TL;DR: Mergers and acquisitions create five identity risk inflection points, from pre-acquisition visibility gaps to post-close sprawl, where orphaned accounts, overprovisioned access, and temporary trust can become durable exposure, according to Delinea. The central issue is that deal-speed assumptions outpace identity governance, so access decisions harden before teams can verify them.
NHIMG editorial — based on content published by Delinea: 5 critical steps to strengthen cybersecurity in M&A
By the numbers:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches.
Questions worth separating out
Q: How should security teams assess identity risk before an acquisition closes?
A: They should compare documented access with live entitlements across human, privileged, and non-human identities.
Q: Why do mergers and acquisitions increase IAM and NHI risk so quickly?
A: Because access often expands faster than governance can consolidate.
Q: What breaks when identity reviews are only done at a single point in the deal cycle?
A: Static reviews miss the fact that access changes during and after close.
Practitioner guidance
- Baseline actual access before diligence closes. Compare documented entitlements with live directory, SaaS, and privileged access records before approval.
- Treat interim access as time-bounded governance. Assign an owner, expiry condition, and revalidation trigger to every temporary cross-company permission so the access does not survive the acquisition phase by default.
- Re-certify privileged and non-human identities after integration milestones. Review service accounts, API keys, integrations, and admin roles once systems are merged, because the acquisition process often changes business purpose before the technical control plane is updated.
What's in the full article
Delinea's full blog covers the operational detail this post intentionally leaves for the source:
- Phase-by-phase M&A security checkpoints for pre-acquisition, during-acquisition, and post-acquisition review
- Practical checklists for identity discovery, access consolidation, and post-close monitoring
- Examples of where identity debt accumulates across inherited applications and privileged access paths
- The article's own framing of how CISOs can preserve continuity without embedding long-term exposure
👉 Read Delinea's full guide to cybersecurity in mergers and acquisitions →
M&A identity risk: are your controls keeping pace with deals?
Explore further
M&A creates identity debt before the deal closes. The article correctly shows that the most expensive risks are often inherited during diligence, when leaders validate documents rather than actual access behaviour. That is a governance failure, not just a visibility gap, because the combined organisation is committing to entitlements it has not truly inspected. Practitioners should treat pre-close discovery as a control boundary, not a paperwork exercise.
A few things that frame the scale:
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure.
A question worth separating out:
Q: Who is accountable when temporary access becomes permanent after a merger?
A: Accountability belongs to the business and security owners who approved the interim access and to the integration teams that failed to revalidate it. Frameworks such as NIST Cybersecurity Framework 2.0 expect governance to continue after the initial decision, not stop at the approval date.
👉 Read our full editorial: M&A identity risk persists before, during, and after close