Who should be accountable for social media account governance?

Accountability should sit with security and IT, with marketing as the business owner of the channel. That split keeps policy, ownership, and recovery in the enterprise control plane while allowing the channel team to operate the account. Without a clear owner, lifecycle tasks and revocation decisions are usually deferred until they become incidents.

Why This Matters for Security Teams

Social media account governance is not just a brand issue. These accounts can publish on behalf of the organisation, receive direct messages with sensitive content, and become trusted targets for takeover, impersonation, and fraud. When accountability is unclear, password resets, MFA changes, recovery contacts, and deprovisioning often sit between teams, which is exactly where attackers exploit delay. NHI Management Group’s Top 10 NHI Issues consistently places lifecycle gaps and weak ownership near the top of practical failure modes.

The governance problem is that a social account behaves like a shared non-human identity, even when multiple humans can post through it. Security teams usually own control requirements, IT usually owns recovery and access tooling, and marketing usually owns content and audience outcomes. That split is workable only if accountability is explicit. The most common mistake is treating platform admin settings as a marketing detail instead of an enterprise access control issue. Guidance from the NIST Cybersecurity Framework 2.0 still points to clear ownership, access control, and recovery planning as core operational duties. In practice, many security teams encounter account loss only after a former employee, agency partner, or compromised recovery channel has already made the account unrecoverable.

How It Works in Practice

The cleanest model is a three-part accountability split. Security or IT owns the control plane, marketing owns business use, and platform administrators execute day-to-day operations under documented approval. That means security defines required controls, approves privileged access, and enforces recovery and revocation. Marketing defines who may publish, what content approval is needed, and how the account is used commercially. IT typically manages identity lifecycle, MFA enforcement, device trust, and the shared vault or ticketing workflow used to recover credentials.

Practitioners should anchor this to an explicit account register, just as they would for other NHIs. NHI Management Group’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here because social accounts need onboarding, periodic review, emergency access, and retirement. The same logic applies to certificates, API keys, and vendor-connected identities: if the organisation cannot prove who owns it, who can recover it, and who can revoke it, the account is not governed.

  • Assign one named enterprise owner for the account, even if multiple people publish content.
  • Store recovery methods in an approved enterprise vault, not in personal inboxes or shared chat threads.
  • Use MFA, named admin roles, and documented break-glass access for emergency recovery.
  • Review connected apps, delegated publishing tools, and agency access on a fixed schedule.
  • Remove access immediately when employees, contractors, or agencies change role or exit.

Current guidance suggests that shared social accounts should follow the same revocation discipline as other privileged identities, because compromise often occurs through stale recovery paths or over-broad third-party access. These controls tend to break down when a brand runs dozens of regional or campaign accounts and ownership is dispersed across agencies, because no single team has end-to-end authority over the full lifecycle.

Common Variations and Edge Cases

Tighter account governance often increases operational friction, requiring organisations to balance speed of publishing against control, auditability, and recovery readiness. That tradeoff is real, especially for global brands, regulated sectors, and crisis communications teams that need rapid posting authority.

There is no universal standard for every operating model, but the accountability principle stays stable. For a single-brand social presence, security can own the control framework directly and marketing can act as the business approver. For multi-brand or franchise models, corporate security should set minimum controls while business units manage local usage. Agencies should never be the sole custodians of recovery or privileged access, even if they manage most content.

This is where the broader NHI lesson matters: identities that can act on behalf of the organisation need lifecycle governance, not informal convenience. That is why Ultimate Guide to NHIs — Regulatory and Audit Perspectives is relevant even for a social account question. Auditors will ask who approved access, who can revoke it, and whether the organisation can prove control after a staff change or compromise. The current consensus is that marketing may own the channel outcome, but security and IT must own the identity and recovery mechanics. The exception is a temporary campaign account with no sensitive integrations, where the governance burden is lower, but even then the recovery path should remain enterprise-controlled.
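As an added example (not code from the Journal or from NHI Management Group), the following Python register check encodes the ownership, vault, MFA, revocation and scheduled-review rules from the list in the practice section above, plus the two edge cases from this section: an agency must never be the sole custodian of privileged access, and a temporary campaign account skips the heavier checks while keeping enterprise-controlled recovery. The field names, the 90-day review interval and the sample accounts are constructed assumptions, not a real schema or real accounts.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

REVIEW_INTERVAL_DAYS = 90   # fixed review schedule; the value is an assumption

@dataclass
class SocialAccount:
    handle: str
    enterprise_owner: str | None      # one named owner in security/IT
    recovery_in_vault: bool           # recovery methods held in the approved enterprise vault
    mfa_enforced: bool
    admin_roles: dict[str, str]       # privileged login -> "employee" or "agency"
    break_glass_documented: bool
    last_access_review: date | None   # connected apps, delegated tools, agency access
    offboarded: set[str] = field(default_factory=set)  # exited or role-changed principals
    temporary_campaign: bool = False  # lighter burden, recovery still enterprise-controlled

def governance_findings(acct: SocialAccount, today: date) -> list[str]:
    """Return the gaps that make the account ungoverned; an empty list means it passes."""
    gaps = []
    if not acct.enterprise_owner:
        gaps.append("no named enterprise owner")
    if not acct.recovery_in_vault:
        gaps.append("recovery methods outside the enterprise vault")
    if not acct.mfa_enforced:
        gaps.append("MFA not enforced")
    stale = sorted(p for p in acct.admin_roles if p in acct.offboarded)
    if stale:
        gaps.append("access not revoked for " + ", ".join(stale))
    if acct.admin_roles and all(r == "agency" for r in acct.admin_roles.values()):
        gaps.append("agency is sole custodian of privileged access")
    if acct.temporary_campaign:
        return gaps   # campaign accounts skip break-glass and scheduled-review checks
    if not acct.break_glass_documented:
        gaps.append("break-glass recovery not documented")
    if acct.last_access_review is None or (today - acct.last_access_review).days > REVIEW_INTERVAL_DAYS:
        gaps.append("connected app and agency access review overdue")
    return gaps

# Constructed sample register (not real accounts) reviewed on a fixed date.
REVIEW_DATE = date(2024, 6, 1)
REGISTER = [
    SocialAccount("@brand", "security-team", True, True,
                  {"alice": "employee", "agency-x": "agency"}, True, date(2024, 5, 1)),
    SocialAccount("@brand-eu", None, False, True,
                  {"agency-x": "agency"}, False, date(2023, 12, 1), {"agency-x"}),
    SocialAccount("@summer-campaign", "security-team", True, True,
                  {"bob": "employee"}, False, None, temporary_campaign=True),
]

def ungoverned_accounts(register=REGISTER, today=REVIEW_DATE) -> dict[str, list[str]]:
    # Map each failing handle to its findings: the list a reviewer would escalate.
    return {a.handle: g for a in register if (g := governance_findings(a, today))}
```

Running `ungoverned_accounts()` on the sample register flags only the regional account, which fails on ownership, vault storage, stale agency access, sole agency custody, break-glass documentation and an overdue review.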

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-01 | Social accounts are shared non-human identities needing clear ownership and lifecycle control.
NIST CSF 2.0 | PR.AA | Account governance depends on managing identity, access, and recovery paths.
NIST AI RMF | (none cited) | Accountability is a governance issue requiring explicit ownership and oversight.

Define accountable owners, escalation paths, and audit evidence for each organisational account.