By NHI Mgmt Group Editorial Team
Published 2026-05-01
Domain: Governance & Risk
Source: Oasis Security

TL;DR: Mergers and acquisitions create a high-risk identity integration problem because service accounts, API keys, tokens, and certificates are often inherited across mismatched environments with unclear ownership, inconsistent scoping, and hidden secrets, according to Oasis Security. The security issue is not just sprawl, but the collapse of governance assumptions that make merged identity estates auditable and controllable.


At a glance

What this is: This is a practical guide to managing non-human identities during M&A, with a focus on discovery, risk scoring, governance baselines, and continuous monitoring across merged environments.

Why it matters: It matters because post-merger identity integration can quickly turn service accounts, secrets, and federated access paths into unmanaged risk across NHI, autonomous, and human identity programmes.

By the numbers:

👉 Read Oasis Security's guide on managing non-human identities during M&A


Context

M&A creates an identity governance problem long before it creates a platform consolidation problem. When two organisations merge, their service accounts, API keys, certificates, and workload identities inherit different trust models, naming standards, lifecycle rules, and ownership assumptions. For non-human identities, that mismatch is where risk appears first.

The article frames the issue correctly: integration is not just about connecting systems, it is about deciding which identities survive, which ones are re-scoped, and which ones must be retired. In practice, that means NHI inventory, credential lifecycle control, and access baseline alignment need to happen before the merged environment starts behaving like a single estate.


Key questions

Q: How should security teams manage non-human identities during M&A?

A: Security teams should start with discovery, then classify every inherited service account, key, token, and certificate by owner, privilege, and lifespan. After that, they should freeze new long-lived credentials, remove orphaned identities, and set one merged governance baseline for rotation, scoping, and decommissioning. The goal is to stop inherited access from becoming permanent.

Q: Why do non-human identities become riskier after a merger?

A: They become riskier because two organisations often merge identity systems that were built on different assumptions about trust, naming, ownership, and credential lifetime. That creates hidden access paths, inconsistent controls, and orphaned secrets that may still work after the business need has changed. In M&A, residual access is usually the real problem.

Q: What breaks when NHI ownership is unclear after integration?

A: When ownership is unclear, no one can confidently revoke, rotate, or recertify the identity when the system changes. That leaves stale credentials, over-permissioned roles, and unmonitored service accounts in place long after their purpose has ended. In merged environments, unclear ownership is a direct path to persistent exposure.

Q: Who should be accountable for inherited NHI risk in M&A?

A: Accountability should sit with the team that owns the merged identity programme, not with whichever side originated the account. That team needs authority to approve scope changes, remove dormant identities, and enforce the lifecycle baseline across both estates. If accountability is split, orphaned access tends to survive the integration window.


Technical breakdown

NHI discovery across merged environments

M&A discovery is fundamentally an inventory and classification problem. Organisations need to find service accounts, service principals, managed identities, certificates, personal access tokens, hard-coded secrets, and automation credentials across clouds, SaaS tenants, on-prem systems, repositories, and CI/CD pipelines. The technical challenge is that these identities are distributed across systems with different naming conventions, different scoping models, and different owners, so manual review misses the long tail. Discovery is only useful when it is paired with risk attributes such as privilege, exposure, lifespan, and lineage.

Practical implication: build a cross-environment inventory that tags each NHI by owner, privilege, exposure, and expiry before integration work begins.
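The cross-environment inventory described above, as an added worked example that is not part of the original article or of Oasis Security's guide. It normalises two constructed export formats (a cloud IAM export and an on-prem service-account export with different field names and date formats) into one record shape, then tags each identity with the risk attributes the section lists: owner, privilege, exposure, lifespan and staleness. The field names, the privileged-role list, the one-year on-prem password age and the risk weights are all assumptions made for the example.

```python
"""Cross-estate NHI inventory: normalise two export formats and tag risk.

Added example for this article; it is not code from Oasis Security or the
NHIMG editorial team. Both export formats, every record, the role lists
and the thresholds below are constructed assumptions that mimic a
cloud-style estate and an on-prem estate with mismatched schemas.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

# Estate A (acquirer): cloud IAM export. Constructed sample.
ESTATE_A = [
    {"principalId": "sp-payments-ci", "owner": "payments@acq.example", "roles": ["Contributor"],
     "credentialExpiry": "2027-01-15T00:00:00Z", "internetExposed": False,
     "lastUsed": "2026-04-28T11:02:00Z"},
    {"principalId": "sp-legacy-etl", "owner": "", "roles": ["Owner"],
     "credentialExpiry": "2099-12-31T00:00:00Z", "internetExposed": True,
     "lastUsed": "2025-09-02T03:14:00Z"},
]
# Estate B (acquired): on-prem service-account export with different field names. Constructed sample.
ESTATE_B = [
    {"sam": "svc_backup", "team": "infra", "groups": ["Domain Admins"],
     "pwdLastSet": "2023-02-10", "pwdNeverExpires": True, "lastLogon": "2026-04-30"},
    {"sam": "svc_reports", "team": "", "groups": ["Report Readers"],
     "pwdLastSet": "2026-03-01", "pwdNeverExpires": False, "lastLogon": "2024-12-01"},
]

PRIVILEGED_ROLES = {"Owner", "Global Administrator", "Domain Admins", "Enterprise Admins"}  # assumed
MAX_PASSWORD_AGE = timedelta(days=365)  # assumed on-prem policy, used to derive an expiry for estate B
STALE_AFTER = timedelta(days=90)
LONG_LIVED = timedelta(days=365)
RISK_WEIGHTS = {"orphaned": 3, "privileged": 3, "exposed": 2, "long-lived": 2, "stale": 1}  # assumed


@dataclass
class NHI:
    """One record in the merged inventory, whichever estate it came from."""
    estate: str
    name: str
    owner: Optional[str]
    privileged: bool
    exposed: bool
    expires: Optional[datetime]   # None means the credential never expires
    last_used: datetime
    tags: set = field(default_factory=set)


def _ts(value: str) -> datetime:
    """Parse either an ISO-8601 timestamp ending in Z or a bare YYYY-MM-DD date as UTC."""
    if "T" in value:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def from_estate_a(rec: dict) -> NHI:
    return NHI("A", rec["principalId"], rec["owner"] or None,
               any(r in PRIVILEGED_ROLES for r in rec["roles"]), rec["internetExposed"],
               _ts(rec["credentialExpiry"]), _ts(rec["lastUsed"]))


def from_estate_b(rec: dict) -> NHI:
    # The on-prem export has no exposure field: internal-only is assumed and the gap is tagged explicitly.
    expires = None if rec["pwdNeverExpires"] else _ts(rec["pwdLastSet"]) + MAX_PASSWORD_AGE
    return NHI("B", rec["sam"], rec["team"] or None,
               any(g in PRIVILEGED_ROLES for g in rec["groups"]), False,
               expires, _ts(rec["lastLogon"]), {"exposure-unknown"})


def classify(nhi: NHI, now: datetime = NOW) -> NHI:
    """Attach the risk attributes the article lists: owner, privilege, exposure, lifespan, staleness."""
    if not nhi.owner:
        nhi.tags.add("orphaned")
    if nhi.privileged:
        nhi.tags.add("privileged")
    if nhi.exposed:
        nhi.tags.add("exposed")
    if nhi.expires is None or nhi.expires - now > LONG_LIVED:
        nhi.tags.add("long-lived")
    if now - nhi.last_used > STALE_AFTER:
        nhi.tags.add("stale")
    return nhi


def risk_score(nhi: NHI) -> int:
    return sum(RISK_WEIGHTS.get(t, 0) for t in nhi.tags)


def build_inventory(now: datetime = NOW) -> list:
    """Merge both estates into one list, highest risk first, so triage starts where it matters."""
    records = [from_estate_a(r) for r in ESTATE_A] + [from_estate_b(r) for r in ESTATE_B]
    return sorted((classify(r, now) for r in records), key=risk_score, reverse=True)


if __name__ == "__main__":
    for n in build_inventory():
        print(f"{risk_score(n):2d} {n.estate} {n.name:16s} owner={n.owner or '-':24s} {sorted(n.tags)}")
```

The point of the per-estate adapters is that the risk logic runs once over one schema; the orphaned, privileged, internet-exposed, never-expiring and stale principal from estate A scores highest, and the on-prem record that carries no exposure field is tagged as unknown rather than silently treated as safe.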

Credential sprawl, rotation, and orphaned access

Post-merger environments tend to accumulate credential sprawl because legacy systems often preserve secrets in code, configs, infrastructure templates, and old automation paths. The result is orphaned access, where an identity still authenticates successfully even though no one can clearly explain why it exists. Rotation matters because a credential that is valid across both merged environments can survive long after the business reason for it has disappeared. In NHI governance, persistence without ownership is the technical condition that turns inherited access into latent exposure.

Practical implication: freeze new long-lived credentials during integration and target high-privilege, stale, or undocumented secrets for immediate rotation or revocation.

Governance baseline for workload identities

A unified governance baseline gives merged organisations one control language for non-human identities. That means standardising naming, scoping, rotation intervals, and lifecycle states while deciding whether the end state is lift-and-shift or federated trust. The article correctly notes that stricter policy should win when environments differ, because weaker rules tend to become the default during consolidation. This is where lifecycle governance becomes operational: creation, use, review, rotation, and decommissioning must be defined as one chain, not as separate team tasks.

Practical implication: document one merged policy for NHI lifecycle management and enforce it across cloud, SaaS, and on-prem systems.
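The stricter-policy-wins merge described in this subsection, together with the credential freeze and rotation targeting from the previous one, as an added worked example that is not part of the original article or of Oasis Security's guide. Two constructed baseline documents are merged setting by setting, with an explicit strictness direction for each setting so that an un-modelled setting raises instead of being passed through; inherited credentials are then triaged against the merged baseline, and a separate gate rejects new long-lived credentials during the integration window. The setting names, the credential records and the action labels are assumptions made for the example.

```python
"""Stricter-policy-wins merge of two NHI baselines, then triage of inherited credentials.

Added example for this article; it is not code from Oasis Security or the
NHIMG editorial team. The two baseline documents, their setting names, the
credential records and the triage actions are constructed assumptions.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

TODAY = date(2026, 5, 1)  # fixed clock for reproducible output

# Which direction counts as stricter for each setting. A setting missing from these
# sets cannot be merged automatically and raises, so nothing is silently passed through.
LOWER_IS_STRICTER = {"max_credential_lifetime_days", "rotation_interval_days", "stale_after_days"}
TRUE_IS_STRICTER = {"require_named_owner", "block_new_long_lived"}
FALSE_IS_STRICTER = {"allow_wildcard_scope"}
LIST_UNION = {"name_patterns"}  # both legacy naming patterns stay accepted during the transition

ACQUIRER = {"max_credential_lifetime_days": 365, "rotation_interval_days": 90, "stale_after_days": 180,
            "require_named_owner": False, "allow_wildcard_scope": True, "block_new_long_lived": False,
            "name_patterns": [r"sp-[a-z0-9-]+"]}
ACQUIRED = {"max_credential_lifetime_days": 90, "rotation_interval_days": 30, "stale_after_days": 60,
            "require_named_owner": True, "allow_wildcard_scope": False, "block_new_long_lived": True,
            "name_patterns": [r"svc_[a-z0-9_]+"]}


def merge_baselines(a: dict, b: dict) -> dict:
    merged = {}
    for key in sorted(a.keys() | b.keys()):
        if key not in a or key not in b:
            merged[key] = a.get(key, b.get(key))  # a rule only one side has beats having no rule
        elif key in LOWER_IS_STRICTER:
            merged[key] = min(a[key], b[key])
        elif key in TRUE_IS_STRICTER:
            merged[key] = a[key] or b[key]
        elif key in FALSE_IS_STRICTER:
            merged[key] = a[key] and b[key]
        elif key in LIST_UNION:
            merged[key] = sorted(set(a[key]) | set(b[key]))
        else:
            raise ValueError(f"no strictness rule defined for setting {key!r}")
    return merged


@dataclass
class Credential:
    name: str
    owner: str
    scope: str
    issued: date
    expires: Optional[date]  # None means never expires
    last_used: date


# Constructed inherited credentials: one compliant, one fixable, one that should not survive.
INHERITED = [
    Credential("sp-payments-ci", "payments", "repo:payments", date(2026, 4, 10), date(2026, 7, 9), date(2026, 4, 29)),
    Credential("svc_backup", "infra", "*", date(2023, 2, 10), None, date(2026, 4, 30)),
    Credential("legacy-etl-key", "", "storage:*", date(2024, 1, 1), date(2099, 12, 31), date(2025, 9, 2)),
]

SEVERITY = ["keep", "rename", "rescope", "rotate", "revoke"]  # list index is severity; highest wins


def triage_one(c: Credential, policy: dict, today: date = TODAY):
    findings = []
    lifetime = None if c.expires is None else (c.expires - c.issued).days
    if lifetime is None or lifetime > policy["max_credential_lifetime_days"]:
        findings.append("rotate: lifetime exceeds merged maximum")
    if (today - c.issued).days > policy["rotation_interval_days"]:
        findings.append("rotate: past rotation interval")
    if (today - c.last_used).days > policy["stale_after_days"]:
        findings.append("revoke: stale, no use within window")
    if policy["require_named_owner"] and not c.owner:
        findings.append("revoke: no named owner")
    if not policy["allow_wildcard_scope"] and "*" in c.scope:
        findings.append("rescope: wildcard scope")
    if not any(re.fullmatch(p, c.name) for p in policy["name_patterns"]):
        findings.append("rename: does not match any accepted naming pattern")
    action = max((f.split(":")[0] for f in findings), key=SEVERITY.index, default="keep")
    return action, findings


def triage(creds, policy: dict, today: date = TODAY) -> dict:
    return {c.name: triage_one(c, policy, today) for c in creds}


def admit_new_credential(requested_lifetime_days: Optional[int], policy: dict) -> bool:
    """Gate for the integration-window freeze: reject any new credential that would be long-lived."""
    if not policy["block_new_long_lived"]:
        return True
    return requested_lifetime_days is not None and requested_lifetime_days <= policy["max_credential_lifetime_days"]


if __name__ == "__main__":
    merged = merge_baselines(ACQUIRER, ACQUIRED)
    for name, (action, findings) in triage(INHERITED, merged).items():
        print(f"{action:7s} {name}: {findings}")
```

Under the merged baseline the acquirer's 365-day lifetime, 90-day rotation and wildcard scopes all lose to the acquired estate's tighter values, which is why the never-expiring, wildcard-scoped backup account is sent for rotation and re-scoping even though it is in daily use, while the unowned, stale ETL key is marked for revocation outright.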


Threat narrative

Attacker objective: The objective is to turn inherited non-human identity sprawl into durable access across the merged environment before governance catches up.

  1. Entry occurs when merged environments inherit service accounts, keys, and certificates from both organisations without a complete discovery or ownership pass.
  2. Credential access follows when stale, over-permissioned, or embedded secrets remain valid inside scripts, CI/CD workflows, and SaaS connectors after integration.
  3. Escalation and impact occur when those inherited identities retain access across the new estate, creating ungoverned paths into cloud, on-prem, and SaaS systems.
  • Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Merger-time identity governance is a lifecycle problem, not a systems integration problem. The article shows that post-merger risk begins with discovery, but the real issue is whether every inherited non-human identity has an owner, a scope, and a retirement path. That maps directly to OWASP-NHI and the lifecycle discipline described in the NHI Lifecycle Management Guide. Practitioners should treat M&A as a governance reset, not a migration exercise.

Configuration drift becomes identity drift when two estates carry different credential assumptions. One environment may accept long-lived credentials and broad roles, while another expects short-lived, tightly scoped access. Once those models collide, the merged estate inherits inconsistent trust boundaries that are difficult to audit or enforce. The practical conclusion is that the organisation must choose one control standard, because dual baselines are usually just unmanaged privilege in disguise.

Orphaned access is the named failure mode this article exposes. The underlying assumption is that system identities remain meaningful because a business owner can still explain them. That assumption fails during M&A when credentials survive the operational transition but lose accountability, and the result is access that outlives the process that created it. The implication is that ownership and decommissioning must be treated as first-class controls, not clean-up work.

Continuous monitoring is not a finishing step; it is the only way merged NHI estates stay legible. The article's KPI list points to a simple truth: if teams cannot see count, privilege, lifespan, and anomaly signals in one place, they do not have a governance baseline yet. That is why NIST CSF-style detect and respond functions matter here, but only after the identity inventory is trustworthy. Practitioners should measure for drift, not just compliance.

M&A accelerates the market case for identity platforms that can govern non-human access across heterogeneous estates. The practical pressure is on teams that still run separate discovery, rotation, and monitoring silos. Merged organisations need a consistent control plane for access visibility, credential lifecycle, and policy enforcement, or they will keep inheriting risk faster than they can classify it. The field is moving toward unified identity governance for machines, not isolated tooling by environment.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, which shows how slowly remediation can trail exposure.
  • For the lifecycle angle, see NHI Lifecycle Management Guide for provisioning, rotation, offboarding, and visibility controls.

What this signals

Orphaned access is the control failure most M&A programmes underestimate. Once two estates are joined, the merged organisation often inherits more identity objects than it can immediately explain, let alone govern. The practical signal for readers is simple: if ownership, lifespan, and scope are not centralised, integration is creating residual access faster than security can remove it.

With 97% of NHIs carrying excessive privileges, per the Ultimate Guide to NHIs, post-merger rationalisation cannot wait for normal review cycles. The programme signal is that M&A is the moment to reset privilege assumptions, not preserve them.

Identity blast radius: the merged estate's risk is no longer defined by one platform at a time, but by how far a single inherited credential can travel across cloud, SaaS, and on-prem boundaries. That makes post-merger monitoring a governance function, not just a detection function, and it needs one control owner from day one.


For practitioners

  • Run a pre-close NHI inventory sweep: scan cloud accounts, SaaS tenants, repositories, container registries, and on-prem systems for service accounts, service principals, managed identities, PATs, certificates, and embedded secrets before integration work begins.
  • Freeze new long-lived credentials during integration: block creation of persistent credentials until the merged governance baseline is defined, then require short-lived access where the business process can support it.
  • Assign ownership to every inherited identity: record a named owner, business purpose, privilege scope, and retirement date for each NHI so orphaned accounts can be removed instead of left to drift.
  • Standardise the stricter policy set first: when merging environments with different access rules, adopt the more restrictive naming, rotation, and lifecycle standard and apply it across both estates.
  • Track merged-estate drift with operational metrics: monitor total NHI count, privileged-role percentage, credential lifespan, stale identities, and anomalous machine-to-machine traffic to spot governance failures early.
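The drift metrics in the last step, as an added worked example that is not part of the original article or of Oasis Security's guide. It computes the listed KPIs (count, privileged percentage, stale identities, long-lived credentials) over two constructed inventory snapshots 30 days apart, raises alerts on movement between them, and adds a per-identity check because aggregate numbers can hide churn: one credential rotated on one side of the merger masks a new long-lived one created on the other. A second part builds a baseline of which identity talks to which target from constructed authentication events and flags first-seen identities and first-seen identity-to-target pairs as the anomalous machine-to-machine traffic the step refers to. Thresholds and log format are assumptions made for the example.

```python
"""Drift metrics for a merged NHI estate plus a first-seen check on machine-to-machine auth events.

Added example for this article; it is not code from Oasis Security or the
NHIMG editorial team. The two inventory snapshots, the log lines, the
log format and the thresholds are constructed assumptions.
"""
from collections import defaultdict

STALE_AFTER_DAYS = 90
LONG_LIVED_DAYS = 365

# Constructed snapshots of the same merged estate 30 days apart.
SNAPSHOT_DAY0 = [
    {"name": "sp-payments-ci", "privileged": False, "lifetime_days": 90,    "idle_days": 2},
    {"name": "svc_backup",     "privileged": True,  "lifetime_days": None,  "idle_days": 1},
    {"name": "legacy-etl-key", "privileged": True,  "lifetime_days": 27000, "idle_days": 241},
]
SNAPSHOT_DAY30 = [
    {"name": "sp-payments-ci",   "privileged": False, "lifetime_days": 90,    "idle_days": 1},
    {"name": "svc_backup",       "privileged": True,  "lifetime_days": 90,    "idle_days": 0},  # rotated
    {"name": "legacy-etl-key",   "privileged": True,  "lifetime_days": 27000, "idle_days": 271},
    {"name": "sp-migration-tmp", "privileged": True,  "lifetime_days": None,  "idle_days": 0},  # created mid-freeze
    {"name": "svc_sync",         "privileged": False, "lifetime_days": 30,    "idle_days": 3},
]


def is_long_lived(n: dict) -> bool:
    return n["lifetime_days"] is None or n["lifetime_days"] > LONG_LIVED_DAYS


def metrics(snapshot: list) -> dict:
    total = len(snapshot)
    return {
        "total": total,
        "privileged_pct": round(100 * sum(n["privileged"] for n in snapshot) / total, 1),
        "stale": sum(n["idle_days"] > STALE_AFTER_DAYS for n in snapshot),
        "long_lived": sum(is_long_lived(n) for n in snapshot),
    }


def drift(before: list, after: list, growth_alert_pct: int = 20) -> list:
    mb, ma = metrics(before), metrics(after)
    alerts = []
    if ma["total"] > mb["total"] * (1 + growth_alert_pct / 100):
        alerts.append(f"NHI count grew {mb['total']} -> {ma['total']}, more than {growth_alert_pct}% in one window")
    for key in ("privileged_pct", "stale", "long_lived"):
        if ma[key] > mb[key]:
            alerts.append(f"{key} rose {mb[key]} -> {ma[key]}")
    # Aggregates hide churn: a long-lived credential rotated on one side masks a new one created on the other.
    known = {n["name"] for n in before}
    for n in after:
        if n["name"] not in known and (n["privileged"] or is_long_lived(n)):
            alerts.append(f"new privileged or long-lived NHI {n['name']} appeared during the integration window")
    return alerts


# Constructed auth events in an assumed format: "<timestamp> <identity> -> <target>".
BASELINE_LOG = """\
2026-05-01T08:00:00Z sp-payments-ci -> payments-db
2026-05-01T08:05:00Z sp-payments-ci -> payments-queue
2026-05-01T09:00:00Z svc_backup -> fileserver-01
"""
WINDOW_LOG = """\
2026-05-20T02:11:00Z sp-payments-ci -> payments-db
2026-05-20T02:12:00Z legacy-etl-key -> hr-db
2026-05-20T02:13:00Z svc_backup -> payments-db
"""


def parse_events(text: str):
    for line in text.splitlines():
        if line.strip():
            ts, identity, _, target = line.split()
            yield ts, identity, target


def baseline(text: str) -> dict:
    """identity -> set of targets it was seen authenticating to before the window."""
    seen = defaultdict(set)
    for _, identity, target in parse_events(text):
        seen[identity].add(target)
    return seen


def anomalies(seen: dict, text: str) -> list:
    """Flag identities never seen before and known identities reaching a new target."""
    out = []
    for ts, identity, target in parse_events(text):
        if identity not in seen:
            out.append((ts, identity, target, "identity absent from baseline"))
        elif target not in seen[identity]:
            out.append((ts, identity, target, "new target for this identity"))
    return out


if __name__ == "__main__":
    for a in drift(SNAPSHOT_DAY0, SNAPSHOT_DAY30):
        print("DRIFT:", a)
    for a in anomalies(baseline(BASELINE_LOG), WINDOW_LOG):
        print("ANOMALY:", a)
```

In the sample, the privileged percentage and the long-lived count are unchanged between snapshots, so metric deltas alone would report nothing beyond headcount growth; the per-name comparison is what surfaces the privileged, never-expiring identity created during the freeze, and the traffic check is what surfaces an on-prem service account from one estate reaching a database in the other.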

Key takeaways

  • M&A exposes non-human identity risk because merged environments inherit credentials, permissions, and ownership gaps that were never designed to coexist.
  • The scale problem is visibility, not just volume, because orphaned and over-permissioned identities can survive the integration process with active access.
  • The control that changes the outcome is lifecycle governance, especially discovery, ownership, rotation, and retirement enforced under one merged baseline.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI1 Improper Offboarding; NHI7 Long-Lived Secrets | The article centres on discovery, rotation, and orphaned NHI control gaps.
NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | Post-merger access scope and least privilege are core identity protection concerns.
NIST Zero Trust (SP 800-207) | no single control cited | The guide stresses short-lived, scoped access and continuous monitoring in merged estates.

Treat inherited identities as continuously verified access paths and reduce standing privilege wherever possible.


Key terms

  • Non-Human Identity: A non-human identity is any machine-used identity that authenticates to systems or data, including service accounts, API keys, tokens, and certificates. In practice, these identities need ownership, scope, rotation, and retirement controls because they often persist longer than the systems or jobs they were created for.
  • Identity Drift: Identity drift is the gradual mismatch between what an identity can access and why it should still exist. In merged environments, it appears when ownership, privilege, and lifecycle state are no longer aligned across the two estates, creating access that is technically valid but operationally unjustified.
  • Orphaned Access: Orphaned access is credentialed access that still works even though no clear business owner can justify or manage it. It usually appears after system changes, reorganisations, or integrations, and it is especially dangerous because it can remain active long after the original purpose has disappeared.
  • Credential Lifespan: Credential lifespan is the period during which a secret, token, certificate, or key remains valid and usable. Shorter lifespans reduce exposure, but only when paired with reliable rotation, ownership, and revocation processes that ensure old credentials actually stop working when they should.

Deepen your knowledge

NHI lifecycle management during M&A is a core topic in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are consolidating identity estates after a merger, it is a strong fit for your team.

This post draws on content published by Oasis Security: How to manage Non-Human Identities during M&A. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org