Security & Compliance

The Risks of Mergers and Acquisitions, and How Zluri Closes the Access Gap

Aditi Sharma
Director, Strategy & GTM
April 24, 2026
8 MIn read

Ready to secure your identity surface?

About the author

Aditi leads Go-to-Market (GTM) and Business Strategy at Zluri, where she helps mid-market organizations modernize their identity governance and access management practices. Prior to Zluri, she was a Management Consultant at McKinsey & Company advising large enterprises on digital transformation, and part of the enterprise software investment team at B Capital. She holds an engineering degree from IIT Kharagpur and an MBA from Harvard Business School.

Financial risk gets a due diligence team. Cultural risk gets a change management plan. Access risk usually gets nothing, until it's already the acquiring company's problem.

Mergers and acquisitions carry real risk across financial, cultural, operational, and legal categories, and most of that risk gets real attention during planning. Identity and access risk is different. It's rarely owned by a single function, it's almost never fully visible until after close, and it becomes the acquiring company's legal and operational responsibility the moment the deal signs, regardless of whether anyone has assessed it yet.

This piece groups that exposure into four risk categories: visibility, reconciliation, security and governance, and financial exposure. Each section covers how the risk actually shows up during a real integration, and the specific mechanics Zluri uses to close it.

Category 1: Visibility Risk

Before any integration decision can be made, the acquiring organization needs an honest answer to a basic question it usually can't answer on day one: what does the acquired company actually have, and who's authoritative for that data during the transition.

Risk: No Visibility Into What the Acquired Company Actually Has

Due diligence data rooms rarely contain an accurate, complete inventory of an acquired company's applications, licenses, and identities. Acquired companies frequently carry meaningful shadow IT of their own: informally adopted tools, personal-card subscriptions, and integrations nobody centrally tracked, on top of whatever official records show.

How Zluri closes this. Zluri's eight-source discovery model, deployed directly against the acquired organization, surfaces the real application and identity footprint in days rather than the weeks or months a manual inventory exercise typically takes. The integration team gets an accurate picture to plan against, instead of an incomplete data room list.

Risk: Two Identity Providers Running Simultaneously

Almost every integration runs both companies' identity providers in parallel for weeks or months while a full migration is planned. During that period, there's no single source of truth for who someone is or what they're entitled to, and the same person can exist as two disconnected identities across the two systems. Contractors and vendors who work across both entities are especially prone to falling through this gap.

How Zluri closes this. Zluri connects both identity providers as separate, named instances rather than forcing a single connector configuration to cover both, the same mechanism that lets any connector type be added multiple times (for example, two BambooHR instances, or two Okta tenants) when an organization genuinely runs parallel systems. Each instance is then assigned its own place in a source priority order, including an explicit precedence ranking one identity provider above another, giving the integration team a deliberate, defined answer for which system is authoritative during the transition, rather than an arbitrary first-detected default.

Category 2: Reconciliation Risk

Once visibility exists, the next problem is that two organizations' records don't line up cleanly. Duplicate identities and orphaned ownership fields are the two most common failure points here.

Risk: Duplicate Identity and Application Records

Combining two organizations produces genuine duplication almost by default: the same vendor relationship represented separately in both companies' records, a contractor who's worked with both entities showing up as two unconnected identities, the same SaaS tool detected under different names because each company's systems reported it differently.

How Zluri closes this. User Merge and Application Map and Merge consolidate what would otherwise be a fragmented, doubled picture of the combined footprint into one accurate record. Deliberate restrictions apply throughout: a Managed application can't be merged into another, and records carrying contracts or direct integrations can't be merged at all, so the reconciliation process itself doesn't introduce new errors.

Risk: Ownership Gaps as People Leave or Change Roles

M&A integration almost always comes with departures and role changes on both sides. Every application, contract, and vendor relationship left behind by someone who exits needs a new accountable owner, and without a deliberate process, that ownership simply lapses. In an integration where dozens of people are leaving or changing roles at once, this is where accountability quietly disappears fastest.

How Zluri closes this. Application Owner, Finance Owner, IT Owner, Vendor Owner, and Contract Owner all transfer automatically to a surviving identity as a direct side effect of the user merge mechanic. Nobody has to manually track down and update every ownership field a departing person touched.

Category 3: Security and Governance Risk

This is the category with the highest stakes, because the acquiring company becomes legally and operationally responsible for it the moment the deal closes, whether or not anyone has assessed it yet. It covers risk the acquired company already carried, risk the integration itself creates, and the work of bringing the acquired population under one governance model.

Risk: Inherited Access Risk With No Visibility Into What Was Inherited

In practice, almost nobody has full visibility into the acquired company's access risk at close. It typically includes:

  • Orphaned accounts belonging to employees who left the acquired company months earlier
  • Over-permissioned roles that were never reviewed
  • Unmanaged service accounts and API keys
  • Toxic access combinations that were never evaluated, because the acquired company had no segregation of duties program at all

How Zluri closes this. Threat and risk scoring, Orphaned Access and Dormant Account detection, and Segregation of Duties evaluation, deployed against the newly discovered population, give the integration team a fast, structured risk picture instead of waiting on a slow, manual security audit.

Risk: Access Conflicts That Only Exist After Systems Connect

This category is easy to miss because it didn't exist before the deal closed. Once two organizations' systems are connected, someone can gain access spanning both environments and end up holding both halves of a conflict that was structurally impossible while the companies were separate. A finance employee from the acquiring company who gains access to the acquired company's systems is the clearest example of how this shows up in practice.

How Zluri closes this. Segregation of Duties evaluation runs continuously as integration proceeds, not as a single pre-close check. A one-time assessment before close can't catch a conflict that only comes into existence once the two environments are actually connected.

Risk: Governance Left Undefined for the Newly Acquired Population

Once discovered and risk-assessed, the acquired company's employees, contractors, and service accounts need to actually enter the same governance model the acquiring organization runs, not remain a separately managed population indefinitely.

How Zluri closes this. Directory Management gets configured against whatever HR or identity system the acquired company was using, at least until a full HRMS migration happens. Account Type classification distinguishes acquired staff who become contractors during a transitional period from those onboarding as full employees. A certification specifically scoped to the newly acquired population, using the same criteria-based scoping available for any Access Review, gives the team a defined, evidenced first checkpoint, rather than assuming everything's fine simply because discovery and risk scoring came back clean.

Category 4: Financial Exposure Risk

Access risk and financial risk overlap more than most integration plans account for. Redundant spend can't be found until discovery is complete, and consolidation decisions aren't actually finished until licenses move onto a single contract with a clean audit trail behind them.

Risk: Redundant Spend Nobody Can See Until Discovery Is Complete

Both companies were very likely paying separately for functionally overlapping tools, two CRMs, two project management platforms, sometimes several redundant tools in the same category. This is a financial risk, but it's blocked behind the same discovery gap that creates the access risk in Category 1.

How Zluri closes this. Similar Apps detection and category-based analysis, applied across the combined application inventory, surface the overlap. Contract and license tracking then quantifies the consolidation opportunity in real terms, current spend, contract end dates, and utilization, giving the team an evidence-based case for which tool to standardize on and when.

Risk: Consolidation Decisions That Never Actually Get Completed

Identifying a redundant tool for consolidation is only half the problem. The acquired company's users still need to move onto the surviving contract rather than continuing under a separate agreement indefinitely, and without a clean mechanism for that, organizations often end up running two parallel contracts for the same tool far longer than planned.

How Zluri closes this. The True Up agreement type adds licenses to an existing contract after the original agreement was signed, tracked explicitly rather than folded invisibly into the base contract. Using True Up amendments to bring the acquired population onto one surviving license is the direct mechanism for actually completing a consolidation decision, not just identifying that one should happen.

Risk: Consolidated Financial Reporting That Doesn't Reflect Reality

Two specific distortions show up here. Cross-border acquisitions bring spend data in a different currency than the acquiring organization's default, and applying today's exchange rate retroactively across historical transactions skews consolidated reporting. Separately, when a combined organization's license count for a given tool jumps sharply because an acquired company's users were just added, that jump needs a clear record explaining it, not an unexplained number that looks alarming out of context to finance or audit.

How Zluri closes this. Currency conversion uses historical exchange rates rather than the current rate applied backward, so spend comparisons reflect what was actually paid at the time. The dated-group mechanic behind license quantity tracking creates a new, timestamped group whenever a count changes, rather than silently overwriting the previous figure, producing a visible, dated audit trail automatically, directly useful when finance or audit later asks why a specific tool's seat count doubled in a given quarter.

The Volume Problem Underneath All Four Categories

Every category above runs at a scale routine operations never have to handle, potentially hundreds or thousands of identities and dozens of contracts entering the system close to simultaneously. Bulk Update Data lets large batches of user and application records be updated through a downloadable, editable CSV rather than one by one. Bulk Contract Upload accepts up to 10 contract PDFs per batch with AI parsing into draft records for review, so an acquired company's existing contract backlog can be brought into the system in batches rather than entered manually one at a time during an already time-constrained integration window.

Why This Matters More Than It Gets Credit For

Access risk sits underneath the risk categories that get the most attention during M&A planning. It doesn't show up on a balance sheet the way financial risk does, and it doesn't show up in an employee survey the way cultural risk does. But it's live the moment the deal closes, it compounds every week it stays unaddressed, and it's directly tied to the timeline pressure every real integration runs under. A hundred-day integration target doesn't move because access reconciliation is taking longer than expected, which makes closing this specific gap fast, not eventually, one of the more consequential decisions an integration team makes early on.

The Reverse Case: Divestitures

The identical risk categories apply, in reverse, when a business unit is being spun off or sold rather than acquired. Knowing exactly which applications, licenses, and identities genuinely belong to the unit being divested, as opposed to shared, organization-wide resources that shouldn't transfer, is the same visibility and classification problem M&A presents, just run in the opposite direction, carving an accurate, complete picture out of a combined environment rather than merging two into one.

Frequently Asked Questions

Does Zluri handle every risk category involved in a merger or acquisition?

No. Zluri specifically addresses identity, access, application, and license-related risk. Financial due diligence, cultural integration, legal risk, and strategic synergy assessment are separate disciplines that fall outside identity governance, though access risk directly compounds several of them if left unaddressed.

How quickly can Zluri surface an acquired company's real application and identity footprint?

Discovery through Zluri's multi-source model, deployed against the acquired organization's connected systems, typically surfaces the real footprint within days of connecting the relevant integrations, rather than the weeks or months a manual inventory process usually takes.

Is it normal for two companies to keep separate identity providers running after a deal closes?

Yes, this is close to the default state during a real integration. The acquired company frequently keeps its own identity provider running for weeks or months while a full migration is planned. Zluri handles this by connecting each identity provider as a separate instance with its own place in a source priority order, which is exactly the scenario that configuration is built for.

Can Zluri catch security risk created by the integration itself, not just risk the acquired company already had?

Yes. Segregation of Duties evaluation runs continuously through the integration process specifically to catch conflicts that only come into existence once two organizations' systems are connected, a distinct category from whatever risk the acquired company already carried on its own.

What happens to application and contract ownership when the person responsible leaves during integration?

Ownership transfers automatically as part of the user merge mechanic. Application Owner, Finance Owner, IT Owner, Vendor Owner, and Contract Owner all move to a surviving identity rather than being left attached to someone who no longer works at the company.

Does the same set of risks and mechanics apply to a divestiture, not just an acquisition?

Yes, it's the identical visibility and classification problem run in reverse: identifying exactly which applications, licenses, and identities belong to a unit being spun off, separate from shared organizational resources, rather than merging two environments into one.

Ready to secure your identity surface?