These events create ownership confusion, delayed access cleanup, and temporary permissions that outlive their purpose. Ransomware operators exploit that ambiguity because identity governance slows while the organisation is changing. The risk is highest where privileged accounts, third-party access, and recovery authority are not explicitly reassigned.
Why This Matters for Security Teams
Mergers, acquisitions, and layoffs are not just HR events. They are identity events that temporarily break normal control ownership, approval paths, and offboarding discipline. That matters because ransomware crews look for exactly that kind of administrative drift: accounts that are still active, privileged paths that were never reassigned, and recovery processes that nobody clearly owns. NIST's Cybersecurity Framework 2.0 makes Govern a core function and places identity management and access control under Protect, but those outcomes are hardest to achieve when the organisation is changing shape.
NHIMG research shows how quickly weak identity hygiene compounds risk. In the Ultimate Guide to NHIs — Why NHI Security Matters Now, breaches involving non-human identities (NHIs) and excessive privileges appear repeatedly as a systemic problem, not an edge case. During M&A or workforce reduction, the same pattern extends to service accounts, backup tooling, admin consoles, and third-party access. In practice, many security teams discover stale access only after an operator has already used it to move laterally or disable recovery controls.
How It Works in Practice
The risk rises because change events slow down the normal identity lifecycle. Legal close, HR notifications, IT handoffs, and security reviews rarely happen at the same speed. That delay creates a window where users, contractors, partner admins, and NHI credentials remain valid longer than intended. Ransomware operators do not need perfect access; they need one surviving admin path, one overprivileged backup account, or one neglected API key to begin encryption, exfiltration, or recovery sabotage. The Top 10 NHI Issues page highlights how common excessive privilege and poor visibility remain across enterprises.
Operationally, teams should treat every transaction or workforce reduction as a reset point for identity governance:
- Revalidate ownership for privileged users, service accounts, and vault-admin roles.
- Shorten approval chains and use temporary access with explicit expiry dates.
- Revoke or rotate secrets tied to departed staff, acquired systems, and external vendors.
- Confirm recovery authority separately from day-to-day administrative access.
- Review backup, hypervisor, directory, and remote-management accounts first, not last.
The most effective control is speed with verification: remove access quickly, then confirm the removal through logs, directory state, and privileged session review. Current guidance suggests that identity cleanup should be coordinated as part of the incident response and integration plan, not treated as a post-close administrative task. These controls tend to break down when acquired environments use undocumented local admins or when layoffs affect shared accounts that were never tied to a single owner.
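The checklist and the "speed with verification" step above, as an added example that is not NHIMG's code or tooling: a Python script that reconciles a departure and acquisition list against a directory export, orders findings so that backup, hypervisor, directory and remote-management admins come first, and then treats a finding as closed only when an audit-log event shows the disable or rotation. The Account fields, the key=value log format, the 90-day rotation threshold and all sample records are constructed assumptions for illustration.

```python
"""Post-transition access review: flag stale access, then confirm removal in logs.

Added example, not NHIMG's code. Account fields, the audit-log format and the
sample data are assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime, timezone, timedelta
from typing import Optional

# Accounts on these systems are reviewed before everything else (last checklist item).
RECOVERY_CRITICAL = {"backup", "hypervisor", "directory", "remote-management"}


@dataclass
class Account:
    name: str
    owner: str                  # accountable human; "" means nobody is recorded
    kind: str                   # "user" or "nhi" (service account, API key, ...)
    system: str                 # where the account lives, e.g. "backup", "crm"
    enabled: bool
    privileged: bool
    expires: Optional[date] = None       # explicit expiry for a temporary grant
    last_rotated: Optional[date] = None  # NHI secrets only


@dataclass
class Finding:
    account: str
    reasons: list
    priority: int   # 0 = recovery-critical and privileged, 1 = privileged, 2 = other


def review_access(accounts, departed, acquired_systems, attested, as_of,
                  max_secret_age=timedelta(days=90)):
    """Findings for enabled accounts that need revocation, rotation or re-attestation,
    ordered so recovery-critical privileged accounts come first."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue
        reasons = []
        if a.owner in departed:
            reasons.append(f"owner {a.owner} has departed")
        if not a.owner:
            reasons.append("no accountable owner recorded")
        if a.expires is not None and a.expires < as_of:
            reasons.append(f"temporary grant expired on {a.expires}")
        if a.system in acquired_systems and a.privileged and a.name not in attested:
            reasons.append("privileged account on acquired system, ownership not revalidated")
        if a.kind == "nhi" and a.last_rotated is not None and as_of - a.last_rotated > max_secret_age:
            reasons.append(f"secret last rotated {a.last_rotated}, older than {max_secret_age.days} days")
        if reasons:
            prio = 0 if a.privileged and a.system in RECOVERY_CRITICAL else (1 if a.privileged else 2)
            findings.append(Finding(a.name, reasons, prio))
    findings.sort(key=lambda f: (f.priority, f.account))
    return findings


# Constructed audit-log format: ISO-8601 timestamp followed by key=value pairs.
_KV = re.compile(r"(\w+)=(\S+)")


def parse_audit_line(line):
    ts, _, rest = line.partition(" ")
    event = dict(_KV.findall(rest))
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event


def verify_revocations(findings, audit_lines, since):
    """Second half of 'speed with verification': a finding is closed only when the log
    shows a disable or rotation for that account at or after `since`."""
    closed = {f.account: False for f in findings}
    for line in audit_lines:
        ev = parse_audit_line(line)
        acct = ev.get("account")
        if acct in closed and ev.get("action") in {"disabled", "rotated"} and ev["ts"] >= since:
            closed[acct] = True
    return closed


# --- constructed sample data -------------------------------------------------
AS_OF = date(2026, 6, 24)
REVIEW_START = datetime(2026, 6, 23, tzinfo=timezone.utc)   # start of the cleanup window
DEPARTED = {"j.doe"}
ACQUIRED = {"hypervisor", "crm"}
ATTESTED = {"vcenter-admin"}   # ownership re-confirmed during integration

ACCOUNTS = [
    Account("j.doe", "j.doe", "user", "directory", True, True),
    Account("backup-svc", "j.doe", "nhi", "backup", True, True, last_rotated=date(2025, 11, 1)),
    Account("vcenter-admin", "ops-lead", "user", "hypervisor", True, True),
    Account("legacy-vc-root", "", "user", "hypervisor", True, True),
    Account("vendor-api", "acme-partner", "nhi", "crm", True, False, expires=date(2026, 6, 1)),
    Account("a.lee", "a.lee", "user", "crm", True, False),
    Account("old-intern", "hr", "user", "directory", False, False),
]

AUDIT_LOG = [
    "2026-06-24T09:15:02Z account=j.doe action=disabled actor=iam-automation",
    "2026-06-24T09:15:40Z account=backup-svc action=rotated actor=vault",
    "2026-06-20T08:00:00Z account=legacy-vc-root action=disabled actor=ops-lead",  # predates the window; directory still shows it enabled
]

if __name__ == "__main__":
    found = review_access(ACCOUNTS, DEPARTED, ACQUIRED, ATTESTED, AS_OF)
    status = verify_revocations(found, AUDIT_LOG, REVIEW_START)
    for f in found:
        print(f"[P{f.priority}] {f.account}: {'; '.join(f.reasons)} -> "
              f"{'confirmed' if status[f.account] else 'STILL OPEN'}")
```

On the sample data the script flags four accounts: the departed admin, the backup service account he owned (departed owner and an unrotated secret), an acquired hypervisor root account with no recorded owner, and an expired vendor key. Only the first two are confirmed closed; the hypervisor account has a disable event that predates the review window while the directory export still shows it enabled, which is exactly the kind of drift the log check is meant to surface.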
Common Variations and Edge Cases
Tighter access control often increases coordination overhead, requiring organisations to balance fast business transition against clean identity revocation. That tradeoff is real during carve-outs, divestitures, and rapid layoffs, where freezing access too aggressively can disrupt payroll, customer support, or forensic preservation. The practical answer is not to keep access broad, but to stage it by risk.
Best practice is evolving for mixed human and NHI estates. For example, a merger may preserve a supplier’s API integrations for weeks, while an internal reorganisation may require immediate removal of a departing executive’s delegated privileges. In both cases, short-lived credentials and explicit re-approval are safer than standing access. The Ultimate Guide to NHIs — Key Challenges and Risks is useful here because it ties offboarding, rotation, and visibility together rather than treating them as separate tasks.
When the organisation uses shared break-glass accounts, unmanaged local admins, or shadow IT tools, the clean answer often fails because no single system knows where authority actually lives. In those environments, manual attestations and emergency access reviews become necessary, but they should be time-bound and documented. The hardest cases are acquisitions with incomplete asset inventories, because unknown credentials and unknown dependencies are precisely what ransomware crews hope to find.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control expectations practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 (Identity Management, Authentication, and Access Control; PR.AC-4 in CSF 1.1) | Access permissions must be managed, reviewed, and least-privilege; drift here is the core merger and layoff risk. |
| OWASP Non-Human Identity Top 10 | NHI1:2025 Improper Offboarding | Service accounts, keys, and integrations tied to departed staff or acquired systems must be revoked or rotated, not left standing. |
| OWASP Non-Human Identity Top 10 | NHI3:2025 Vulnerable Third-Party NHI | Supplier and partner integrations inherited in a transaction need explicit ownership and re-approval. |
| NIST AI RMF | Govern function | Governance guidance fits high-change environments where accountability becomes unclear. |
Assign accountable owners and runtime controls for access decisions during organisational transitions.
Related resources from NHI Mgmt Group
- Why do mergers and acquisitions increase privileged access risk so quickly?
- Why do mergers and acquisitions increase access risk for service accounts and privileged users?
- Why do mergers and acquisitions increase access control risk?
- Why do mergers and acquisitions increase IAM and NHI risk so quickly?
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org