Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

M&A identity sprawl: what it means for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Mergers and acquisitions can turn access management into a multi-IDP governance problem, with fragmented identity sources, duplicated users, and inconsistent policies across Okta, Entra, Google Workspace, and legacy systems, according to Opal Security. Architectural diversity is now the default condition, and IAM programmes need to govern it instead of forcing brittle standardisation.

NHIMG editorial — based on content published by Opal Security: Scaling Security through M&A and multi-IDP access management

By the numbers:

Questions worth separating out

Q: How should security teams govern access when two companies keep separate identity providers after an acquisition?

A: Security teams should govern access with a clear source-of-truth model, deterministic identity matching, and unified review workflows.

Q: Why do mergers and acquisitions make identity governance harder for IAM teams?

A: M&A introduces duplicate identities, inconsistent attributes, and fragmented approval paths across multiple directories and applications.

Q: What do security teams get wrong about standardising identity platforms after an acquisition?

A: The common mistake is assuming immediate standardisation is the safest path.

Practitioner guidance

  • Define source-of-truth ownership by population Document which identity provider owns employees, contractors, subsidiaries, and legacy accounts before any integration work begins.
  • Build cross-directory identity matching rules Create deterministic correlation logic for duplicate people, including email aliases, secondary usernames, and merged employee records.
  • Preserve attribute namespaces across systems Keep source-specific tags and attribute semantics separate so access decisions do not inherit collisions from different directories.

What's in the full article

Opal Security's full product post covers the operational detail this analysis intentionally leaves for the source:

  • Step-by-step examples of how the platform correlates identities across separate Okta and Entra environments
  • Detailed deployment patterns for hub-and-spoke versus multi-source governance models
  • Operational handling of ABAC tag isolation and cross-system group management in mixed identity estates
  • Practical examples of unified access review workflows across parent and acquired organisations

👉 Read Opal Security's analysis of M&A access management across identity systems →

M&A identity sprawl: what it means for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Architectural diversity is now the default security condition in M&A. The article shows that every acquisition introduces another identity provider, another directory model, and another set of access rules that cannot be erased overnight. The assumption that one corporate standard can absorb every acquired environment quickly is increasingly unrealistic. Practitioners should treat heterogeneity as a persistent operating state, not a temporary exception.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.

A question worth separating out:

Q: Who is accountable for access reviews when users exist in multiple identity systems?

A: Accountability should remain with the organisation that owns each entitlement and lifecycle event, even when the person appears in more than one directory. Reviews should be unified, but the source system that granted access must remain visible so remediation, offboarding, and audit evidence stay traceable.

👉 Read our full editorial: M&A identity complexity is reshaping access governance models



   
ReplyQuote
Share: