Mergers & Acquisitions

Five Identity Risks Every M&A Deal Team Misses

Identity risk is consistently underweighted in M&A technical due diligence — until post-close, when inherited privilege, directory complexity, and compliance gaps become the acquirer's problem. These are the five issues that surface after every deal closes.

24 February 2026    Mark Ahearne, Founder & Director    9 min read

Why Identity Is Consistently Missed in M&A Due Diligence

M&A technical due diligence has become reasonably thorough on infrastructure, application security, and data classification. Identity is the consistent gap. Deal teams focus on systems, data, and compliance frameworks — and discover identity problems only after close, when they become the acquirer's problem to fix.

The reasons are structural. Identity systems are complex, cross-cutting, and deeply integrated with everything else. Assessing them properly requires specialist knowledge. Most technical due diligence is conducted by generalists or infrastructure reviewers who will note "Active Directory in place" without understanding what is in it.

The cost of that gap is significant. Identity integration is routinely underestimated by 3–5x in deal planning, and the security risks inherited can be immediate. Below are the five identity risks we consistently find in M&A due diligence assessments — and that conventional due diligence teams miss.

Risk 1: Privilege Inheritance

When you acquire an organisation, you acquire its identity estate — including every over-privileged account within it. This typically includes:

  • Former employees whose accounts were disabled but not removed — some with stale privileged access still intact
  • Contractors whose engagement ended but whose accounts remain active
  • Service accounts with domain-level or Global Admin membership accumulated over years of "just add them to this group for now"
  • Emergency access accounts created during incidents and never reviewed

These accounts do not disappear at close. They persist — and they are typically not reviewed as part of standard integration planning. The moment you connect environments, those accounts have access to yours.

Due diligence finding: privileged account counts are rarely what acquirers expect. Typical findings include 3–4 times more privileged accounts than anticipated, with a significant proportion stale, unowned, or carrying privilege far exceeding their documented purpose.
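The four account classes listed above can be checked mechanically once the target's directory has been exported. The following is an added example written for this article, not code from IdentityFirst or from any assessment toolkit: it triages a constructed account export (the kind of flattened record you would build from Get-ADUser or Entra ID user output) for stale, disabled-but-privileged, unowned and unreviewed privileged accounts. The group names, thresholds and field names are assumptions.

```python
"""Triage an exported account list for privilege-inheritance risk.

Added example for this article; not IdentityFirst tooling. ACCOUNTS is a
constructed stand-in for a directory export (for example Get-ADUser or
Get-MgUser output flattened to these fields).
"""
from datetime import date

AS_OF = date(2026, 2, 24)   # assessment date (constructed)
STALE_DAYS = 90             # no logon in this window counts as stale (assumption)
REVIEW_DAYS = 365           # privileged access unreviewed for a year is a finding (assumption)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Global Administrator"}

# Constructed sample export: one record per account.
ACCOUNTS = [
    {"name": "jsmith", "type": "user", "enabled": False, "owner": "IT",
     "last_logon": date(2024, 5, 1), "groups": ["Domain Admins"],
     "contract_end": None, "last_review": date(2023, 1, 10)},
    {"name": "c-acme01", "type": "contractor", "enabled": True, "owner": "Vendor Mgmt",
     "last_logon": date(2026, 2, 20), "groups": ["Helpdesk"],
     "contract_end": date(2025, 12, 31), "last_review": None},
    {"name": "svc_backup", "type": "service", "enabled": True, "owner": None,
     "last_logon": date(2026, 2, 23), "groups": ["Domain Admins", "Backup Operators"],
     "contract_end": None, "last_review": None},
    {"name": "breakglass02", "type": "emergency", "enabled": True, "owner": "CISO",
     "last_logon": date(2022, 8, 14), "groups": ["Global Administrator"],
     "contract_end": None, "last_review": None},
    {"name": "afinch", "type": "user", "enabled": True, "owner": "Finance",
     "last_logon": date(2026, 2, 22), "groups": ["Finance"],
     "contract_end": None, "last_review": date(2026, 1, 15)},
]


def days_since(d, as_of):
    """Age in days, or None when the date is unknown."""
    return None if d is None else (as_of - d).days


def triage(accounts, as_of=AS_OF):
    """Return {account_name: [finding codes]} for every account with a finding."""
    findings = {}
    for a in accounts:
        reasons = []
        privileged = bool(set(a["groups"]) & PRIVILEGED_GROUPS)
        logon_age = days_since(a["last_logon"], as_of)
        stale = logon_age is None or logon_age > STALE_DAYS
        review_age = days_since(a["last_review"], as_of)

        if privileged and not a["enabled"]:
            reasons.append("disabled_but_privileged")   # disabled, never removed
        if privileged and a["enabled"] and stale:
            reasons.append("stale_privileged")
        if privileged and a["owner"] is None:
            reasons.append("unowned_privileged")
        if privileged and a["type"] == "service":
            reasons.append("privileged_service_account")
        if a["type"] == "emergency" and review_age is None:
            reasons.append("emergency_account_unreviewed")
        elif privileged and (review_age is None or review_age > REVIEW_DAYS):
            reasons.append("privilege_unreviewed")
        if (a["type"] == "contractor" and a["enabled"]
                and a["contract_end"] is not None and a["contract_end"] < as_of):
            reasons.append("contractor_past_end_date")
        if reasons:
            findings[a["name"]] = reasons
    return findings


def privileged_count(accounts):
    """Actual privileged-account count, to compare with what the target declared."""
    return sum(1 for a in accounts if set(a["groups"]) & PRIVILEGED_GROUPS)


if __name__ == "__main__":
    for name, reasons in triage(ACCOUNTS).items():
        print(f"{name:14s} {', '.join(reasons)}")
    print("privileged accounts:", privileged_count(ACCOUNTS))
```

The point of `privileged_count` is the comparison with the number the target's management declared; the gap between the two is usually the first finding in the report.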

Risk 2: Trust Relationship Complexity

Active Directory trust relationships are among the most dangerous and least-understood elements of M&A integration. They create authenticated pathways between environments — including pathways that may not be visible to either party without specialist assessment.

Common scenarios:

  • Legacy trusts: Two-way trusts established years ago for a project or joint venture that never got cleaned up. At close, these create immediate lateral movement opportunities between environments.
  • Entra ID cross-tenant access: B2B guest access configured for partner collaboration, with permissions that were never scoped tightly. These persist post-acquisition.
  • SaaS federation: Service accounts in the target's environment have access to SaaS platforms that are now connected to the acquirer's infrastructure.

Trust relationships are not discoverable from organisational documents or from standard questionnaires. They require direct assessment of the identity environment.
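Direct assessment in practice means exporting every trust from every forest and working out which domains end up with an authenticated path into the acquirer once the integration trust is created. The example below was added for this article and is not code from IdentityFirst; it models a constructed trust export (fields mirror what Get-ADTrust reports: the direction as seen from the owning domain, and whether the trust is transitive) and shows both the target's current exposure and the exposure the acquirer inherits. The domain names and the transitivity simplification are assumptions.

```python
"""Map which domains gain an authenticated path into the acquirer once a
planned integration trust is created.

Added example for this article; not IdentityFirst tooling. TRUSTS is a
constructed stand-in for a trust export from the target's forests.
"""
from collections import defaultdict

# Constructed trust export. "Outbound" means `domain` trusts `partner`, so
# principals from `partner` can authenticate into `domain`.
TRUSTS = [
    # Legacy external trust from a 2019 joint venture, never removed
    {"domain": "target.local", "partner": "jv-2019.local",
     "direction": "Bidirectional", "transitive": False},
    # Child domain inside the target forest
    {"domain": "target.local", "partner": "emea.target.local",
     "direction": "Bidirectional", "transitive": True},
    # EMEA trusts a supplier forest: the supplier's principals can reach EMEA
    {"domain": "emea.target.local", "partner": "supplier.example",
     "direction": "Outbound", "transitive": True},
]

# The integration plan: the acquirer forest trusts the target forest.
PLANNED_TRUST = {"domain": "acquirer.local", "partner": "target.local",
                 "direction": "Outbound", "transitive": True}


def build_graph(trusts):
    """edges[src][dst] = transitive; an edge means principals of src can
    authenticate into dst."""
    edges = defaultdict(dict)
    for t in trusts:
        d, p, transitive = t["domain"], t["partner"], t["transitive"]
        if t["direction"] in ("Outbound", "Bidirectional"):
            edges[p][d] = transitive
        if t["direction"] in ("Inbound", "Bidirectional"):
            edges[d][p] = transitive
    return edges


def domains(edges):
    """Every domain that appears on either end of a trust."""
    return set(edges) | {dst for dsts in edges.values() for dst in dsts}


def reachable_from(edges, source):
    """Domains that principals of `source` can authenticate into.

    Simplification (assumption): a non-transitive trust is usable only as a
    single direct hop from `source`; a transitive trust can be chained.
    """
    reach, seen, stack = set(), {source}, [source]
    while stack:
        node = stack.pop()
        for dst, transitive in edges.get(node, {}).items():
            if transitive or node == source:
                reach.add(dst)
            if transitive and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return reach


def who_can_reach(edges, dest):
    """Sorted list of domains with an authenticated path into `dest`."""
    return sorted(d for d in domains(edges)
                  if d != dest and dest in reachable_from(edges, d))


if __name__ == "__main__":
    before = build_graph(TRUSTS)
    after = build_graph(TRUSTS + [PLANNED_TRUST])
    print("can reach target.local today:", who_can_reach(before, "target.local"))
    print("can reach acquirer.local after integration:",
          who_can_reach(after, "acquirer.local"))
```

In this constructed case the supplier forest, two trusts away from the acquirer, gains a path into `acquirer.local` the moment the integration trust goes in, while the legacy joint-venture trust does not chain because it is non-transitive. That second-order reach is exactly what a questionnaire never surfaces.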

Risk 3: Regulatory Control Gaps

The acquiring organisation has regulatory obligations. The target may not have been subject to the same obligations — and its identity controls may not meet your standards from day one post-close.

Common examples:

  • A financial services acquirer subject to DORA acquiring a smaller firm with no formal privileged access management programme
  • An NHS supplier acquiring a private healthcare company whose access control practices do not meet NHS DSPT requirements
  • A regulated entity acquiring a software firm with API keys and service principals that would require immediate remediation to meet the acquirer's compliance framework

The compliance exposure is immediate at close. You are responsible for the combined entity's security posture from day one, regardless of when you actually integrate the systems. Discovering gaps post-close means emergency remediation against a compliance clock.

Risk 4: Directory Consolidation Complexity

Identity integration is consistently the most expensive and time-consuming element of technical M&A integration — and it is consistently underestimated.

Why it is always harder than expected:

  • Multiple forests and tenants: The target may have multiple Active Directory forests, an Azure tenant, and multiple SaaS directories — each requiring separate integration planning. This is invisible in a standard due diligence process.
  • Naming conflicts: User and group naming conventions from two organisations collide during consolidation, creating provisioning errors and access gaps that take months to resolve.
  • Application dependencies: Identity systems have undocumented application dependencies. Migrating accounts without mapping these first causes application failures and forces emergency reversals.
  • Governance debt: The target's identity estate likely has years of governance debt — unreviewed access, unowned groups, accumulated privileges. Migrating governance debt into your environment multiplies its impact.

Deal planning that budgets two quarters for identity integration routinely takes four to six. The difference between an accurate estimate and an optimistic one is a proper pre-close assessment.
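Of the four items above, naming conflicts are the one that can be measured before the deal closes, from nothing more than a user and group export from each side. The example below is added for this article and is not IdentityFirst tooling: it classifies each target account as a clean migration, a genuine name collision (two different people sharing a logon name), or the same person already present on the acquirer side, and lists group names that will collide. Both directory exports are constructed, and the rename convention and matching-by-mailbox rule are assumptions.

```python
"""Detect account and group name collisions before consolidating two directories.

Added example for this article; not IdentityFirst tooling. Both exports are
constructed; in practice they would be reduced from each side's directory
(for example Get-ADUser / Get-ADGroup output) to the fields used here.
sAMAccountName and UPN comparisons are case-insensitive, as in Active Directory.
"""

ACQUIRER = {
    "users": [
        {"sam": "jsmith", "upn": "jsmith@acquirer.example", "mail": "john.smith@acquirer.example"},
        {"sam": "mlee", "upn": "mlee@acquirer.example", "mail": "m.lee@acquirer.example"},
    ],
    "groups": ["Finance", "IT-Admins", "VPN-Users"],
}
TARGET = {
    "users": [
        # A different person with the same logon name as the acquirer's jsmith
        {"sam": "JSmith", "upn": "jsmith@target.example", "mail": "jane.smith@target.example"},
        # The same person already present in the acquirer directory (matching mailbox)
        {"sam": "mlee", "upn": "mlee@target.example", "mail": "M.Lee@acquirer.example"},
        {"sam": "rpatel", "upn": "rpatel@target.example", "mail": "r.patel@target.example"},
    ],
    "groups": ["Finance", "Sales", "VPN-Users"],
}


def next_free_name(sam, taken, suffix="-t"):
    """Propose a logon name unused on the acquirer side ('-t', '-t2', ...; assumption)."""
    candidate, n = f"{sam}{suffix}", 1
    while candidate.lower() in taken:
        n += 1
        candidate = f"{sam}{suffix}{n}"
    return candidate


def find_conflicts(acquirer, target, upn_suffix):
    """Classify each target user for migration onto the acquirer's UPN suffix."""
    acq_by_sam = {u["sam"].lower(): u for u in acquirer["users"]}
    acq_upns = {u["upn"].lower() for u in acquirer["users"]}
    acq_groups = {g.lower() for g in acquirer["groups"]}
    report = {"same_person": [], "collision": [], "clean": []}
    for u in target["users"]:
        sam = u["sam"].lower()
        match = acq_by_sam.get(sam)
        if match and match["mail"].lower() == u["mail"].lower():
            report["same_person"].append(sam)          # merge into the existing account
        elif match or f"{sam}@{upn_suffix}".lower() in acq_upns:
            report["collision"].append((sam, next_free_name(sam, acq_by_sam)))
        else:
            report["clean"].append(sam)
    # Groups that exist under the same name on both sides
    report["group_collision"] = sorted(g for g in target["groups"] if g.lower() in acq_groups)
    return report


if __name__ == "__main__":
    for category, items in find_conflicts(ACQUIRER, TARGET, "acquirer.example").items():
        print(f"{category:16s} {items}")
```

Run over real exports, the size of the `collision` and `group_collision` lists is a direct input to the integration estimate: each entry is a rename, a communications task and an application-dependency check.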

Risk 5: Non-Human Identity Sprawl

Service accounts, API keys, managed identities, and application service principals are the least-governed identities in most organisations — and the first thing attackers target in post-acquisition integration windows.

Standard patterns in acquisition targets:

  • Service accounts with domain admin membership created for a specific task years ago and never downscoped
  • Application service principals with Contributor or Owner roles on Azure subscriptions with no documented justification
  • API keys for third-party services embedded in application code, never rotated, and with permissions broader than the application requires
  • Managed identities granted access to resources long after the workloads they were created for were decommissioned

None of these appear in standard questionnaires. None of them get cleaned up automatically at close. All of them become your risk the moment you take ownership.
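An inventory of these non-human identities can be scored so that the worst cases reach the remediation plan first. The example below was added for this article and is not IdentityFirst code; it runs the four patterns above over a constructed inventory of the kind assembled from Entra ID service principals, Azure role assignments, a secrets scan of the code base and the managed-identity list, and orders the findings by an assumed severity weighting. Domain-joined service accounts with Domain Admins membership are deliberately left to the privilege-inheritance check under Risk 1. Names, thresholds and weights are assumptions.

```python
"""Score a non-human identity inventory for sprawl patterns.

Added example for this article; not IdentityFirst tooling. INVENTORY is a
constructed stand-in for what you would assemble from Entra ID service
principals, Azure role assignments, a secrets scan and the managed-identity
list, flattened to the fields used here.
"""
from datetime import date

AS_OF = date(2026, 2, 24)              # assessment date (constructed)
MAX_CREDENTIAL_AGE_DAYS = 365          # rotation threshold (assumption)
HIGH_PRIVILEGE_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Weights used to order the remediation list (assumption; tune per engagement)
SEVERITY = {
    "unjustified_high_privilege": 5,
    "secret_in_source_code": 5,
    "orphaned_identity": 4,
    "credential_not_rotated": 3,
    "excess_scopes": 3,
}

INVENTORY = [
    {"kind": "service_principal", "name": "sp-ci-deploy",
     "roles": [("Owner", "/subscriptions/sub-prod")], "justification": None,
     "credential_created": date(2023, 3, 1)},
    {"kind": "service_principal", "name": "sp-monitoring",
     "roles": [("Reader", "/subscriptions/sub-prod")], "justification": "CHG-1042",
     "credential_created": date(2025, 11, 2)},
    {"kind": "api_key", "name": "payments-provider-key",
     "in_source_code": True, "last_rotated": None,
     "scopes": {"read", "write", "refund"}, "required_scopes": {"read"}},
    {"kind": "managed_identity", "name": "mi-etl-2021",
     "workload": "etl-vm-01", "workload_state": "decommissioned",
     "resource_access": ["kv-prod"]},
    {"kind": "managed_identity", "name": "mi-web-frontend",
     "workload": "web-app-01", "workload_state": "running",
     "resource_access": ["storage-assets"]},
]


def age_days(d, as_of=AS_OF):
    """Age in days, or None when the date is unknown (never rotated)."""
    return None if d is None else (as_of - d).days


def check_identity(item, as_of=AS_OF):
    """Return the list of finding codes for one inventory record."""
    reasons = []
    kind = item["kind"]
    if kind == "service_principal":
        high = [r for r, _scope in item["roles"] if r in HIGH_PRIVILEGE_ROLES]
        if high and not item["justification"]:
            reasons.append("unjustified_high_privilege")
        age = age_days(item["credential_created"], as_of)
        if age is None or age > MAX_CREDENTIAL_AGE_DAYS:
            reasons.append("credential_not_rotated")
    elif kind == "api_key":
        if item["in_source_code"]:
            reasons.append("secret_in_source_code")
        age = age_days(item["last_rotated"], as_of)
        if age is None or age > MAX_CREDENTIAL_AGE_DAYS:
            reasons.append("credential_not_rotated")
        if item["scopes"] - item["required_scopes"]:
            reasons.append("excess_scopes")
    elif kind == "managed_identity":
        # Identity outlives the workload it was created for but keeps its grants
        if item["workload_state"] == "decommissioned" and item["resource_access"]:
            reasons.append("orphaned_identity")
    return reasons


def remediation_queue(inventory, as_of=AS_OF):
    """[(score, name, reasons)] sorted highest score first; clean identities omitted."""
    queue = []
    for item in inventory:
        reasons = check_identity(item, as_of)
        if reasons:
            queue.append((sum(SEVERITY[r] for r in reasons), item["name"], reasons))
    return sorted(queue, key=lambda row: (-row[0], row[1]))


if __name__ == "__main__":
    for score, name, reasons in remediation_queue(INVENTORY):
        print(f"{score:2d}  {name:24s} {', '.join(reasons)}")
```

The queue this produces is the non-human identity inventory in actionable form: an ordered list of credentials to rotate, role assignments to justify or remove, and identities to delete, with the ordering decided before close rather than during an incident.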

What to Do With This Information

The good news is that identity risk is assessable before close — remotely, without disruption to the target environment. A proper identity due diligence assessment takes days, not weeks, and produces findings that are directly actionable in deal structuring.

Specifically, findings from an identity assessment can inform:

  • Price negotiations: A quantified integration cost range and remediation cost provide a factual basis for price adjustment
  • Representations and warranties: Specific identity control conditions can be included in deal documentation
  • Conditions precedent: Material identity risks can be conditions for close
  • Integration planning: Post-close identity remediation roadmap is produced before you sign, not after you own the problem

Timing matters: Pre-LOI assessment gives the most flexibility. Between LOI and close is the most common timing. Post-close is still valuable for establishing a remediation baseline — but at that point, the risks are already yours.

M&A Identity Due Diligence

IdentityFirst provides pre-transaction identity risk assessments delivered within deal timelines. Read-only. No disruption to the target environment. Findings include a privilege inheritance risk report, trust relationship map, directory consolidation complexity assessment, non-human identity inventory, and integration-risk cost range — in an executive summary suitable for deal teams and legal advisors.
