액센추어가 영국 AI 스타트업 패컬티(Faculty)를 인수하기로 합의했다고 6일 밝혔다. 인수 금액은 공개되지 않았다. 컨설팅 업계 전반이 AI 전문성을 빠르게 강화하려는 상황에서 이번 거래는 주목할 만한 움직임으로 평가된다.

액센추어에 따르면 영국에 기반을 둔 패컬티의 직원 400명은 ‘AI 네이티브 전문가’로, 향후 액센추어의 컨설팅 조직에 통합된다. 이를 통해 액센추어는 고객에게 ‘높은 수준의 AI 역량’을 제공할 계획이다. 아울러 패컬티의 AI 의사결정 인텔리전스 플랫폼인 ‘프런티어(Frontier)’도 액센추어 내부 서비스에 통합할 계획이다.

액센추어 회장 겸 최고경영자 줄리 스위트는 “패컬티와 함께 신뢰할 수 있고 고도화된 AI를 고객 비즈니스의 핵심으로 가져오려는 전략을 한층 더 가속할 것”이라고 설명했다.

이번 인수에서 이례적인 점으로 꼽히는 부분은 패컬티의 현 CEO인 마크 워너가 액센추어 글로벌 경영위원회에 최고기술책임자(CTO)로 합류할 예정이라는 점이다. 이 내용이 확정될 경우, 수백 명 규모의 기업이 전 세계 약 80만 명의 직원을 둔 대형 컨설팅 기업의 핵심 이사회 직책을 맡게 되는 셈이다.

현재 액센추어는 CTO로 라젠드라 프라사드를 공식적으로 기재하고 있다. 프라사드는 그룹 최고경영자–기술 부문이라는 또 다른 직책에 집중하기 위해 CTO 역할에서 물러날 가능성이 있는 것으로 보인다. CIO닷컴은 새로운 역할에 대해 액센추어와 패컬티에 확인을 요청했지만, 기사 작성 시점까지 답변을 받지 못했다.

AI 중심 재편

전통적인 기술 기업 인수는 대개 특허, 제품, 고객이 지닌 가치에 의해 결정된다. 그러나 AI 기업의 경우 현재는 인적 전문성 역시 그에 못지않게 중요한 요소로 부각되고 있다.

패컬티는 이러한 요소를 모두 갖춘 기업으로 평가된다. 패컬티는 2014년 당시 하버드대 양자물리학 연구원이던 마크 워너가 ASI 데이터 사이언스라는 이름으로 공동 설립했다. 이후 2019년 사명을 패컬티로 변경했다. 이는 스캔들로 논란이 된 케임브리지 애널리티카의 모기업 SCL 그룹을 통해 동일한 인턴십 프로그램에 참여했다는 의혹과 거리를 두기 위한 시도였던 것으로 해석된다. 패컬티 측은 해당 의혹을 강하게 부인해 왔다.

이후 패컬티는 영국 정부와의 협업을 통해 공공 부문에서의 프로젝트 수행 경험을 축적했다. 대표적으로 코로나19 팬데믹 기간 동안 병원 입원 수요와 인공호흡기 필요량을 예측하는 데 활용된 NHS 조기경보시스템(EWS) 구축에 참여했다.

이 같은 이력은 최근 액센추어의 방향성과도 맞물린다. 액센추어는 지난 1년간 AI 중심의 조직 개편을 진행해 왔다. 지난 6월에는 다섯 개 사업부를 ‘리인벤션 서비스(Reinvention Services)’라는 단일 조직으로 통합하며 ‘AI 시대를 위한 자사 재창조’ 전략을 추진했다. 이와 동시에 직원들을 ‘리인벤터’라고 부르기 시작했다.

액센추어는 오픈AI와 앤트로픽과의 협력도 구축했다. 이를 통해 수만 명의 직원이 두 기업의 챗봇과 에이전트형 기술을 활용하고 이를 확산하는 교육을 받게 될 예정이다.

스위트는 이번 인수 발표와 함께 “우리는 세계에서 가장 AI에 기반한, 고객 중심의 전문 서비스 기업이 되기 위한 플레이북을 만들어가고 있다”라고 언급했다.
dl-ciokorea@foundryco.com

Accenture has announced that it has agreed to acquire UK AI startup Faculty for an undisclosed sum, a potentially significant move in a consultancy sector currently scrambling to add greater artificial intelligence expertise.

According to Accenture, Faculty’s UK-based workforce of 400 “AI native professionals” will be integrated with its consulting teams, allowing the company to offer its customer base “world‑class AI capabilities.” The company will also integrate Faculty’s AI decision intelligence platform, Frontier, into its services.

“With Faculty, we will further accelerate our strategy to bring trusted, advanced AI to the heart of our clients’ businesses,” commented Accenture chair and CEO, Julie Sweet.

One detail that marks the acquisition as unusual is that Faculty’s current CEO, Marc Warner, will reportedly join Accenture’s Global Management Committee as chief technology officer (CTO). If confirmed, this means that a company employing a few hundred people will take a key board position in a huge consulting outfit with nearly 800,000 employees worldwide.

Accenture still lists its CTO as Rajendra Prasad, who will presumably step back from this role to focus on his other day job as the company’s Group Chief Executive – Technology. CIO.com contacted Accenture and Faculty to confirm the new roles, but had no response by publication time.

AI reinvention

Traditional tech acquisitions are usually motivated by the value offered by a company’s patents, products and customers. With AI companies, just as important right now is human expertise.

Faculty offers all of these. Co-founded in 2014 as ASI Data Science by then Harvard quantum physics research fellow Warner, it was renamed Faculty in 2019. This might have been an attempt to disassociate it from allegations, which it strenuously denied, that it was part of the same internship program as scandal-hit company Cambridge Analytica, through the latter’s parent company, SCL Group.

Since then, Faculty has established a solid reputation through its work with the UK government, including the creation of an NHS Early Warning System (EWS) system used to predict hospital admissions and ventilator requirements during the Covid pandemic.

This dovetails well with Accenture’s direction; it has spent the last year undergoing an AI makeover. In June, the company folded five business units into a single division, Reinvention Services, as part of a plan to “re-invent Itself for the Age of AI.” At the same time, it started calling its employees “reinventors”.

The company has also formed alliances with OpenAI and Anthropic which will see tens of thousands of its employees trained to use and promote both companies’ chatbot and agentic technologies.

“We are writing the playbook for how to be the most AI-enabled, client-focused professional services company in the world,” said Accenture CEO Sweet in this week’s announcement of the acquisition.

When mergers and acquisitions grab headlines, the cybersecurity posture of the involved organization is rarely scrutinized, unless one of the parties suffers a breach. But once the deal is done, a key factor that determines how well two companies become one is the gap between what they believe is the state of their security posture and what actually holds up under scrutiny.

We call this the cyber delta.

The unique attributes of a deal, such as compressed timelines, regulatory hurdles and political and market factors, make it virtually impossible to reduce that gap to a single risk score or cyber delta metric. But we can pinpoint the common risk vectors that occur in cases where the companies envision some level of IT consolidation and/or governance.

In a world where adversaries are opportunistic and regulations unforgiving, cyber due diligence can’t remain a late-stage checkbox. It needs to be a strategic pillar of how deals are evaluated, structured and executed.

While every transaction is different, here are some common problems.

Legacy risk

Legacy systems often carry the highest risk — not because they’re old or broken, but because no one truly understands them anymore. Unpatched servers, outdated middleware, forgotten databases and unsupported operating systems often become liabilities after the deal closes.

Traditional due diligence frequently overlooks this kind of technical debt.

To surface it, security teams need configuration-level visibility to determine key issues such as whether critical systems are running end-of-life software, administrative interfaces are exposed externally or if patches can be applied without breaking core dependencies.

This level of scrutiny can’t wait for post-merger integration. It must be baked into early risk modeling before the deal is done.

Risk assessment misalignment

A large organization buying a much smaller one or a highly regulated company buying one in a less regulated space will have very different risk profiles, so the goal isn’t necessarily parity, it’s unification. But even if you don’t unite all the technologies, you still need a unified view of risk.

Establishing open lines of communication across teams is essential to establishing measurable baselines for both sides. That provides a framework for measuring progress and spotting where the biggest gaps are. The goal is to agree on what “good” looks like, what needs fixing and where the priorities are.

Security scores or shared risk indexes can help, especially when you’re trying to compare two environments that work differently. It’s less about having one perfect KPI and more about knowing what you’ve got, what it’s going to take to secure it and how you’ll track that over time.

Security maturity misalignment

Another common risk is the mismatch in security maturity between the acquiring organization and its target. One company might have rigorous asset inventories, patch SLAs and automated detection; the other may be operating with ad hoc response plans and minimal logging. This misalignment creates serious friction — and risk — during integration.

Each security team should understand the other company’s threat modeling, incident response and vulnerability triage processes. They also need to identify where alignment is mandatory (e.g., access controls, endpoint protection) and where temporary coexistence is acceptable.

While every deal has a different integration blueprint, most can be split into two broad categories. First is full integration, which requires collaboration across each company’s security teams to map interdependencies between systems, understand identity sprawl and simulate interconnectivity to identify points of weakness that could ripple through both environments.

Second is partial integration or a standalone operation. In these cases, the focus shifts to interface points. Are APIs between the two firms secured and rate-limited? Are shared systems — like CRMs or collaboration tools — properly monitored and segmented? Security diligence should also reflect the business function of the acquired entity. A dev team’s cloud environment presents different risks than a customer service platform handling PII.

Compliance by inheritance

You’re not just acquiring infrastructure — you’re inheriting obligations. A target’s security program may be sufficient to avoid breaches but still fall short of current regulatory standards. To avoid latent compliance risk:

• Map systems to relevant regulatory frameworks (e.g., GDPR, HIPAA, CCPA, SEC cybersecurity disclosure rules)
• Review how sensitive data is classified, encrypted and audited
• Flag high-risk areas such as weak authentication, unmonitored data transfers, legacy encryption, etc.

These issues often stay hidden until audits, legal inquiries or customer complaints surface. Addressing them proactively avoids painful surprises.

Technology culture clash

When a cloud-native company is acquired by a company that is less so, the due diligence process must align with the velocity and architecture of modern development. Risks often lie in the operational details, such as cloud infrastructure concerns around over-permissive IAM roles and misconfigured storage buckets.

CI/CD pipelines require examination to ensure build processes are secure and secrets aren’t stored in plain text or version control. APIs and integrations need assessment to confirm tokens are properly scoped and revocable, with endpoints protected by rate limiting and authentication. For IoT and edge devices, critical considerations include whether firmware updates are available and signed and whether remote management ports are exposed.

Security culture clash

When two companies come together, you’re not just dealing with different tools — you’re dealing with different ways of thinking about risk. One team might have a solid process for tracking and prioritizing issues. The other might be in constant firefighting mode, just trying to keep up.

Trying to force everyone into one framework right away usually doesn’t work. A better move is to start with shared visibility. Get both sides looking at the same data and using the same language when they talk about risk. The next step is to focus on the areas where the two environments actually touch — things like identity, access and shared infrastructure. That’s where misalignment causes the most problems.

Security leaders don’t need to have it all figured out on day one. They just need people to see the same picture and be willing to work on it together.

Global deals, local risk

Cross-border M&A introduces another layer of complexity. Different regions carry distinct legal, technical and cultural definitions of risk. A European company may prioritize data sovereignty and breach notification timelines; a U.S. firm may focus more on operational resilience and insurance coverage.

Smart security teams build region-specific exposure profiles that account for local laws and regulatory disclosure requirements, threat actor activity by regions and technical norms and enforcement capacity. Global harmonization isn’t always possible, but understanding the landscape in advance helps prevent surprises down the road.

Gaining an advantage by reducing the cyber delta

There will always be some level of uncertainty in M&A cybersecurity. But the organizations that work actively to shrink the cyber delta will have an operational edge.

Don’t let a breach become part of the deal.

This article is published as part of the Foundry Expert Contributor Network.
Want to join?