
Why do mergers and acquisitions complicate multi-tenant identity governance?

By NHI Mgmt Group Editorial Team. Updated May 29, 2026. Domain: Governance, Ownership & Risk.

Mergers and acquisitions often combine separate identity stores, claims sources, and operational practices that were never designed to interoperate. That creates temporary exceptions, overlapping permissions, and incomplete tenant segmentation. Governance teams should assume the integration period is a control-risk period, not just a migration project.

Why This Matters for Security Teams

Mergers and acquisitions are not just directory consolidation exercises. They merge different trust models, token issuers, vault practices, and approval chains into one environment before those systems are actually aligned. That is where multi-tenant identity governance gets brittle: one tenant may have mature RBAC, another may rely on shared service accounts, and both may inherit access paths that were acceptable in isolation but risky together. Treat identity convergence as a control-risk event, not a back-office cleanup.

The practical problem is scale and visibility. NHIs often outnumber human identities by 25x to 50x in modern enterprises, and only a small share of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs. During an acquisition, that gap widens because inherited accounts, API keys, and automation jobs are rarely documented with the same rigor as employee access. The result is temporary over-privilege, fragmented ownership, and exceptions that persist long after the integration project is declared complete. In practice, many security teams encounter the real risk only after inherited access has already been used in production, rather than through intentional governance design.

How It Works in Practice

Identity governance becomes harder after a merger because each organisation brings its own source of truth, entitlement language, and revocation process. A target company may use central IAM with tightly managed roles, while the acquiring company may depend on local admin groups, embedded secrets, or application-level authorization checks. The first task is not to unify everything immediately, but to map which identities are human, which are NHI, which are tenant-scoped, and which can cross boundaries. That inventory should include service accounts, workload identities, API keys, certificates, and any automation that can act without a person present.

Security teams should then apply staged controls: separate inherited tenants, limit cross-tenant trust, and require approval for any temporary exception. Just-in-time access, short-lived secrets, and explicit offboarding are especially important where the integration creates duplicate permissions or overlapping admin paths. The lifecycle and audit considerations in the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs are useful here, because they emphasise issuance, rotation, and revocation rather than static ownership assumptions. For control design, align the integration plan with NIST Cybersecurity Framework 2.0 so that access, monitoring, and recovery are handled as repeatable functions instead of one-time migration tasks.

  • Classify every inherited identity by tenant, business function, and authority to act.
  • Block broad inter-tenant trust until ownership and purpose are verified.
  • Rotate or retire shared secrets as soon as the source system is no longer authoritative.
  • Track exceptions with expiry dates, not open-ended waivers.

These controls tend to break down when integrations span legacy ERP, M&A carve-outs, and outsourced operations because each environment may depend on different approval paths and secret storage patterns.

Common Variations and Edge Cases

Tighter identity governance often increases integration overhead, so organisations have to balance acquisition speed against control assurance. That tradeoff is real when business units need rapid continuity, but it does not justify leaving inherited access in place indefinitely. Best practice is evolving toward tenant segmentation, explicit ownership transfer, and short-lived access grants, but there is no universal standard for every transaction structure yet.

One common edge case is a carve-out where the acquired team keeps operating on shared infrastructure for a period. Another is a phased migration where one tenant becomes authoritative for some apps while the old tenant still issues credentials for others. In both cases, the safest path is to use temporary boundaries, evidence-based access review, and documented revocation triggers. The Top 10 NHI Issues and the Ultimate Guide to NHIs — Regulatory and Audit Perspectives are useful reminders that misconfigured vaults, long-lived secrets, and weak offboarding are recurring failure modes, not rare events. Teams that only focus on user directory merges often miss the NHI layer entirely, even though that layer is where lateral movement and persistent access most often survive the transition.

In practice, the hardest cases are acquisitions involving autonomous tooling, because machine identities can keep operating long after human account cleanup is complete.
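The staged controls listed under How It Works in Practice, together with the phased-migration case described above (one tenant authoritative for some apps while the old tenant still issues credentials for others), as an added worked example that is not code from this page or from NHI Mgmt Group: a review script that runs those checks over a constructed inventory of inherited identities. The inventory rows, the field names, the rule names, the per-app authoritative-tenant map and the 90-day rotation threshold are all assumptions chosen for illustration; a real run would read an export from the identity provider and the vault instead.

```python
# Added example: post-acquisition access review over a merged identity inventory.
# Inventory rows, field names, rule names, AUTHORITATIVE and the 90-day threshold
# are assumptions for illustration, not values from the page.
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_DATE = date(2026, 5, 29)          # fixed so the run is reproducible offline
MAX_SECRET_AGE = timedelta(days=90)      # assumed rotation policy, not a standard


@dataclass(frozen=True)
class Identity:
    """One inherited identity as it might appear in a merged inventory export."""
    name: str
    kind: str                               # "human" or "nhi"
    issuer: str                             # tenant that issued the current credential
    app: str                                # application the credential is used for
    owner: Optional[str]                    # verified owning team, None if unknown
    purpose: Optional[str]                  # documented business function, None if unknown
    trusts: tuple[str, ...] = ()            # other tenants this identity can act in
    shared: bool = False                    # secret reused by more than one workload
    secret_issued: Optional[date] = None    # issue date of the current secret or key
    waived: bool = False                    # an exception was granted for this identity
    waiver_expiry: Optional[date] = None    # expiry of that exception; None = open-ended


@dataclass(frozen=True)
class Finding:
    identity: str
    rule: str
    detail: str


# Constructed sample: four NHIs inherited from the acquired tenant plus one human.
INVENTORY = [
    Identity("svc-erp-batch", "nhi", "acquired", "erp", "finance-ops", "nightly ledger sync",
             secret_issued=date(2025, 1, 10)),
    Identity("ci-deployer", "nhi", "acquired", "ci", None, None,
             trusts=("acquirer",), secret_issued=date(2026, 4, 1)),
    Identity("crm-integration-key", "nhi", "acquired", "crm", "sales-eng", "lead sync",
             shared=True, secret_issued=date(2026, 5, 1), waived=True),
    Identity("jdoe", "human", "acquirer", "crm", "jdoe", "sales rep",
             waived=True, waiver_expiry=date(2026, 4, 30)),
    Identity("erp-reporting-ro", "nhi", "acquired", "erp", "finance-ops", "read-only reporting",
             secret_issued=date(2026, 5, 20)),
]

# Phased migration: which tenant currently owns credential issuance for each app.
AUTHORITATIVE = {"erp": "acquired", "crm": "acquirer", "ci": "acquirer"}


def classify(inventory: list[Identity]) -> tuple[dict[tuple[str, str], int], list[str]]:
    """Counts by (kind, issuing tenant) plus the names able to act across tenants."""
    counts: dict[tuple[str, str], int] = {}
    for ident in inventory:
        counts[(ident.kind, ident.issuer)] = counts.get((ident.kind, ident.issuer), 0) + 1
    crossing = sorted(i.name for i in inventory if i.trusts)
    return counts, crossing


def review(inventory: list[Identity], authoritative: dict[str, str],
           today: date = REVIEW_DATE, max_age: timedelta = MAX_SECRET_AGE) -> list[Finding]:
    """Apply the staged integration controls to every inherited identity."""
    findings: list[Finding] = []
    for ident in inventory:
        # Block inter-tenant trust until both ownership and purpose are verified.
        if ident.trusts and (ident.owner is None or ident.purpose is None):
            findings.append(Finding(ident.name, "BLOCK_CROSS_TENANT_TRUST",
                                    f"trusts {','.join(ident.trusts)} but owner/purpose unverified"))
        # Rotate or retire credentials issued by a tenant that is no longer
        # authoritative for the app (the phased-migration case).
        owner_tenant = authoritative.get(ident.app)
        if owner_tenant is not None and ident.issuer != owner_tenant:
            findings.append(Finding(ident.name, "ROTATE_NON_AUTHORITATIVE_ISSUER",
                                    f"issued by {ident.issuer}; {owner_tenant} is authoritative for {ident.app}"))
        if ident.shared:
            findings.append(Finding(ident.name, "RETIRE_SHARED_SECRET", "secret reused across workloads"))
        if ident.secret_issued is not None and today - ident.secret_issued > max_age:
            findings.append(Finding(ident.name, "ROTATE_STALE_SECRET",
                                    f"secret is {(today - ident.secret_issued).days} days old"))
        # Exceptions must carry an expiry date and must not be past it.
        if ident.waived and ident.waiver_expiry is None:
            findings.append(Finding(ident.name, "OPEN_ENDED_WAIVER", "exception has no expiry date"))
        elif ident.waiver_expiry is not None and ident.waiver_expiry < today:
            findings.append(Finding(ident.name, "EXPIRED_WAIVER",
                                    f"exception expired {ident.waiver_expiry.isoformat()}"))
    return findings


def rules_for(findings: list[Finding], name: str) -> set[str]:
    """Rule names raised against one identity; an empty set means it passed review."""
    return {f.rule for f in findings if f.identity == name}


if __name__ == "__main__":
    counts, crossing = classify(INVENTORY)
    print("inventory:", counts, "cross-tenant:", crossing)
    for f in review(INVENTORY, AUTHORITATIVE):
        print(f"{f.rule:32} {f.identity:22} {f.detail}")
```

Run as a script it prints the inventory summary and one line per finding. On the sample data, only erp-reporting-ro passes: ci-deployer is blocked for unverified cross-tenant trust and flagged because the acquired tenant no longer issues credentials for ci, crm-integration-key carries a shared secret and an open-ended waiver, and the human account jdoe is past its waiver date. The point of keeping the authoritative-tenant map separate from the inventory is that it changes per app as the migration progresses; re-running the same rules after each cutover is what turns an expired waiver into a documented revocation trigger rather than a renewal.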

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 (Improper Offboarding) | M&A expands unmanaged NHIs and inherited secrets across tenants.
NIST CSF 2.0 | PR.AA-05 (the CSF 1.1 subcategory PR.AC-4) | Cross-tenant permission sprawl is an access-control governance issue.
NIST Zero Trust Architecture (SP 800-207) | | M&A forces segmentation and continuous verification between trust domains.

Treat acquired systems as untrusted until identity, device, and workload trust are re-established.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on May 29, 2026.