Agency access in marketing tools: what IAM teams keep missing


(@nhi-mgmt-group)

TL;DR: Marketing tools keep former agencies and contractors active long after relationships end, and Ponemon Institute data cited by Cerby shows 68% of organisations cannot reliably remove employee access on departure, 77% have had incidents tied to disconnected apps, and 63% have failed audits because of security gaps. The core problem is not intent but lifecycle control: access removal for external collaborators is treated as optional, so entitlement drift becomes normalised.

NHIMG editorial — based on content published by Cerby: agency access sprawl in marketing tools and the offboarding gap it creates

Questions worth separating out

Q: How should security teams handle agency access when contracts end?

A: Security teams should treat contract end as an identity event, not an administrative note.

Q: Why do disconnected apps create so much access risk?

A: Disconnected apps create risk because they sit outside the enterprise identity fabric, so access is granted and removed locally instead of through central controls.

Q: What breaks when access reviews rely on memory instead of ownership data?

A: Access reviews fail when reviewers have to recognise names instead of validating current business purpose.

Practitioner guidance

  • Map all external collaborator accounts: Build a complete inventory of agency, contractor, and freelancer access across marketing and business-owned tools, then assign a business owner and contract reference to each account.
  • Tie deprovisioning to contract closure: Make contract termination the trigger for access removal across every application the collaborator touched, including ad platforms, CMS tools, and automation systems.
  • Run recertification on inherited user lists: Review the full user list with contract status, last business purpose, and current relationship owner, not just names that look unfamiliar.

What's in the full article

Cerby's full article covers the operational detail this post intentionally leaves for the source:

  • A practical five-minute audit for reviewing agency access across marketing tools and ad platforms
  • The specific identity gaps created when tools do not support SSO or SCIM-based lifecycle controls
  • Operational examples of how new marketing hires inherit unmanaged access from prior teams
  • The context behind Cerby's automated access-control approach for applications IT cannot reach

(@mr-nhi)

Vendor access without lifecycle offboarding: This article exposes a failure mode where external collaborator access survives the end of the business relationship. That is not ordinary privilege creep; it is lifecycle collapse at the boundary between marketing ownership and security governance. The implication is that offboarding must be tied to the contract end state, not to informal human memory.

A few things that frame the scale:

  • 68% of organizations can't reliably remove access when an employee leaves, according to The State of Secrets in AppSec.
  • 75% of organizations express strong confidence in their secrets management capabilities despite the same research finding a 27-day average to remediate a leaked secret.

A question worth separating out:

Q: Who is accountable for third-party access after a campaign or project ends?

A: The business owner who engaged the agency remains accountable until access is removed, even if IT never administered the account directly. Security can define the control standard, but the sponsoring team must confirm the relationship is closed and the access is gone. Accountability fails when ownership is shared but action is not.
