TL;DR: Social media accounts often sit outside enterprise IAM and IGA because platform standards, shared access patterns, and employee-owned credentials prevent central control, according to Cerby. The result is a governance gap that makes least privilege, MFA, lifecycle automation, and auditability difficult to enforce at scale across marketing-managed channels.
NHIMG editorial — based on content published by Cerby: why social media accounts are hard to secure with existing IAM controls
By the numbers:
- 89% of enterprises fail to enforce MFA (or the similarly effective passkeys) for social media accounts.
- 49% of respondents said the single most important step they would take to reduce identity risk is extending automation across more applications and workflows.
Questions worth separating out
Q: How should security teams govern social media accounts that sit outside IAM?
A: Treat them as disconnected identities that still need ownership, lifecycle control, and auditability.
Q: Why do shared social media credentials create so much risk?
A: Shared credentials remove individual accountability, make least privilege hard to enforce, and complicate investigations because activity cannot be reliably tied to one person.
Q: What breaks when social media access is tied to employee-owned accounts?
A: Continuity breaks when the owner leaves, changes roles, or is unavailable for authentication prompts and recovery.
Practitioner guidance
- Inventory disconnected social accounts: Create a complete register of business social platforms, identify which ones cannot support federation or lifecycle automation, and assign a control owner for each exception.
- Move to organisation-owned account structures: Use enterprise-controlled email addresses, phone numbers, and recovery methods so the business retains ownership when employees or contractors change roles.
- Remove shared credential distribution channels: Ban passwords in email, spreadsheets, and chat, then replace them with an access process that preserves attribution and revocation.
What's in the full article
Cerby's full blog post covers the operational detail this post intentionally leaves for the source:
- How the platform-specific control gaps differ across major social networks and why that matters for implementation planning
- The practical mechanics of shared credential management, including org-owned account recovery and factor sharing patterns
- Examples of why password managers and custom scripts still leave lifecycle and audit gaps unresolved
- The playbook for moving from employee-owned access to organisation-owned governance without breaking marketing workflows
Read Cerby's analysis of social media account governance and IAM gaps: "Social media accounts and IAM: where enterprise controls break down?"