TL;DR: Social media accounts often sit outside standard IAM and IGA controls because they rely on weak identity standards, shared credentials, and manual lifecycle work, according to Cerby. The structural issue is not the apps themselves but the governance gap between enterprise identity systems and disconnected business platforms.
At a glance
What this is: An analysis of why social media accounts fall outside standard IAM and IGA control, and how that creates lifecycle, MFA, and audit gaps.
Why it matters: Security teams cannot treat business-critical disconnected apps as exceptions forever when the same access, offboarding, and accountability problems appear across NHI, human, and delegated access programmes.
By the numbers:
- 58% of teams say former employees have retained access to systems after leaving the organization.
- 22% of all online ad spend is wasted due to ad fraud annually.
Context
Social media account governance is a control problem, not a marketing preference. These applications often sit outside the standards and lifecycle workflows that IAM and IGA teams rely on, which means identity, access, and audit decisions get pushed into manual workarounds.
The primary issue is the app gap between enterprise identity infrastructure and disconnected business platforms. When access is still managed through shared passwords, individual ownership, or ad hoc approvals, the result is weak accountability, slow offboarding, and inconsistent enforcement across the identity programme.
Key questions
Q: How should security teams govern social media accounts that do not support standard IAM integration?
A: They should classify those platforms as disconnected applications, then apply explicit ownership, lifecycle, MFA, and audit requirements outside the usual federation path. If the app cannot participate in automated identity workflows, the organisation needs a compensating governance model with clear revocation responsibility, traceability, and evidence for access reviews.
Q: Why do shared social media accounts create a governance risk?
A: Shared accounts blur ownership, weaken accountability, and often lead to poor credential hygiene or delayed offboarding. The risk is not simply multiple users logging in. It is that the organisation loses confidence in who used the account, whether MFA was enforced, and whether access was actually removed when it should have been.
Q: What breaks when joiner-mover-leaver workflows are manual for disconnected apps?
A: Manual JML handling increases the chance that access persists after a role change or departure, especially when marketing or agencies manage the app. That breaks the identity lifecycle because the entitlement state no longer tracks the person's employment state in a reliable or auditable way.
Q: How can organisations keep MFA in place on shared business accounts?
A: They need central custody of the credential and MFA factors, plus a workflow that preserves usability without giving users direct control over the secret. The goal is to make MFA mandatory and recoverable, not optional or dependent on one employee holding the only code.
Technical breakdown
Why disconnected applications break IAM and IGA coverage
Disconnected applications fail when they do not support the identity standards and management APIs that IAM and IGA systems expect. In practice, that means no clean federation, no reliable lifecycle hooks, and no consistent entitlement sync. The result is not just operational inconvenience. It is a structural blind spot where access can exist without being governed through the enterprise control plane. Once business teams own the workflow, the security model drifts from policy to convenience, which is exactly where access exceptions become durable.
Practical implication: classify disconnected business apps as governance exceptions until they are brought under the identity control plane.
Lifecycle management and JML for shared app access
Joiner-mover-leaver processes depend on timely, machine-readable changes in access state. Where the application cannot integrate directly, provisioning and deprovisioning become manual, which increases the chance that access survives role changes or departures. That risk is amplified in shared-account environments because one person may hold the credential, while several others depend on it operationally. Without automated lifecycle handling, revocation becomes a best-effort task rather than a control with evidence.
Practical implication: map every disconnected app to an explicit JML owner and require automated revocation paths before access is granted.
SSO-like access, shared credentials, and MFA enforcement
Many social platforms do not support standard enterprise SSO, so organisations fall back to usernames, passwords, and shared codes. That creates a tension between usability and control. The security goal is not merely to store credentials centrally but to remove direct human handling from the login path, enforce MFA consistently, and preserve per-user accountability even when the app itself was never designed for enterprise federation. Centralised credential vaulting and attribute-based session attribution are what make that possible.
Practical implication: use central credential control and per-user attribution to avoid disabling MFA just because an app is shared.
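The control pattern described in this section (central credential custody, MFA that the broker holds rather than one employee, and per-user attribution on a platform that only knows a single shared account) can be sketched as a small credential broker. The block below is an added example, not Cerby's or NHIMG's code; the platform login is simulated, the account names are constructed, and the assumption is that the platform accepts a password plus a TOTP code.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field

# Added example (not Cerby's or NHIMG's code): a minimal credential broker for a
# shared social account. IT keeps custody of the password and the TOTP seed; a user
# authenticates to the broker with their own identity, and the broker performs the
# login for them. The individual user is recorded on every session, so attribution
# survives even though the platform only ever sees one shared account.


@dataclass
class SharedAccountRecord:
    app: str
    account: str
    password: str                       # held by the vault, never returned to callers
    totp_seed: bytes                    # held by the vault, never returned to callers
    entitled_users: set = field(default_factory=set)


@dataclass(frozen=True)
class SessionHandle:
    session_id: str
    app: str
    account: str
    user: str                           # the individual, taken from the IdP assertion


def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a given Unix time. The broker generates the
    code, so no single employee holds the only authenticator."""
    counter = struct.pack(">Q", at // step)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _platform_login(account: str, password: str, code: str) -> bool:
    """Stand-in for the real platform login (assumption: password + TOTP).
    The vault-held secrets are only ever passed here, never to the user."""
    return bool(account and password and len(code) == 6)


class CredentialBroker:
    def __init__(self) -> None:
        self._vault: dict = {}          # (app, account) -> SharedAccountRecord
        self.audit_log: list = []       # per-user attribution lives here

    def register(self, rec: SharedAccountRecord) -> None:
        self._vault[(rec.app, rec.account)] = rec

    def _record(self, event: str, user: str, app: str, account: str, **extra) -> None:
        entry = {"event": event, "user": user, "app": app, "account": account}
        entry.update(extra)             # never the password or the seed
        self.audit_log.append(entry)

    def open_session(self, user: str, idp_mfa_verified: bool, app: str,
                     account: str, now: int) -> SessionHandle:
        # MFA is checked at the broker against the user's own identity, not the app's.
        if not idp_mfa_verified:
            self._record("denied_no_mfa", user, app, account)
            raise PermissionError("MFA is mandatory at the broker")
        rec = self._vault.get((app, account))
        if rec is None or user not in rec.entitled_users:
            self._record("denied_not_entitled", user, app, account)
            raise PermissionError(f"{user} is not entitled to {app}/{account}")
        code = totp(rec.totp_seed, now)
        if not _platform_login(rec.account, rec.password, code):
            self._record("login_failed", user, app, account)
            raise RuntimeError("platform login failed")
        handle = SessionHandle(secrets.token_hex(8), app, account, user)
        self._record("session_opened", user, app, account,
                     session_id=handle.session_id, at=now)
        return handle

    def revoke_user(self, user: str, app: str, account: str, actor: str) -> None:
        """Leaver/mover path: drop the entitlement, then rotate both factors so any
        copy the person might have kept is useless (assumption: the platform lets
        IT re-enrol the authenticator)."""
        rec = self._vault[(app, account)]
        rec.entitled_users.discard(user)
        rec.password = secrets.token_urlsafe(24)
        rec.totp_seed = secrets.token_bytes(20)
        self._record("access_revoked", user, app, account, by=actor, rotated=True)

    def sessions_for(self, user: str) -> list:
        """Evidence for an access review: every session this individual opened."""
        return [e for e in self.audit_log
                if e["event"] == "session_opened" and e["user"] == user]
```

The design choice worth noting is that `SessionHandle` carries no secret and the audit entries never do either; the only place the password and seed are used is the simulated `_platform_login`. Revocation both removes the entitlement and rotates the factors, which is what makes MFA recoverable rather than dependent on one person's device.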
Threat narrative
Attacker objective: The objective is to take over or abuse high-value social accounts, then use them for fraud, brand damage, unauthorised spend, or covert persistence.
- Entry begins when a social media account is managed through individual-owned credentials or shared passwords outside the IAM control plane.
- Escalation occurs when former employees, agencies, or contractors retain access because deprovisioning and MFA recovery are handled manually.
- Impact follows when attackers or unauthorised insiders can post, spend advertising budget, or impersonate the organisation without reliable attribution.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Azure Key Vault privilege escalation exposure — Azure Key Vault Contributor role misconfiguration enabled privilege escalation.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
The app gap is the real governance problem, not social media itself. Social platforms become risky when they sit outside the standards, lifecycle hooks, and audit trails that identity teams use elsewhere. Once access management shifts to manual processes, the organisation is no longer enforcing policy consistently across its application stack. Practitioners should treat disconnected business apps as a governance class, not a special case.
Shared social accounts expose a standing-privilege problem in disguise. The issue is not only that multiple people use one account. The deeper issue is that access often persists through weak ownership, stale credentials, and informal handoff practices. That creates a durable entitlement surface that behaves much like unmanaged NHI access. Security teams should recognise the control pattern, not just the user experience.
Identity lifecycle controls fail when the application cannot participate in them. Joiner-mover-leaver processes assume the app can accept automated change events, but many social platforms force those changes through humans. That assumption was designed for systems that support central governance. It breaks when account ownership is fragmented across marketing, agencies, and individual employees. The implication is that lifecycle governance must be redesigned around the app's actual control surface.
Accountability collapses when shared access and MFA are managed as convenience features. Organisations often accept weaker controls because they believe the business function depends on them. That trade-off is backwards. Governance should preserve traceability, separation of duties, and recoverability even in platforms that were not built for enterprise identity. Practitioners should align social access with the same governance expectations used for other high-value enterprise accounts.
Fraud exposure turns identity weakness into direct financial loss. Paid media accounts are not just brand assets. They are budget-bearing identities with immediate economic impact when compromised or retained after offboarding. The same governance failure that leaves a dormant account open can also enable unauthorised spend. Security and finance teams should therefore assess social account control as an access-risk and spend-risk issue together.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- A separate finding from the same research shows that 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
- That visibility gap reinforces why teams should treat disconnected app governance as part of the broader identity control plane, as outlined in Top 10 NHI Issues.
What this signals
Disconnected-app governance is becoming a core identity programme issue, not an edge-case cleanup task. As more business-critical platforms sit outside standard federation and lifecycle tooling, teams need a control model that can evidence ownership, revocation, and attribution across every account type. The same governance discipline used for machine identities now needs to extend to socially managed enterprise accounts.
Shared access will keep exposing lifecycle failures until organisations measure revocation quality, not just access provisioning. The meaningful signal is whether access disappears when the business relationship changes. If former users, agencies, or contractors can still operate accounts, the programme has an offboarding problem, not a policy problem.
Identity teams should expect more demand for lifecycle automation across disconnected applications as the control gap becomes visible. With 1.5 out of 10 organisations highly confident in securing NHIs, the broader lesson is that confidence tracks control coverage, not policy language. Organisations that cannot automate account change and attribution will keep absorbing manual risk into the security function.
For practitioners
- Inventory disconnected business apps by control gap: Identify every social, marketing, and paid media platform that sits outside IAM or IGA integration, then assign a governance owner and a documented access path for each one.
- Automate joiner-mover-leaver handling for shared accounts: Replace manual account changes with identity-driven provisioning and deprovisioning so access is updated when users join, change roles, or leave.
- Centralise credential custody and MFA enforcement: Keep passwords and MFA factors under IT control, enforce rotation when access changes, and remove direct human sharing of codes or passwords.
- Require per-user attribution for shared sessions: Capture which individual accessed or changed an account even when the underlying platform is shared, so audits and investigations have reliable evidence.
- Review ad account access as a financial control: Treat paid media permissions as budget exposure, not only account access, and verify that offboarding actually removes the ability to spend.
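The lifecycle section above ("Lifecycle management and JML for shared app access") and the practitioner steps just listed describe the same reconciliation job: compare who HR says should have access with who actually holds it on each disconnected app, then turn each gap into a revocation work item with evidence. The block below is an added example, not Cerby's or NHIMG's code. The roster, the inventory and the "today" date are constructed; the assumptions are that HR is the source of truth for employment state and that the inventory is exported from a vault or an access-review spreadsheet.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Added example (not Cerby's or NHIMG's code): reconcile an HR roster against an
# inventory of accounts on disconnected platforms. Output is a list of findings
# plus a revocation plan carrying the evidence fields an access review asks for.

EXAMPLE_TODAY = date(2025, 12, 19)          # constructed "today" for the run below
ROLES_ALLOWED = {"marketing", "agency"}      # roles that may hold social / paid media access

ROSTER = {   # constructed: person -> employment state (source of truth for JML)
    "alice":    {"status": "active", "role": "marketing", "end": None},
    "bob":      {"status": "left", "role": "marketing", "end": date(2025, 11, 30)},
    "carol":    {"status": "active", "role": "finance", "end": None},   # mover, left marketing
    "dana":     {"status": "active", "role": "marketing", "end": None},
    "agency-x": {"status": "contract_ended", "role": "agency", "end": date(2025, 10, 15)},
}

INVENTORY = [   # constructed: one entry per account on a disconnected platform
    {"app": "social-platform-a", "account": "brand_main",
     "holders": ["alice", "bob"], "owner": "alice",
     "mfa_central": True, "can_spend": False},
    {"app": "ads-platform-b", "account": "brand_ads",
     "holders": ["carol", "agency-x", "dana"], "owner": None,
     "mfa_central": False, "can_spend": True},
]


@dataclass
class Finding:
    kind: str
    account: str                         # "app/account"
    holder: Optional[str] = None
    days_overdue: int = 0                # days since the relationship ended


def reconcile(roster: dict, inventory: list, today: date) -> list:
    """Compare holders on each account with the roster and flag every gap."""
    findings = []
    for acct in inventory:
        key = f"{acct['app']}/{acct['account']}"
        if acct["owner"] is None:
            findings.append(Finding("no_governance_owner", key))
        if len(acct["holders"]) > 1 and not acct["mfa_central"]:
            findings.append(Finding("shared_without_central_mfa", key))
        for holder in acct["holders"]:
            person = roster.get(holder)
            if person is None:
                findings.append(Finding("unknown_holder", key, holder))
            elif person["status"] != "active":
                overdue = (today - person["end"]).days
                findings.append(Finding("leaver_residual_access", key, holder, overdue))
                if acct["can_spend"]:          # budget exposure, not just access
                    findings.append(Finding("leaver_can_spend", key, holder, overdue))
            elif person["role"] not in ROLES_ALLOWED:
                findings.append(Finding("mover_residual_access", key, holder))
    return findings


def revocation_plan(findings: list) -> list:
    """Work items with the evidence a reviewer will ask for: who, what, and a
    verification step that proves the access is actually gone."""
    plan = []
    for f in findings:
        if f.kind not in {"leaver_residual_access", "mover_residual_access"}:
            continue
        plan.append({
            "account": f.account,
            "holder": f.holder,
            "priority": "P1" if f.days_overdue > 0 else "P2",
            "steps": ["remove holder", "rotate credential and MFA factor",
                      "verify the old credential is refused",
                      "attach the verification log to the access review"],
            "evidence": {"ticket": None, "verified_by": None, "verified_on": None},
        })
    return plan


def summarize(findings: list) -> dict:
    """Counts per finding kind, a convenient metric for revocation quality."""
    counts: dict = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = reconcile(ROSTER, INVENTORY, EXAMPLE_TODAY)
    print(summarize(found))
    for item in revocation_plan(found):
        print(item["priority"], item["account"], item["holder"])
```

Running it on the constructed data surfaces two leavers with residual access (one of them still able to spend), one mover who kept marketing access after changing role, one account with no governance owner, and one shared account whose MFA is not centrally held. The `days_overdue` field is what turns "access provisioning" into the revocation-quality measure the analysis calls for.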
Key takeaways
- Social media security fails when the app cannot participate in enterprise identity governance.
- Manual lifecycle handling leaves former users, agencies, and contractors with residual access far too often.
- Teams need automated revocation, central credential custody, and per-user attribution to make disconnected apps governable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Rotation and shared credential control are central to the article's governance model. |
| NIST CSF 2.0 | PR.AC-1 | The article focuses on access control, ownership, and continuous governance across disconnected apps. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Centralised identity control and continuous verification align to zero trust access expectations. |
Map disconnected applications to explicit access owners and enforce least privilege with review evidence.
Key terms
- Disconnected application: An application that cannot participate cleanly in standard enterprise identity workflows such as federation, automated provisioning, or lifecycle updates. These apps force security teams to rely on compensating controls, manual administration, or custom integrations to preserve accountability and access governance.
- Joiner-mover-leaver process: The identity lifecycle workflow that updates access when a person joins, changes role, or leaves. In disconnected-app environments, the process is only effective if changes can be triggered automatically and verified after execution, otherwise access can outlive the business relationship.
- Shared account: A single account used by more than one person, often for operational convenience. Shared accounts complicate attribution, increase credential handling risk, and weaken offboarding unless the organisation can tie each session back to an individual user and enforce governance centrally.
- Identity control plane: The set of systems and processes that governs authentication, entitlement, lifecycle changes, and auditability across applications. When an app sits outside the control plane, identity teams lose consistent enforcement and must rely on exceptions that are usually harder to audit and maintain.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Cerby: securing social media accounts by closing the app gap in IAM and IGA. Read the original.
Published by the NHIMG editorial team on 2025-12-19.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org