API keys, and certificates that were created under different governance standards and are poorly documented. Those identities can survive longer than human employees because they are not visible in ordinary HR-driven processes. That makes them a persistent attack path unless they are discovered and reviewed early.
Q: What breaks when IAM and PAM tools are not aligned across two merged companies?
A: What breaks is the assumption that one governance model can certify the combined estate. Misaligned approval flows, role definitions, and privileged access handling create gaps where access remains valid without clear ownership. The result is delayed offboarding, excessive privilege, and hidden trust relationships that are hard to unwind later.
Q: Who is accountable for inherited access after an M&A event?
A: Accountability should sit with the acquiring organisation’s identity and security leadership, but each inherited account still needs a named business owner. Without explicit ownership transfer, access reviews become unreliable and deprovisioning stalls. Governance teams should require ownership assignment as part of every integration milestone.
Technical breakdown
Why identity inventories collapse during M&A integration
Identity inventories break when two organisations bring incompatible directories, policy models, and account lifecycles into the same programme. A single source of truth no longer exists at the moment it is most needed. That makes it easy for dormant accounts, orphaned service identities, and shadow privileges to survive the initial integration waves. In identity governance terms, the problem is not just scale. It is that discovery, entitlement mapping, and ownership attribution all become partial at once, which weakens both human IAM and NHI oversight.
Practical implication: establish a pre-merger inventory that covers human and non-human identities before any access is connected.
How fractured IAM, IGA, and PAM controls create hidden trust paths
When the two environments use different governance tools, they also use different assumptions about approval, privilege, and review. That creates hidden trust paths through federated SSO, redundant admin roles, and untracked service credentials. In practice, teams may unify access at the front door while leaving back-end access untouched. The result is configuration drift: entitlements stay valid longer than intended, deprovisioning lags behind organisational change, and the merged environment becomes harder to certify with confidence.
Practical implication: validate trust relationships, privileged roles, and deprovisioning flows across both environments before expanding connectivity.
Why post-deal identity discovery must be continuous, not point in time
M&A creates a moving target. New accounts appear as systems connect, entitlements change as business units consolidate, and temporary exceptions often become permanent. Point-in-time snapshots miss those changes. Continuous discovery is therefore the only viable mechanism for seeing newly exposed identities, especially service accounts and API keys that may never appear in human-centric review processes. Without continuous monitoring, integration teams can accidentally normalise risk instead of reducing it.
Practical implication: treat continuous identity discovery as a live control during integration, not a post-integration cleanup task.
Threat narrative
Attacker objective: The attacker aims to exploit the confusion of integration to gain durable access across both organisations before governance teams can normalise the environment.
- Entry occurs through inherited identity debt, including dormant accounts, legacy SSO trust, or orphaned non-human credentials that remain valid after the acquisition.
- Escalation follows when broad inherited privileges, delayed deprovisioning, or inconsistent PAM controls let the attacker move from one environment into higher-value systems.
- Impact lands when the merged identity estate gives the attacker a wider blast radius, enabling data theft, ransomware spread, or system-wide disruption.
Breaches seen in the wild
- Reviewdog GitHub Action supply chain attack — reviewdog/action-setup GitHub Action supply chain attack exposed secrets.
- CI/CD pipeline exploitation case study — full server takeover via exposed .git directory and mismanaged CI/CD pipeline secrets.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Inherited identity debt is the real merger risk, not just integration friction. An acquisition brings over dormant accounts, shadow privileges, legacy authentication paths, and undocumented non-human identities that may have been tolerated for years. Those issues become materially more dangerous when they are folded into a larger attack surface with partial visibility and conflicting ownership. The practitioner implication is straightforward: the deal inherits a security baseline, whether or not anyone has validated it.
Two IAM stacks create two versions of truth, and attackers exploit the gap between them. Merging organisations often try to reconcile directories, governance workflows, and privileged access after connectivity is already underway. That sequencing creates a window where neither side fully trusts the other, yet both expose access paths. The implication is that identity governance becomes a transition-control problem, not an administration problem.
Identity attack surface management becomes the only way to see what the merger actually added. Static inventories and periodic reviews cannot keep pace with newly linked cloud services, temporary exceptions, and inherited service accounts. Continuous discovery is the difference between knowing the estate and believing you know it. Practitioners should treat post-merger visibility as a live assurance function, not a reporting exercise.
Standstill access assumptions fail the moment business speed outruns governance maturity. Access review processes were designed for relatively stable estates with known owners and predictable certification cycles. That assumption fails during M&A because identities are rehomed, repurposed, or forgotten faster than review cadences can catch them. The implication is that lifecycle governance must be rethought around transition states, not just steady-state operations.
Identity blast radius is the named concept that explains why M&A incidents escalate so fast. A merger does not just increase the number of identities. It multiplies the number of cross-trust relationships, privileged pathways, and recovery dependencies that an attacker can chain together. The practitioner implication is that risk scoring should prioritise reachable privilege and unresolved trust paths over raw account counts.
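Scoring reachable privilege rather than raw account counts, as an added example that is not code from the original article or from Hydden. The access graph is constructed: identities, roles, systems and one inherited cross-estate trust, with a directed edge meaning "can act as" or "can reach". An identity's blast radius is the set of systems reachable from it, so a target-side ETL account with one modest direct entitlement outranks an acquirer CRM admin once the unreviewed federation trust is on the graph. The node names, edges and crown-jewel set are assumptions for the example.

```python
"""Identity blast radius as reachability over an access graph.

Added example, not code from the original article or from Hydden. The graph
below is constructed: nodes are identities, roles, systems and one inherited
cross-estate trust; a directed edge means "can act as" or "can reach". Blast
radius is the set of systems reachable from an identity, so an account with
one modest direct entitlement can outrank an account with several direct but
dead-end entitlements once an inherited trust path is on the graph.
"""
from collections import deque

# Constructed edges (source, target). Names are illustrative placeholders.
EDGES = [
    ("alice@acquirer.example", "role:crm-admin"),
    ("role:crm-admin", "sys:crm"),
    ("role:crm-admin", "sys:crm-reports"),
    ("role:crm-admin", "sys:crm-billing"),
    ("svc-etl@target.example", "role:target-data-reader"),
    ("role:target-data-reader", "sys:target-warehouse"),
    # Inherited federation: the target warehouse's workload identity is trusted
    # by an acquirer cloud admin role that nobody re-validated after the deal.
    ("sys:target-warehouse", "trust:target-to-acquirer-federation"),
    ("trust:target-to-acquirer-federation", "role:acquirer-cloud-admin"),
    ("role:acquirer-cloud-admin", "sys:acquirer-cloud-control-plane"),
    ("role:acquirer-cloud-admin", "sys:acquirer-secrets-vault"),
    ("role:acquirer-cloud-admin", "sys:acquirer-ci"),
    ("bob@target.example", "role:target-helpdesk"),
    ("role:target-helpdesk", "sys:target-ticketing"),
]
IDENTITIES = ["alice@acquirer.example", "svc-etl@target.example", "bob@target.example"]
CROWN_JEWELS = {"sys:acquirer-cloud-control-plane", "sys:acquirer-secrets-vault"}


def build_graph(edges):
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, []).append(dst)
        graph.setdefault(dst, [])
    return graph


def reachable(graph, start, blocked=frozenset()):
    """Breadth-first reachability; nodes in `blocked` are never traversed."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def rank_identities(edges, identities, crown_jewels):
    """Score by reachable systems (crown jewels weighted), not by entitlement count."""
    graph = build_graph(edges)
    trust_nodes = frozenset(n for n in graph if n.startswith("trust:"))
    rows = []
    for ident in identities:
        full = reachable(graph, ident)
        local = reachable(graph, ident, blocked=trust_nodes)  # what one directory alone shows
        systems = {n for n in full if n.startswith("sys:")}
        rows.append({
            "identity": ident,
            "directory_view": len({n for n in local if n.startswith("sys:")}),
            "reachable_systems": len(systems),
            "crosses_trust": bool(full & trust_nodes),
            "score": len(systems) + 2 * len(systems & crown_jewels),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in rank_identities(EDGES, IDENTITIES, CROWN_JEWELS):
        print(row)
```

The `directory_view` column is what a per-estate access review would report; `reachable_systems` is what the merged graph actually permits. The gap between the two columns is the inherited trust path, which is where review effort should go first.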
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to Oasis Security & ESG.
- For the control path behind those failures, read Ultimate Guide to NHIs for lifecycle, rotation, and visibility coverage.
What this signals
Identity blast radius will become the deciding metric in M&A security programmes. The question is no longer whether the target company has risky identities, but how many systems those identities can still reach after the transaction closes. Teams that cannot quantify reachable privilege across the combined estate will struggle to separate true business value from inherited exposure.
If the combined environment still depends on periodic reviews alone, exceptions will accumulate faster than they can be certified. That pushes identity governance toward continuous discovery, live ownership mapping, and tighter coupling between merger milestones and deprovisioning.
With 96% of organisations storing secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, inherited environments are rarely clean even before the deal begins. The merger simply exposes how much hidden identity debt already existed.
For practitioners
- Build a pre-merger identity inventory across both estates: Map every human account, service account, API key, certificate, and federated trust path before Day One connectivity. Include ownership, last use, privileged status, and deprovisioning history so inherited access can be challenged early.
- Freeze and review inherited privileged access before integration: Vault newly discovered admin accounts and keys, then verify whether each entitlement is still justified for the combined operating model. Prioritise accounts that can reach cloud control planes, CI/CD pipelines, or shared SaaS administration.
- Test federation and SSO trust boundaries before broadening connectivity: Validate whether the merged identity paths create unintended authentication trust between directories, tenants, or partner systems. Pay particular attention to misaligned MFA enforcement, stale claims, and role mapping drift.
- Run continuous discovery during the full integration window: Use live identity discovery to catch new accounts, new exceptions, and access changes as systems are connected. Treat any unexplained privilege growth as a security issue until ownership and business need are confirmed.
Key takeaways
- M&A expands identity risk by inheriting undocumented access, not just by connecting more systems.
- The most dangerous gaps are hidden trust paths, dormant accounts, and orphaned non-human identities that survive the transition.
- Continuous discovery, ownership validation, and privileged access review are the controls that determine whether integration reduces risk or multiplies it.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Inherited and stale NHI credentials are central to merger-era identity risk. |
| NIST CSF 2.0 | PR.AC-1 | M&A breaks assumptions about verified access and identity ownership. |
| NIST Zero Trust (SP 800-207) | SC-3 | Merged trust paths undermine zero trust assumptions about explicit verification. |
Reassess every cross-environment trust relationship before widening system-to-system access.
Key terms
- Identity Attack Surface Management: Identity attack surface management is the practice of continuously discovering and assessing all identity exposure across an estate. It focuses on human and non-human accounts, their privileges, and their trust relationships so security teams can see what an attacker could reach, not just what a directory reports.
- Orphaned Service Account: An orphaned service account is a machine identity that no longer has a clear owner, business purpose, or lifecycle control. These accounts often persist after system changes, mergers, or contractor departures, and they are dangerous because they can remain valid long after the original need has disappeared.
- Identity Blast Radius: Identity blast radius is the set of systems, data, and administrative controls an identity can reach if abused. In merger environments, the blast radius expands quickly when trust paths, privileged roles, and unmanaged credentials are combined before governance has been normalised.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy, lifecycle governance, or secrets management, it is worth exploring.
This post draws on content published by Hydden: identity chaos and inherited risk in mergers and acquisitions. Read the original.
Published by the NHIMG editorial team on 2026-02-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org