M&A identity sprawl: what it means for IAM teams


(@nhi-mgmt-group)

TL;DR: Mergers and acquisitions can turn access management into a multi-IDP governance problem, with fragmented identity sources, duplicated users, and inconsistent policies across Okta, Entra, Google Workspace, and legacy systems, according to Opal Security. Architectural diversity is now the default condition, and IAM programmes need to govern it instead of forcing brittle standardisation.

NHIMG editorial — based on content published by Opal Security: Scaling Security through M&A and multi-IDP access management

Questions worth separating out

Q: How should security teams govern access when two companies keep separate identity providers after an acquisition?

A: Security teams should govern access with a clear source-of-truth model, deterministic identity matching, and unified review workflows.

Q: Why do mergers and acquisitions make identity governance harder for IAM teams?

A: M&A introduces duplicate identities, inconsistent attributes, and fragmented approval paths across multiple directories and applications.

Q: What do security teams get wrong about standardising identity platforms after an acquisition?

A: The common mistake is assuming immediate standardisation is the safest path.

Practitioner guidance

  • Define source-of-truth ownership by population. Document which identity provider owns employees, contractors, subsidiaries, and legacy accounts before any integration work begins.
  • Build cross-directory identity matching rules. Create deterministic correlation logic for duplicate people, including email aliases, secondary usernames, and merged employee records.
  • Preserve attribute namespaces across systems. Keep source-specific tags and attribute semantics separate so access decisions do not inherit collisions from different directories.

What's in the full article

Opal Security's full product post covers the operational detail this analysis intentionally leaves for the source:

  • Step-by-step examples of how the platform correlates identities across separate Okta and Entra environments
  • Detailed deployment patterns for hub-and-spoke versus multi-source governance models
  • Operational handling of ABAC tag isolation and cross-system group management in mixed identity estates
  • Practical examples of unified access review workflows across parent and acquired organisations

👉 Read Opal Security's analysis of M&A access management across identity systems →
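
A sketch of the three practitioner-guidance points working together, added here as an illustration; it is not code from Opal Security or from this post. The directory exports, field names, population labels and the `SOURCE_OF_TRUTH` map are constructed assumptions.

```python
# Added example: every directory record, field name and population label is constructed.
SOURCE_OF_TRUTH = {"employee": "okta", "subsidiary": "entra", "contractor": "entra"}

OKTA = [
    {"id": "o1", "email": "Ana.Diaz@parent.example", "aliases": ["adiaz@parent.example"],
     "employee_id": "E100", "population": "employee", "attrs": {"dept": "finance"}},
    {"id": "o2", "email": "sam@parent.example", "aliases": [],
     "employee_id": None, "population": "employee", "attrs": {"dept": "it"}},
]
ENTRA = [
    {"id": "e1", "email": "ana@acquired.example", "aliases": ["ADiaz@parent.example"],
     "employee_id": None, "population": "employee", "attrs": {"dept": "FIN-EU"}},
    {"id": "e2", "email": "lee@acquired.example", "aliases": [],
     "employee_id": "S7", "population": "subsidiary", "attrs": {"dept": "sales"}},
    {"id": "e3", "email": "shared@acquired.example",
     "aliases": ["sam@parent.example", "adiaz@parent.example"],
     "employee_id": None, "population": "contractor", "attrs": {}},
]

def keys(rec):
    """Deterministic match keys: employee id plus every address, case-normalised."""
    ks = {("mail", a.strip().lower()) for a in [rec["email"], *rec["aliases"]]}
    if rec["employee_id"]:
        ks.add(("emp", rec["employee_id"].strip().upper()))
    return ks

def correlate(okta, entra):
    """Return (merged identities, Entra record ids that need human review)."""
    merged, review = [], []
    for e in entra:
        hits = [o for o in okta if keys(o) & keys(e)]
        # Never auto-merge an account that matches several people or disagrees on population.
        if len(hits) > 1 or (hits and hits[0]["population"] != e["population"]):
            review.append(e["id"])
        elif hits:
            merged.append(build(hits[0], e))
    return merged, review  # unmatched records (e2 here) stay single-source identities

def build(o, e):
    """One governed identity: owner from the population map, attributes namespaced."""
    owner = SOURCE_OF_TRUTH[o["population"]]
    attrs = {f"okta:{k}": v for k, v in o["attrs"].items()}
    attrs.update({f"entra:{k}": v for k, v in e["attrs"].items()})  # no key collisions
    return {"owner": owner, "accounts": {"okta": o["id"], "entra": e["id"]}, "attrs": attrs}
```

Both `dept` values survive under their own namespace, so a policy written against `okta:dept` cannot silently match an Entra tag with different semantics, and the shared mailbox `e3` is routed to review instead of being attached to either person.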
