By NHI Mgmt Group Editorial Team
Published 2026-01-16
Domain: Governance & Risk
Source: Hydden

TL;DR: Mergers and acquisitions expand the identity attack surface by inheriting dormant accounts, shadow privileges, orphaned service accounts, and misconfigured SSO paths, according to Hydden. The real risk is that IAM, IGA, and PAM controls are built for stable estates, not for rapid integration with fragmented identity data and configuration drift.


At a glance

What this is: This is an analysis of how mergers and acquisitions turn inherited identity debt into a larger attack surface, especially for human and non-human identities.

Why it matters: It matters because IAM, IGA, PAM, and NHI governance programmes can fail when they assume clean ownership, stable entitlements, and a single source of truth during integration.



Context

M&A identity chaos starts when two organisations combine identity estates that were never designed to coexist. The problem is not just duplicated users, but inherited service accounts, API keys, stale entitlements, and trust relationships that become harder to see the moment integration begins.

For IAM, IGA, and PAM teams, the core challenge is governance under uncertainty. A merger can turn a manageable identity programme into a fragmented environment with partial inventory, delayed deprovisioning, and access decisions made before risk is fully mapped.

The recurring pattern is that business integration moves faster than identity reconciliation. That is typical, not exceptional, which is why M&A should be treated as an identity security event, not only a corporate systems project.


Key questions

Q: What breaks when M&A teams do not inventory inherited identities early?

A: Without an early inventory, inherited accounts, keys, and trust paths remain hidden long enough to be abused during integration. The result is delayed deprovisioning, unresolved ownership, and privileged access that survives the deal closure. In practice, this creates a blind spot where attackers can move faster than governance can reconcile the estate.

Q: Why do mergers make NHI governance harder than usual?

A: Mergers multiply the number of service accounts, API keys, automation paths, and third-party trust links that must be governed at once. Those identities often lack clean ownership and are easy to overlook when teams focus on employees and application cutover. That makes visibility and retirement discipline central to merger security.

Q: How do security teams know if inherited access is actually under control?

A: They know it is under control only when duplicate accounts are removed, privileged access is vault-managed, stale credentials are rotated, and each identity has a clear owner. If those conditions are not measurable across both estates, the merger is still carrying hidden access risk, even if business systems are already connected.

Q: Who is accountable for identity risk after a merger closes?

A: Accountability should sit with the team that owns identity reconciliation, privileged access cleanup, and offboarding across the combined estate, not with infrastructure teams alone. When ownership is split between business integration and security operations, orphaned identities and unresolved entitlements tend to persist far beyond Day One.


Technical breakdown

Inherited identity debt after an acquisition

An acquired company brings its full identity history into the combined estate, including dormant accounts, shared admin access, legacy service identities, and credentials embedded in automation. These are not theoretical leftovers. They are live trust paths that may still authenticate successfully after the transaction closes. The hard part is that ownership, purpose, and retirement dates are often unclear, so standard entitlement reviews miss the real exposure. In M&A, the issue is less the number of identities than the quality of provenance attached to them.

Practical implication: build a complete inventory of inherited identities before integration work starts, with ownership and purpose attached to each account.

Why fragmented IAM, IGA, and PAM break under integration

Merging organisations often run different identity stacks, different naming conventions, and different approval workflows. That means no single control plane can reliably tell you which accounts are privileged, which ones are redundant, or which trust relationships are accidental. Without a unified view, governance becomes a sequence of local decisions made on incomplete data. This is why point-in-time reports fail during M&A. The risk changes too quickly for static snapshots to remain useful.

Practical implication: use continuous discovery across both estates instead of relying on periodic entitlement exports or manual reconciliation.

Why Day One access creates configuration drift

M&A integration often prioritises business continuity, which means access is granted before controls are fully normalised. That creates short-term operational convenience but long-term security drift: broader permissions, inconsistent MFA coverage, and delayed cleanup of obsolete accounts and keys. Attackers benefit because the combined environment has more trust paths and fewer mature boundaries. In identity terms, the issue is not just overprovisioning. It is the compounding effect of rushed connectivity across systems that were never aligned.

Practical implication: separate business connectivity from access normalisation, and enforce post-merger remediation windows for privileged and non-human identities.


Threat narrative

Attacker objective: The attacker wants to exploit merger-driven identity confusion to gain durable access across the combined environment before governance catches up.

  1. Entry occurs through inherited trust relationships, such as dormant accounts, orphaned service identities, or misconfigured SSO links left behind in the acquired environment.
  2. Escalation follows when excessive privileges, delayed offboarding, or inconsistent MFA coverage let an attacker move from one inherited identity path into higher-value systems.
  3. Impact arrives as broader compromise across the merged estate, where attackers can access sensitive data, disrupt operations, or use the integration window to persist unnoticed.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Identity debt becomes attack surface the moment two estates are joined: M&A does not create new identities from scratch, it inherits undocumented trust paths, old credentials, and ownership gaps. That means the combined risk is often larger than either company understood separately. Practitioners should treat inherited identity inventory as a first-order security problem, not a downstream cleanup task.

Single-source-of-truth governance is a merger assumption, not a reality: IAM, IGA, and PAM programmes are usually designed around one operating model, one directory logic, and one approval chain. That assumption fails when two organisations bring conflicting identity data and incompatible control states into the same environment. The implication is that governance teams must stop assuming reconciliation will be automatic once integration begins.

Orphaned non-human identities are the quietest failure mode in M&A: Service accounts, API keys, and CI/CD credentials often survive the organisational transition because nobody owns their retirement. This is an identity provenance gap: the identity still exists, but the reason for its existence no longer does. The implication is that NHI visibility and lifecycle controls become as important as user account clean-up.

Day One access can override the security model before it is validated: business pressure to connect systems quickly often pushes security controls into a reactive role. That creates a governance pattern where access is granted first and normalised later, which is exactly when attackers look for the widest trust window. Practitioners should treat integration speed as a security variable, not only a programme milestone.

M&A proves that identity governance is a lifecycle discipline, not a tooling category: The real challenge is not whether a team owns IAM, IGA, or PAM. It is whether the organisation can re-establish ownership, entitlement quality, and deprovisioning discipline while two environments are being fused. Practitioners should design merger playbooks around lifecycle certainty, not just system connectivity.

From our research:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why merger inventories so often miss the identities most likely to persist after integration.
  • That visibility gap is the forward problem to solve, and the 52 NHI Breaches Analysis shows how those hidden accounts turn into real compromise paths.

What this signals

Identity provenance gap: merger programmes need to track not just what access exists, but why it still exists after corporate ownership changes. If the answer is unclear, the entitlement is already a governance exception.

The practical signal is that M&A teams should expect identity clean-up to outlast system cutover. Continuous discovery, owner assignment, and privileged credential rotation need to be built into the integration plan, not added after audit findings arrive.

The broader lesson is that NHI risk rarely arrives alone. When user accounts, service identities, and third-party access are inherited together, the programme that can reconcile them fastest is the one most likely to contain the merger blast radius.


For practitioners

  • Map inherited identities before integration begins: Build a global inventory that includes human accounts, service accounts, API keys, certificates, and third-party access across both organisations. Record ownership, purpose, and retirement status before any broad connectivity work starts.
  • Separate connectivity from privilege normalisation: Allow business systems to connect only with tightly bounded access, then run a formal cleanup phase for excessive permissions, duplicate accounts, and misaligned trust relationships.
  • Continuously discover identity drift during Day One operations: Replace point-in-time reconciliation with continuous discovery so new accounts, altered entitlements, and inherited trust paths are visible as the merger unfolds.
  • Vault and rotate privileged non-human credentials immediately: Move discovered privileged accounts and keys into controlled vaulting workflows, then rotate credentials and reduce privilege before the merged estate stabilises.
  • Assign retirement ownership for orphaned service identities: Create a named owner for every service account, API key, and automation credential so offboarding and revocation are accountable during and after integration.
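The practitioner steps above reduce to a small set of measurable conditions: no duplicate accounts across estates, no non-human identity without an owner and purpose, no privileged credential outside a vault, no credential past its rotation deadline, and no unexplained change between two discovery runs. The following script is an added example written for this page (it is not Hydden's or NHI Mgmt Group's code, and the two inventories, the owner names, the dates and the 90-day rotation threshold are constructed assumptions) showing how to reconcile two inherited inventories against those conditions and how to diff consecutive discovery snapshots to catch Day One drift:

```python
"""Reconcile two inherited identity inventories and report merger readiness.

Constructed example: every record, owner and date below is invented for
illustration; the field names are an assumed export schema, not any tool's.
"""
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Identity:
    name: str             # account or key name as exported from the estate
    kind: str             # "human", "service" or "api_key"
    estate: str           # pre-merger organisation the record came from
    owner: Optional[str]  # named person or team responsible, if known
    purpose: Optional[str]
    privileged: bool
    vaulted: bool         # True if the secret is held by a vault/PAM tool
    last_rotated: date    # last credential rotation or password change


AS_OF = date(2026, 1, 16)  # assumed reconciliation date

# Constructed inventories: acquiring estate "acme", acquired estate "globex".
ACME = [
    Identity("jdoe", "human", "acme", "hr", "employee", False, False, date(2025, 11, 2)),
    Identity("svc-backup", "service", "acme", "platform-team", "nightly backups", True, True, date(2025, 12, 1)),
    Identity("ci-deploy-key", "api_key", "acme", "devops", "CI deploys", True, True, date(2025, 10, 20)),
]
GLOBEX = [
    Identity("jdoe", "human", "globex", "hr", "contractor", False, False, date(2024, 6, 1)),
    Identity("svc-legacy-etl", "service", "globex", None, None, True, False, date(2022, 3, 15)),
    Identity("svc-monitor", "service", "globex", "ops", "metrics scrape", False, False, date(2025, 12, 20)),
    Identity("partner-api-key", "api_key", "globex", "", "partner feed", True, False, date(2023, 1, 9)),
]

# Constructed Day One re-discovery of globex: an integration account appeared
# during cutover and svc-monitor was granted admin rights to "make it work".
GLOBEX_DAY_ONE = [
    replace(i, privileged=True) if i.name == "svc-monitor" else i for i in GLOBEX
] + [Identity("svc-tmp-integration", "service", "globex", None, None, True, False, date(2026, 1, 10))]


def merge_inventories(*estates):
    """Flatten per-estate exports into one combined inventory."""
    return [identity for estate in estates for identity in estate]


def find_duplicates(identities):
    """Names present in more than one estate: consolidation candidates."""
    estates_by_name = {}
    for i in identities:
        estates_by_name.setdefault(i.name.lower(), set()).add(i.estate)
    return sorted(n for n, estates in estates_by_name.items() if len(estates) > 1)


def find_orphaned_nhis(identities):
    """Non-human identities lacking an owner or a stated purpose (provenance gap)."""
    return sorted(i.name for i in identities if i.kind != "human" and (not i.owner or not i.purpose))


def find_unvaulted_privileged(identities):
    """Privileged accounts or keys whose secret is not under vault control."""
    return sorted(i.name for i in identities if i.privileged and not i.vaulted)


def find_stale_credentials(identities, as_of, max_age_days=90):
    """Credentials not rotated within the allowed window as of the given date."""
    return sorted(i.name for i in identities if (as_of - i.last_rotated).days > max_age_days)


def readiness_report(identities, as_of, max_age_days=90):
    """Evaluate the measurable 'under control' conditions; all lists empty means pass."""
    report = {
        "duplicates": find_duplicates(identities),
        "orphaned_nhis": find_orphaned_nhis(identities),
        "unvaulted_privileged": find_unvaulted_privileged(identities),
        "stale_credentials": find_stale_credentials(identities, as_of, max_age_days),
    }
    report["under_control"] = all(not findings for findings in report.values())
    return report


def diff_snapshots(previous, current):
    """Compare two discovery runs of one estate to surface drift during integration."""
    prev = {i.name: i for i in previous}
    cur = {i.name: i for i in current}
    shared = set(prev) & set(cur)
    return {
        "added": sorted(set(cur) - set(prev)),
        "removed": sorted(set(prev) - set(cur)),
        "privilege_escalated": sorted(n for n in shared if cur[n].privileged and not prev[n].privileged),
    }


if __name__ == "__main__":
    combined = merge_inventories(ACME, GLOBEX)
    for key, value in readiness_report(combined, AS_OF).items():
        print(f"{key}: {value}")
    print("day-one drift (globex):", diff_snapshots(GLOBEX, GLOBEX_DAY_ONE))
```

Each finding list maps to one remediation owner: duplicates to the reconciliation team, orphaned NHIs to whoever is assigned retirement ownership, unvaulted privileged and stale entries to the vaulting and rotation workflow. Running `diff_snapshots` on every discovery cycle, rather than once at close, is what turns the point-in-time report into continuous discovery.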

Key takeaways

  • M&A turns inherited identity debt into immediate security exposure because dormant accounts, stale privileges, and orphaned non-human identities enter the new estate with the transaction.
  • The scale of the problem is structural, not accidental, because IAM, IGA, and PAM controls usually assume a stable operating model that mergers do not provide.
  • The control that changes the outcome is disciplined identity reconciliation: inventory first, normalise access second, and revoke or rotate inherited credentials before attackers exploit the integration window.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | M&A often leaves non-human credentials unrotated or orphaned.
NIST CSF 2.0 | PR.AC-4 | Merger access decisions must enforce least privilege across both estates.
NIST Zero Trust (SP 800-207) | AC-6 | Rushed integration expands trust paths that zero trust is meant to constrain.

Inventory inherited NHI credentials and rotate or revoke anything with unclear ownership.


Key terms

  • Identity Debt: Identity debt is the accumulation of stale accounts, excessive privileges, undocumented trust paths, and unowned credentials that persist as systems change. In M&A, it becomes inherited risk because the new organisation absorbs both the accounts and the unresolved governance problems behind them.
  • Identity Attack Surface Management: Identity Attack Surface Management is the continuous discovery and prioritisation of identities, entitlements, and trust relationships that can be abused. It matters in M&A because static reports cannot keep up with the pace of integration, configuration drift, and inherited access changes.
  • Orphaned Service Account: An orphaned service account is a non-human identity that still functions but no longer has a clear owner, business purpose, or retirement plan. These accounts are dangerous because they often retain privileges long after the team that created them has moved on or disappeared.
  • Identity Provenance: Identity provenance is the chain of ownership, purpose, and lifecycle history that explains why an account or credential exists. When provenance is missing, security teams cannot reliably tell whether access is still justified, which makes inherited identities harder to govern during a merger.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Hydden: M&A identity chaos and the risks of inherited access during integration. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org