Securiti AI’s Chris Joynt on Tackling Dark Data Risks in M&A Deals

We sat down with Chris Joynt of Securiti AI to explore how “dark data” complicates mergers and acquisitions. In this conversation, Chris breaks down the hidden risks that surface during due diligence and why traditional approaches often miss them. He also shares practical strategies for governance, automation, and data minimization that can help organizations reduce exposure while keeping deals on track.


What are some of the most common “dark data” pitfalls you see during M&A deals, and why are they so often overlooked until it’s too late?


Dark data, unstructured or unused information like forgotten file shares, untagged SaaS repositories, or stale cloud buckets, often contains sensitive or regulated information. The challenge is that this data does not show up in standard asset inventories, so it gets ignored during M&A due diligence. Manual mapping during this phase is error-prone and almost always misses hidden data, which is why it tends to surface only after M&A integration when access is broader and the risks are magnified. At that point, companies are already exposed to compliance violations or unexpected liabilities.


You recommend building a dedicated governance transition team. What does that team look like in practice, and how do you get IT, legal, and compliance to actually align?


The most effective transition teams bring together IT, legal, compliance, cybersecurity, and business leaders, each with clear responsibility for specific data sets and decisions. Alignment and cross-team collaboration come from more than meetings. It requires a shared, accurate view of the data environment, the risks, and the policies in place. Without that, each group defaults to siloed reports and conflicting assumptions. Shared visibility of risk is what allows cross-functional teams to move quickly and speak the same language.


How realistic is it for organizations to enforce file-level and identity-centric controls from day one of a merger or acquisition? What barriers usually get in the way?


It’s realistic with the right automation, but without it, most organizations struggle to scale. During a merger, organizations have to deal with the high complexity of managing millions of files, countless applications, and varying permissions. Manual access reviews and role reassignment can’t keep up with the pace of the complexity, especially under the tight timeline of M&A activity. With automated identity and access reviews, organizations can continuously analyze who is accessing what data and apply least-privilege access from day one, reducing exposure while keeping the transition on track.


You’ve highlighted the importance of minimizing redundant, obsolete, and trivial (ROT) data. Can you share an example of how failing to do this created security or cost headaches in a transaction?


Everyone has ROT data. We have seen 100s of identical copies of files in some organizations. It’s quite commonplace. File shares are filled with copies and derivatives that are scattered in different locations, owned by various individuals, and have different security configurations, and therein lies the problem. When regulated data ends up in insecure locations during M&A, it’s a problem. As for costs, one large enterprise projected savings of $4 million from storage costs alone in the first year of a data minimization project. Now consider that moving data can be 10x more expensive than storing it, and you’ll see why data minimization should be part of M&A planning.


Deals often move fast. How do you balance the need for speed in closing with maintaining strong audit trails and breach readiness in such a volatile period?


The key is automation. This means automating data discovery and mapping to uncover hidden “dark data” early; establishing a cross-functional governance team with clear ownership; enforcing least-privilege access controls to prevent risky entitlements from carrying over; minimizing ROT data to cut costs and reduce exposure; and ensuring auditability and breach readiness with an immutable and verifiable history of data interactions. Together, these steps let companies move quickly without sacrificing security or compliance.