By NHI Mgmt Group Editorial Team | Published 2026-05-06 | Domain: Governance & Risk | Source: 1Password

TL;DR: Security in acquisitions and partnerships now affects product trust, legal exposure, and integration risk because a deal inherits technology, process gaps, and security weaknesses, according to 1Password’s Chasing Entropy conversation with Matt O’Leary. The governance lesson is that identity, diligence, and post-close integration have become one control plane, not separate workstreams.


At a glance

What this is: This episode argues that M&A and partnership security failures are really diligence and integration failures, with identity and access governance sitting at the centre of deal risk.

Why it matters: For IAM practitioners, it shows that inherited access, partner trust, and post-close integration can expose NHI, autonomous, and human identity programmes to risks that only surface after the transaction closes.



Context

Security in mergers and partnerships is an identity governance problem because the acquiring organisation does not just inherit code and contracts; it inherits access relationships, operational dependencies, and unresolved privilege. In practice, that means the deal team is also taking on service accounts, partner integrations, vendor trust, and the control gaps attached to them.

The episode frames a simple but often missed reality: diligence that stops at financials or product fit leaves security debt hidden until integration begins. For IAM, PAM, and NHI teams, that is where inherited access can turn into business disruption, because the acquired environment may not match the buyer’s governance model, review cadence, or offboarding discipline.


Key questions

Q: How should security teams assess identity risk during an acquisition or merger?

A: They should treat identity inventory as part of diligence, not as a post-close cleanup task. The review should cover human accounts, privileged roles, service accounts, API keys, and third-party access paths. If the team cannot explain who or what can still act after the close, it has not actually measured the operational risk of the transaction.

Q: Why do partnerships create access risk even when no acquisition is involved?

A: Deep partnerships often create shared trust through connected systems, delegated rights, and authenticated integrations. That can extend one organisation’s access decisions into another organisation’s environment. When the relationship changes, the access often persists unless someone owns offboarding, monitoring, and revocation. That is why partnership governance has to include lifecycle controls, not just legal terms.

Q: What breaks when inherited access is not re-certified after a deal closes?

A: Inherited access can remain active even when the business justification has changed. Privileged roles, service accounts, and partner integrations may continue to operate with the target’s old assumptions, creating excessive access and unexpected reach inside the combined environment. Re-certification is what forces the buyer to re-justify that access under its own control model.

Q: Who should own security accountability in M&A integration?

A: Security accountability should sit jointly with corporate development, product, engineering, and identity governance teams. Corp dev sets the deal conditions, while security and IAM teams validate whether the acquired environment can be integrated without importing unresolved access risk. If those groups are not aligned before close, accountability tends to become fragmented after the announcement.


Technical breakdown

Why acquisition diligence has to include identity and access inventory

An acquisition transfers the full operating model, which means every authenticated pathway, privileged role, API key, partner connection, and service account becomes part of the buyer’s risk surface. Identity inventory is not only a count of users. It is a map of who or what can act, where trust is delegated, and which access relationships would survive the close unless explicitly removed. In M&A, hidden access often matters more than visible architecture because integration pressure accelerates reuse before controls are normalised.

Practical implication: require a pre-close inventory of humans, NHIs, and third-party access before any integration plan is approved.

Post-close integration is where inherited privilege becomes operational risk

The hardest security work begins after the announcement, when teams have to reconcile two control environments, two offboarding models, and often two very different standards for access review. Privilege that looked acceptable inside the target company may be excessive in the buyer’s environment. If those rights are not re-baselined quickly, inherited access outlives the trust that originally justified it. That is how integration debt turns into exposure.

Practical implication: re-certify and re-baseline entitlements immediately after close, with special focus on service accounts and partner integrations.

Partnership trust expands the attack surface beyond the deal itself

A partnership can create the same security dependency as an acquisition when systems are deeply integrated. Shared trust means one party’s lapse can become both parties’ problem, especially where OAuth connections, delegated admin rights, or shared credentials are involved. The technical issue is not only connectivity but authority propagation. Once trust is embedded in tooling and workflows, separation becomes harder than initial onboarding.

Practical implication: treat partnership onboarding as privileged access governance, not as a simple business integration task.


  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

M&A security failures are usually identity governance failures in disguise. The episode’s core point is that a deal inherits not just technology but the access model that makes that technology usable. That means inherited service accounts, partner credentials, and undocumented admin pathways become part of the risk thesis the moment diligence begins. For practitioners, the conclusion is that deal review without identity inventory is only partial review.

Post-close integration is the point where dormant access becomes active exposure. What matters is not whether the target had security controls on paper, but whether those controls survive integration into the buyer’s environment. Access that was tolerable in a small environment can become excessive once duplicated systems, centralised tooling, and shared operations create new privilege paths. Practitioners should treat re-certification after close as a control event, not an administrative follow-up.

Partner relationships now need lifecycle governance, not just legal trust. The conversation shows how deeply integrated partnerships extend the security boundary across organisations, which means offboarding, revocation, and recertification have to be planned up front. The failure mode is not only weak partnership vetting. It is trust persistence after the commercial relationship changes. The practitioner takeaway is to govern partner access as a lifecycle, not a one-time approval.

Identity blast radius is the right concept for deal risk. A transaction can expand the number of systems, people, and machine identities whose access must be reconciled before the combined environment is safe. That blast radius is not visible in financial models, yet it often determines whether integration succeeds or stalls. Teams should assess which identities would keep working if the deal closed tomorrow, because that is where operational risk concentrates.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why inherited machine access remains one of the hardest parts of post-close integration.
  • The lifecycle gap is wider than most deal teams assume, so readers should also review the Ultimate Guide to NHIs for rotation, offboarding, and visibility patterns.

What this signals

Identity blast radius: M&A teams should now measure how many of the target company's identities would remain active if the deal closed tomorrow and nothing was remediated. That single question surfaces inherited privilege, partner dependencies, and the hidden work of combining two control planes into one.

The operational signal is not just whether a target has controls, but whether those controls can be re-certified fast enough to avoid carrying forward access that no longer fits the buyer’s model. A transaction that cannot absorb identity inventory, offboarding, and review into the integration plan is already accumulating security debt.

For practitioners building due diligence checklists, the next step is to connect transaction review to established identity guidance such as the NIST SP 800-63 Digital Identity Guidelines for assurance and the buyer’s own lifecycle controls for entitlements and revocation.


For practitioners

  • Build an identity inventory into pre-close diligence: Map all human users, privileged roles, service accounts, API keys, and third-party integrations before the transaction proceeds. Include inherited admin pathways and any delegated access that would survive a system merge.
  • Re-certify inherited access immediately after close: Reset review cadence for all acquired entitlements, with special attention to service accounts and partner connections that were approved under the target's governance model.
  • Treat integration partners as privileged trust relationships: Require explicit lifecycle ownership for each partner connection, including renewal, monitoring, and offboarding steps when the commercial relationship ends or scope changes.
  • Align corp dev and security on deal breakers: Define in advance which identity or security findings are automatic escalation items, so technical diligence can stop a risky acquisition before integration work begins.
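The four practitioner steps above, together with the "Technical breakdown" section, describe one procedure: inventory the inherited identities, re-certify them under the buyer's policy, check partner connections for lifecycle ownership, and escalate pre-agreed deal breakers. The script below is an added worked example of that procedure, not code from 1Password or NHI Mgmt Group. The inventory entries, the buyer policy thresholds (a 90-day rotation window and the set of roles treated as privileged), the escalation rules, and the as-of date are all constructed assumptions; a real run would load the inventory from the target's IdP, secrets manager, and partner integration records.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Identity:
    """One row of the inherited identity inventory (constructed schema)."""
    name: str
    kind: str                              # human | service_account | api_key | partner_integration
    owner: Optional[str]                   # accountable person or team; None means orphaned
    privileges: List[str]
    last_rotated: Optional[date] = None    # credential rotation date for NHIs; None = unknown
    recertified_under_buyer: bool = False  # re-justified under the buyer's policy after close?
    partner_active: bool = True            # for partner integrations: is the relationship still live?


# Hypothetical buyer policy; the values are assumptions, not figures from the page.
BUYER_POLICY = {
    "max_secret_age_days": 90,
    "privileged_roles": {"admin", "owner", "deploy", "billing"},
}


def audit(identity: Identity, policy: dict, today: date) -> List[str]:
    """Return findings for one identity; an empty list means it passes re-certification."""
    findings = []
    if identity.owner is None:
        findings.append("no accountable owner")
    if identity.kind in ("service_account", "api_key"):
        if identity.last_rotated is None:
            findings.append("credential age unknown")
        elif (today - identity.last_rotated).days > policy["max_secret_age_days"]:
            findings.append("credential older than buyer rotation window")
    if set(identity.privileges) & policy["privileged_roles"] and not identity.recertified_under_buyer:
        findings.append("privileged role not re-certified under buyer policy")
    if identity.kind == "partner_integration" and not identity.partner_active:
        findings.append("partner relationship ended but access persists")
    return findings


def is_deal_breaker(identity: Identity, findings: List[str]) -> bool:
    """Pre-agreed escalation rules (constructed): an orphaned privileged NHI, or
    access that persists after the partner relationship has ended."""
    orphaned_privileged_nhi = (
        identity.kind != "human"
        and "no accountable owner" in findings
        and "privileged role not re-certified under buyer policy" in findings
    )
    return orphaned_privileged_nhi or "partner relationship ended but access persists" in findings


def blast_radius(inventory: List[Identity], policy: dict, today: date) -> Dict[str, List[str]]:
    """Identities that would keep acting after close while carrying unresolved findings."""
    result = {}
    for identity in inventory:
        findings = audit(identity, policy, today)
        if findings:
            result[identity.name] = findings
    return result


def summarize(inventory: List[Identity], policy: dict, today: date) -> dict:
    """Counts for the integration plan plus the names that must go to corp dev as escalations."""
    flagged = blast_radius(inventory, policy, today)
    by_kind: Dict[str, int] = {}
    escalations = []
    for identity in inventory:
        if identity.name in flagged:
            by_kind[identity.kind] = by_kind.get(identity.kind, 0) + 1
            if is_deal_breaker(identity, flagged[identity.name]):
                escalations.append(identity.name)
    return {"total": len(inventory), "flagged": len(flagged), "by_kind": by_kind, "escalations": escalations}


# Constructed sample inventory for a fictional acquired company.
SAMPLE_INVENTORY = [
    Identity("alice@target.example", "human", "hr", ["admin"]),
    Identity("bob@target.example", "human", "hr", ["read"]),
    Identity("ci-deployer", "service_account", None, ["deploy"], last_rotated=date(2025, 11, 1)),
    Identity("billing-api-key", "api_key", "finance-ops", ["billing"],
             last_rotated=date(2026, 3, 1), recertified_under_buyer=True),
    Identity("monitoring-reader", "api_key", "sre", ["read"]),
    Identity("legacy-vendor-oauth", "partner_integration", "partnerships", ["admin"], partner_active=False),
    Identity("payments-partner", "partner_integration", "partnerships", ["read"]),
]
AS_OF = date(2026, 5, 6)  # assumed review date

if __name__ == "__main__":
    for name, findings in blast_radius(SAMPLE_INVENTORY, BUYER_POLICY, AS_OF).items():
        print(f"{name}: {'; '.join(findings)}")
    print(summarize(SAMPLE_INVENTORY, BUYER_POLICY, AS_OF))
```

Run as written, the script flags four of the seven inherited identities and escalates two of them: the orphaned deployment service account with a stale credential, and the OAuth integration for a partner whose commercial relationship has ended. The design point is that the escalation rules are fixed before the inventory is loaded, so the output is a decision for corp dev rather than a debate after the announcement.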

Key takeaways

  • M&A security risk is often inherited identity risk, because the buyer acquires access relationships as well as assets.
  • Excess privilege and weak offboarding become more dangerous after close, when two control environments collide.
  • Identity inventory, re-certification, and partner lifecycle ownership are the controls that change whether integration creates value or exposure.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework, control or reference, and relevance:

  • OWASP Non-Human Identity Top 10 (NHI-03): Inherited service accounts and keys need rotation after a transaction closes.
  • NIST CSF 2.0 (PR.AA-01): Deals depend on knowing which identities are authorised across the combined environment.
  • NIST Zero Trust (SP 800-207) (PR.AC): Partnerships and acquisitions both expand trust boundaries that zero trust must revalidate.

Map acquired entitlements into an access inventory and re-certify them under the buyer's policy.


Key terms

  • Identity inventory: An identity inventory is the authoritative list of people, service accounts, API keys, tokens, certificates, and delegated integrations that can act inside an environment. In M&A, it becomes the starting point for understanding inherited access and the control gaps that might survive the deal.
  • Identity blast radius: Identity blast radius is the amount of operational and security exposure created by a set of accounts, privileges, and trust relationships. In a transaction, it measures how far inherited access can reach before re-certification, revocation, and normalisation bring it back under control.
  • Partner lifecycle governance: Partner lifecycle governance is the discipline of managing third-party access from onboarding through renewal, monitoring, and offboarding. It matters when partnerships are deeply integrated because trust persists in technical connections long after the commercial relationship changes.
  • Post-close re-certification: Post-close re-certification is the review of inherited access after a merger or acquisition completes. It forces teams to re-justify privileges under the buyer’s own policies, which is essential when the target’s old access model no longer matches the combined environment.

Deepen your knowledge

M&A identity diligence and post-close access governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a governance programme that has to survive acquisitions and partnerships, it is worth exploring.

This post draws on content published by 1Password: a Chasing Entropy episode on security, acquisitions, and partnerships. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org