Your Migration Succeeded. The Identity Chain Didn’t.

Recoverability Gap - The Evidence Gap Series Banner

Identity chain continuity is the thing every migration runbook assumes and almost none of them prove. A migration dashboard can go fully green — compute online, storage attached, network reachable — while the identity chain underneath it is already broken, and nothing in that dashboard will tell you.

identity chain — migration dashboard proves compute, storage, network; identity chain status unverified
What the migration dashboard proves versus what it never checks.

The pattern is familiar to anyone who has run a cutover at scale. The migration team declares success. The completion report gets filed. Three days later, a scheduled job fails because a service account can no longer authenticate to a resource it has called successfully for two years. Nobody touched that job. Nobody touched that resource. What moved was the workload. What broke was the authority the workload depended on to do anything once it landed.

This is Part 3 of the Evidence Gap series. Part 1 argued that a recovery plan validated under clean conditions doesn’t prove it survives ransomware-class compromise. Part 2 argued that “the restore worked” is not the same claim as “we can prove the restore worked.” This post makes the same argument about migration: the migration team proved the workload moved. Nobody proved the identity chain survived. Those are different claims, and enterprise infrastructure has been treating them as interchangeable for years.

What the Migration Dashboard Proves

Every migration tool on the market — vMotion, Move Groups, HCX, Azure Migrate, whatever your platform’s equivalent is — is built to answer a narrow question: did the compute artifact arrive intact? That question breaks into three sub-claims, and migration tooling is genuinely good at proving all three.

Compute moved: the VM is running on the target platform, CPU and memory allocated, boot sequence completed. Storage moved: the disks are attached, the data is present, checksums match. Network moved: the interface is up, the VLAN or subnet is correct, the host is reachable.

Those three things are proven. Verified, logged, checkable after the fact. This is virtualization architecture doing exactly what it’s supposed to do — the platform’s job ends at “the artifact exists and responds.”

What the dashboard does not claim — because it was never built to claim it — is whether the identity chain that artifact depends on to actually function came across intact. That’s a separate question, and it’s the one nobody’s tooling is answering by default.

The Identity Chain: What Has to Survive Intact

“Identity chain” isn’t a single object. It’s a set of bindings that all have to hold simultaneously, and any one of them can fail independently of the others.

Machine identity — the computer object, its SID, its trust relationship to the domain or directory. Service identity — the accounts a workload runs as or authenticates with, whether that’s a domain service account, a managed identity, or a cloud IAM role binding. Delegation — the Kerberos constrained delegation or protocol-transition trust that lets a front-end service act on a user’s behalf against a back-end resource. Certificate bindings — the thumbprint-to-service mapping that TLS mutual auth and code-signing checks rely on. Authorization state — the actual permission grants layered on top of all of the above.

This is the layer this site’s Virtualization Control Plane Architecture material treats as part of the control plane, not an add-on to it: identity plane and control plane are the same governance surface, and migration tooling that only validates compute, storage, and network is validating half the control plane and calling it done.

Every one of those five bindings can be individually intact or individually broken. A VM can have perfect machine identity and a completely dead delegation trust. That’s what makes this failure mode hard to catch with a single check — there’s no one place to look.

Where the Chain Actually Breaks

01 — SID MISMATCH

P2V and V2V tooling can regenerate or duplicate a machine SID during conversion. The new instance boots fine and joins the network fine — it just isn’t the same trusted computer object the domain thinks it’s talking to.

02 — ORPHANED SPN BINDINGS

Service principal names are registered against the old host or the old service account. Nothing re-registers them automatically on migration, so Kerberos authentication silently falls back to NTLM or fails outright.

03 — CERT THUMBPRINT MISMATCH

Mutual TLS and code-signing checks are bound to a specific certificate thumbprint, not a hostname. A re-issued or re-provisioned cert on the new host breaks that binding even when the hostname and IP are unchanged.

04 — BROKEN DELEGATION TRUST

Constrained delegation is configured against a specific account-to-account relationship. If the front-end service’s identity changes even slightly during migration, the msDS-AllowedToDelegateTo binding no longer matches, and double-hop authentication fails.

05 — DROPPED IAM ROLE ATTACHMENT

Lift-and-shift into a cloud-adjacent target doesn’t automatically carry the instance role or managed identity binding the workload used to authenticate to storage, queues, or downstream APIs. The workload runs; it just runs unauthorized.

06 — STALE DNS / SERVICE DISCOVERY REGISTRATION

The hardest of the six to diagnose. Everything reports healthy — the host resolves, the service starts — but authentication attempts resolve to the wrong target because the discovery record still points at the pre-migration endpoint. Nothing here looks broken until you trace an actual failed auth attempt back through DNS.

None of these six show up on a migration dashboard, because none of them are things a dashboard is designed to check. Every one of them shows up the first time the workload tries to do real, authenticated work against something it depends on — which is often hours or days after the cutover window closed and everyone stopped watching.

Why the Dashboard Can’t See This

six identity chain failure modes during virtualization migration
Six ways the identity chain breaks without tripping a single migration health check.

This isn’t a tooling gap that a better dashboard fixes. It’s an architectural boundary. Migration health checks test reachability and boot state — they ping, they poll, they confirm the instance responds. They do not make an authenticated call down the full dependency chain the way the production workload eventually will. A health check that pings a database port proves the port is open. It doesn’t prove the service account trying to query that database still has a valid delegation path to get there.

That’s exactly the mechanism behind what this site has already documented as the migration dashboard illusion: a dashboard reporting success is reporting the thing it was built to measure, and identity continuity was never on that list. The gap isn’t a bug in any specific tool — it’s a category mismatch between what “the migration succeeded” is being asked to mean and what was actually checked.

This isn’t hypothetical. One earlier account on this site tracked the exact failure at a single-VM level — the VM itself was fine, its identity wasn’t. The six failure modes above are that same incident generalized into a checklist instead of a war story.

The Missing Artifact

When a migration completes, what gets retained is: the migration log, the completion report, the cutover timestamp, the validation checklist signed off by whoever ran the runbook. All of that documents that a process executed and that specific technical checks passed.

None of it documents whether machine identity, service identity, delegation relationships, and authorization state survived the migration boundary unchanged. Identity continuity evidence — proof that the identity chain crossed the boundary intact rather than merely that the compute did — is not a byproduct of any of those artifacts. It has to be produced deliberately, and almost nobody produces it, because nobody has been asking for it.

This is the same evidence-gap thesis Part 2 of this series made about disaster recovery, applied one layer earlier. Restore Evidence asked whether recovery could be proven. Identity continuity asks whether authorization survived the recovery — or in this case, the migration — that supposedly succeeded. The migration succeeded. The identity chain may not have. Nothing in the standard artifact set would tell you either way.

dashboard check versus identity chain check comparison
The verification gate a migration runbook needs and almost never has.

Validate the Chain, Not the Instance

The fix isn’t more monitoring on the migrated instance. It’s a distinct verification gate that checks the chain, not the artifact — run as an explicit step, not inferred from the fact that the VM is running.

Dashboard CheckIdentity Chain Check
VM powers on and bootsMachine SID matches the pre-migration trusted computer object
Disk attaches, checksums matchService account authenticates successfully against a real dependent resource, not a health endpoint
Network interface reports upSPN registrations resolve to the current host and are usable for Kerberos, not silently falling back to NTLM
Host responds to ping/pollDelegation trust (msDS-AllowedToDelegateTo) is intact end to end for double-hop scenarios
Instance appears in inventoryIAM role or managed identity binding is present and grants the same effective permissions as pre-migration

This is the same distinction Framework #145 (Migration Survivability Test) draws for the broader migration lifecycle — that a successful cutover event and a survivable architecture are not the same claim, and the difference only shows up under the first real incident. The identity chain check is that framework’s logic applied specifically to the authentication and authorization layer, and it connects directly to the anchor thesis of this series: Framework #148’s Recoverability Gap is the distance between a plan validated under clean conditions and one that survives real compromise. An unverified identity chain is exactly that gap, just triggered by a migration event instead of a ransomware event.

This Isn’t a Migration Problem

Identity chain failures aren’t unique to migration. They show up under failover, when a DR environment activates and discovers its service accounts were never re-delegated for the standby site. They show up during cloud relocation, when a lift-and-shift assumes IAM bindings travel with the workload and they don’t. They show up during platform modernization, whenever a control plane changes and nobody re-validates what was implicitly trusting the old one.

Migration just happens to be the event that exposes this failure mode first and most often, because migration is the most common deliberate control-plane change most infrastructure organizations undertake. The underlying problem — that authority chains are assumed to survive events they were never tested against — is the same problem this site’s Data Protection material calls recovery authority fragmentation: identity, credentials, and delegation are personnel- and platform-dependent authority, and that authority doesn’t automatically travel with the system it protects. Treat migration as the special case and you’ll keep discovering this the same way, one broken integration at a time. Treat it as the general case, and you start building the verification gate once instead of relearning it under every kind of infrastructure event that moves a workload’s ground truth out from under it.

SERIES: The Evidence Gap

Architect’s Verdict

The migration team proved the workload moved. Nobody proved the identity chain survived.

That’s not a criticism of the migration team — it’s a criticism of what “success” has been allowed to mean. A dashboard that only checks compute, storage, and network was never lying to anyone; it was just answering a narrower question than the one everyone assumed it was answering. The identity chain was never in scope, and nobody drew a new scope boundary to cover it.

Until identity continuity evidence exists as a deliberate artifact — produced the same way a migration log or a validation checklist is produced — the migration is still operating on assumption, no matter how green the dashboard is.

Download: Your Migration Succeeded. The Identity Chain Didn’t. Carousel
All six identity chain failure modes plus the Dashboard Check vs. Identity Chain Check verification gate — one reference to save before your next cutover.
PDF · 11 SLIDES
[↓] Download Carousel →

Additional Resources

Editorial Integrity & Security Protocol

This technical deep-dive adheres to the Rack2Cloud Deterministic Integrity Standard. All benchmarks and security audits are derived from zero-trust validation protocols within our isolated lab environments. No vendor influence.

Last Validated: June 2026   |   Status: Production Verified
R.M. - Senior Technical Solutions Architect
About The Architect

R.M.

Senior Solutions Architect with 25+ years of experience in HCI, cloud strategy, and data resilience. As the lead behind Rack2Cloud, I focus on lab-verified guidance for complex enterprise transitions. View Credentials →

The Dispatch — Architecture Playbooks

Get the Playbooks Vendors Won’t Publish

Field-tested blueprints for migration, HCI, sovereign infrastructure, and AI architecture. Real failure-mode analysis. No marketing filler. Delivered weekly.

Select your infrastructure paths. Receive field-tested blueprints direct to your inbox.

  • > Virtualization & Migration Physics
  • > Cloud Strategy & Egress Math
  • > Data Protection & RTO Reality
  • > AI Infrastructure & GPU Fabric
[+] Select My Playbooks

Zero spam. Includes The Dispatch weekly drop.

Need Architectural Guidance?

Unbiased infrastructure audit for your migration, cloud strategy, or HCI transition.

>_ Request Triage Session

>_Related Posts