Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Social media accounts: what IAM teams are missing now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Social media accounts often sit outside standard IAM and IGA controls because they rely on weak identity standards, shared credentials, and manual lifecycle work, according to Cerby. The structural issue is not the apps themselves but the governance gap between enterprise identity systems and disconnected business platforms.

NHIMG editorial — based on content published by Cerby: securing social media accounts by closing the app gap in IAM and IGA

By the numbers:

Questions worth separating out

Q: How should security teams govern social media accounts that do not support standard IAM integration?

A: They should classify those platforms as disconnected applications, then apply explicit ownership, lifecycle, MFA, and audit requirements outside the usual federation path.

Q: Why do shared social media accounts create a governance risk?

A: Shared accounts blur ownership, weaken accountability, and often lead to poor credential hygiene or delayed offboarding.

Q: What breaks when joiner-mover-leaver workflows are manual for disconnected apps?

A: Manual JML handling increases the chance that access persists after a role change or departure, especially when marketing or agencies manage the app.

Practitioner guidance

  • Inventory disconnected business apps by control gap Identify every social, marketing, and paid media platform that sits outside IAM or IGA integration, then assign a governance owner and a documented access path for each one.
  • Automate joiner-mover-leaver handling for shared accounts Replace manual account changes with identity-driven provisioning and deprovisioning so access is updated when users join, change roles, or leave.
  • Centralise credential custody and MFA enforcement Keep passwords and MFA factors under IT control, enforce rotation when access changes, and remove direct human sharing of codes or passwords.

What's in the full article

Cerby's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step lifecycle automation examples for onboarding, role changes, and offboarding across social platforms
  • Practical credential vaulting and password-rotation workflows for disconnected apps
  • Per-user session attribution details for shared accounts used by marketing and agencies
  • Customer examples showing how teams operationalise centralized access control for social media

👉 Read Cerby's analysis of social media account governance and lifecycle control →

Social media accounts: what IAM teams are missing now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

The app gap is the real governance problem, not social media itself. Social platforms become risky when they sit outside the standards, lifecycle hooks, and audit trails that identity teams use elsewhere. Once access management shifts to manual processes, the organisation is no longer enforcing policy consistently across its application stack. Practitioners should treat disconnected business apps as a governance class, not a special case.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • A separate finding from the same research shows that 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: How can organisations keep MFA in place on shared business accounts?

A: They need central custody of the credential and MFA factors, plus a workflow that preserves usability without giving users direct control over the secret. The goal is to make MFA mandatory and recoverable, not optional or dependent on one employee holding the only code.

👉 Read our full editorial: Social media account governance exposes the app gap in IAM



   
ReplyQuote
Share: