Day 1 is a deadline, and deadlines make people generous with access. Teams need to collaborate, leadership wants to show momentum, and the fastest way to unblock everyone is to hand out broad access with a promise to clean it up later. In practice that cleanup rarely happens. The broad access hardens into standing privilege: durable, over-scoped, and largely invisible. And a newly merged environment that nobody has fully mapped is exactly where attackers go looking for paths like that.
The goal of a Day-1 access model is narrower than people expect. Let the right people do the work the integration actually requires on Day 1, nothing more, and avoid creating trust relationships you'll regret later.
Why the Day-1 scramble happens
Two identity estates that have never interoperated are now expected to, on a date set by the deal rather than by readiness. Neither side has a complete picture of the other's accounts, privilege, or entitlements. So the pressure is to establish broad connectivity first and worry about precision later. A domain trust here, a bulk group membership there, a shared admin account "just to get things moving."
Each of those shortcuts is a standing grant. Domain or directory trusts extend the blast radius of a compromise on either side. Bulk group adds hand out access nobody will ever recertify. Shared admin accounts destroy attribution at the exact moment you need it most. The scramble feels like progress, but really it's borrowing against the security of the combined entity.
Two principles that keep Day 1 safe
Most of the good decisions follow from two principles:
- Least privilege, scoped to the Day-1 task. Access should map to specific work that genuinely cannot wait, like payroll continuity, a shared collaboration space, or a finance close. Not to a vague notion of "they're one company now."
- Broker access; don't merge trust. Prefer time-bound, auditable, brokered access (federation, guest access, just-in-time elevation) over permanent structural trust between the two estates. Brokered access can be observed and unwound. A directory trust can't, at least not easily.
A sequenced Day-1 model
A workable model is a sequence, not a switch. In rough order:
- Identify the Day-1 access requirements explicitly. Who needs to reach what, to do which task, by when. If a request can't name the task, it isn't a Day-1 requirement.
- Establish a controlled bridge, not a merger. Use federation or B2B guest access so identities from one side can be granted scoped access on the other without standing up permanent trust or migrating anything yet.
- Grant through groups you can recertify. Every cross-org grant should land in a named, owned, time-boxed group rather than an ad-hoc add to a privileged group, so it can be reviewed and revoked as one unit.
- Keep privileged access just-in-time. Administrative access across the boundary should be elevation-on-demand and time-bound, with full logging, rather than standing membership in an admin group.
- Instrument it from the first hour. Cross-org access is your highest-risk surface on Day 1, so it should be the most heavily logged and monitored surface too, with alerting on anomalous use.
- Set the expiry up front. Day-1 grants should carry an explicit review or expiry date when they're created, so "temporary" access is enforced by the system instead of by good intentions.
Anti-patterns to refuse
Some requests deserve a flat no, however urgent they sound on the day:
- A blanket directory or forest trust stood up "for now."
- Shared or generic admin accounts spanning both organizations.
- Bulk additions to existing privileged groups to save time.
- Any cross-org grant with no owner and no expiry.
Each one is fast on Day 1 and expensive for years afterward. The combined entity ends up with a larger privileged footprint than either company had alone, and less visibility into it, which is the opposite of what the integration was supposed to achieve.
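To make the sequence above and the anti-pattern list enforceable rather than aspirational, here is an added example (not code from the original article) of a small Python policy check that evaluates each cross-org grant request against those rules: a named task, brokered rather than trust-based access, no direct adds to privileged groups, an owner, an expiry inside the Day-1 window, and just-in-time elevation for anything administrative. The group names, the 30-day window and the sample requests are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed policy constants for this example; tune them to your own estate.
MAX_DAY1_GRANT_DAYS = 30
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Global Administrators"}


@dataclass
class GrantRequest:
    principal: str           # identity on the other side, e.g. a B2B guest
    target_group: str        # group the grant lands in on the receiving side
    task: str                # Day-1 task that justifies the access ("" if none)
    owner: str               # accountable owner of the grant ("" if none)
    expires: Optional[date]  # explicit expiry; None if the request has none
    brokered: bool           # federation/guest access (True) vs. directory trust
    admin: bool              # does the grant confer administrative rights?
    jit: bool = False        # elevation-on-demand rather than standing membership


def evaluate(req: GrantRequest, today: date) -> List[str]:
    """Return policy findings for one request; an empty list means it may proceed."""
    findings = []
    if not req.task.strip():
        findings.append("no Day-1 task named")
    if not req.brokered:
        findings.append("uses directory/forest trust instead of brokered access")
    if req.target_group in PRIVILEGED_GROUPS:
        findings.append(f"direct add to privileged group {req.target_group!r}")
    if not req.owner.strip():
        findings.append("no owner")
    if req.expires is None:
        findings.append("no expiry")
    elif req.expires > today + timedelta(days=MAX_DAY1_GRANT_DAYS):
        findings.append(f"expiry beyond the {MAX_DAY1_GRANT_DAYS}-day Day-1 window")
    if req.admin and not req.jit:
        findings.append("standing admin membership; require just-in-time elevation")
    return findings


if __name__ == "__main__":
    today = date(2024, 6, 3)  # constructed Day-1 date
    batch = [  # constructed sample requests: one well-formed, one that trips every rule
        GrantRequest("payroll.lead@acquired.example", "DAY1-Payroll-Readers",
                     "payroll continuity", "hr-integration-lead",
                     today + timedelta(days=21), True, False),
        GrantRequest("it.admin@acquired.example", "Domain Admins", "", "", None, False, True),
    ]
    for req in batch:
        print(req.principal, "->", evaluate(req, today) or ["OK"])
```

Every refusal comes with the reason, so the requester can resubmit with a task, an owner and an expiry instead of arguing about urgency.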
Day 1 is easier when diligence did its job
The smoothest Day-1 cutovers are the ones that were underwritten earlier. When IAM due diligence has already mapped the target's identity estate, privileged accounts, and authentication exposure, you arrive at Day 1 knowing where the risk concentrates and which access is safe to grant. When it hasn't, Day 1 doubles as discovery day, and discovery under deadline pressure is how shortcuts get made.
A secure Day-1 baseline is the first step of IAM integration, not a one-off event. Everything that follows, from directory consolidation and identity migration through privileged access rationalization and unified governance, goes more smoothly when the starting point is least-privilege and brokered rather than broad and permanent.
Don't try to merge two identity estates on Day 1. Connect them deliberately, then merge them on your own timeline.
If you want a structured way to know what you're walking into before the date arrives, our IAM M&A Due Diligence Checklist covers the identity and access checks that make Day 1 predictable rather than frantic.