TL;DR: Tool and application sprawl can turn a routine acquisition into an identity incident when legacy systems, cleartext credentials, and uneven MFA controls create lateral movement paths, according to Orchid Security. The real issue is fragmented IAM and unchecked application sprawl, where governance breaks before attackers need anything sophisticated.
NHIMG editorial — based on content published by Orchid Security: identity fabric controls for tool and app sprawl
Questions worth separating out
Q: How should security teams manage identity risk during acquisitions and integration?
A: Treat acquisition integration as an identity consolidation project first and a technology migration second.
Q: Why do legacy applications increase identity security risk?
A: Legacy applications often retain weaker authentication, inconsistent logging, and unmanaged credentials that bypass modern controls.
Q: What do security teams get wrong about MFA and passwordless adoption?
A: Teams often assume MFA or passwordless coverage is universal once the primary identity platform supports it.
Practitioner guidance
- Build a single application and identity inventory Create one authoritative view of inherited applications, authentication methods, and privileged accounts before migration or integration begins.
- Hunt for embedded secrets across the estate Scan scripts, configuration files, repositories, and legacy platforms for cleartext credentials, then remove or replace them before attackers can reuse them.
- Extend MFA and SSO coverage to acquired systems Validate that MFA, SSO, and central policy enforcement apply to every application that matters, including older platforms that were never originally integrated.
What's in the full article
Orchid Security's full blog post covers the operational detail this post intentionally leaves for the source:
- The identity fabric control model used to unify access across legacy and modern applications.
- The practical steps for finding and eliminating hardcoded credentials across inherited environments.
- How the article recommends applying MFA, SSO, and least-privilege controls to sprawl-heavy estates.
- The specific governance practices the vendor says reduce blast radius after an acquisition.
👉 Read Orchid Security's analysis of identity fabric controls for tool and app sprawl →
Tool and app sprawl: what it means for identity teams?
Explore further
Identity fabric is a governance model, not a tooling stack. The article is right to focus on sprawl, but the deeper issue is that fragmented identity controls cannot survive acquisition-driven heterogeneity. A merged environment exposes every policy exception, every orphaned application, and every neglected credential store. Practitioners should treat integration as a governance consolidation exercise, not a point-product buying cycle.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who is accountable when cleartext credentials are found in inherited systems?
A: Accountability sits with the organisation that accepts the environment, not with the attacker who later finds the secrets. Governance teams, application owners, and integration leads must jointly prove where credentials live, how they are removed, and which systems still depend on them. That accountability should be explicit during post-acquisition remediation.
👉 Read our full editorial: Identity fabric is the answer to tool and app sprawl