TL;DR: Security in acquisitions and partnerships now affects product trust, legal exposure, and integration risk because a deal inherits technology, process gaps, and security weaknesses, according to 1Password’s Chasing Entropy conversation with Matt O’Leary. The governance lesson is that identity, diligence, and post-close integration have become one control plane, not separate workstreams.
NHIMG editorial — based on content published by 1Password: a Chasing Entropy episode on security, acquisitions, and partnerships
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams assess identity risk during an acquisition or merger?
A: They should treat identity inventory as part of diligence, not as a post-close cleanup task.
Q: Why do partnerships create access risk even when no acquisition is involved?
A: Deep partnerships often create shared trust through connected systems, delegated rights, and authenticated integrations.
Q: What breaks when inherited access is not re-certified after a deal closes?
A: Inherited access can remain active even when the business justification has changed.
Practitioner guidance
- Build an identity inventory into pre-close diligence: map all human users, privileged roles, service accounts, API keys, and third-party integrations before the transaction proceeds.
- Re-certify inherited access immediately after close: reset the review cadence for all acquired entitlements, with special attention to service accounts and partner connections that were approved under the target’s governance model.
- Treat integration partners as privileged trust relationships: require explicit lifecycle ownership for each partner connection, including renewal, monitoring, and offboarding steps when the commercial relationship ends or scope changes.
What's in the full article
1Password's full podcast episode covers the operational detail this post intentionally leaves for the source:
- How Matt O’Leary frames technical diligence as a deal-killer when security exposure is material
- Why post-close integration is the hardest phase of an acquisition, including engineering retention and architecture alignment
- How partner trust changes when integrations tie two companies’ brands and customer expectations together
- What corporate development teams should ask before approving a transaction or strategic partnership
👉 Read 1Password's podcast discussion on security diligence in M&A and partnerships →