Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Social media accounts and IAM: where enterprise controls break down


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Social media accounts often sit outside enterprise IAM and IGA because platform standards, shared access patterns, and employee-owned credentials prevent central control, according to Cerby. The result is a governance gap that makes least privilege, MFA, lifecycle automation, and auditability difficult to enforce at scale across marketing-managed channels.

NHIMG editorial — based on content published by Cerby: why social media accounts are hard to secure with existing IAM controls

By the numbers:

Questions worth separating out

Q: How should security teams govern social media accounts that sit outside IAM?

A: Treat them as disconnected identities that still need ownership, lifecycle control, and auditability.

Q: Why do shared social media credentials create so much risk?

A: Shared credentials remove individual accountability, make least privilege hard to enforce, and complicate investigations because activity cannot be reliably tied to one person.

Q: What breaks when social media access is tied to employee-owned accounts?

A: Continuity breaks when the owner leaves, changes roles, or is unavailable for authentication prompts and recovery.

Practitioner guidance

  • Inventory disconnected social accounts Create a complete register of business social platforms, identify which ones cannot support federation or lifecycle automation, and assign a control owner for each exception.
  • Move to organisation-owned account structures Use enterprise-controlled email addresses, phone numbers, and recovery methods so the business retains ownership when employees or contractors change roles.
  • Remove shared credential distribution channels Ban passwords in email, spreadsheets, and chat, then replace them with an access process that preserves attribution and revocation.

What's in the full article

Cerby's full blog post covers the operational detail this post intentionally leaves for the source:

  • How the platform-specific control gaps differ across major social networks and why that matters for implementation planning
  • The practical mechanics of shared credential management, including org-owned account recovery and factor sharing patterns
  • Examples of why password managers and custom scripts still leave lifecycle and audit gaps unresolved
  • The playbook for moving from employee-owned access to organisation-owned governance without breaking marketing workflows

👉 Read Cerby's analysis of social media account governance and IAM gaps →

Social media accounts and IAM: where enterprise controls break down?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Social media access is a disconnected identity problem, not a platform convenience issue. The article shows that many business social accounts sit outside federated IAM and IGA, which means the normal enterprise control plane cannot see or govern them. That creates a distinct class of unmanaged identity surface. Practitioners should treat these accounts as exceptions that require explicit governance ownership.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which shows how often lifecycle control lags access reality.

A question worth separating out:

Q: Who should be accountable for social media account governance?

A: Accountability should sit with security and IT, with marketing as the business owner of the channel. That split keeps policy, ownership, and recovery in the enterprise control plane while allowing the channel team to operate the account. Without a clear owner, lifecycle tasks and revocation decisions are usually deferred until they become incidents.

👉 Read our full editorial: Social media identity gaps are breaking enterprise IAM controls



   
ReplyQuote
Share: