TL;DR: Mergers and acquisitions routinely expose fragmented directories, inconsistent MFA enforcement, and slow access provisioning, creating security gaps and day-one productivity loss, according to JumpCloud. Treating identity as the integration control plane changes the outcome from manual cleanup to governed onboarding and separation.
NHIMG editorial — based on content published by JumpCloud: M&A identity management in mergers and acquisitions
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
Questions worth separating out
Q: What breaks when identity integration is delayed in a merger?
A: When identity integration is delayed, the merged organisation inherits inconsistent authentication, uneven access policy, and manual exception handling.
Q: Why do mergers and acquisitions create IAM risk so quickly?
A: M&A creates IAM risk because directories, applications, and approval workflows are rarely aligned across both organisations.
Q: How should teams handle offboarding during a divestiture?
A: Teams should treat divestiture offboarding as a formal revocation exercise, not a data export.
Practitioner guidance
- Run an identity inventory before close: Map directories, applications, privileged groups, and cross-domain trust relationships before migration work begins.
- Set one authoritative policy layer: Choose the destination identity authority for authentication and access decisions, then align MFA, recovery, and approval rules to it.
- Treat divestiture as revocation work: Build explicit separation checkpoints for accounts, groups, admin relationships, and shared applications.
What's in the full article
JumpCloud's full article covers the operational detail this post intentionally leaves for the source:
- Practical steps for centralising user identity across merged directories and applications
- Details on using cloud directory controls to reduce manual integration work after close
- Examples of how to enforce MFA and onboarding consistency during the first days of integration
- Separation guidance for divestitures where access must be removed without disrupting both entities
M&A identity integration: what IAM teams need to fix first?
Explore further
Identity fragmentation is the real M&A risk, not just integration delay. The article shows how separate directories, policies, and access processes create a governance gap before the business even begins to integrate. When identity states cannot be reconciled quickly, the environment inherits inconsistent assurance and long-lived exceptions. The practitioner implication is to treat identity unification as part of transaction risk, not post-close administration.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: What is the difference between directory consolidation and identity governance?
A: Directory consolidation combines technical identity stores. Identity governance defines who should authenticate, what they should access, and how lifecycle changes are enforced across the merged environment. Consolidation can happen without control alignment, but that leaves policy drift in place. Governance is what makes the new estate secure and manageable.