The IAM M&A Due Diligence Checklist
The identity and access checks that belong in every deal: the ones that decide whether identity risk gets priced in, or shows up as a problem after close. 36 checks across six domains, built from real M&A engagements.
What's inside
Most diligence underwrites financials, contracts, and the tech stack. Identity and access management rarely gets the same scrutiny, yet it carries breach exposure, audit findings, and integration cost that all land on the acquirer after close. Use this checklist during the diligence window to turn unknown identity risk into a priced, planned line item. It follows the order a real assessment runs in: discover the estate first, then work the highest-risk areas, then read the signals that drive integration cost.
1 · Identity Estate & Directory Discovery
You cannot assess what you have not mapped. Establish the full footprint first.
2 · Privileged Access & Entitlements
Privilege is where breach impact concentrates. This is the highest-value section.
3 · Authentication & External Exposure
The most common path to compromise, and the easiest to evidence in diligence.
4 · Identity Lifecycle & Governance
Weak lifecycle controls are the root cause of most orphaned-access risk.
5 · Compliance & Audit Posture
Findings here often resurface immediately post-close, when scrutiny is highest.
6 · Integration Cost & Complexity Signals
Put findings in terms the deal model can use: cost, effort, and risk.
Built and maintained by a CISSP-certified IAM practitioner who runs these assessments on live transactions. Vendor-neutral, with no product pitch.