TL;DR: M&A creates a sharp identity governance problem because buyers inherit devices, applications, accounts, contractors, and policy conflicts before integration is complete, according to 1Password. The real control failure is assuming diligence can be deferred until after the deal closes, when access sprawl and orphaned identities are already in motion.
NHIMG editorial — based on content published by 1Password: identity and access risk in mergers and acquisitions
Questions worth separating out
Q: How should security teams handle identity risk during mergers and acquisitions?
A: Treat M&A as a live identity governance problem from the first negotiation.
Q: Why do mergers and acquisitions increase access control risk?
A: M&A increases risk because the acquiring organisation inherits unknown accounts, inconsistent policies, and unreviewed third-party access while systems are being combined.
Q: What do security teams get wrong about acquisition due diligence?
A: The common mistake is treating due diligence as a paperwork exercise rather than an operational identity review.
Practitioner guidance
- Build identity diligence into Corp Dev workflow: Require security to join acquisition planning early enough to review users, service accounts, contractors, SaaS apps, and device posture before close.
- Separate integration assumptions from security scope: Document whether the deal is no integration, partial integration, or full integration, then align controls to that decision.
- Harden the first 30 days of access governance: Prioritise deprovisioning, access review, and logging as soon as the transaction moves toward integration.
What's in the full article
1Password's full article covers the operational detail this post intentionally leaves for the source:
- The due diligence workflow for combining security review with Corp Dev timing.
- The different integration models for no integration, partial integration, and full integration.
- The practical access-control issues that show up after close, including ghost accounts and BYOD exposure.
- The webinar discussion with Wendy Nather, Dave Lewis, and Kane Narraway on M&A security lessons.