TL;DR: Social media accounts often sit outside standard IAM and IGA controls because they rely on weak identity standards, shared credentials, and manual lifecycle work, according to Cerby. The structural issue is not the apps themselves but the governance gap between enterprise identity systems and disconnected business platforms.
NHIMG editorial — based on content published by Cerby: securing social media accounts by closing the app gap in IAM and IGA
By the numbers:
- 58% of teams say former employees have retained access to systems after leaving the organization.
- 22% of all online ad spend is wasted due to ad fraud annually.
Questions worth separating out
Q: How should security teams govern social media accounts that do not support standard IAM integration?
A: They should classify those platforms as disconnected applications, then apply explicit ownership, lifecycle, MFA, and audit requirements outside the usual federation path.
Q: Why do shared social media accounts create a governance risk?
A: Shared accounts blur ownership, weaken accountability, and often lead to poor credential hygiene or delayed offboarding.
Q: What breaks when joiner-mover-leaver workflows are manual for disconnected apps?
A: Manual JML handling increases the chance that access persists after a role change or departure, especially when marketing or agencies manage the app.
Practitioner guidance
- Inventory disconnected business apps by control gap: Identify every social, marketing, and paid media platform that sits outside IAM or IGA integration, then assign a governance owner and a documented access path for each one.
- Automate joiner-mover-leaver handling for shared accounts: Replace manual account changes with identity-driven provisioning and deprovisioning so access is updated when users join, change roles, or leave.
- Centralise credential custody and MFA enforcement: Keep passwords and MFA factors under IT control, enforce rotation when access changes, and remove direct human sharing of codes or passwords.
What's in the full article
Cerby's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step lifecycle automation examples for onboarding, role changes, and offboarding across social platforms
- Practical credential vaulting and password-rotation workflows for disconnected apps
- Per-user session attribution details for shared accounts used by marketing and agencies
- Customer examples showing how teams operationalise centralized access control for social media