M&A security diligence: what IAM teams should be watching


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter  

TL;DR: Security in acquisitions and partnerships now affects product trust, legal exposure, and integration risk because a deal inherits technology, process gaps, and security weaknesses, according to 1Password’s Chasing Entropy conversation with Matt O’Leary. The governance lesson is that identity, diligence, and post-close integration have become one control plane, not separate workstreams.

NHIMG editorial — based on content published by 1Password: a Chasing Entropy episode on security, acquisitions, and partnerships

Questions worth separating out

Q: How should security teams assess identity risk during an acquisition or merger?

A: They should treat identity inventory as part of diligence, not as a post-close cleanup task.

Q: Why do partnerships create access risk even when no acquisition is involved?

A: Deep partnerships often create shared trust through connected systems, delegated rights, and authenticated integrations.

Q: What breaks when inherited access is not re-certified after a deal closes?

A: Inherited access can remain active even when the business justification has changed.

What's in the full article

1Password's full podcast episode covers the operational detail this post intentionally leaves for the source:

  • How Matt O’Leary frames technical diligence as a deal-killer when security exposure is material
  • Why post-close integration is the hardest phase of an acquisition, including engineering retention and architecture alignment
  • How partner trust changes when integrations tie two companies’ brands and customer expectations together
  • What corporate development teams should ask before approving a transaction or strategic partnership

👉 Read 1Password's podcast discussion on security diligence in M&A and partnerships →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498
 

M&A security failures are usually identity governance failures in disguise. The episode’s core point is that a deal inherits not just technology but the access model that makes that technology usable. That means inherited service accounts, partner credentials, and undocumented admin pathways become part of the risk thesis the moment diligence begins. For practitioners, the conclusion is that deal review without identity inventory is only partial review.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why inherited machine access remains one of the hardest parts of post-close integration.

A question worth separating out:

Q: Who should own security accountability in M&A integration?

A: Security accountability should sit jointly with corporate development, product, engineering, and identity governance teams. Corp dev sets the deal conditions, while security and IAM teams validate whether the acquired environment can be integrated without importing unresolved access risk. If those groups are not aligned before close, accountability tends to become fragmented after the announcement.

👉 Read our full editorial: Security diligence in M&A is now an identity governance issue

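A worked triage of the inherited-access problem raised in both posts above (the first post's question about what breaks when inherited access is not re-certified, and the second post's point that inherited service accounts, partner credentials and undocumented admin pathways become part of the risk thesis), added here as an example; it is not code from 1Password, the podcast or the NHIMG editorial. The inventory schema, the thresholds, and the retained-owner and continued-partner lists are constructed assumptions chosen to illustrate the check; a real run would pull the inventory from the acquired estate's directory, cloud IAM and secrets stores and the deal conditions from corp dev.

```python
"""Re-certify non-human identities inherited through a deal against post-close conditions.

Added example, not code from the podcast or the editorial. Schema, thresholds
and policy lists are assumptions; the sample inventory is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class NHI:
    """One non-human identity found in the acquired estate (assumed schema)."""
    name: str
    kind: str                      # "service_account" | "partner_integration" | "admin_path"
    owner: Optional[str]           # accountable human, if any is recorded
    privileges: set[str]
    last_used: Optional[date]      # None = never observed authenticating
    justification: Optional[str]   # recorded business reason, if any
    partner: Optional[str] = None  # counterparty for partner integrations


@dataclass
class DealContext:
    """Post-close conditions the inventory is re-certified against (assumed)."""
    close_date: date
    retained_owners: set[str]      # staff who stay on after integration
    continued_partners: set[str]   # partnerships corp dev agreed to keep
    privileged_scopes: set[str]    # scopes that count as admin-level
    stale_after: timedelta = timedelta(days=90)


def recertify(nhi: NHI, ctx: DealContext) -> list[str]:
    """Return the reasons this identity cannot be carried over as-is."""
    findings: list[str] = []
    # Access whose accountable owner left (or was never recorded) has nobody
    # who can attest that the original business justification still holds.
    if nhi.owner is None or nhi.owner not in ctx.retained_owners:
        findings.append("orphaned-owner")
    # Partner credentials outlive the partnership unless someone revokes them.
    if nhi.kind == "partner_integration" and nhi.partner not in ctx.continued_partners:
        findings.append("partner-not-continued")
    # Admin-level scopes need a documented reason before they are inherited.
    if nhi.privileges & ctx.privileged_scopes and not nhi.justification:
        findings.append("privileged-without-justification")
    # Credentials nobody has used for a long time (or ever) are pure liability.
    if nhi.last_used is None or ctx.close_date - nhi.last_used > ctx.stale_after:
        findings.append("stale")
    return findings


def triage(inventory: list[NHI], ctx: DealContext) -> dict[str, list[str]]:
    """Map each identity that needs re-certification to its findings."""
    return {n.name: f for n in inventory if (f := recertify(n, ctx))}


# Constructed sample deal conditions and inventory; not real data.
SAMPLE_CONTEXT = DealContext(
    close_date=date(2025, 3, 31),
    retained_owners={"alice"},
    continued_partners={"NorthwindLogistics"},
    privileged_scopes={"iam.admin", "org.owner"},
)

SAMPLE_INVENTORY = [
    # Owned by retained staff, privileged but justified, recently used: clean.
    NHI("ci-deploy-sa", "service_account", "alice", {"iam.admin", "deploy"},
        date(2025, 3, 28), "CI pipeline deploys to prod"),
    # Owner left, unused since before the deal: orphaned and stale.
    NHI("legacy-backup-sa", "service_account", "bob", {"storage.read"},
        date(2024, 9, 1), None),
    # Live partner credential for a partnership that is not being continued.
    NHI("acme-webhook", "partner_integration", "alice", {"orders.write"},
        date(2025, 3, 30), "Acme order sync", partner="AcmeCorp"),
    # Undocumented admin pathway: no owner, no reason, never seen used.
    NHI("breakglass-admin", "admin_path", None, {"iam.admin"}, None, None),
]


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_INVENTORY, SAMPLE_CONTEXT).items():
        print(f"{name}: {', '.join(findings)}")
```

The point of the check is that it consumes deal conditions (who stays, which partnerships continue) as inputs, so it can be run during diligence against the target's inventory rather than after close; anything it flags is either removed before integration or carried over with an explicit, newly recorded justification.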