What Is M&A Identity Risk?
M&A identity risk is the security and governance exposure created when a merger or acquisition combines two organizations’ identity estates, each with its own IdP, its own PAM and IGA tooling (or none), and its own years of accumulated accounts, before either side has a clear, correlated picture of what the combined environment actually contains.
The scale compounds quickly. A single acquisition can bring in thousands of accounts overnight, often duplicated across domains, inconsistently named, and impossible to map to a single owner without manual, account-by-account reconciliation. Legacy systems from the acquired company frequently stay running for months or years during a phased integration, each one a data source most tools never onboard because it was never expected to still be there.
The risk isn’t hypothetical: attackers specifically look for the seams in a fresh integration, because a newly merged environment reliably has accounts nobody has reviewed yet, trust relationships nobody has audited, and an org chart too new for anyone to reliably say who owns what. The exposure window is largest in exactly the period when both organizations are most distracted by the integration itself.