By NHI Mgmt Group Editorial Team | Published 2026-06-04 | Domain: Announcements | Source: Unosecur

TL;DR: Mergers and acquisitions can double identity risk during integration, while mismatched IAM stacks, provisional access, SoD conflicts, compliance gaps, and inherited breaches create a larger attack surface, according to Unosecur and cited research. In practice, merger governance fails when teams treat identity consolidation as a back-office task instead of a security prerequisite.


At a glance

What this is: This is an M&A identity security analysis that shows how integration amplifies access risk, governance drift, and inherited compromise.

Why it matters: It matters because merger planning changes the identity blast radius for human users, service accounts, and privileged access at the same time.

By the numbers:

👉 Read Unosecur's analysis of six identity security risks in M&A


Context

M&A identity security is the discipline of controlling who and what can access systems while two organisations combine directories, privileges, and governance processes. The problem is not just integration complexity. It is that merger activity expands the identity attack surface before teams have established a stable access model for humans, privileged users, and machine identities.

The article's core claim is that mergers fail when identity is treated as an integration chore rather than a security control plane. That is the right lens for IAM, PAM, and lifecycle teams, because the highest-risk failures in M&A are usually about excessive access, inconsistent authentication, and inherited compromise rather than traditional perimeter defence.


Key questions

Q: What breaks when identity governance is not in place during an acquisition?

A: Without identity governance, merger teams lose track of who owns access, which accounts are temporary, and where privileged rights overlap. That creates orphaned access, unresolved segregation-of-duties conflicts, and hidden trust between environments. The result is a larger attack surface and a longer window for misuse during the integration period.

Q: Why do mergers and acquisitions increase identity security risk so quickly?

A: M&A increases risk because the combined estate usually contains more identities, more privileged accounts, and two different governance models. Security teams must reconcile access under time pressure, which often leads to provisional permissions, inconsistent policies, and weaker review discipline. The risk rises fastest where lifecycle ownership is unclear.

Q: How do security teams know if merger access controls are working?

A: They should be able to show that every temporary account has an owner, an expiry date, and a review record, and that privileged access is being monitored for unusual use. If the team cannot produce those artefacts quickly, the control is not operating at merger speed.

Q: Who is accountable when inherited compromise is discovered after a deal closes?

A: Accountability should be shared between acquisition, security, legal, and compliance teams, but the buyer still needs evidence that it performed adequate identity due diligence. If the target concealed a breach, contractual recourse may apply. If diligence was weak, the buyer owns the remediation burden.


Technical breakdown

Disparate IAM systems create hidden trust gaps

When two companies merge, identity stores, authentication methods, and policy engines rarely line up cleanly. One environment may use cloud-native directories, while the other depends on legacy Active Directory or local admin patterns. The technical problem is not just synchronisation. It is that mismatched trust boundaries can let old entitlements persist, create duplicate identities, or break policy enforcement across systems. Identity Security Posture Management helps expose those mismatches before cutover, while IAM operations work is needed to reconcile naming, ownership, and authentication paths across both estates.

Practical implication: reconcile identity sources and access policies before the merger closes, not after users start crossing environments.

Provisional access expands the privileged access footprint

During an acquisition, teams often grant temporary access to keep operations running, but provisional access tends to become standing privilege if no lifecycle control exists. That creates a larger pool of accounts with broad rights, especially where admin roles, VPN access, or contractor credentials are issued under time pressure. From a technical standpoint, the risk is not temporary access itself. It is the absence of expiry, review, and scope enforcement. PAM and ITDR matter here because they constrain high-risk access and surface anomalous use before short-term access turns into long-term exposure.

Practical implication: make expiry and recertification mandatory for every interim account, especially privileged and third-party access.

Inherited compromise survives the deal unless identity evidence is checked

An acquisition can inherit not only systems but also active compromise. If the target environment already contains breached credentials, dormant attackers, or weak access hygiene, those conditions move into the new entity after close. The technical lesson is that identity evidence must be inspected as part of diligence, not assumed clean because the deal is done. Access review logs, MFA coverage, credential age, and privileged account inventory become core acquisition artefacts. Without that evidence, the buyer may absorb a breach instead of a business.

Practical implication: require identity posture validation and breach-hunting checks before and immediately after integration.
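The two preceding sections, and the earlier question about how a team knows merger access controls are working, describe the artefacts that should exist for every interim account (owner, expiry, review record) and the identity evidence to inspect on inherited accounts (MFA coverage, credential age, dormancy). The script below is an added example, not code from Unosecur or NHIMG, that turns those checks into an audit over a constructed account inventory. The record layout, the thresholds (30-day review window, 180-day credential age, 60-day dormancy) and the sample accounts are all assumptions; a real run would populate the records from the directory and PAM exports of both estates.

```python
"""Merger-era account audit.

Added example (not Unosecur's or NHIMG's code). Flags provisional accounts
that lack an owner, an expiry or a recent review, and inherited accounts with
missing MFA, stale credentials or dormant logins. Record layout, thresholds
and sample accounts are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed policy thresholds; tune to the programme's own standards.
REVIEW_WINDOW_DAYS = 30          # interim access must be recertified this often
MAX_CREDENTIAL_AGE_DAYS = 180    # credential age beyond which rotation is overdue
DORMANT_AFTER_DAYS = 60          # no sign-in for this long counts as dormant
AUDIT_DATE = date(2026, 6, 4)    # constructed "today" for the sample run


@dataclass
class Account:
    name: str
    estate: str                  # "acquirer" or "target"
    kind: str                    # "human", "service" or "third_party"
    privileged: bool
    provisional: bool            # granted to keep the integration moving
    owner: Optional[str] = None
    expires: Optional[date] = None
    last_review: Optional[date] = None
    mfa: bool = False
    credential_set: Optional[date] = None
    last_login: Optional[date] = None


Finding = Tuple[str, List[str]]  # (severity, issues)


def audit(accounts: List[Account], today: date) -> Dict[str, Finding]:
    """Return {account name: (severity, [issues])} for every account failing a check."""
    findings: Dict[str, Finding] = {}
    for a in accounts:
        issues: List[str] = []
        # Lifecycle controls for interim access: owner, expiry, review record.
        if a.provisional:
            if not a.owner:
                issues.append("no owner")
            if a.expires is None:
                issues.append("no expiry")
            elif a.expires < today:
                issues.append("expired but active")
            if a.last_review is None or (today - a.last_review).days > REVIEW_WINDOW_DAYS:
                issues.append("review overdue")
        # Inherited hygiene evidence: MFA coverage, credential age, dormancy.
        if a.kind == "human" and not a.mfa:
            issues.append("no MFA")
        if a.credential_set is not None and (today - a.credential_set).days > MAX_CREDENTIAL_AGE_DAYS:
            issues.append("stale credential")
        if a.last_login is None or (today - a.last_login).days > DORMANT_AFTER_DAYS:
            issues.append("dormant")
        if issues:
            # Privileged and third-party accounts are the ones the text singles out.
            severity = "high" if a.privileged or a.kind == "third_party" else "medium"
            findings[a.name] = (severity, issues)
    return findings


def sample_accounts(today: date) -> List[Account]:
    """Constructed sample inventory spanning both estates; not real data."""
    def days_ago(n: int) -> date:
        return today - timedelta(days=n)

    return [
        Account("svc-migrate", "target", "service", privileged=True, provisional=True,
                credential_set=days_ago(300), last_login=days_ago(2)),
        Account("contractor-jdoe", "target", "third_party", privileged=False, provisional=True,
                owner="it-ops", expires=days_ago(10), last_review=days_ago(5), mfa=True,
                credential_set=days_ago(20), last_login=days_ago(1)),
        Account("alice", "acquirer", "human", privileged=True, provisional=False,
                owner="alice", mfa=True, credential_set=days_ago(30), last_login=days_ago(1)),
        Account("bob-legacy", "target", "human", privileged=False, provisional=False,
                owner="hr", credential_set=days_ago(400), last_login=days_ago(120)),
    ]


def run_sample() -> Dict[str, Finding]:
    """Audit the constructed inventory as of AUDIT_DATE."""
    return audit(sample_accounts(AUDIT_DATE), AUDIT_DATE)


if __name__ == "__main__":
    for name, (severity, issues) in sorted(run_sample().items()):
        print(f"{severity:6} {name:16} {', '.join(issues)}")
```

The findings are the evidence the Q&A above asks for: an account with no owner, no expiry and no review record is exactly the case where the control is not operating at merger speed, and an expired-but-active contractor account is the provisional-to-standing drift the section warns about.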


Threat narrative

Attacker objective: The attacker aims to exploit merger chaos to gain durable access, move laterally across the combined estate, and preserve a compromise that looks like integration noise.

  1. Entry occurs when merging organisations connect directories, VPNs, or shared applications before access hygiene is normalised, creating a path for misuse of inherited or provisional identities.
  2. Escalation follows when excessive roles, unresolved SoD conflicts, or privileged accounts give an intruder broader reach across the combined environment.
  3. Impact is business interruption, unauthorised data exposure, fraud opportunity, or the silent continuation of an existing breach into the post-merger estate.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities, including AI Agents.


NHI Mgmt Group analysis

Merger identity governance breaks when teams assume the two estates can be merged before access is understood. That assumption fails because directories, admin roles, and machine credentials do not merge cleanly on day one. The result is a governance gap where ownership, expiry, and least privilege are all undefined at the same time. Practitioners should treat identity reconciliation as a prerequisite to operational integration.

Identity attack surface inflation is the real M&A risk multiplier. Every new employee, contractor, admin, API key, and service account increases the number of places an attacker can hide or escalate. The issue is not just more identities, but more high-value identities with unclear control ownership. IAM and PAM teams need to see merger scope as a privilege-management event, not only an IT migration.

Vendor access without lifecycle offboarding is the failure mode merger teams miss most often. Third-party identities created for due diligence, integration work, or transitional support frequently outlive the task that justified them. That is not a tooling problem; it is a lifecycle assumption problem. Access was granted as if the relationship were temporary, but the controls behaved as if the account would self-expire. Practitioners must redesign offboarding ownership before the deal closes.

M&A compliance risk is an identity evidence problem as much as a legal one. If teams cannot prove who had access, when it was granted, and whether high-risk accounts were reviewed, regulatory obligations become difficult to defend. The practical consequence is that access evidence should be part of the transaction file, not an afterthought in post-close remediation. Governance teams should insist on auditable identity records alongside financial and legal diligence.

The identity blast radius of a merger is often larger than either company expects. When two partial control models combine, their weaknesses compound rather than average out. That is why acquisition integration should be framed as a reduction of identity blast radius, not a simple consolidation project. Security leaders should re-baseline access, visibility, and privileged entitlements before normal business resumes.

From our research:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why merger integration often inherits blind spots as well as identities.
  • For a deeper view of lifecycle and offboarding failure patterns, read Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs.

What this signals

Identity blast radius is the right concept for M&A programmes to track. A merger does not just combine users and systems; it combines privilege density, review debt, and unknown third-party access. If your integration plan cannot quantify that blast radius before close, you are already treating identity as a post-merger clean-up exercise rather than a control.

The governance signal is clear: acquisition readiness now depends on being able to prove access ownership, expiry discipline, and review coverage across both organisations. In practice, that means identity evidence belongs in due diligence alongside financial controls and legal warranties.

For teams looking to benchmark their identity posture, the 52 NHI Breaches Analysis is a useful way to study how weak ownership and excessive privilege become exploit paths across machine and service identities.


For practitioners

  • Baseline both identity estates before close: inventory directories, privileged accounts, service accounts, contractor access, and third-party connections across both organisations before migration decisions are made.
  • Time-box every provisional access grant: require explicit expiry dates, approval ownership, and recertification for all merger-related access, including temporary admin rights and external support accounts.
  • Run SoD conflict analysis on the merged role model: test the combined access model for toxic combinations that did not exist inside either company alone, then block conflicting role assignments before production cutover.
  • Validate inherited credentials as part of diligence: check MFA coverage, stale passwords, dormant accounts, and privileged access logs so the acquiring organisation does not absorb an active compromise.
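The SoD item in the list above is the one step that needs an algorithm rather than a checklist: a toxic combination can appear only when a person's roles from both estates are unioned, so the check has to run on the merged model and separate new conflicts from ones an estate already carried. The script below is an added example, not Unosecur's or NHIMG's code. It computes each user's combined entitlements from both estates, tests them against a list of conflicting entitlement pairs, labels each conflict as pre-existing in one estate or merged-only, and names the role assignments that introduce each side of a conflict so they can be blocked before cutover. The role models, assignments, user names and conflict rules are all constructed assumptions.

```python
"""SoD conflict analysis on a merged role model.

Added example (not Unosecur's or NHIMG's code). Estates, roles, users and
SoD rules below are constructed assumptions.
"""
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str]

# Constructed role models: role -> entitlements, one per estate.
ACQUIRER_ROLES: Dict[str, Set[str]] = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_approver": {"approve_payment"},
    "it_admin": {"manage_users"},
}
TARGET_ROLES: Dict[str, Set[str]] = {
    "finance_ops": {"approve_payment"},
    "treasury": {"release_payment"},
    "vendor_mgmt": {"create_vendor"},
    "helpdesk": {"reset_password"},
}
# Constructed assignments: user -> roles held in each estate.
ACQUIRER_ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"ap_clerk"}, "carol": {"it_admin"}, "erin": {"ap_approver"},
}
TARGET_ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"finance_ops"}, "carol": {"helpdesk"},
    "dave": {"vendor_mgmt", "finance_ops"}, "erin": {"treasury"},
}
# Entitlement pairs no single identity may hold (constructed rules).
SOD_RULES: List[Rule] = [
    ("create_vendor", "approve_payment"),    # onboard a supplier and approve its invoices
    ("enter_invoice", "release_payment"),    # book an invoice and push the money out
    ("approve_payment", "release_payment"),  # collapse the two-person payment control
]

ESTATES = (
    ("acquirer", ACQUIRER_ASSIGNMENTS, ACQUIRER_ROLES),
    ("target", TARGET_ASSIGNMENTS, TARGET_ROLES),
)


def user_entitlements(assignments: Dict[str, Set[str]],
                      roles: Dict[str, Set[str]], user: str) -> Set[str]:
    """Union of entitlements the user's roles grant inside one estate."""
    return set().union(*(roles[r] for r in assignments.get(user, ())))


def violated_rules(entitlements: Set[str]) -> Set[Rule]:
    """Every SoD rule whose two entitlements are both present."""
    return {rule for rule in SOD_RULES if set(rule) <= entitlements}


def analyse_merged_model() -> Dict[str, Dict[Rule, str]]:
    """Return {user: {rule: origin}}; origin is the estate that already had the
    conflict, or 'merged-only' when it exists only in the combined model."""
    report: Dict[str, Dict[Rule, str]] = {}
    for user in sorted(set(ACQUIRER_ASSIGNMENTS) | set(TARGET_ASSIGNMENTS)):
        per_estate = {name: user_entitlements(asg, roles, user) for name, asg, roles in ESTATES}
        merged = violated_rules(set().union(*per_estate.values()))
        if not merged:
            continue
        report[user] = {}
        for rule in merged:
            origin = [name for name, ents in per_estate.items() if rule in violated_rules(ents)]
            report[user][rule] = origin[0] if origin else "merged-only"
    return report


def roles_granting(user: str, entitlement: str) -> List[Tuple[str, str]]:
    """(estate, role) pairs that give the user this entitlement: the
    assignments to block or re-scope before production cutover."""
    return [(name, role) for name, asg, roles in ESTATES
            for role in sorted(asg.get(user, ())) if entitlement in roles[role]]


if __name__ == "__main__":
    for user, conflicts in analyse_merged_model().items():
        for (left, right), origin in sorted(conflicts.items()):
            print(f"{user}: {left} + {right} [{origin}]")
            if origin == "merged-only":
                print("  granted by:", roles_granting(user, left), roles_granting(user, right))
```

The distinction the report draws matters for remediation ownership: a merged-only conflict is created by the integration itself and should be blocked at the role-mapping stage, while a conflict that already existed inside the target is inherited risk and belongs with the diligence findings.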

Key takeaways

  • M&A turns identity governance into an immediate risk domain because two access models, two policy sets, and two ownership structures collide at once.
  • The most dangerous failure is not just more access, but access that survives beyond the business purpose that created it.
  • Merger teams should validate identity evidence, time-box provisional access, and resolve privileged conflicts before integration becomes permanent.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-03 | Merger access often leaves credentials unrotated or unmanaged. |
| NIST CSF 2.0 | PR.AC-4 | M&A creates entitlement sprawl that must be controlled and reviewed. |
| NIST Zero Trust (SP 800-207) | AC-4 | Zero trust is relevant where two estates must be joined without implicit trust. |

Inventory merger-era credentials and enforce rotation or expiry before integration completes.


Key terms

  • Identity attack surface: The total set of identities, accounts, credentials, and access paths that can be targeted in an environment. In an M&A context, it expands quickly because two organisations combine users, admins, service accounts, and third-party access before governance is harmonised.
  • Segregation of duties: A governance control that separates sensitive actions between different people or roles so no single identity can complete an entire high-risk process alone. In merger settings, role overlap often breaks this control unless merged access is analysed for conflicting permissions.
  • Identity security posture management: A control approach that inventories and evaluates identity configurations, privileges, and weak points across environments. During acquisitions, it helps teams compare two estates, find mismatches, and identify access risks before they become production exposure.
  • Provisional access: Temporary access granted to keep business operations moving during a transition such as a merger or acquisition. It becomes risky when expiry, ownership, or review is missing, because temporary rights can silently become standing privilege.

What's in the full article

Unosecur's full blog covers the operational detail this post intentionally leaves for the source:

  • A practical breakdown of how to assess identity security posture across two separate IAM estates before integration.
  • Examples of the six merger-specific identity risks, including role conflicts, compliance drift, and inherited compromise.
  • Consulting-led mitigation patterns for PAM, ITDR, and IAM operations in live acquisition environments.
  • The article's own framing of post-merger identity risk from a client advisory perspective.

👉 Unosecur's full post covers the merger risk examples, mitigation patterns, and post-acquisition identity issues in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, machine identity security, and secrets management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity strategy, access governance, or security operations, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org