Why identity integration is the hardest part of joining two companies
Mergers and acquisitions do two things spectacularly well: they accelerate business growth and unleash absolute pandemonium inside identity and access management. The minute your organizations join, so do your clouds, your legacy systems, your service accounts, and your “temporary” permissions that have quietly been permanent since 2017.
For security leaders, managing access in mergers and acquisitions isn’t a side task; it’s a core risk event. You’re not just inheriting users; you’re inheriting their entitlements, their machine identities, their old policies, and every piece of identity debt the acquired company never got around to fixing.
If you approach access with a manual, trust-based model (“let’s just connect the directories and hope for the best”), you’ll create long-lived privilege paths that follow you around for years—basically, Bedlam.
“It’s a trap!”
- Admiral Ackbar, Return of the Jedi.
A modern identity-first platform changes that. It helps you bring two companies together at speed without accidentally creating a single, sprawling access domain full of blind spots.
The Problem: Two Companies, One Giant Identity Tangle
Every M&A event joins more than networks. It joins assumptions. One company might treat IAM as a formal discipline; the other might consider IAM “the thing that breaks releases.” You may discover:
- Engineers using global admin whenever they need it
- CI/CD pipelines using service accounts with near-root access
- Legacy line-of-business systems with shared local admin
- Entire cloud accounts built on defaults
- Identity providers configured inconsistently
- Contractors who still have access to cloud services no one remembers
- Hundreds of dormant, privileged machine identities
Multiply this across AWS, Azure, GCP, plus on-prem AD, multiple IdPs, SaaS platforms, and all the “don’t touch this, it works” machines… and you don’t have a merger. You have a hydra.
The central challenge in managing access during mergers and acquisitions is visibility: without a unified view of both estates, every access decision is guesswork.
Step 1: Start With Discovery, Not Trust
Before you merge directories, before you link clouds, before you create any trust relationships, you need to discover every identity and every permission across both companies.
A strong identity-first platform helps by:
- Connecting to all clouds and IdPs within minutes
- Normalizing permissions into a single view
- Building a cross-cloud identity map
- Highlighting high-risk roles and dormant accounts
- Revealing orphaned service accounts
- Showing cross-environment privilege paths
This is your access census. Without it, you’ll merge not only users but their mistakes.
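What an access census looks like in code, as an added example that is not part of the article and not any vendor platform's code. The inventory is constructed inline, and its field names (`estate`, `cloud`, `principal`, `kind`, `role`, `last_used`, `owner`) are an assumption about what a thin adapter over each cloud's IAM export would emit; the set of admin-equivalent role names is illustrative. The function folds both companies' records into one identity map and pulls out the risk lists the step names: dormant accounts, orphaned service accounts, and principals whose admin-equivalent access spans more than one environment.

```python
"""Access census across two estates before any trust is created (added
example, not the article's or any vendor platform's code). The inventory
below is constructed and its field names are an assumption about what a
thin adapter over each cloud's IAM export would produce."""
from collections import defaultdict
from datetime import date
import json

# Constructed sample: "acme" is the acquirer, "beta" the acquired company.
# `owner` is None where no human owner could be resolved for a machine identity.
RAW_INVENTORY = [
    {"estate": "acme", "cloud": "aws", "principal": "alice@acme.example", "kind": "human",
     "role": "AdministratorAccess", "last_used": "2025-10-01", "owner": "alice@acme.example"},
    {"estate": "acme", "cloud": "aws", "principal": "ci-deploy", "kind": "service",
     "role": "AdministratorAccess", "last_used": "2025-10-02", "owner": None},
    {"estate": "acme", "cloud": "azure", "principal": "alice@acme.example", "kind": "human",
     "role": "Owner", "last_used": "2025-09-30", "owner": "alice@acme.example"},
    {"estate": "beta", "cloud": "gcp", "principal": "bob@beta.example", "kind": "human",
     "role": "roles/owner", "last_used": "2025-10-20", "owner": "bob@beta.example"},
    {"estate": "beta", "cloud": "gcp", "principal": "old-contractor@example.net", "kind": "human",
     "role": "roles/viewer", "last_used": "2024-01-15", "owner": "bob@beta.example"},
    {"estate": "beta", "cloud": "ad", "principal": "svc-backup", "kind": "service",
     "role": "Domain Admins", "last_used": "2023-06-01", "owner": None},
]

# Roles that are admin-equivalent in their own environment (illustrative set).
PRIVILEGED_ROLES = {"AdministratorAccess", "Owner", "roles/owner", "Domain Admins"}


def census(records, today, dormant_days=90):
    """Fold raw records into one identity map plus the risk lists a census needs.

    today: ISO date string; dormant_days: idle threshold (assumed 90 days)."""
    today = date.fromisoformat(today)
    dormant, orphaned, privileged = set(), set(), set()
    footprint = defaultdict(set)  # principal -> {(estate, cloud, role)}
    for r in records:
        p = r["principal"]
        footprint[p].add((r["estate"], r["cloud"], r["role"]))
        if (today - date.fromisoformat(r["last_used"])).days > dormant_days:
            dormant.add(p)
        if r["kind"] == "service" and not r["owner"]:
            orphaned.add(p)
        if r["role"] in PRIVILEGED_ROLES:
            privileged.add(p)
    # A privilege path that crosses environments: admin-equivalent in more than
    # one (estate, cloud) pair. These are reviewed before any trust is linked.
    cross_environment = {
        p: sorted(f) for p, f in footprint.items()
        if len({(e, c) for e, c, role in f if role in PRIVILEGED_ROLES}) > 1
    }
    return {
        "dormant": sorted(dormant),
        "orphaned_service": sorted(orphaned),
        "privileged": sorted(privileged),
        "dormant_privileged": sorted(dormant & privileged),
        "cross_environment": cross_environment,
    }


if __name__ == "__main__":
    print(json.dumps(census(RAW_INVENTORY, "2025-11-01"), indent=2))
```

The `dormant_privileged` list is the one to read first: a machine identity that is both admin-equivalent and untouched for two years is exactly the kind of entitlement that gets merged into the new estate unnoticed.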
Step 2: Define a Controlled “Day 1” Access Model
On Day 1, people need to work together. But that doesn’t mean you should immediately merge the identity providers. In fact, that’s often the riskiest move.
Instead, aim for:
- Minimal, scoped access bridges
- Limited trust relationships
- JIT access for elevated roles
- Defined boundaries for production and sensitive systems
- Tagging systems that must remain isolated until reviewed
- Easy provisioning and deprovisioning for upcoming structural changes
Your goal is a narrow corridor between companies, not a warehouse full of open doors.
Step 3: Use Just-in-Time Access Instead of Permanent Exceptions
M&A creates constant exceptions:
- Integration engineers need access to environments in both clouds
- Legal needs data extraction
- Operations needs elevated roles to map infrastructure
- Dev teams need temporary API access across estates
If all of this becomes standing privilege, you’ll never clean it up.
JIT access solves this instantly:
- Engineers request roles through Slack or Teams
- Access is time-bound
- Elevated privileges self-expire
- Audit trails demonstrate control and compliance
- No lingering admin permissions survive the transition
JIT is the single strongest tool for preventing long-term identity debt during integration.
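The JIT properties listed above (time-bound grants, self-expiry, an audit trail, nothing standing at the end) modelled as a small broker, as an added example that is neither the article's nor any vendor's code. The role names, the four-hour cap and the identities are constructed assumptions; the Slack or Teams front end is out of scope, and `request_access` is simply what such a bot would call once an approver has signed off.

```python
"""Just-in-time elevation with self-expiring grants and an audit trail
(added example, not the article's or any vendor's code). The chat front
end is out of scope: `request_access` is what a Slack or Teams bot would call
after approval. Role names, the TTL cap and the identities are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_TTL = timedelta(hours=4)                                 # assumed policy cap per elevation
ELEVATED_ROLES = {"cloud-owner", "db-admin", "prod-deploy"}  # constructed role names


@dataclass
class Grant:
    principal: str
    role: str
    target: str          # which estate/system the role applies to
    approver: str
    expires_at: datetime


class JitBroker:
    """Keeps only time-bound grants; nothing here is ever standing privilege."""

    def __init__(self):
        self.active = {}   # (principal, role, target) -> Grant
        self.audit = []    # append-only list of events

    def _log(self, event, **fields):
        self.audit.append({"event": event, **fields})

    def request_access(self, principal, role, target, reason, ttl, approver, now):
        """Return a Grant, or None when policy denies the request."""
        if role not in ELEVATED_ROLES:
            raise ValueError(f"{role} is not a JIT-managed role")
        if ttl > MAX_TTL:
            self._log("denied", principal=principal, role=role, target=target,
                      reason=reason, why=f"ttl {ttl} exceeds cap {MAX_TTL}")
            return None
        grant = Grant(principal, role, target, approver, now + ttl)
        self.active[(principal, role, target)] = grant
        self._log("granted", principal=principal, role=role, target=target, reason=reason,
                  approver=approver, expires_at=grant.expires_at.isoformat())
        return grant

    def expire(self, now):
        """Revoke every grant whose clock has run out. Called on every access check
        and, in practice, from a scheduler so expiry does not depend on traffic."""
        gone = [k for k, g in self.active.items() if g.expires_at <= now]
        for k in gone:
            g = self.active.pop(k)
            self._log("expired", principal=g.principal, role=g.role, target=g.target)
        return len(gone)

    def has_access(self, principal, role, target, now):
        self.expire(now)
        return (principal, role, target) in self.active

    def standing_privilege(self):
        """What would survive the transition if the clock stopped now."""
        return sorted(self.active)


def demo():
    """Constructed scenario: an integration engineer maps the acquired estate."""
    t0 = datetime(2025, 11, 1, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker()
    broker.request_access("ingrid@acme.example", "cloud-owner", "beta/gcp-prod",
                          reason="INT-42 infrastructure mapping", ttl=timedelta(hours=2),
                          approver="cto@beta.example", now=t0)
    # A 30-day "temporary" request is exactly the exception that turns permanent.
    broker.request_access("ingrid@acme.example", "db-admin", "beta/sql-01",
                          reason="INT-42", ttl=timedelta(days=30),
                          approver="cto@beta.example", now=t0)
    during = broker.has_access("ingrid@acme.example", "cloud-owner", "beta/gcp-prod", t0 + timedelta(hours=1))
    after = broker.has_access("ingrid@acme.example", "cloud-owner", "beta/gcp-prod", t0 + timedelta(hours=3))
    return during, after, broker.standing_privilege(), [e["event"] for e in broker.audit]


if __name__ == "__main__":
    print(demo())
```

Two design points carry the weight: expiry is enforced on the read path (`has_access` always calls `expire` first), so a grant cannot outlive its TTL even if the scheduler is late, and the audit list records denials as well as grants, which is what an assessor asks for when checking that exceptions were controlled rather than waved through.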
Step 4: Normalize Access Across Multi-Cloud Environments
Every cloud speaks its own language. Every company interprets “admin,” “dev,” and “read-only” differently, and manually reconciling these is miserable.
A multi-cloud identity platform normalizes everything so you can:
- Compare roles side by side
- Map similar entitlements between clouds
- Create a unified access taxonomy
- Prevent accidental “double-admin” situations
- Design a target-state model for the merged environment
This step alone avoids more breaches than most people realize.
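A unified access taxonomy in code, as an added example that is not part of the article and not any vendor's code. The cloud-native role names used (AWS managed policies, Azure built-in roles, GCP basic roles) are real, but the three-tier mapping and the principals are constructed assumptions for illustration; a production taxonomy is derived from each cloud's actual role definitions. The example maps every assignment to a tier, keeps the most powerful tier per cloud, produces a side-by-side review table, flags "double-admin" principals, and refuses to silently drop roles it cannot map.

```python
"""Unified access taxonomy across clouds (added example, not the article's
or any vendor's code). The mapping is illustrative: a real one is built
from each cloud's role definitions, and every unmapped role is reviewed
rather than assumed harmless. Identities below are constructed."""

TIERS = ["read", "write", "admin"]  # ordered by power; list index is the rank

ROLE_TAXONOMY = {
    "aws":   {"ReadOnlyAccess": "read", "PowerUserAccess": "write", "AdministratorAccess": "admin"},
    "azure": {"Reader": "read", "Contributor": "write", "Owner": "admin"},
    "gcp":   {"roles/viewer": "read", "roles/editor": "write", "roles/owner": "admin"},
}

# Constructed assignments merged from both companies: (principal, cloud, native role)
ASSIGNMENTS = [
    ("alice@acme.example", "aws", "AdministratorAccess"),
    ("alice@acme.example", "aws", "ReadOnlyAccess"),
    ("alice@acme.example", "azure", "Owner"),
    ("bob@beta.example", "gcp", "roles/owner"),
    ("bob@beta.example", "aws", "ReadOnlyAccess"),
    ("carol@beta.example", "azure", "Contributor"),
    ("carol@beta.example", "gcp", "roles/editor"),
    ("dave@acme.example", "aws", "LegacyBillingRole"),   # not in the taxonomy yet
]


def normalize(cloud, role):
    """Map a cloud-native role to a unified tier, or None if uncovered."""
    return ROLE_TAXONOMY.get(cloud, {}).get(role)


def unified_view(assignments):
    """Return ({principal: {cloud: highest tier}}, [unmapped assignments])."""
    view, unmapped = {}, []
    for principal, cloud, role in assignments:
        tier = normalize(cloud, role)
        if tier is None:
            unmapped.append((principal, cloud, role))
            continue
        per_cloud = view.setdefault(principal, {})
        if per_cloud.get(cloud) is None or TIERS.index(tier) > TIERS.index(per_cloud[cloud]):
            per_cloud[cloud] = tier
    return view, unmapped


def double_admins(view):
    """Principals holding the admin tier in two or more clouds."""
    return sorted(p for p, clouds in view.items()
                  if sum(t == "admin" for t in clouds.values()) >= 2)


def side_by_side(view, clouds=("aws", "azure", "gcp")):
    """Rows of (principal, tier per cloud) for a review table; '-' means no access."""
    return [(p, *[view[p].get(c, "-") for c in clouds]) for p in sorted(view)]


if __name__ == "__main__":
    view, unmapped = unified_view(ASSIGNMENTS)
    for row in side_by_side(view):
        print("{:<22} aws={:<6} azure={:<6} gcp={}".format(*row))
    print("double-admin:", double_admins(view))
    print("needs mapping:", unmapped)
```

The unmapped list is deliberately a first-class output: a hand-built legacy role that the taxonomy does not recognise is more likely to be over-privileged than harmless, so it goes to a reviewer rather than defaulting to "read".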
Step 5: Don’t Forget Legacy Systems
M&A always includes:
- AD forests never modernized
- Old line-of-business apps
- Shared local admin credentials
- VPN groups granting broad access
- SQL servers with hand-built role models
Even if these systems won’t be modernized immediately, they must still be brought into your identity map.
Modern IAM platforms ingest legacy identities and show how their access overlaps with cloud systems. This lets you:
- Wrap legacy systems in JIT
- Remove shared admin passwords
- Control access through one consolidated workflow
- Phase out old models without losing visibility
Step 6: Watch for Identity Debt as Integration Progresses
Every M&A event creates identity debt by accident:
- Temporary access that becomes permanent
- Duplicate identities with inconsistent permissions
- Old roles repurposed for new systems
- “Bridge” service accounts that survive far too long
Continuous monitoring catches this:
- Entitlements that haven’t been used in months
- Escalations or drift from least privilege
- Roles gaining new permissions unexpectedly
- Identities spanning both estates with growing reach
If you pay off identity debt while integrating, you won’t carry it for years to come.
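The four monitoring signals above, run as a diff between two entitlement snapshots, as an added example that is not part of the article and not any vendor's code. The snapshot shape (per identity: a map of permission to last-used date, the set of estates it reaches, and an optional planned end date for bridge accounts) is an assumption about what a platform export would provide, the 90-day idle threshold is assumed, and both snapshots are constructed.

```python
"""Identity-debt watch between two entitlement snapshots (added example,
not the article's or any vendor's code). Snapshot shape is an assumption:
{identity: {"permissions": {perm: last-used ISO date or None},
            "estates": set of estate names, "bridge_until": optional ISO date}}.
Both snapshots below are constructed."""
from datetime import date

UNUSED_DAYS = 90   # assumed threshold for "hasn't been used in months"

BEFORE = {  # snapshot taken shortly after close
    "alice@acme.example": {"permissions": {"s3:read": "2025-07-30", "ec2:StopInstances": "2025-05-01"},
                           "estates": {"acme"}},
    "bridge-sync": {"permissions": {"dir:sync": "2025-07-31"}, "estates": {"acme", "beta"},
                    "bridge_until": "2025-09-30"},
    "legacy-report": {"permissions": {"sql:read": "2025-06-01"}, "estates": {"beta"}},
}
AFTER = {  # snapshot three months into integration
    "alice@acme.example": {"permissions": {"s3:read": "2025-10-30", "ec2:StopInstances": "2025-05-01",
                                           "iam:PassRole": "2025-10-15"},
                           "estates": {"acme", "beta"}},
    "bridge-sync": {"permissions": {"dir:sync": "2025-10-31"}, "estates": {"acme", "beta"},
                    "bridge_until": "2025-09-30"},
    "legacy-report": {"permissions": {"sql:read": "2025-06-01"}, "estates": {"beta"}},
    "new-ci": {"permissions": {"deploy": "2025-10-29"}, "estates": {"beta"}},
}


def find_debt(before, after, today, unused_days=UNUSED_DAYS):
    """Return (identity, kind, detail) findings for the debt patterns listed in
    the article: unused entitlements, escalation, cross-estate growth and
    bridge accounts past their planned end."""
    today = date.fromisoformat(today)
    findings = []
    for ident, now in after.items():
        # 1. Entitlements that haven't been used in months (checked per permission,
        #    because an active identity can still carry dead permissions).
        for perm, last in now["permissions"].items():
            if last is None:
                findings.append((ident, "unused", f"{perm} never used"))
            elif (idle := (today - date.fromisoformat(last)).days) > unused_days:
                findings.append((ident, "unused", f"{perm} idle {idle} days"))
        # 2. "Temporary" bridge accounts that outlived their planned end date.
        end = now.get("bridge_until")
        if end and date.fromisoformat(end) < today:
            findings.append((ident, "bridge-overdue", f"planned end {end}"))
        prev = before.get(ident)
        if prev is None:
            continue   # brand-new identity: a discovery finding, not drift
        # 3. Roles gaining new permissions between snapshots.
        gained = set(now["permissions"]) - set(prev["permissions"])
        if gained:
            findings.append((ident, "escalation", ",".join(sorted(gained))))
        # 4. Identities whose reach has grown to span both estates.
        if now["estates"] > prev["estates"] and len(now["estates"]) > 1:
            findings.append((ident, "cross-estate-growth", ",".join(sorted(now["estates"]))))
    return findings


if __name__ == "__main__":
    for ident, kind, detail in find_debt(BEFORE, AFTER, "2025-11-01"):
        print(f"{kind:<20} {ident:<22} {detail}")
```

Running this on each new snapshot, rather than once at the end, is what turns "watch for identity debt" into something a team can action: every finding names an identity, a pattern and the evidence, so it can be paid off while the integration engineers who granted it are still around.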
Step 7: Give Security and Engineering the Same Reality
CISOs want risk clarity; engineers want work to continue without chaos. A good platform offers both:
- Plain-language permission paths for security
- Chat-based access workflows for engineers
- A single audit trail covering both identities and systems
- One coherent model of all access, human and machine
You replace competing narratives with shared visibility.
More Than Housekeeping
Managing access in mergers and acquisitions isn’t just technical housekeeping. It’s the most consequential identity event an organization can face.
Do it manually, and you inherit years of risk.
Do it with identity-first automation, and you control the narrative from Day 1.
Discover everything.
Normalize everything.
JIT everything you can.
Monitor everything else.
“What gets measured gets managed.”
- Peter Drucker.
That’s how you merge companies without merging their vulnerabilities.