The numbers are in, and the M&A wave IT teams have been bracing for didn’t just arrive, it surged. According to McKinsey’s 2026 M&A trends report, global deal value finished 2025 up 43% to $4.7 trillion, landing 20% above the 10-year average. The number of deals clearing the $10 billion mark swelled to 60, the most since the post-pandemic peak in 2021, and momentum is continuing into 2026. The view from the server room confirms it. In a recent survey, 80% of IT leaders told ShareGate they were already involved in or planning an M&A in the next year.
The survey of 650 IT professionals in North America and Europe captures what that looks like on the ground. The picture isn’t just one of volume; it’s one of AI adoption challenges and cybersecurity concerns colliding with an unprecedented pace of mergers and acquisitions. The survey covered several topics, including M&A migrations, Copilot readiness and the influence of channel partners on migrations, among others.
In this article, I will unpack the findings and offer quick wins you can use before your merger memo drops.
Security Speed-Bumps: 41% See Security & Compliance As A Top Concern
More M&A activity means more tenant-to-tenant migrations, more data in motion and more surface area for things to go wrong. With so many companies migrating their environments due to mergers and acquisitions, it would be normal for any IT leader to be concerned about safely identifying, migrating and securing data that contains sensitive intellectual property, proprietary information, and trade secrets. Periods of change tend to widen the attack surface, especially when identity, permissions, and data move quickly. Perhaps for this reason, security and compliance have emerged as the top migration concern among IT leader, 41% of ShareGate’s survey respondents reported it as their primary worry.
One thing that almost every M&A I have seen do wrong is rush migration and tackle reorganization/optimization concurrently. To achieve success, your M&A migration is best accomplished in two separate phases: migration first, then reorganization and optimization. While it’s true that migrations must include foundational work to align security posture, governance and compliance, that doesn’t mean we have to merge all the content at once. If the source environment is more secure and has better governance, consider maintaining that posture as you bring it over, establishing an implemented example of how security and governance can be elevated across existing environments.
Try this: Two-Phase Migration Heat-Map
- List every dataset or workload you’ll touch in the merger (SharePoint sites, file shares, mailbox stores, Power Platform apps, etc.).
- Score each item on three axes (1 = low, 5 = high):
- Sensitivity: Regulatory or IP risk if exposed
- Change Rate: How frequently the data is updated
- Re-work Value: How much business benefit you gain by restructuring or automating it
- Assign a phase based on the pattern. Here are a few quick examples:
- High Sensitivity / Low Change Rate / Low Re-work Value? Migrate “as is” first, and reorganize later. Locks down your riskiest data fast without stalling the cut-over.
- Low Sensitivity / High Change Rate / High Re-work Value? Leave in place, flip last. Minimizes disruption to active teams; buys time to design new processes and org mapping.
- High Sensitivity / Low Change Rate / High Re-work Value? Pilot in the new tenant. Lets you prove your elevated security/governance model before rolling it out broadly.
- Low Sensitivity / Low Change Rate / Low Re-work Value? Batch-lift for quick wins.
- Color-code the grid (Red = Phase 1 “lift-and-lock”, Yellow = Phase 1 pilot, Green = Phase 2 optimization).
- Share the heat map in your steering meeting. It gives the business a visual, one-page answer to:
- What has to move now for security/governance reasons?
- What can wait until after Day 1 to capture re-organization gains?
Migration is very much like air traffic control; we need to land multiple priorities safely and urgently but do so in a way that clears the runway for the emerging technology, practices and process improvements that enable our organizations to succeed.
Why 64% Turn to Microsoft 365 for Improved Security
More than half of IT professionals (64%) cited security improvements as the primary driver behind their decision to migrate to Microsoft 365. The decadeslong existence of Microsoft and its widespread ecosystem, compared to newcomers in the market, may explain the preference. Yet, its strengths in familiarity, connectedness and breadth of capability also make it a challenging migration destination and a central part of many mergers and acquisitions.
Two organizations may use Microsoft 365 or Microsoft technologies but have extremely different ways in which they have adopted, secured and managed their implementations. Perhaps this reality contributes to the survey finding that 55% of respondents select their migration solution before the M&A event, a critical period when many organizations fail to assess integration risks fully.
When the full scope of the migration is not discussed and adjusted following an M&A announcement, the entire migration runs the risk of creating avoidable vulnerabilities, attack vectors for cybercriminals, or failure to account for regulatory deletion requirements like GDPR, which could expose an organization to hefty fines. Ad hoc fixes encountered later without proper planning could be a primary driver for breaches following M&A-related migrations.
Try this: Security & Governance Deltas Table
Before data moves, map where you’re weakening or strengthening controls so legal and security can sign off, or push back early. The table below surfaces integration gaps and makes them visible and discussable before the M&A event:
| Column | What To Capture | Example Entry |
| System / Dataset | Mailboxes, Teams chats, Finance site | “Finance-Ops SharePoint” |
| Current Control (Source) | Sensitivity label, retention, MFA? | Label = Highly Confidential; 7-yr retain; MFA enforced |
| Target Control (Destination) | Planned setting post-migration | Label = Internal Only; 7-yr retain; MFA enforced |
| Delta | Tighten / Loosen / Match | Tighten (label will be down-scoped) |
| Migration Phase | Day 1 vs Post-Day 1 | Day 1 |
| Owner & Due Date | Person + date | CISO – 30 days |
AI Readiness & Migration: Who Owns Copilot And Who Should?
One important new trend is how organizations are adopting Microsoft’s Copilot within the M&A context. When asked who drives adoption, 42% of ShareGate survey respondents said IT operations and infrastructure teams, while 38% said security and compliance, implying that the majority of organizations have IT leading AI adoption beyond just IT controls.
An IT-owned approach to AI adoption is, perhaps, a good thing for M&A scenarios because ownership of the AI migration aligns with the owner of security, enablement and deployment. However, business executives and groups like HR tend to be more clued into the broader needs of the organization. IT teams that fail to encourage the right dialogue run the risk of creating a merged AI adoption strategy that is siloed and ill-fitted to the actual needs of their post-M&A organization. AI adoption without fully auditing those needs could accidentally contribute to increased shadow IT, wasted money and increased preventable risk for everyone.
Also Read: CIO Influence Interview With Jake Mosey, Chief Product Officer at Recast
Try this: 90-Day AI Micro Council
Appoint a three-person M&A AI micro-council for the first 90 days after Day 1: the IT lead (enablement), a security/compliance owner (risk) and one rotating business sponsor (value).
They meet for 15 minutes every Friday to:
- Green-light or block new Copilot use-cases that surfaced that week
- Spot shadow-IT signals or AI access gaps created by the merger
- Log one open action each to resolve before the next huddle
At the 90-day mark, the council disbands or rolls into your broader AI governance forum, but those first dozen touchpoints keep the IT-driven and security-driven camps aligned with the business while the new org finds its footing. Supplement with polls and surveys that solicit where users are leveraging AI outside of sanctioned tools, so the council can assess and act on real usage data.
Governance by Design: Build It, Don’t Patch It
When asked about top blockers for adopting and scaling Microsoft Copilot, 62% of ShareGate survey respondents listed security and governance, specifically data quality, retention and access control. Migrating core business tools provides an opportunity to build governance directly into the operational foundation rather than treating it as a bolt-on afterthought. Better conversations among M&A parties before migration begins can alleviate many of these concerns by aligning all parties on the environment and continued operation plan.
Try this: Digital-Space Directory & Orphan Sweep
During discovery, tag every major collection you’ll migrate, such as, SharePoint sites, Teams, and workspaces by department, product, function or project. Then:
- Mark anything unknown as “Unknown.”
- Publish a read-only inventory in Power BI or a SharePoint list, give all managers view rights and sort by “Unknown” to surface spaces with missing ownership.
- Run a 30-day “claim or close” window: owners confirm or correct their tags, and orphaned spaces get flagged for deferred migration, archive or deletion.
- Once tags are clean, wire them to automated policies: Auto-archive projects past end-date plus 180 days, for example.
Keep the directory live post-migration as a navigation asset and integrate it into provisioning so new spaces inherit a “Temp” tag that must be replaced within 30 days or the owner receives an automated nudge. This makes the 62% governance blocker everyone’s shared problem, not just IT’s.
Avoiding the $14K-a-Minute Mistake
Enterprise Management Associates has reported that unplanned downtime now averages $14,056 per minute, rising to $23,750 for large enterprises, according to their most recent research. When you consider what an outage during a planned migration would cost, the native tools that were factored into the budget as “free” suddenly become very expensive. Enterprises must fully assess how to prevent any unexpected downtime wherever possible.
Try this: Blackout Blitz
Pick one critical workspace, run a controlled 60-minute outage on your staging environment, and execute your fail-over playbook. Track three numbers:
- Time to switch
- Time to restore permissions and access
- Time to reconnect key experiences like search and Copilot
Multiply the total by $14,056–$23,750 per minute and brief executives on the true price of every lag. If anything takes more than 15 minutes, schedule a full 4-hour simulation drill before the production cut-over. The drill assigns a hard dollar figure to every lost minute, giving leaders a concrete budget case for safeguards while exposing permission gaps and Copilot quirks that only surface in live fail-over.
Surveys, Advice & Insights Only Go So Far
The ShareGate data is clear: AI ambition, governance gaps and record M&A velocity are converging. IT leaders who step into that overlap, bridging risk and innovation, business curiosity and technical guardrails, will shape not just smoother migrations but stronger execution advantage and resilience.
When the deal closes and the lawyers pop champagne, the real story shifts to the server room. Will that story be a thriller of late-night outages and shadow-IT plot twists, or a quiet success no one posts about because everything “just works”? The difference is decided now, by heat maps, delta tables, blackout drills, and 15-minute Friday huddles. Choose your ending; then write it into the migration plan.
Catch more CIO Insights: The New Business of QA: How Continuous Delivery and AI Will Reshape 2026
[To share your insights with us, please write to psen@itechseries.com ]
