A separation plan presents dates: Day 1 readiness, transition services, migration waves, exit. Each date contains a security assumption about what can be disentangled without losing authority or importing exposure.
Shared identity is shared sovereignty
If the carved-out business still depends on the seller’s directory, administrators or recovery services, it does not yet control who may act. A new logo and legal owner do not change that.
Data does not separate by copying
The parties must identify which records transfer, which remain, which are duplicated, which are subject to hold and which derived datasets cannot be cleanly divided. A rushed copy can expose seller information; an incomplete copy can leave the buyer unable to operate or prove a decision.
Vendors carry hidden timing
Licences, consent, technical reconfiguration and provider security review may set the real critical path. A separation date that assumes instant novation is a commercial promise built on untested third-party behaviour.
Administrators are the final dependency
The people who understand the shared system may be leaving, transferring or supporting both sides. Their access can become conflicted before replacement capability exists. Separation must assign clean identities, duties, evidence and expiry.
The security critical path
- Independent identity and recovery.
- Authoritative data and legal transfer basis.
- Network and application trust removal.
- Vendor assignment and administrative control.
- Logging, monitoring and incident ownership.
- Revocation of transition access with proof.
Map each to the earliest date evidence can exist, not the date the project wishes to report. Use transition services as explicit dependencies with boundaries and exit tests, not as a fog around incomplete separation.
Timeline challenge
For every milestone, ask: what authority still sits with the other party, what data still crosses the boundary and what evidence proves the old trust is gone? The latest honest answer is the security separation date.
