M&A identity chaos: what security teams need to control now


(@nhi-mgmt-group)

TL;DR: Mergers and acquisitions can rapidly expand identity attack surfaces by inheriting dormant accounts, shadow privileges, orphaned service accounts, and fragmented IAM, IGA, and PAM controls, according to Hydden. The core problem is not integration speed alone, but the collapse of a single, trustworthy identity inventory across two environments.

NHIMG editorial — based on content published by Hydden: identity chaos and inherited risk in mergers and acquisitions

Questions worth separating out

Q: How should security teams manage inherited identity risk during an acquisition?

A: Security teams should inventory all identities before connectivity expands, then validate ownership, privilege, and lifecycle state across both organisations.

Q: Why do mergers create such a large non-human identity risk?

A: Mergers often inherit service accounts, API keys, and certificates that were created under different governance standards and are poorly documented.

Q: What breaks when IAM and PAM tools are not aligned across two merged companies?

A: What breaks is the assumption that one governance model can certify the combined estate.

Practitioner guidance

  • Build a pre-merger identity inventory across both estates. Map every human account, service account, API key, certificate, and federated trust path before Day One connectivity.
  • Freeze and review inherited privileged access before integration. Vault newly discovered admin accounts and keys, then verify whether each entitlement is still justified for the combined operating model.
  • Test federation and SSO trust boundaries before broadening connectivity. Validate whether the merged identity paths create unintended authentication trust between directories, tenants, or partner systems.

What's in the full article

Hydden's full analysis covers the operational detail this post intentionally leaves for the source:

  • The article’s phased M&A response model for pre-merger due diligence, integration, and post-integration remediation
  • Specific examples of how identity attack surface management can surface hidden accounts and access paths during a merger
  • The source discussion of how standard PAM, IAM, and IGA workflows fail when two organisations are combined quickly
  • The practical identity controls Hydden recommends for inherited accounts, JIT access, and privilege reduction

👉 Read Hydden’s analysis of identity risk in mergers and acquisitions →
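The inventory reconciliation and trust-boundary checks from the practitioner guidance above, worked through as an added Python example (not code from Hydden or NHIMG): two constructed estate inventories are merged into one, each identity is flagged for a missing owner, dormancy, an unrotated credential, privilege, and a cross-estate name collision, and a constructed federation graph is walked for authentication paths that were never directly approved. The record fields, the owner feeds, the 90-day dormancy and 365-day rotation thresholds, and the trust-graph model are all assumptions made for the example.

```python
"""Merge two estates' identity inventories, flag inherited risk, and walk
federation trusts for unintended transitive paths.

Added example for this post; not code from Hydden or NHIMG. Record fields,
thresholds and the trust-graph model are assumptions; all data is constructed.
"""
from datetime import date

TODAY = date(2025, 6, 1)          # fixed so results are deterministic
DORMANT_DAYS = 90                 # assumed threshold for "dormant"
MAX_CREDENTIAL_AGE_DAYS = 365     # assumed rotation policy for keys/certs
CREDENTIAL_KINDS = {"service", "api_key", "certificate"}

# Constructed HR/ownership feeds: who is still employed in each estate.
ACTIVE_OWNERS = {"acme": {"alice", "bob"}, "zenith": {"carol"}}

# Constructed per-estate inventories, as an exporter might emit them.
INVENTORIES = {
    "acme": [
        {"id": "alice", "kind": "human", "privileged": False, "owner": "alice", "last_used": "2025-05-30", "created": "2022-01-10"},
        {"id": "svc-backup", "kind": "service", "privileged": True, "owner": "dave", "last_used": "2025-01-02", "created": "2023-01-01"},
        {"id": "svc-ci", "kind": "service", "privileged": False, "owner": "bob", "last_used": "2025-05-31", "created": "2025-03-01"},
    ],
    "zenith": [
        {"id": "carol", "kind": "human", "privileged": True, "owner": "carol", "last_used": "2025-05-29", "created": "2021-06-01"},
        {"id": "svc-ci", "kind": "service", "privileged": True, "owner": "carol", "last_used": "2024-11-01", "created": "2023-05-01"},
        {"id": "apikey-partner", "kind": "api_key", "privileged": True, "owner": "", "last_used": "2025-05-20", "created": "2023-02-01"},
    ],
}

# Constructed federation graph: A -> [B] means "A accepts authentication from B".
TRUSTS = {
    "acme-ad": ["zenith-tenant"],
    "zenith-tenant": ["partner-idp"],
    "partner-idp": [],
}


def flag_record(rec, estate, today=TODAY):
    """Return the risk flags for one inventory record."""
    flags = []
    if rec["owner"] not in ACTIVE_OWNERS.get(estate, set()):
        flags.append("orphaned")           # no current, accountable owner
    if (today - date.fromisoformat(rec["last_used"])).days > DORMANT_DAYS:
        flags.append("dormant")
    if rec["kind"] in CREDENTIAL_KINDS and \
            (today - date.fromisoformat(rec["created"])).days > MAX_CREDENTIAL_AGE_DAYS:
        flags.append("stale_credential")   # never rotated within policy
    if rec["privileged"]:
        flags.append("privileged")         # must be re-justified for the combined estate
    return flags


def reconcile(inventories, today=TODAY):
    """Build one inventory keyed by (estate, id) and mark cross-estate name collisions."""
    merged, seen_ids = {}, {}
    for estate, records in inventories.items():
        for rec in records:
            flags = flag_record(rec, estate, today)
            merged[(estate, rec["id"])] = dict(rec, estate=estate, flags=flags)
            seen_ids.setdefault(rec["id"], []).append(estate)
    for ident, estates in seen_ids.items():
        if len(estates) > 1:               # same name, two governance regimes
            for estate in estates:
                merged[(estate, ident)]["flags"].append("collision")
    return merged


def vault_candidates(merged):
    """Privileged identities that also carry an ownership or lifecycle problem."""
    return sorted(
        f"{e}:{i}" for (e, i), r in merged.items()
        if "privileged" in r["flags"]
        and {"orphaned", "dormant", "stale_credential"} & set(r["flags"])
    )


def transitive_trusts(trusts, root):
    """Every IdP reachable from root along 'accepts authentication from' edges.
    Assumes chained acceptance is possible: the worst case a reviewer must disprove."""
    reached, stack = set(), list(trusts.get(root, []))
    while stack:
        node = stack.pop()
        if node not in reached and node != root:
            reached.add(node)
            stack.extend(trusts.get(node, []))
    return reached


def unintended_trusts(trusts):
    """(root, idp) pairs where idp is reachable but was never directly approved."""
    return sorted(
        (root, idp) for root in trusts
        for idp in transitive_trusts(trusts, root) - set(trusts[root])
    )


if __name__ == "__main__":
    inv = reconcile(INVENTORIES)
    for key, rec in sorted(inv.items()):
        print(key, rec["flags"])
    print("vault first:", vault_candidates(inv))
    print("unintended trust paths:", unintended_trusts(TRUSTS))
```

Two things the output makes visible that a per-estate view hides: `svc-ci` exists in both estates with a different owner and a different privilege level, which is exactly the single-inventory problem the TL;DR describes, and `acme-ad` ends up reachable from `partner-idp` even though no one in Acme ever approved that relationship. The trust walk deliberately assumes chained acceptance; SAML and OIDC federations are not transitive by default, so a hit is a question for the federation owners to answer before Day One connectivity, not a confirmed exposure.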
