TL;DR: Marketing tools keep former agencies and contractors active long after relationships end, and Ponemon Institute data cited by Cerby shows 68% of organisations cannot reliably remove employee access on departure, 77% have had incidents tied to disconnected apps, and 63% have failed audits because of gaps in securing those apps. The core problem is not intent but lifecycle control: access removal for external collaborators is treated as optional, so entitlement drift becomes normalised.
At a glance
What this is: An analysis of how marketing and business tools retain inactive agency and contractor access, with the key finding that offboarding and access review gaps leave accounts active far beyond the relationship end date.
Why it matters: The same lifecycle failure that leaves ex-employees in systems also leaves third parties in SaaS tools, creating hidden access paths outside IAM, PAM, and audit oversight.
By the numbers:
- 68% of organizations can't reliably remove access when an employee leaves.
- 77% of organizations experienced at least one cybersecurity incident tied to disconnected apps in the past two years.
- 63% of organizations have failed an audit at least once because of gaps in securing these apps.
Context
Marketing stacks often sit outside enterprise identity controls even when they handle sensitive audiences, spend data, and customer systems. The result is a governance gap where agencies and contractors keep access after the work ends because no one owns the offboarding event.
This is a lifecycle problem, not a user-awareness problem. When contract end dates do not trigger deprovisioning across the full application set, access reviews become stale, audit evidence becomes incomplete, and the identity boundary between internal teams and external collaborators disappears.
Key questions
Q: How should security teams handle agency access when contracts end?
A: Security teams should treat contract end as an identity event, not an administrative note. Access should be revoked across every tool the agency touched, ownership should transfer to a named internal admin, and the final state should be recorded for audit evidence. If a tool cannot be centrally governed, it still needs a documented deprovisioning step.
Q: Why do disconnected apps create so much access risk?
A: Disconnected apps create risk because they sit outside the enterprise identity fabric, so access is granted and removed locally instead of through central controls. That makes it easy for former vendors, contractors, or employees to remain active long after the business need ends. The risk is highest when no one can prove who currently has access.
Q: What breaks when access reviews rely on memory instead of ownership data?
A: Access reviews fail when reviewers have to recognise names instead of validating current business purpose. Without contract status, owner context, and last-use evidence, a reviewer cannot distinguish a legitimate retained account from dormant privilege. That turns recertification into guesswork and allows stale access to survive repeated review cycles.
Q: Who is accountable for third-party access after a campaign or project ends?
A: The business owner who engaged the agency remains accountable until access is removed, even if IT never administered the account directly. Security can define the control standard, but the sponsoring team must confirm the relationship is closed and the access is gone. Accountability fails when ownership is shared but action is not.
Technical breakdown
Why agency access becomes dormant privilege in SaaS tools
Agency and contractor access often persists because the tools that marketing teams use do not sit inside the central IAM stack. Users are added directly, permissions are granted ad hoc, and the relationship often ends without a final revocation step. That creates dormant privilege, meaning an account remains valid even though the business purpose for access is gone. The risk increases when the tool has no native lifecycle integration, no SCIM-based deprovisioning, and no owner who is required to confirm removal when the contract closes.
Practical implication: map every externally granted account to a named business owner and revoke it when the relationship ends, not when someone remembers.
Why disconnected apps defeat enterprise access governance
Disconnected apps are systems that do not participate in the enterprise identity fabric, so access is managed locally instead of centrally. That means IT may not see who has access, security may not see what data they can reach, and the business may not know which former vendors remain active. In practice, this creates a shadow governance layer where trust is maintained by habit rather than control. The problem is especially severe in marketing, where agencies, freelancers, and contractors are routinely granted direct access to ad platforms, CMS tools, and automation systems.
Practical implication: treat disconnected apps as governed identity assets and build a complete app-to-owner inventory before you attempt recertification.
How access review fails when the user list is not the source of truth
Access review only works when the user list reflects current business reality. In many marketing tools, it does not, because people can be added by different admins, retained for convenience, or forgotten after a campaign ends. If the review process depends on recognition rather than authoritative metadata, the reviewer cannot tell whether an account is still justified. That turns recertification into a subjective exercise and allows legacy access to survive multiple business cycles without detection.
Practical implication: enrich user lists with contract status, ownership, and last-business-purpose data before recertification starts.
Threat narrative
Attacker objective: The objective is to retain or exploit active third-party access to marketing systems so campaign data, customer assets, or admin controls can be reached without fresh compromise.
- Entry occurs when agencies, freelancers, or contractors receive direct access to marketing platforms and remain active after the work ends.
- Credential access persists because the accounts are not removed when the relationship fades, leaving standing privilege in tools such as ad managers and automation systems.
- Impact follows when a former partner, a compromised vendor account, or an internal admin error exposes campaigns, audiences, budgets, or customer data through still-valid access.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Vendor access without lifecycle offboarding: This article exposes a failure mode where external collaborator access survives the end of the business relationship. That is not ordinary privilege creep; it is lifecycle collapse at the boundary between marketing ownership and security governance. The implication is that offboarding must be tied to the contract end state, not to informal human memory.
Disconnected apps create governance blind spots: Marketing tools frequently live outside the identity stack, so IAM teams cannot see who has access, and marketing teams rarely own the controls needed to remove it. This splits accountability across functions that do not share a control plane. The practitioner conclusion is that visibility alone is not enough if the app estate is intentionally outside central governance.
Audit failure is the symptom, not the disease: When 63% of organisations fail audits because of gaps in securing disconnected apps, the real problem is that review evidence is reconstructed after the fact from incomplete data. That is a control design flaw, not a documentation issue. The implication is that evidence generation must be built into access governance for external collaborators from the start.
External access should be treated as enterprise identity, not vendor convenience: Agencies and contractors are often managed as temporary exceptions, but their access patterns create the same governance demands as any other non-human or third-party identity. Once a business partner can reach production-adjacent systems, the identity model has to account for lifecycle, accountability, and revocation with the same seriousness as employee access. The practitioner conclusion is to govern collaborator identities as first-class identities.
New concept: agency access residuals. This is the leftover access that remains after a campaign, contract, or retainer has ended but before the account is removed. It matters because residual access turns commercial relationships into latent security exposure, especially when the new owner of the account cannot tell whether the access is still justified. Practitioners should treat this as a distinct governance state, not a simple missed cleanup.
From our research:
- 68% of organizations can't reliably remove access when an employee leaves, according to The State of Secrets in AppSec.
- 75% of organizations express strong confidence in their secrets management capabilities despite the same research finding a 27-day average to remediate a leaked secret.
- For a deeper lifecycle view, see NHI Lifecycle Management Guide for how revocation, ownership, and offboarding should be structured.
What this signals
Agency access residuals will become a more visible governance category as organisations realise that third-party access can outlive the commercial relationship by months or years. The control question is no longer whether the tool supports SSO, but whether access state changes are tied to contract state across the whole app estate.
The practical shift is toward lifecycle evidence, not just access inventory. Teams that can prove contract-close deprovisioning, owner sign-off, and post-departure recertification will be better positioned for audit, especially in environments where disconnected apps still dominate operational workflows.
For teams formalising this work, the NIST Cybersecurity Framework 2.0 remains a useful organising model for ownership, protection, and response. Pair that with the NHI Lifecycle Management Guide to define how external identities are removed, not just added.
For practitioners
- Map all external collaborator accounts: Build a complete inventory of agency, contractor, and freelancer access across marketing and business-owned tools, then assign a business owner and contract reference to each account. The goal is to know who can still log in before the next campaign starts.
- Tie deprovisioning to contract closure: Make contract termination the trigger for access removal across every application the collaborator touched, including ad platforms, CMS tools, and automation systems. If the tool cannot integrate with central IAM, use a compensating control and manual evidence trail.
- Run recertification on inherited user lists: Review the full user list with contract status, last business purpose, and current relationship owner, not just names that look unfamiliar. Remove accounts whose justification is no longer current, even if the business relationship was friendly.
- Create an offboarding checklist for external identities: Extend the offboarding process beyond employees so agencies and contractors are removed from every system they touched when the relationship ends. Include a final check for shared workspaces, ad accounts, and automation tools that are often missed.
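The practitioner steps above, together with the earlier point that access review fails when it relies on name recognition rather than authoritative metadata, can be expressed as a small review routine: every externally granted account is decided from contract state, ownership and last use, and each decision is written out as audit evidence at review time. The following is an added example written for this post, not code from Cerby or NHIMG. The apps, contract references, vendor names, logins and dates are constructed, and the `supports_scim` and `owner` fields are assumptions about what an app-to-owner inventory would record.

```python
"""Added example (not code from Cerby or NHIMG): recertify externally granted
accounts from contract state and ownership data instead of name recognition,
and produce an evidence record of every decision. All inventory data below is
constructed for illustration."""
from dataclasses import dataclass, asdict
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class App:
    name: str
    supports_scim: bool       # assumption: inventory records whether central IAM can deprovision here
    owner: Optional[str]      # named internal admin; None means nobody owns cleanup


@dataclass(frozen=True)
class Contract:
    ref: str
    sponsor: str              # business owner who engaged the agency
    end_date: Optional[date]  # None while the engagement is still open


@dataclass(frozen=True)
class ExternalAccount:
    app: str
    login: str
    vendor: str
    contract_ref: Optional[str]  # None: nobody mapped this account to a contract
    last_login: Optional[date]   # None: never seen in the app's own audit log


@dataclass
class Decision:
    app: str
    login: str
    action: str            # retain | revoke | confirm_with_sponsor
    method: Optional[str]  # scim_deactivate | manual_revoke_with_evidence | None
    reason: str
    owner: Optional[str]   # who must execute the action or sign it off
    reviewed_on: str


def revocation_method(app: App) -> str:
    """Tools that cannot be centrally governed still get a documented removal step."""
    return "scim_deactivate" if app.supports_scim else "manual_revoke_with_evidence"


def recertify(accounts, contracts, apps, today: date, dormant_days: int = 90):
    """Decide each external account from contract state, not from whether the name looks familiar."""
    decisions = []
    for acct in accounts:
        app = apps[acct.app]
        contract = contracts.get(acct.contract_ref) if acct.contract_ref else None
        stamp = today.isoformat()
        if contract is None:
            # No contract reference: business purpose cannot be validated, so access is not retained.
            decisions.append(Decision(acct.app, acct.login, "revoke", revocation_method(app),
                                      "no contract reference; justification cannot be established",
                                      app.owner, stamp))
        elif contract.end_date is not None and contract.end_date <= today:
            # Contract closure is the identity event that triggers removal.
            decisions.append(Decision(acct.app, acct.login, "revoke", revocation_method(app),
                                      f"contract {contract.ref} closed on {contract.end_date.isoformat()}",
                                      app.owner or contract.sponsor, stamp))
        elif acct.last_login is None or (today - acct.last_login).days > dormant_days:
            # Open contract but no recent use: the sponsor must confirm the access is still needed.
            decisions.append(Decision(acct.app, acct.login, "confirm_with_sponsor", None,
                                      f"contract {contract.ref} open but no login in {dormant_days} days",
                                      contract.sponsor, stamp))
        else:
            decisions.append(Decision(acct.app, acct.login, "retain", None,
                                      f"contract {contract.ref} open, last login {acct.last_login.isoformat()}",
                                      contract.sponsor, stamp))
    return decisions


def evidence_record(decisions):
    """Audit evidence generated at review time, not reconstructed afterwards."""
    return [asdict(d) for d in decisions]


def unowned_revocations(decisions):
    """Revocations with no named person on the hook: the ones that quietly never happen."""
    return [d for d in decisions if d.action == "revoke" and d.owner is None]


# Constructed inventory: apps, contracts and externally granted accounts.
APPS = {
    "ads-manager": App("ads-manager", supports_scim=False, owner="m.okafor"),
    "cms": App("cms", supports_scim=True, owner="j.lindqvist"),
    "automation": App("automation", supports_scim=False, owner=None),
}
CONTRACTS = {
    "AG-2025-017": Contract("AG-2025-017", sponsor="r.patel", end_date=date(2026, 1, 31)),
    "AG-2026-004": Contract("AG-2026-004", sponsor="r.patel", end_date=None),
}
ACCOUNTS = [
    ExternalAccount("ads-manager", "anna@brightcreative.example", "BrightCreative", "AG-2025-017", date(2026, 1, 20)),
    ExternalAccount("cms", "dev@brightcreative.example", "BrightCreative", "AG-2025-017", date(2025, 11, 2)),
    ExternalAccount("automation", "ops@pixelforge.example", "PixelForge", None, date(2026, 4, 28)),
    ExternalAccount("cms", "sam@pixelforge.example", "PixelForge", "AG-2026-004", date(2026, 1, 3)),
    ExternalAccount("ads-manager", "lee@pixelforge.example", "PixelForge", "AG-2026-004", date(2026, 5, 1)),
]
REVIEW_DATE = date(2026, 5, 4)

if __name__ == "__main__":
    results = recertify(ACCOUNTS, CONTRACTS, APPS, REVIEW_DATE)
    for d in results:
        print(f"{d.app:12} {d.login:30} {d.action:20} {d.method or '-':28} "
              f"owner={d.owner or 'UNOWNED'}  {d.reason}")
    print("unowned revocations:", [d.login for d in unowned_revocations(results)])
```

Two design points are worth noting. A closed contract produces a revocation regardless of how recently the account was used, because recent activity on a closed engagement is exactly the residual access the post describes; dormancy on an open contract, by contrast, only routes to the sponsor for confirmation, since inactivity alone does not prove the relationship has ended. For apps the inventory marks as outside central IAM, the decision still carries a method (`manual_revoke_with_evidence`), which is the compensating control and evidence trail the second practitioner step calls for, and `unowned_revocations` surfaces the cases where no one is accountable for carrying it out.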
Key takeaways
- Former agencies and contractors often remain active because offboarding is not wired into the identity lifecycle for marketing tools.
- The cited evidence shows that disconnected apps already drive incidents and audit failures, which makes this a control gap with measurable operational impact.
- Revocation tied to contract closure, not human recall, is the control that would have prevented most of the exposure described here.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Direct access governance issue for external collaborators in disconnected apps. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Persistent collaborator access is a credential lifecycle failure in NHI governance. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Least-privilege access should not persist after the need has expired. |
Deprovision collaborator credentials when business use ends and verify removal across all tools.
Key terms
- Disconnected App: A disconnected app is a business system that does not participate in the enterprise identity fabric and is managed outside central IAM workflows. Access is often granted locally, reviewed manually, and forgotten easily. These apps create governance blind spots because ownership, revocation, and evidence are fragmented across teams.
- Dormant Privilege: Dormant privilege is access that remains technically active after the business reason for using it has ended. The account still works, but the relationship, project, or contract that justified it no longer does. In practice, dormant privilege is a lifecycle failure that turns routine collaboration into lingering exposure.
- Agency Access Residuals: Agency access residuals are the leftover entitlements that stay in place after a campaign, retainer, or contractor relationship has ended. The access is usually not intentionally malicious, but it remains reachable and unaudited. This state is especially risky because nobody may own the cleanup, yet the credentials still function.
Deepen your knowledge
Marketing stack access governance is covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your teams manage agencies, contractors, or disconnected apps, the lifecycle patterns in this post are directly relevant.
This post draws on content published by Cerby: agency access sprawl in marketing tools and the offboarding gap it creates. Read the original.
Published by the NHIMG editorial team on 2026-05-04.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org