TL;DR: M&A integration concentrates non-human identity risk because service accounts, tokens, and machine credentials outlive ownership boundaries and often remain overprivileged, according to Token Security; the article cites 46% of organisations experiencing NHI-related breaches and 91% of former employee tokens staying active. The governance problem is not just discovery, but proving who can revoke, rotate, and inherit each identity before the combined environment becomes one attack surface.
NHIMG editorial — based on content published by Token Security: Identity due diligence and managing non-human identity security in M&A
By the numbers:
- 46% of organizations have experienced breaches related to non-human identities.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
Questions worth separating out
Q: How should security teams handle non-human identities during M&A integration?
A: They should treat every NHI as a lifecycle object that needs ownership, scope validation, and revocation authority before systems are merged.
Q: Why do orphaned service accounts create so much risk after an acquisition?
A: Orphaned service accounts are dangerous because they often keep working after the original owner has left or the original environment has changed.
Q: What do teams get wrong about least privilege in merged environments?
A: They often review permissions identity by identity and miss the combined access graph.
Practitioner guidance
- Inventory every NHI before systems are connected Map service accounts, API keys, tokens, certificates, automation scripts, and CI/CD identities in both organisations before any broad trust is established.
- Reconcile ownership and revocation authority early Require a named business or technical owner for each machine identity and define who can rotate, revoke, or transfer it after the transaction closes.
- Run transitive access analysis across the combined estate Look for hidden reach between SaaS, cloud, build systems, and data platforms that only becomes visible when two identity graphs are merged.
What's in the full article
Token Security's full blog covers the operational detail this post intentionally leaves for the source:
- The article's five risk categories for NHI due diligence across merger and acquisition workflows
- Practical questions integration teams should ask about ownership, privileged access, and shadow identities
- The vendor's machine-first identity security framing for attribution, behaviour analysis, and autonomous risk scoring
- Case-study context on Google's acquisition of Wiz and the NHI sprawl that can sit inside mature engineering organisations
👉 Read Token Security's analysis of non-human identity risk in M&A due diligence →
M&A identity due diligence: what teams are missing on NHIs?
Explore further
M&A is an identity lifecycle event, not just an integration project. The security failure in mergers is usually not discovery alone, but the assumption that access can be inherited and cleaned up later. That assumption breaks because NHIs outlive ownership changes, and the combined estate immediately multiplies revocation complexity. Practitioners should treat merger planning as lifecycle governance from day one.
A few things that frame the scale:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- Only 5.7% of organisations have full visibility into their service accounts, which explains why merger integration so often starts with incomplete ownership data.
A question worth separating out:
Q: Who is accountable for revoking machine credentials after an acquisition closes?
A: Accountability should sit with the integration team and the system owners who inherit the environment, not with a vague central review process. If no one is explicitly named to revoke, rotate, or transfer the credential, the identity will usually survive by default and become part of the attack surface.
👉 Read our full editorial: M&A identity due diligence is failing on non-human identities