TL;DR: Social media accounts sit outside standard IAM and IGA controls, so organizations fall back on manual provisioning, shared credentials, and weak recovery practices that drive orphaned access and poor visibility, according to Cerby. The control gap is structural because these accounts were built for consumer identity, not enterprise governance.
NHIMG editorial — based on content published by Cerby: securing social media accounts and the identity problems they create
By the numbers:
- More than half of companies (56%) have experienced social media hacking at least once.
Questions worth separating out
Q: How should organisations govern business social media accounts that sit outside IAM?
A: Treat social accounts as governed business identities, not informal marketing assets.
Q: Why do social media accounts create so many offboarding problems?
A: Because access is often tied to personal profiles, contractor credentials, or shared recovery methods rather than a durable enterprise identity.
Q: What breaks when teams rely on manual social account administration?
A: Manual administration breaks accountability first and scalability second.
Practitioner guidance
- Inventory every business social account Create a complete register of platform accounts, owners, approvers, recovery methods, and business purpose so no account exists outside governance.
- Eliminate shared password administration Replace credential sharing with individually attributable admin access wherever the platform allows it, and document exceptions where it does not.
- Test social account offboarding Run periodic offboarding checks for employees, contractors, and agencies to confirm access removal, recovery transfer, and account ownership reassignment.
What's in the full article
Cerby's full analysis covers the operational detail this post intentionally leaves for the source:
- Practical examples of how disconnected social platforms frustrate enterprise authentication and provisioning workflows
- The access patterns that lead to shared passwords, weak recovery, and ghost accounts in real organisations
- The operational model for bringing marketing-owned accounts into a more controlled access and audit process
👉 Read Cerby's analysis of why social media accounts sit outside IAM control →
Social media account security: what IAM teams are missing?
Explore further
Social media security is an identity governance failure, not a channel problem. These accounts carry brand, customer, and sometimes financial value, yet they often sit outside the systems designed to govern access, lifecycle, and auditability. That means the real issue is not the interface, it is the absence of authoritative identity control over a business-critical asset. Practitioners should treat social platforms as governed identities, not marketing exceptions.
A few things that frame the scale:
- only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, according to The State of Non-Human Identity Security.
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, a gap that mirrors the visibility problems seen in disconnected business channels.
A question worth separating out:
Q: Who should own social media account governance in an organisation?
A: Business teams can operate the channel, but identity governance should remain with security or IAM leadership. The right model separates content ownership from access ownership, so marketing, communications, and IT each have defined responsibilities. That reduces the chance that critical accounts are managed solely for convenience instead of control.
👉 Read our full editorial: Social media account security is outside IAM control