TL;DR: Mergers and acquisitions create five identity risk inflection points, from pre-acquisition visibility gaps to post-close sprawl, where orphaned accounts, overprovisioned access, and temporary trust can become durable exposure, according to Delinea. The central issue is that deal-speed assumptions outpace identity governance, so access decisions harden before teams can verify them.
At a glance
What this is: This is an analysis of five identity security inflection points across the M&A lifecycle, showing how access, visibility, and governance failures can turn deal acceleration into long-lived exposure.
Why it matters: It matters because IAM, PAM, NHI, and lifecycle teams must govern identity through change, not just steady state, or acquisition activity will create persistent privilege and compliance risk.
By the numbers:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches.
Read Delinea's full guide to cybersecurity in mergers and acquisitions
Context
M&A identity risk is a governance problem first and a technical problem second. The core failure is that teams often validate what is documented instead of what is actually enforced, then inherit orphaned accounts, overprovisioned entitlements, and fragmented policy as soon as integration starts.
In acquisition environments, access commonly expands before controls can be unified. That creates a familiar pattern for IAM and PAM teams, but it also reaches NHI governance because service accounts, application links, and shared credentials can survive long after the business rationale has changed.
The challenge is not simply to discover identities faster. It is to preserve continuity while preventing temporary access from becoming permanent exposure, which is why the NHI Lifecycle Management Guide is relevant whenever acquisition work touches offboarding, rotation, or entitlement review.
Key questions
Q: How should security teams assess identity risk before an acquisition closes?
A: They should compare documented access with live entitlements across human, privileged, and non-human identities. The goal is to find orphaned accounts, stale exceptions, and hidden trust paths before the deal is approved, because inheritance is the point at which acquisition risk becomes permanent.
Q: Why do mergers and acquisitions increase IAM and NHI risk so quickly?
A: Because access often expands faster than governance can consolidate. Temporary permissions, shared trust, and legacy accounts can survive the transition, so the combined environment inherits privilege that was never designed for the new operating model.
Q: What breaks when identity reviews are only done at a single point in the deal cycle?
A: Static reviews miss the fact that access changes during and after close. Orphaned accounts, overprovisioned roles, and unmanaged integrations can appear after the review finishes, which means the organisation mistakes a snapshot for control.
Q: Who is accountable when temporary access becomes permanent after a merger?
A: Accountability belongs to the business and security owners who approved the interim access and to the integration teams that failed to revalidate it. Frameworks such as NIST Cybersecurity Framework 2.0 expect governance to continue after the initial decision, not stop at the approval date.
Technical breakdown
Pre-acquisition identity discovery vs documented controls
Due diligence often reviews policies, diagrams, and inventories, but those artefacts do not prove how access behaves in production. In M&A, that gap matters because orphaned accounts, stale entitlements, and unverified exceptions can sit outside documented governance for months. The technical issue is not missing paperwork alone. It is the mismatch between policy intent and enforced access across directories, SaaS apps, and connected systems. Continuous evidence-based discovery narrows that gap by showing whether identities, privileges, and trust relationships actually match the target state.
Practical implication: verify enforced access, not just documented controls, before you assume the target identity estate is understood.
Temporary access and cross-organisational trust
During deal announcement to close, temporary access is often granted to keep operations moving, but temporary controls are frequently implemented as persistent entitlements. Cross-organisational trust chains can extend across directories, federated links, and privileged workflows without a unified owner. That is where risk compounds: the business treats access as short-term, while the identity system treats it as standing permission. In mixed estates, this pattern affects human admins, service accounts, and app integrations alike.
Practical implication: treat every interim trust relationship as time-bounded and explicitly owned until it is revalidated or removed.
Post-close identity sprawl and control hardening
After close, identity sprawl grows because teams merge systems before they fully understand dependencies. Access models collide, legacy privileges remain in place, and every unresolved account becomes harder to unwind as integrations deepen. This is especially dangerous when IAM, PAM, and NHI workflows are consolidated too quickly, because the environment becomes harder to audit while the risk surface expands. Continuous monitoring is the technical counterweight to that drift, but it only works if the organisation keeps tracking identity behaviour after the integration milestone.
Practical implication: keep monitoring privilege drift after close, because integration milestones do not end identity risk.
Threat narrative
Attacker objective: The objective is to exploit the expanded, under-governed access created during acquisition so the combined environment inherits durable privilege and control gaps.
- Entry begins when acquisition activity creates transitional access needs and teams grant broad temporary permissions to preserve continuity.
- Escalation follows when those temporary permissions are not re-baselined, allowing orphaned accounts, overprovisioned entitlements, and cross-organisation trust to persist.
- Impact appears when unresolved identities and fragmented policy enforcement widen the attack surface, complicate auditability, and leave the combined organisation with inherited exposure.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- ASP.NET machine keys RCE attack — 3,000+ exposed ASP.NET machine keys enabled remote code execution.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
M&A creates identity debt before the deal closes. The article correctly shows that the most expensive risks are often inherited during diligence, when leaders validate documents rather than actual access behaviour. That is a governance failure, not just a visibility gap, because the combined organisation is committing to entitlements it has not truly inspected. Practitioners should treat pre-close discovery as a control boundary, not a paperwork exercise.
Temporary access becomes permanent when governance is slower than integration. The period between announcement and close is where organisations most often mistake continuity for control. Cross-organisational trust chains, privileged exceptions, and shared credentials can outlive the transition that justified them. The result is standing exposure hidden inside a business process that was supposed to be temporary, which makes acquisition governance a lifecycle discipline, not a project task.
Identity blast radius is the right named concept for acquisition risk. M&A does not merely add more accounts; it multiplies the reach of every unresolved account by connecting two control environments that were never designed to interoperate. That is why post-close sprawl is so hard to reverse: each delay increases the number of systems, identities, and approvals that depend on the original mistake. Practitioners should measure acquisition risk by blast radius, not by deal stage.
Continuous monitoring is the only viable post-close assumption. The article is right to warn that incidents can surface months after integration because identity behaviour keeps changing after formal milestones end. In NIST CSF terms, the issue is not whether an environment was assessed once, but whether monitoring keeps pace with changing trust relationships. The practitioner conclusion is simple: a one-time identity review cannot govern a moving acquisition target.
M&A exposes the limits of static least-privilege thinking. Least privilege is often defined at provisioning time, but acquisitions change the shape of legitimate access before teams can complete consolidation. That means entitlement review, PAM governance, and NHI lifecycle controls have to operate on changing organisational truth rather than on the original access model. The implication is that acquisition governance must follow the business transition, not lag it.
From our research:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure.
- Use the NHI Lifecycle Management Guide to extend offboarding discipline into acquisition clean-up, where ownership often changes before access does.
What this signals
Identity blast radius: acquisition programmes should now be measured by how far one unresolved entitlement can propagate across the combined estate. When access crosses company boundaries, the risk is not just exposure but compounding dependency, so teams need a single view of identity ownership before they can trust any integration milestone.
M&A teams that already struggle with offboarding and lifecycle discipline will feel the weakness first. The same pattern that leaves 91% of former employee tokens active after offboarding also appears in deal work, where temporary access survives because no one owns the cleanup. That is why acquisition governance needs a lifecycle lens, not just a project timeline.
Teams should align M&A controls with the NIST Cybersecurity Framework 2.0 and the Ultimate Guide to NHIs so monitoring, access review, and offboarding continue after the integration milestone. The practical signal is simple: if the combined organisation cannot explain who owns every inherited identity, it is not ready to scale the merger.
For practitioners
- Baseline actual access before diligence closes. Compare documented entitlements with live directory, SaaS, and privileged access records before approval. Flag orphaned accounts, policy exceptions, and any access path that lacks a named owner.
- Treat interim access as time-bounded governance. Assign an owner, expiry condition, and revalidation trigger to every temporary cross-company permission so the access does not survive the acquisition phase by default.
- Re-certify privileged and non-human identities after integration milestones. Review service accounts, API keys, integrations, and admin roles once systems are merged, because the acquisition process often changes business purpose before the technical control plane is updated.
- Track identity blast radius during every integration wave. Measure how many applications, directories, and workflows depend on a single unresolved account or trust relationship, then prioritise the ones that can affect the widest share of the new estate.
- Keep monitoring after close, not just during transition. Extend continuous identity monitoring beyond day-one integration so delayed incidents, legacy privileges, and forgotten trust paths are still visible when the combined organisation stabilises.
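As an added example (not code from Delinea's guide or the NHIMG post), the first four checks in the list above run against a constructed access inventory: live records are compared with documented entitlements, entries with no named owner or a lapsed interim expiry are flagged, and findings are triaged by each identity's blast radius. All identities, systems, fields and dates are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample inventory (not from the page). DOCUMENTED is what the
# target's access policy says each identity may reach; LIVE is what the
# directory, SaaS and PAM exports actually show. REVIEW_DATE is the day the
# pre-close baseline is taken.
REVIEW_DATE = date(2026, 2, 12)
DOCUMENTED = {
    "svc-erp-sync": {"erp"},
    "j.doe": {"hr-portal"},
    "acq-integrator": {"target-ad"},
}
LIVE = [
    {"id": "svc-erp-sync", "system": "erp", "owner": "erp-team", "expires": None},
    {"id": "svc-erp-sync", "system": "payroll-db", "owner": "erp-team", "expires": None},
    {"id": "svc-erp-sync", "system": "crm", "owner": "erp-team", "expires": None},
    {"id": "j.doe", "system": "hr-portal", "owner": "hr-lead", "expires": None},
    {"id": "legacy-backup", "system": "file-share", "owner": None, "expires": None},
    {"id": "legacy-backup", "system": "backup-vault", "owner": None, "expires": None},
    {"id": "acq-integrator", "system": "target-ad", "owner": "pmo", "expires": date(2026, 1, 31)},
]

def blast_radius(live):
    """Distinct systems reachable per identity: the blast-radius measure used for triage."""
    reach = defaultdict(set)
    for rec in live:
        reach[rec["id"]].add(rec["system"])
    return {ident: len(systems) for ident, systems in reach.items()}

def findings(documented, live, today):
    """Flag live access that fails the pre-close baseline or interim-access checks."""
    out = []
    for rec in live:
        ident, system = rec["id"], rec["system"]
        if system not in documented.get(ident, set()):
            out.append((ident, system, "undocumented"))  # enforced but never approved
        if rec["owner"] is None:
            out.append((ident, system, "orphaned"))  # no accountable owner
        exp = rec["expires"]
        if exp is not None and exp < today:
            out.append((ident, system, "expired-interim"))  # temporary grant outlived its window
    radius = blast_radius(live)
    # Widest-reaching identities first, then a stable order for repeatable reports.
    return sorted(out, key=lambda f: (-radius[f[0]], f[0], f[1], f[2]))

if __name__ == "__main__":
    for ident, system, issue in findings(DOCUMENTED, LIVE, REVIEW_DATE):
        print(f"{issue:16} {ident:15} {system}")
```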
Key takeaways
- M&A risk is fundamentally an identity governance problem because access often expands before ownership, visibility, and enforcement are unified.
- The evidence in the article points to a recurring pattern: temporary permissions, orphaned accounts, and post-close sprawl become durable exposure if they are not revalidated.
- Security teams should make acquisition clean-up a lifecycle process, with continuous discovery, re-certification, and monitoring extending well beyond close.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | M&A risk grows when access is not revalidated across the combined environment. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Acquisition sprawl often leaves secrets, tokens, and accounts unmanaged after close. |
| NIST Zero Trust (SP 800-207) | | Cross-organisational trust during M&A conflicts with continuous verification. |
Apply NHI-03 to identify orphaned identities, duplicated secrets, and unused credentials before they become permanent.
Key terms
- Identity debt: Identity debt is the accumulation of access decisions that were made for speed and are later expensive to unwind. In M&A, it appears when temporary permissions, inherited roles, and merged directories remain in place after the business context that justified them has changed.
- Identity blast radius: Identity blast radius is the number of systems, users, and workflows affected when one identity or trust relationship is wrong. In acquisition scenarios, it describes how a single unresolved account can propagate risk across the combined organisation if ownership and scope are not revalidated.
- Orphaned account: An orphaned account is an identity that still exists and may still have access even though its owner, user, or business purpose no longer does. These accounts are dangerous because they often survive offboarding, integration, or restructuring and remain invisible until they are abused.
- Standing privilege: Standing privilege is access that remains continuously available instead of being granted only when needed. In transitional environments such as M&A, it becomes risky because temporary trust can harden into permanent access before teams complete review or consolidation.
Deepen your knowledge
NHI governance, identity lifecycle management, and secrets management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for IAM, PAM, or broader identity security in your organisation, it is worth exploring.
This post draws on content published by Delinea: 5 critical steps to strengthen cybersecurity in M&A. Read the original.
Published by the NHIMG editorial team on 2026-02-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org