Acquisitions are where governance becomes tangible in financial terms. The company being acquired has built something — a product, a customer base, a revenue line — and the question the acquiring party is trying to answer is: what are we actually buying? The technical due diligence answers questions about the code, the infrastructure, and the architecture. The commercial due diligence answers questions about the customers, the contracts, and the pipeline. The governance diligence answers a question that underlies all of them: does this company control what it says it controls, does it know what it knows, and has it been running the practices it represents?
The answer to that governance question has direct bearing on the deal. A company that can produce clear, current, verified evidence of its security posture, its data handling practices, its vendor relationships, and its AI governance is demonstrably lower risk than one that cannot. Lower risk means a cleaner path to close, fewer representations and warranties that require negotiation, fewer post-close surprises, and a valuation that reflects the business as it actually operates rather than a discount for the uncertainty the diligence team could not resolve. This is not legal or financial advice. It is governance practice described in terms of what it produces in a deal context.
The same logic applies on the buy side. When you acquire a company, you acquire its governance posture along with everything else. The controls it runs, the evidence it holds, the vendors it uses, the data it processes — all of it transfers to you. Understanding what you are inheriting before the deal closes is the work of buy-side governance diligence. Understanding what you will need to do to integrate it afterward is the work of post-close governance planning. Both are more manageable when the acquired company's governance record is clear, and both become much harder when it is not.
01 / Sell-side: what diligence teams are actually asking
Governance diligence on the sell side covers four substantive areas. Security controls: what access controls are in place, how is MFA enforced, how are privileged accounts managed, what logging is active, and how quickly does the company detect and respond to security events? Data handling: what personal data does the company process, under what legal bases, with what retention periods, and through which vendors and sub-processors? AI governance: which AI systems or features does the company operate or offer, what data do those systems access, what controls apply to their outputs, and how are AI-related risks tracked? Compliance posture: what certifications, attestations, or framework commitments has the company made, and what evidence supports them?
These questions are not new to any company that has been through an enterprise sales process. They are the same questions that appear in security questionnaires, in customer data processing agreement negotiations, and in audit requests. The difference in a deal context is that the diligence team is asking them on a compressed timeline, against a data room that was assembled specifically for the transaction, and with the understanding that the answers will materially affect the deal terms.
A company that maintains a continuous evidence record going into a sale is in a fundamentally different position from one that does not. The continuous record means the data room can be populated with current, verified evidence rather than assembled from screenshots and remembered configurations during the pre-close scramble. It means the diligence team's questions have answers that can be produced quickly and consistently. It means the representations the company makes about its governance posture are backed by evidence rather than assertion. The diligence team can verify them, and the lawyers on both sides spend less time negotiating around uncertainty.
02 / Why data-room evidence ages during a long deal
Deal timelines are rarely as short as they look in the letter of intent. A transaction that opens in January and is expected to close in ninety days frequently extends to six months or longer. Regulatory reviews take time. Financing conditions create delays. Negotiation of representations and warranties introduces multiple rounds. By the time the deal closes, the data room that was populated at the start of the process is months old.
Static evidence ages in a deal context. A screenshot of an Okta MFA configuration from January does not represent the configuration in June. A vendor list assembled before the deal opens does not reflect the vendors onboarded during the deal timeline. A SOC 2 report covering the period ending before the diligence process began does not cover the period under the most recent operating conditions. Diligence teams at sophisticated acquirers know this. They will ask for updated evidence as the timeline extends, and the company that cannot produce it quickly — because its evidence was assembled once for the data room and is not maintained continuously — faces a second scramble inside an already stressful process.
A data room populated once for a deal is a snapshot of a company that no longer exists by the time the deal closes. Current governance evidence does not age.
The company with a continuous evidence programme does not face this problem in the same way. When the acquirer's diligence team asks for an updated access control verification in month four of the deal, the answer is available because the verification has been running continuously. The updated evidence is produced from the same record the original data room drew from — not assembled from scratch under deal pressure.
03 / Buy-side: you are acquiring the governance debt
The buy side of a governance diligence exercise is less discussed but equally consequential. When an acquirer takes on a company, it inherits the full governance posture of that company — including everything the diligence process did not surface. Unknown vendors. Unmanaged AI features. Controls that existed in policy but were not running in practice. Data that was retained beyond its defined period because no one enforced the retention schedule. Personal data processed under a legal basis that has since been invalidated. These are not hypothetical risks. They are the normal accumulation of a company that has grown faster than its governance did.
The acquirer's governance diligence on the buy side is the effort to understand the size and character of the debt it is taking on. This requires more than reviewing the target company's policies and certifications. It requires asking whether the controls described in those policies are actually running, and whether the evidence for that exists in a form that can be verified. A target company with a mature evidence record makes this assessment possible. A target company whose governance posture exists primarily in policy documents makes it very difficult.
The systems involved are the ones both companies actually run. Salesforce, Microsoft 365, Google Workspace, AWS, Okta — these are the platforms where access is managed, data is processed, and controls either operate or do not. A buy-side governance assessment that does not get to the system level is an assessment of stated intent, not operating reality. The gap between intent and reality is what produces post-close surprises.
04 / Integration as a governance event
Post-close integration is where governance debt becomes operational. Two identity systems that need to become one: which authentication policies apply during the transition period, how are privileged accounts in the acquired company provisioned into the acquirer's Okta environment, and what is the evidence that the migration was completed cleanly? Two data retention regimes: which periods apply to the acquired company's Salesforce data, who enforces them during the integration window, and how is the evidence of enforcement maintained? Two vendor lists: which vendors from the acquired company are now sub-processors in the combined entity, have they been assessed, and do their data processing agreements cover the expanded scope of data they now touch?
These are not edge cases. They are the standard integration questions for any acquisition that involves customer data. The companies that navigate them well treat integration as a mapped, evidenced programme — a defined set of governance steps with clear ownership, sequenced milestones, and evidence of completion at each stage. The companies that navigate them poorly discover eighteen months after close that they are still operating two identity systems in practice, that the acquired company's vendor list was never fully assessed, and that the combined entity's governance posture is less coherent than either company's was before the deal.
The integration programme is more tractable when both companies arrive with clear governance records. The acquirer knows its own control baseline. It has verified evidence of what its systems are doing and how its controls operate. When it brings an acquired company into that baseline, the delta is measurable: here is what we operate, here is what the acquired company operates, here is the gap, and here is the programme to close it. That is a governance integration plan. It is different from, and substantially better than, discovering the gap through the operational friction that accumulates in the months after close.
05 / What diligence-ready evidence looks like
Diligence-ready evidence has three characteristics. It is current: produced within a timeframe that reflects the company's present operating state, not a historical snapshot assembled for a previous purpose. It is verified: produced by an independent process that confirmed the control was actually operating, not by the team that operates the control attesting that it is. It is comprehensive: covering the full population of systems, users, and data in scope, not a sample selected for presentation purposes.
The systems that produce this evidence are the same ones the business runs daily. Okta for identity and access. Salesforce for customer data and access controls. Microsoft 365 or Google Workspace for collaboration and document governance. AWS or equivalent for infrastructure configuration. The evidence programme observes control states in these systems, records findings with timestamps and population coverage, and holds the record independently. That record, maintained continuously, is what populates the data room cleanly, answers the diligence team's questions without scramble, and gives the combined entity a governance baseline to integrate from after close.
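The three tests above, together with the staleness problem described in section 02, can be expressed as a small decision rule. This is an added illustration, not code from the page or from any product it describes; the control names, dates, thresholds (30-day freshness, full population coverage) and the data room contents are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class EvidenceItem:
    control: str        # hypothetical control identifier, e.g. "okta_mfa_enforced"
    system: str         # system the state was observed in (Okta, Salesforce, AWS ...)
    observed_at: date   # when the control state was actually observed
    independent: bool   # True if observed by a process independent of the control owner
    covered: int        # population actually checked (users, objects, buckets ...)
    population: int     # full in-scope population


@dataclass(frozen=True)
class Finding:
    control: str
    ready: bool
    reasons: tuple      # empty when the item is diligence-ready


def assess(item, as_of, max_age_days=30, min_coverage=1.0):
    """Apply the three diligence-readiness tests: current, verified, comprehensive."""
    reasons = []
    age = (as_of - item.observed_at).days
    if age > max_age_days:
        reasons.append(f"stale: observed {age} days before {as_of}")
    if not item.independent:
        reasons.append("self-attested: not independently verified")
    if item.population == 0 or item.covered / item.population < min_coverage:
        reasons.append(f"partial: {item.covered}/{item.population} of population covered")
    return Finding(item.control, not reasons, tuple(reasons))


def diligence_report(items, as_of):
    """Per-control findings as of a given date (e.g. the day the acquirer asks again)."""
    return {item.control: assess(item, as_of) for item in items}


def refresh_needed(items, as_of, max_age_days=30):
    """Controls whose evidence has aged out as the deal timeline extends."""
    return sorted(i.control for i in items if (as_of - i.observed_at).days > max_age_days)


# Constructed data room: populated in January for a deal that is still open in June.
DATA_ROOM = [
    EvidenceItem("okta_mfa_enforced", "Okta", date(2024, 1, 15), True, 412, 412),
    EvidenceItem("sfdc_retention_policy", "Salesforce", date(2024, 1, 20), False, 3, 3),
    EvidenceItem("aws_s3_public_access_block", "AWS", date(2024, 6, 3), True, 57, 61),
]
```

Run against the June date, every item fails at least one test; the Okta item that was ready in January is ready again only if the observation is repeated, which is the point of a continuous record.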
A company that builds this programme before it is in a deal is in the best position. It arrives at any transaction — whether it is the target or the acquirer — with its governance posture already documented, already verified, and already capable of being updated on demand. The deal does not create the governance record. The governance record makes the deal easier. That sequence is the right one, and the companies that establish it before the deal cycle begins are the ones that find the governance stage of a transaction materially less expensive than their counterparts who build it under deal pressure.
See it on your company.
This is the desk work of the office we embed. A structured governance review shows you, on your own documents and systems, exactly where your proof is strong, fragile, and missing — in plain language, no data required.